97 - Quiz Flashcards

1
Q
Application Load Balancers can route traffic to different Target Groups based on the following, EXCEPT:
A. Client's Location (Geography)
B. Hostname
C. Request URL Path
D. Source IP Address
A

ALBs can route traffic to different Target Groups based on URL Path, Hostname, HTTP Headers, and Query Strings.

2
Q

For compliance purposes, you would like to expose a fixed static IP address to your end-users so that they can write firewall rules that will be stable and approved by regulators. What type of Elastic Load Balancer would you choose?
A. Application Load Balancer with an Elastic IP attached to it
B. Network Load Balancer
C. Classic Load Balancer

A

Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.

3
Q
You want to create a custom application-based cookie in your Application Load Balancer. Which of the following can you use as a cookie name?
A. AWSALBPP
B. APPUSERC
C. AWSALBTG
D. AWSALB
A

The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG).

4
Q

You have an Application Load Balancer that is configured to redirect traffic to 3 Target Groups based on the following hostnames: users.example.com, api.external.example.com, and checkout.example.com. You would like to configure HTTPS for each of these hostnames. How do you configure the ALB to make this work?
A. Use an HTTP to HTTPS redirect rule
B. Use a security group SSL certificate
C. Use Server Name Indication (SNI)

A

Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

5
Q

We have an RDS database that struggles to keep up with the demand of requests from our website. Our million users mostly read news, and we don’t post news very often. Which solution is NOT adapted to this problem?
A. An ElastiCache Cluster
B. RDS Multi-AZ
C. RDS Read Replicas

A

Be very careful with the way you read questions at the exam. Here, the question is asking which solution is NOT adapted to this problem. ElastiCache and RDS Read Replicas do indeed help with scaling reads.

6
Q

You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complains that he can’t perform a PutObject API call. What is a possible cause for this?
A. The S3 bucket policy must be wrong
B. The user is lacking permissions
C. The IAM user must have an explicit DENY in the attached IAM Policy
D. You need to contact AWS support to lift this limit

A

Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.

7
Q
You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions?
A. Use a bucket policy
B. Enable MFA Delete
C. Encrypt the files
D. Disable versioning
A

MFA Delete forces users to use MFA codes before deleting S3 objects. It’s an extra level of security to prevent accidental deletions.

8
Q

Which of the following is NOT a Glacier Deep Archive retrieval mode?
A. Expedited (1 - 5 minutes)
B. Standard (12 hours)
C. Bulk (48 hours)

A

A. Expedited (1 - 5 minutes)

9
Q

When you are using an Edge-Optimized API Gateway, your API Gateway lives in CloudFront Edge Locations across all AWS Regions.
A. False
B. True

A

An Edge-Optimized API Gateway is best for geographically distributed clients. API requests are routed to the nearest CloudFront Edge Location which improves latency. The API Gateway still lives in one AWS Region.

10
Q

You are running an application in production that is leveraging DynamoDB as its datastore and is experiencing smooth sustained usage. There is a need to make the application run in development mode as well, where it will experience an unpredictable volume of requests. What is the most cost-effective solution that you recommend?
A. Use Provisioned Capacity Mode with Auto Scaling enabled for both development and production
B. Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development
C. Use Provisioned Capacity Mode with Auto Scaling enabled for development and use On-Demand Capacity Mode for production
D. Use On-Demand Capacity Mode for both development and production

A

B. Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development

11
Q
You have created a DynamoDB table in ap-northeast-1 and would like to make it available in eu-west-1, so you decided to create a DynamoDB Global Table. What needs to be enabled first before you create a DynamoDB Global Table?
A. DynamoDB Streams
B. DynamoDB DAX
C. DynamoDB Versioning
D. DynamoDB Backups
A

DynamoDB Streams enable DynamoDB to get a changelog and use that changelog to replicate data across replica tables in other AWS Regions.

12
Q
A CloudWatch Alarm set on a High-Resolution Custom Metric can be triggered as often as ......................
A. 1 second
B. 10 seconds
C. 30 seconds
D. 1 minute
A

If you set an alarm on a high-resolution metric, you can specify a high-resolution alarm with a period of 10 seconds or 30 seconds, or you can set a regular alarm with a period of any multiple of 60 seconds.

13
Q

You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use?
A. Amazon CloudWatch
B. AWS CloudTrail

A

Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications’ performance and metrics.

14
Q

You are running a website on a fleet of EC2 instances with an OS that has a known vulnerability on port 84. You want to continuously monitor whether your EC2 instances have port 84 exposed. How should you do this?
A. Setup CloudWatch Metrics
B. Setup CloudTrail Trails
C. Setup Config Rules
D. Schedule a CloudWatch Event to trigger a Lambda function to scan your EC2 instances

A

C. Setup Config Rules

15
Q

You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …
A. True
B. False

A

You can use the AWS Managed Service keys in KMS, so you don’t need to create your own KMS keys.

16
Q

You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 3 months. What should you do?
A. Re-configure your KMS CMK and enable Automatic Rotation, in the “Period” select 3 months
B. Use AWS Managed Keys as they are automatically rotated by AWS every 3 months
C. Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

A

C. Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

17
Q
What should you use to control access to your KMS CMKs?
A. KMS Key Policies
B. KMS IAM Policy
C. AWS GuardDuty
D. KMS Access Control List (KMS ACL)
A

A. KMS Key Policies

18
Q
You have a corporate network of size 10.0.0.0/8 and a satellite office of size 192.168.0.0/16. Which CIDR is acceptable for your AWS VPC if you plan on connecting your networks later on?
A. 172.16.0.0/12
B. 172.16.0.0/16
C. 10.0.16.0/16
D. 192.168.4.0/18
A

CIDRs should not overlap, and the max CIDR size in AWS is /16.

19
Q

You have attached an Internet Gateway to your VPC, but your EC2 instances still don’t have access to the internet. What is NOT a possible issue?
A. Route Tables are missing entries
B. The EC2 instances don’t have public IPs
C. The Security Group does not allow traffic in
D. The NACL does not allow network traffic out

A

Security groups are stateful and if traffic can go out, then it can go back in.

20
Q
You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?
A. Site-to-Site VPN
B. AWS PrivateLink
C. AWS Direct Connect
D. Amazon EventBridge
A

C. AWS Direct Connect

21
Q

Using a Direct Connect connection, you can access both public and private AWS resources.
A. True
B. False

A

A. True

22
Q

You have an on-premises Oracle database that you want to migrate to AWS, specifically to Amazon Aurora. How would you do the migration?
A. Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data
B. Use Database Migration Service (AWS DMS) to convert the database schema, then use AWS Schema Conversion Tool (AWS SCT) to migrate the data

A

A. Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data

23
Q
As a Solutions Architect, you have created an architecture for a company that includes the following AWS services: CloudFront, Web Application Firewall (AWS WAF), AWS Shield, Application Load Balancer, and EC2 instances managed by an Auto Scaling Group. Sometimes the company receives malicious requests and wants to block these IP addresses. According to your architecture, where should you do it?
A. CloudFront
B. AWS WAF
C. AWS Shield
D. ALB Security Group
E. EC2 Security Group
F. NACL
A

B. AWS WAF

24
Q
Which AWS service helps you deploy your code to a fleet of EC2 instances with a specific strategy (e.g., Blue/Green deployment)?
A. AWS CodeDeploy
B. AWS CodeBuild
C. AWS CodePipeline
D. AWS CodeCommit
A

AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of computing services such as EC2, Fargate, Lambda, and your on-premises servers. You can define the strategy you want to execute such as in-place or blue/green deployments.