Amazon AWS Certified Cloud Practitioner Exam Practice Flashcards

Question

According to the AWS shared responsibility model, what responsibility does a customer have when using Amazon RDS to host a database? A. Manage connections to the database B. Install Microsoft SQL Server C. Design encryption-at-rest strategies D. Apply minor database patches

Answer 1

According to the AWS shared responsibility model, when using Amazon RDS (Relational Database Service) to host a database, the customer's responsibilities include: D. Apply minor database patches Customers are responsible for applying minor database patches and updates to their Amazon RDS instances. AWS manages the underlying infrastructure, patching the database engine, and performing routine maintenance. However, customers are responsible for managing the database schema, application logic, and any minor version upgrades to the database engine. Options A, B, and C fall under AWS's responsibilities in the shared responsibility model. AWS manages connections to the database, the installation of the database engine (e.g., Microsoft SQL Server), and the design and management of encryption-at-rest strategies.

Answer 2

The advantages of using Amazon EC2 instances to host applications in the AWS Cloud instead of on premises are: B. EC2 integrates with Amazon VPC, AWS CloudTrail, and AWS Identity and Access Management (IAM): Amazon EC2 instances seamlessly integrate with AWS services like Amazon VPC (Virtual Private Cloud), AWS CloudTrail for audit and monitoring, and IAM for fine-grained access control. This enhances security and management capabilities in the AWS Cloud. D. EC2 has a flexible, pay-as-you-go pricing model: Amazon EC2 offers a flexible and cost-effective pricing model that allows you to pay for the compute capacity you use on an hourly or per-second basis. This pricing model provides cost savings and scalability compared to investing in on-premises hardware. Explanation: A. EC2 includes operating system patch management: While AWS manages the underlying infrastructure and hardware, customers are responsible for managing the operating system, including patch management, on EC2 instances. This is not a service provided by AWS for EC2. C. EC2 does not have a 100% service level agreement (SLA): Amazon EC2 has a service level agreement that provides availability targets, but it does not guarantee 100% uptime. E. EC2 does not have automatic storage cost optimization: AWS provides various storage services with cost optimization features, but EC2 itself does not offer automatic storage cost optimization. It's up to the user to configure and manage storage resources efficiently.

Answer 3

To determine whether an Amazon EC2 instance's security groups were modified in the last month and to see if a change was made, you should: C. Use AWS CloudTrail to see if the security group was changed. AWS CloudTrail is a service that provides a detailed history of AWS API calls made on your account, including changes to resources like security groups. You can use CloudTrail logs to track changes to your security groups and identify who made those changes. Option A (Use Amazon EC2) won't provide historical information about changes to security groups. Option B (Use AWS Identity and Access Management) can help track which user or role made changes but doesn't provide detailed information about the specific changes made. Option D (Use Amazon CloudWatch) is a monitoring service but doesn't specifically track and record changes to security groups; it's not designed for change tracking.

Answer 4

The AWS service that helps protect applications running on AWS from Distributed Denial of Service (DDoS) attacks is: C. AWS Shield AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It offers protection against common and most advanced DDoS attacks, helping to keep applications highly available and responsive during DDoS attacks. AWS Shield provides both standard and advanced protection tiers, with the latter offering additional protection for more complex and larger-scale attacks. While AWS WAF (Web Application Firewall) (Option B) can help protect applications from web-based attacks, it's not primarily focused on DDoS protection. AWS WAF is more for filtering and monitoring web traffic and can be used in conjunction with AWS Shield. Options A (Amazon GuardDuty) and D (Amazon Inspector) are security services that focus on threat detection, vulnerability assessment, and security monitoring, but they are not DDoS protection services.

Answer 5

The AWS service or feature that acts as a firewall for Amazon EC2 instances is: D. Security group A security group acts as a virtual firewall for Amazon EC2 instances to control inbound and outbound traffic. You can define inbound and outbound rules for your security group, specifying the allowed sources and destinations, and the permitted ports and protocols. Security groups provide an essential layer of security and access control for EC2 instances within an Amazon Virtual Private Cloud (VPC). Option A (Network ACL) is a network-level control list that operates at the subnet level, controlling traffic in and out of the associated subnets. Option B (Elastic network interface) is a logical networking component that represents a virtual network card and is not a firewall. Option C (Amazon VPC) is the virtual network where your Amazon EC2 instances reside and can be configured to control network access, but it is not a firewall on its own. Firewalls, like security groups, are configured within the context of the VPC.

Answer 6

The AWS Cloud pricing model differs from the traditional on-premises storage pricing model in several ways, but one of the key differences is: C. There are no upfront cost commitments In the traditional on-premises storage model, organizations often have significant upfront capital expenditures for hardware, software, and infrastructure. They typically need to purchase and maintain storage equipment, pay for software licenses, and invest in data center facilities. These upfront costs can be substantial. In contrast, AWS provides a pay-as-you-go pricing model where customers only pay for the resources and services they consume, with no large upfront costs or long-term commitments. This model offers cost flexibility and scalability as businesses can adjust their resources based on demand without incurring large capital expenses. Options A, B, and D are not accurate in the context of AWS pricing: - AWS resources do incur costs based on usage. - While AWS eliminates the need to manage physical infrastructure, AWS services have associated costs. - AWS may include software licensing costs depending on the specific services and software being used.

Answer 7

To achieve high availability with a single Amazon EC2 instance, the company should: B. Scale horizontally across multiple Availability Zones. By distributing the EC2 instance across multiple Availability Zones (AZs), you can achieve redundancy and fault tolerance. If one Availability Zone experiences an issue, the application can still operate from the other Availability Zone. This ensures high availability and helps to minimize downtime. Option A (Scaling vertically to a larger EC2 instance size) doesn't provide high availability on its own. While it can improve performance, it doesn't protect against failures in a single Availability Zone. Option C (Purchasing an EC2 Dedicated Instance) doesn't address high availability; it relates to tenancy and doesn't inherently make your instance highly available. Option D (Changing the EC2 instance family) can improve performance but doesn't directly address high availability.

Answer 8

The company that can now deploy its application in 2-3 days compared to 3-4 weeks in the on-premises environment has experienced the benefit of: C. Agility Moving to the AWS Cloud has improved the company's agility by allowing for quicker and more efficient application deployment. AWS provides the flexibility to scale resources up or down as needed, which leads to faster development and deployment cycles, enabling the company to respond to changing business requirements more rapidly. Option A (Elasticity) and Option B (Flexibility) are related benefits, but in this context, the improved deployment speed is more aligned with agility. Option D (Resilience) relates to the ability to withstand and recover from failures, which may be a benefit of using AWS, but it's not the primary benefit highlighted in this scenario.

Answer 9

AWS Enterprise Support includes the following: A. AWS technical account manager (TAM): AWS Enterprise Support provides access to a dedicated Technical Account Manager (TAM) who can help with technical and architectural guidance, operational best practices, and AWS resource optimization. D. Support of third-party software integration to AWS: AWS Enterprise Support includes support for third-party software that is integrated with AWS services. Options B, C, and E are not included in AWS Enterprise Support: B. AWS partner-led support typically involves AWS Partner Network (APN) consulting partners and is separate from AWS Enterprise Support. C. AWS Professional Services are not included in AWS Enterprise Support and are typically separate consulting and professional services offered by AWS. E. The 5-minute response time for critical issues is a feature of AWS Business Support and AWS Enterprise Support Plus, but not included in standard AWS Enterprise Support.

Answer 10

To limit access to AWS services for member accounts within AWS Organizations, the company can use: B. Service control policies (SCPs) Service control policies (SCPs) are used to set fine-grained permissions on what services and actions can be accessed by member accounts within AWS Organizations. SCPs are attached at the root, organizational unit (OU), or account level and allow you to define which AWS services can and cannot be used by accounts, helping to enforce security and compliance policies across the organization. Options A (AWS Identity and Access Management), C (Organizational units), and D (Access control lists) play important roles in access control and security but are not used specifically to limit access to AWS services for member accounts within the context of AWS Organizations.

Answer 11

To limit its employees' AWS access to a portfolio of predefined AWS resources, the company should use: C. AWS Service Catalog AWS Service Catalog allows organizations to create and manage catalogs of IT services, applications, and resources that are approved for use within the organization. By setting up a portfolio in AWS Service Catalog, the company can control and limit access to predefined AWS resources, ensuring that employees can only provision resources from the approved catalog. This helps maintain control, compliance, and standardization while providing a self-service mechanism for employees to request and access resources. Options A (AWS Config), B (AWS software development kits), and D (AWS AppSync) are not designed for this specific use case of controlling and limiting employee access to predefined AWS resources. They serve different purposes within AWS.

Answer 12

The scenario described, where the company can quickly launch new products and features and scale infrastructure as required after migrating to AWS, aligns with the AWS Cloud value proposition of: A. Business agility Business agility is a key benefit of AWS, enabling organizations to respond to changing business needs more rapidly, innovate, and launch new products or features with greater speed and flexibility. AWS's cloud infrastructure and services provide the agility needed for businesses to adapt and scale as required, allowing for faster time-to-market and improved competitiveness.

Answer 13

The advantages of the AWS Cloud are: B. Ability to quickly change required capacity: AWS offers the flexibility to easily scale resources up or down to meet changing requirements. This agility allows you to respond to fluctuations in demand and optimize costs. C. High economies of scale: AWS operates on a massive scale, which allows them to achieve efficiencies and economies of scale. This often translates into cost savings for AWS customers. Option A (AWS management of user-owned infrastructure) is not an advantage but rather a responsibility shift from the customer to AWS when moving to the cloud. Option D (Increased deployment time to market) is not an advantage but rather a disadvantage. AWS typically reduces deployment time to market, so this is not a benefit of the AWS Cloud. Option E (Increased fixed expenses) is not an advantage; cloud services often provide the advantage of reducing fixed expenses by replacing large capital expenditures with pay-as-you-go models.

Answer 14

This statement describes the advantage of the AWS Cloud: C. High economies of scale AWS can achieve lower pay-as-you-go pricing by aggregating usage across a large and diverse customer base, allowing them to leverage their massive infrastructure efficiently and pass on cost savings to customers. This benefit is a result of the economies of scale that AWS can achieve, making cloud services cost-effective for a wide range of users.

Answer 15

For a workload that will run for 1 year on Amazon EC2 instances and where the instance sizes are suitable, the MOST cost-effective EC2 instance purchasing option is: A. Standard Reserved Instances Standard Reserved Instances (RIs) provide a significant cost savings when compared to On-Demand Instances for a committed 1-year term. By committing to a 1-year term, you receive a discount on the hourly rate compared to On-Demand pricing while keeping the flexibility to choose the instance size and Availability Zone. Option B (On-Demand Instances) may be more expensive for a 1-year continuous workload compared to Reserved Instances. Option C (Spot Instances) offer lower pricing but are not suitable for workloads that require continuous and predictable availability. Option D (Convertible Reserved Instances) also provide cost savings but often require a 3-year term commitment and offer more flexibility to change instance types. For a 1-year term, Standard Reserved Instances are typically the more cost-effective choice.

Answer 16

For a high-performance NoSQL database for a mobile app, the company could use the following AWS services: D. Amazon DocumentDB (with MongoDB compatibility): Amazon DocumentDB is a managed NoSQL database service compatible with MongoDB, making it a good choice for NoSQL database needs, especially if the application already uses MongoDB. E. Amazon DynamoDB: Amazon DynamoDB is a fully managed NoSQL database service designed for high-performance and scalability. It's a popular choice for mobile and web applications that require low-latency access to data and need to scale easily as the application grows. Options A (Amazon Aurora) and B (Amazon RDS) are relational database services, not NoSQL databases, and may not be the best fit for a high-performance NoSQL database use case. Option C (Amazon Redshift) is a data warehousing service, which is not typically used as a high-performance NoSQL database for a mobile app.

Answer 17

The tasks that are the responsibility of AWS according to the AWS shared responsibility model are: A. Patch the Amazon EC2 guest operating system. D. Maintain the physical security of edge locations. AWS takes responsibility for the physical infrastructure, as well as the host operating system on managed services like Amazon EC2. However, the customer is responsible for configuring and securing their applications and data running on these services. Tasks like patching the operating system and maintaining physical security are the responsibility of AWS.

Answer 18

The features of network ACLs (Access Control Lists) as they are used in the AWS Cloud are: A. They are stateless: Network ACLs are stateless, which means that rules are not automatically applied in both directions. You need to create rules for both inbound and outbound traffic if necessary. D. They process rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic: Network ACLs evaluate rules in order from lowest to highest rule number, and the first matching rule determines the action taken for the traffic. Network ACLs operate at the subnet level, not the instance level, and control traffic entering and leaving the subnet. Option B (They are stateful) is incorrect. Network ACLs in AWS are stateless and do not keep track of the state of connections like stateful firewalls do. Stateful behavior is typically associated with security groups in AWS.

Answer 19

The scenario described, where a company has protocols in place to continuously improve supporting processes and effectively run its AWS Cloud workloads, aligns with the following pillar of the AWS Well-Architected Framework: D. Operational excellence Operational excellence focuses on the efficient and continuous improvement of processes and procedures, allowing organizations to run and monitor systems effectively, and respond to events and changes with minimal effort. While security (Option A), performance efficiency (Option B), and cost optimization (Option C) are all important aspects of a well-architected infrastructure, the scenario emphasizes operational excellence as the primary focus.

Answer 20

The AWS service or feature that can be used to create a private connection between an on-premises workload and an AWS Cloud workload is: C. AWS Direct Connect AWS Direct Connect is a network service that provides dedicated and private network connections between on-premises data centers and AWS. It allows for a secure and high-bandwidth connection between your on-premises infrastructure and AWS, enabling you to extend your network and access AWS resources without going over the public internet. Option A (Amazon Route 53) is a scalable domain name system (DNS) web service and is not used for creating private network connections. Option B (Amazon Macie) is a service for discovering, classifying, and protecting sensitive data, but it's not used for creating network connections. Option D (AWS PrivateLink) is a service that provides private network connections to AWS services, but it primarily focuses on accessing AWS services privately from within the AWS network rather than connecting to on-premises workloads.

Answer 21

The AWS Billing and Cost Management tool that provides AWS billing and usage data in a graphical format is: B. Cost Explorer AWS Cost Explorer is a graphical tool that allows you to visualize your AWS billing and usage data over time. It provides various charts, graphs, and reports to help you understand your monthly costs and usage patterns. You can use it to explore and analyze your AWS spending, view usage trends, and set up cost and usage budgets. Option A (AWS Bills) typically provides itemized lists of charges but does not offer the graphical visualization of cost and usage data. Option C (AWS Cost and Usage Report) provides detailed data in CSV files but does not offer graphical visualization. Option D (AWS Budgets) allows you to set up cost and usage budgets and receive alerts but does not provide graphical visualization of data.

Answer 22

To meet the requirements of having a designated AWS technical account manager (TAM) and 24/7 technical support, the appropriate AWS Support plan is: B. AWS Enterprise Support AWS Enterprise Support offers the concierge service of a designated technical account manager (TAM) and provides 24/7 technical support, making it the right choice for production workloads with these specific requirements. Options A (AWS Basic Support), C (AWS Business Support), and D (AWS Developer Support) do not include a designated TAM or 24/7 support to the same extent as AWS Enterprise Support.

Answer 23

The architecture design principle that describes the need to isolate failures between dependent components in the AWS Cloud is: D. Loosely couple components. In a well-architected system, components should be loosely coupled, meaning that they interact with each other through well-defined interfaces and APIs. This design approach helps to isolate failures in one component from affecting other components, promoting resilience and fault tolerance. Options A (Use a monolithic design) and C (Design for single points of failure) are not best practices in AWS architecture design. Monolithic designs are typically less fault-tolerant, and designing for single points of failure is not recommended. AWS architecture aims to minimize single points of failure. Option B (Design for automation) is an important principle but not the one that specifically addresses isolating failures between dependent components.

Answer 24

The managed database services provided by AWS are: C. Amazon RDS: Amazon Relational Database Service (RDS) is a managed relational database service that supports multiple database engines such as MySQL, PostgreSQL, Oracle, SQL Server, and MariaDB. E. Amazon DynamoDB: Amazon DynamoDB is a managed NoSQL database service that provides fast and flexible database capabilities for applications requiring seamless scalability. Options A (Amazon Elastic Block Store - EBS) and D (Amazon Elastic File System - EFS) are storage services, not managed database services. Option B (Amazon S3) is a scalable object storage service but not a managed database service.

Answer 25

If the Free Tier usage period expires or if the application use exceeds the Free Tier usage limits, the following will typically occur: A. The company will be charged the standard pay-as-you-go service rates for the usage that exceeds the Free Tier usage. In other words, the company will start incurring standard charges for the services that go beyond the Free Tier limits. AWS will charge for the usage that exceeds the Free Tier allowance, but the account does not get frozen, and there is no need to set up a payment plan. AWS charges are based on actual usage beyond the Free Tier.

Answer 26

To limit network traffic directly to an Amazon RDS instance, the company should use: B. Security groups Security groups act as stateful firewalls at the instance level and control inbound and outbound traffic to and from your Amazon RDS instances. You can define rules that allow or deny specific traffic based on source, destination, and port. Security groups are the primary means to control access to RDS instances within a Virtual Private Cloud (VPC). Options A (Network ACLs) are network-level access control lists that control traffic at the subnet level but are less specific for controlling traffic to an RDS instance. Options C (AWS WAF) and D (Amazon GuardDuty) are services related to web application firewall and threat detection, respectively, but they are not used to directly control network traffic to RDS instances in a VPC.

Answer 27

The AWS service that uses machine learning to help discover, monitor, and protect sensitive data stored in Amazon S3 buckets is: B. Amazon Macie Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to automatically discover and classify sensitive data, monitor data access, and provide alerts and actionable recommendations for securing data in Amazon S3 buckets. Options A (AWS Shield) is a service that provides DDoS protection, not sensitive data discovery and protection. Options C (AWS Network Firewall) is a service for filtering network traffic and is not related to sensitive data protection. Option D (Amazon Cognito) is a service for user authentication and authorization, not related to data discovery and protection in S3 buckets.

Answer 28

To improve the overall availability and performance of applications hosted on AWS, the company should use: C. AWS Global Accelerator AWS Global Accelerator is a service that helps you improve the availability and performance of applications by utilizing static IP addresses and routing traffic over the AWS global network to the optimal AWS endpoint based on health, geography, and routing policies. It provides a highly available and scalable solution for improving application performance and resiliency. Options A (Amazon Connect) and B (Amazon Lightsail) are not related to improving application availability and performance; they are focused on other use cases. Option D (AWS Storage Gateway) is a service for connecting on-premises environments to cloud storage and is not directly related to application availability and performance improvement.

Answer 29

The AWS service or feature that identifies whether an Amazon S3 bucket or an IAM role has been shared with an external entity is: C. AWS IAM Access Analyzer AWS IAM Access Analyzer is a service that examines your policies to help you identify and review access that has been granted to external entities (accounts outside your AWS organization) for your S3 buckets, IAM roles, and other resources. It helps you identify unintended or potentially risky access and security misconfigurations.

Answer 30

The requirements described align with the following pillar of the AWS Well-Architected Framework: D. Cost optimization This pillar emphasizes the need to pay only for the resources that you use and to have the ability to increase or decrease resource usage to meet business requirements without relying on elaborate forecasting. Cost optimization focuses on maximizing the value of your cloud resources while minimizing unnecessary expenses, making it an important consideration for cost-effective and efficient resource management.

Answer 31

The requirement for a system to automatically recover from failure aligns with the following pillar of the AWS Well-Architected Framework: D. Reliability Reliability focuses on designing systems that can recover from failures and maintain a high level of availability and fault tolerance. This includes the ability to automatically recover from failures to ensure that the system continues to operate smoothly even when issues or outages occur.

Answer 32

To connect and centrally manage network connectivity between multiple VPCs in different AWS Regions, the AWS service that meets these requirements is: B. AWS Transit Gateway AWS Transit Gateway is a service that simplifies the network architecture by allowing you to connect multiple VPCs, whether they are in the same Region or different Regions, and route traffic between them. It provides centralized management and simplifies network connectivity, making it an ideal solution for large enterprises with multi-VPC and multi-Region deployments. Options A (AWS Direct Connect) and C (AWS Site-to-Site VPN) are used for connectivity to on-premises networks but are not specific to interconnecting VPCs in different Regions. Option D (VPC endpoints) is used for direct connectivity to AWS services from within a VPC but is not designed for interconnecting multiple VPCs across Regions.

Answer 33

The AWS service that supports the creation of visual reports from AWS Cost and Usage Report data is: B. Amazon QuickSight Amazon QuickSight is a business analytics service that allows you to create interactive and visual reports and dashboards from a variety of data sources, including AWS Cost and Usage Reports. It enables you to analyze and visualize your AWS cost and usage data to gain insights and make data-driven decisions. Options A (Amazon Athena), C (Amazon CloudWatch), and D (AWS Organizations) are not typically used for creating visual reports from AWS Cost and Usage Report data. Amazon Athena is more focused on querying and analyzing data, while Amazon CloudWatch and AWS Organizations have different purposes.

Answer 34

The AWS service that should be used to monitor Amazon EC2 instances for CPU and network utilization is: C. Amazon CloudWatch Amazon CloudWatch is a monitoring and observability service that allows you to collect and track metrics, collect and monitor log files, and set alarms. It provides insights into the performance and operational health of AWS resources, including Amazon EC2 instances. You can use CloudWatch to monitor CPU and network utilization, among other metrics, for your EC2 instances. Options A (Amazon Inspector) is a security assessment service and not used for general performance monitoring. Option B (AWS CloudTrail) is used for logging API activity and is not focused on monitoring resource performance. Option D (AWS Config) is used for assessing and auditing the configuration of AWS resources and is not a monitoring service.

Answer 35

The AWS resource that will provide guidance about how the company should scale its architecture and receive operational support during the event, especially with an AWS Enterprise Support plan, is: B. The designated AWS technical account manager (TAM) The AWS technical account manager (TAM) is a designated resource provided as part of AWS Enterprise Support. The TAM serves as a trusted advisor and provides guidance on architectural best practices, operational optimization, and other support-related matters. In this scenario, the TAM can help the company with architectural and scaling recommendations to ensure the web store can handle the expected high traffic during the event. They can also assist with operational support to address any issues that may arise.

Answer 36

To deploy a service to the AWS Cloud using infrastructure-as-code (IaC) principles, you should use: B. AWS CloudFormation AWS CloudFormation is a service that allows you to define and provision AWS infrastructure as code. You can create templates that describe the AWS resources needed for your application and then launch those resources as a stack. It enables you to automate the deployment of infrastructure, making it a suitable choice for IaC practices. Options A (AWS Systems Manager), C (AWS CodeCommit), and D (AWS Config) are useful services for various purposes, but they are not specifically designed for infrastructure provisioning and deployment as AWS CloudFormation is.

Answer 37

To centrally manage and govern AWS Cloud environments, automate the creation of AWS accounts, apply service control policies (SCPs), and simplify billing processes, the company should use: A. AWS Organizations AWS Organizations is a service that allows you to consolidate multiple AWS accounts into an organization, create new AWS accounts, and apply service control policies (SCPs) to centrally manage the permissions and resources across those accounts. It also simplifies billing processes by providing consolidated billing for the accounts within the organization. Options B (Cost Explorer), C (AWS Budgets), and D (AWS Trusted Advisor) are useful services, but they do not provide the centralized account management and governance capabilities that AWS Organizations offers.

Answer 38

In the AWS shared responsibility model, the following IT controls are shared between AWS and the customer: B. Patch management: While AWS manages the underlying infrastructure, it is the customer's responsibility to manage patches and updates for their operating systems and applications running on AWS services. D. Zone security: Security within an Amazon VPC, including configuring security groups and network ACLs to control traffic to and from AWS resources, is a shared responsibility. AWS provides the infrastructure, but customers configure the security settings. Options A (Physical and environmental controls), C (Cloud awareness and training), and E (Application data encryption) are not typically shared responsibilities as per the AWS shared responsibility model. AWS takes care of physical and environmental controls, and customers are responsible for their own cloud awareness and training, as well as data encryption within their applications.

Answer 39

To ensure the company can recover data that is accidentally overwritten or deleted while allowing a large team of researchers to have shared access to the data in Amazon S3, the company should turn on: B. S3 Versioning Amazon S3 Versioning allows you to preserve, retrieve, and restore every version of every object stored in a bucket. This feature is useful for data recovery and maintaining a historical record of changes made to objects. In case of accidental deletions or overwrites, you can retrieve a previous version of the object. Options A (Server access logging), C (S3 Lifecycle rules), and D (Encryption in transit and at rest) are not primarily focused on data recovery for accidental deletions or overwrites. Server access logging records access to objects, Lifecycle rules are used for managing object storage, and encryption addresses security rather than versioning and data recovery.

Answer 40

To host a critical application with minimum latency and sensitivity to interruptions in connectivity, given that the remote site has a slow internet connection, the company should use: C. AWS Wavelength AWS Wavelength is designed to minimize latency for applications that require ultra-low latency and high bandwidth connectivity. It brings AWS services to the edge of the 5G network, allowing you to run your application in proximity to 5G networks. This can significantly reduce the round-trip time for data to travel between the application and the AWS infrastructure. Options A (Availability Zones), B (AWS Local Zones), and D (AWS Outposts) do not specifically address the requirement for minimizing latency for applications sensitive to interruptions in connectivity. AWS Wavelength is designed for low-latency, high-throughput use cases, making it a suitable choice for this scenario.

Answer 41

To migrate applications from an on-premises data center to a VPC in the AWS Cloud while ensuring access to on-premises resources, the following actions can meet these requirements: B. Create a VPN connection between an on-premises device and a virtual private gateway in the VPC. - A VPN connection allows secure communication between the VPC and on-premises resources over the public internet. D. Set up an AWS Direct Connect connection between the on-premises data center and AWS. - AWS Direct Connect provides a dedicated network connection that ensures high bandwidth, low-latency access between the on-premises data center and AWS. Option A (Use AWS Service Catalog) is a service for organizing, governing, and provisioning cloud resources but does not directly address the requirement for connectivity to on-premises resources. Option C (Use an Amazon CloudFront distribution) is a content delivery network service and does not directly provide connectivity to on-premises resources. Option E (Use Amazon CloudFront to restrict access to static web content) pertains to web content delivery and access control and is not related to connecting on-premises resources to a VPC.

Answer 42

To provide secure access to desktop applications running in a fully managed environment in the AWS Cloud, the company should use: B. Amazon AppStream 2.0 Amazon AppStream 2.0 is a service that enables you to securely stream desktop applications to users' web browsers. It allows for secure access to desktop applications from a fully managed environment, with control over user access and resources. This is particularly useful for scenarios where you need to deliver desktop applications securely to remote users. Options A (Amazon S3), C (AWS AppSync), and D (AWS Outposts) have different use cases and are not designed for providing secure access to desktop applications in a fully managed environment as AppStream 2.0 does.

Answer 43

To implement threat detection on AWS infrastructure without deploying additional software, the company should use: C. Amazon GuardDuty Amazon GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior within your AWS environment. It uses machine learning, anomaly detection, and integrated threat intelligence to identify threats without requiring additional software deployment. GuardDuty can help you protect your AWS infrastructure by detecting potential security threats. Options A (Amazon VPC), B (Amazon EC2), and D (AWS Direct Connect) are not specifically designed for threat detection; they are infrastructure and networking services within AWS. GuardDuty is the service tailored for threat detection in AWS environments.

Answer 44

The AWS service that uses edge locations is: B. AWS Global Accelerator AWS Global Accelerator is a service that uses edge locations to route traffic over the AWS global network to the optimal AWS endpoint based on your application's requirements and the health of the endpoints. Edge locations are a critical part of the AWS global network infrastructure, and Global Accelerator leverages them for optimized content delivery and application performance. Options A (Amazon Aurora), C (Amazon Connect), and D (AWS Outposts) are separate services and do not directly use edge locations for traffic optimization in the same way as AWS Global Accelerator.

Answer 45

To eliminate the need to provision and manage container hosts when running Docker containers, the company should use: A. AWS Fargate AWS Fargate is a serverless compute engine for containers. It allows you to run containers without having to manage the underlying infrastructure. With Fargate, you only need to define your application's requirements, and AWS takes care of provisioning, scaling, and managing the containers for you. Options B (Amazon FSx for Windows File Server), C (Amazon Elastic Container Service), and D (Amazon EC2) do not provide the same level of serverless container management as AWS Fargate. Fargate is designed to simplify the deployment and management of containers by abstracting the host infrastructure.

Answer 46

The AWS service or feature that checks access policies and offers actionable recommendations to help users set secure and functional policies is: B. AWS IAM Access Analyzer AWS IAM Access Analyzer is a service that examines your resource policies to identify and provide recommendations on policies that may allow unintended access or that have other security issues. It helps you ensure that your policies are both secure and function as intended, and it provides actionable recommendations to improve your access policies. This is especially useful for maintaining a secure IAM (Identity and Access Management) configuration. Options A (AWS Systems Manager), C (AWS Trusted Advisor), and D (Amazon GuardDuty) have different use cases and do not specifically focus on analyzing and providing recommendations for IAM access policies.

Answer 47

To collect, format, and process data at sea where there is intermittent or no internet connectivity and then move the data to AWS later, the company should use: D. AWS Snowball Edge AWS Snowball Edge is a ruggedized device with on-board compute and storage capabilities. It is designed for use cases where you need to collect and process data in remote or disconnected environments and then transfer that data to AWS when connectivity is available. It can be used to transport data from edge locations, including at sea, to an AWS region. Options A (AWS IoT Core), B (Amazon Lightsail), and C (AWS Storage Gateway) have different use cases and do not provide the same capabilities as AWS Snowball Edge for collecting and transporting data from remote, disconnected environments.

Answer 48

To build a highly available architecture for a new ecommerce platform using only AWS services that replicate data across multiple Availability Zones, the company should use the following services: C. Amazon Aurora - Amazon Aurora is a fully managed, highly available, and scalable relational database service that replicates data across multiple Availability Zones for high availability and durability. D. Amazon DynamoDB - Amazon DynamoDB is a managed NoSQL database service that automatically replicates data across multiple Availability Zones within an AWS region to ensure high availability and fault tolerance. Options A (Amazon EC2), B (Amazon Elastic Block Store), and E (Amazon Redshift) do not inherently replicate data across multiple Availability Zones; this capability depends on the specific configuration and choices made when using these services. For high availability and data replication across Availability Zones, Aurora and DynamoDB are suitable choices.

Answer 49

The characteristic of the AWS Cloud that helps users eliminate underutilized CPU capacity is: B. Elasticity Elasticity in the AWS Cloud allows users to automatically and dynamically scale their resources up or down based on demand. This means that users can easily adjust their resource allocation to match the workload's requirements, eliminating the need for over-provisioning and reducing underutilized CPU capacity. It helps optimize resource utilization and cost-effectiveness by ensuring that you only pay for the resources you actually use.

Answer 50

Service control policies (SCPs) manage permissions for: C. AWS Organizations SCPs are used in AWS Organizations to set fine-grained permissions for member accounts within the organization. They allow you to control what services and actions are allowed or denied for accounts and organizational units (OUs) in the AWS organization. SCPs help you manage and restrict access to AWS services and actions at the organizational level, providing centralized control over permissions.

Answer 51

The AWS service that can be used to encrypt data at rest is: D. AWS Key Management Service (AWS KMS) AWS Key Management Service (KMS) is a fully managed encryption service that allows you to create and control encryption keys used to encrypt and decrypt your data at rest. It provides robust security controls and options for data encryption, making it an essential component for securing data in AWS. While options A (Amazon GuardDuty), B (AWS Shield), and C (AWS Security Hub) are valuable services for security and threat detection, they do not provide data encryption at rest like AWS KMS does.

Answer 52

The advantages of using the AWS Cloud include: B. Compute capacity that is adjusted on demand: - AWS provides the ability to dynamically scale your compute resources up or down based on demand. This elasticity allows you to efficiently allocate resources when needed and reduce them during periods of lower demand. D. Enhanced security: - AWS offers a wide range of security services, features, and best practices to help secure your workloads. AWS has a shared responsibility model, and it provides the tools and services necessary to help you secure your applications and data in the cloud. Options A (A 100% service level agreement), C (Availability of AWS Support for code development), and E (Increases in cost and complexity) do not accurately represent typical characteristics of using the AWS Cloud. While AWS offers SLAs for its services, they vary by service and are not uniformly 100%. AWS Support is available for various purposes, not just code development. The goal of using AWS is often to reduce complexity and cost, not increase it.

Answer 53

To restrict access to objects stored in Amazon S3 and meet compliance obligations, the user should: B. Tag the objects in the S3 bucket. Tagging objects allows you to assign metadata to the objects, and you can use these tags to implement fine-grained access controls based on object metadata. By setting appropriate bucket policies or access control lists (ACLs) based on the tags, you can control who has access to the objects. AWS Identity and Access Management (IAM) policies can also be applied based on object tags to restrict access. Options A (Use AWS Secrets Manager), C (Use security groups), and D (Use network ACLs) do not directly address the need to restrict access to objects in Amazon S3 based on compliance requirements. Tagging is a common method to implement object-level access control in S3.

Answer 54

To convert video and audio files from their source format into a format that will play on smartphones, tablets, and web browsers, you should use: A. Amazon Elastic Transcoder Amazon Elastic Transcoder is a fully managed media transcoding service that allows you to convert media files from their source format into different formats suitable for various devices and playback scenarios, including smartphones, tablets, and web browsers. It's designed to make it easy to transcode and optimize media for delivery over the internet and across different platforms. This service is ideal for tasks like video and audio format conversion, resizing, and more.

Answer 55

The benefits of Amazon EC2 Auto Scaling include: A. Improved health and availability of applications: - Auto Scaling helps maintain the desired number of instances and replaces unhealthy instances, which improves the overall health and availability of applications. It helps ensure that your application can handle changes in traffic and maintain responsiveness. C. Optimized performance and costs: - Auto Scaling can automatically adjust the number of instances in response to changing workloads. This optimization helps control costs by scaling out when traffic is high and scaling in when demand decreases. Options B (Reduced network latency), D (Automated snapshots of data), and E (Cross-Region Replication) are not typically associated with Amazon EC2 Auto Scaling. Auto Scaling primarily focuses on managing the number of EC2 instances based on workload changes to ensure application availability and cost optimization.

Answer 56

To achieve the goal of having all AWS costs on a single invoice while still being able to track costs incurred by each department, the company should use: B. Consolidated billing AWS Consolidated Billing allows an organization to consolidate multiple AWS accounts (belonging to different departments, teams, or business units) into a single paying account. This provides the benefit of a single invoice for all the accounts. However, it also maintains individual billing and cost tracking for each of the linked AWS accounts. Each linked account can continue to access and manage its own resources and services, and the payer account can see the costs associated with each linked account. This way, you can simplify payment while still tracking costs by department or account. Option A (AWS Cost and Usage Reports) is a reporting tool that can provide detailed usage and cost data, but it does not offer the ability to consolidate billing. Options C (Savings Plans) and D (AWS Budgets) are related to cost optimization and budgeting but do not address the consolidation of billing and cost tracking for multiple AWS accounts.

Answer 57

To forecast the cost of running a large application on AWS, the company can use: A. AWS Pricing Calculator The AWS Pricing Calculator is a web-based service provided by AWS that allows you to estimate and calculate the cost of running various AWS services based on your specific usage and requirements. You can input details about the services you plan to use, such as the type and number of instances, storage, data transfer, and more. The calculator provides you with cost estimates and helps you plan your AWS budget. Option B (AWS Budgets) is used for creating and managing custom budgets to track your AWS cost and usage over time, but it is not specifically for forecasting costs. Options C (AWS Trusted Advisor) and D (Cost Explorer) are more focused on providing recommendations and insights into cost optimization and usage, rather than forecasting costs for a specific workload.

Answer 58

The advantage of the AWS Cloud that matches the company's requirements is: D. Pay-as-you-go pricing Pay-as-you-go pricing in the AWS Cloud means that you only pay for the cloud resources you consume, without the need to make upfront commitments or long-term contracts. This eliminates the need to guess infrastructure capacity before deployments and allows you to align your expenses with your actual resource usage. It provides flexibility and cost efficiency by scaling resources up or down as needed, so you can make the most of your budget while avoiding over-provisioning. Option A (Reliability) relates to the availability and durability of AWS services but is not directly related to cost or pricing. Option B (Global reach) is about AWS's presence in multiple regions and does not specifically address pricing. Option C (Economies of scale) is a factor that contributes to the cost-effectiveness of AWS, but it doesn't directly address the elimination of guessing infrastructure capacity and pay-as-you-go pricing.

Answer 59

The AWS service that supports a hybrid architecture, enabling users to extend AWS infrastructure, AWS services, APIs, and tools to data centers, co-location environments, or on-premises facilities, is: C. AWS Outposts AWS Outposts is a service that allows you to run AWS infrastructure and services on-premises. It extends the AWS cloud to your own data centers or co-location facilities, creating a seamless hybrid architecture that integrates your on-premises environment with AWS. This enables you to leverage the benefits of AWS services locally while still having the ability to connect and manage your on-premises resources. Options A (AWS Snowmobile), B (AWS Local Zones), and D (AWS Fargate) are AWS services with different purposes and do not primarily focus on hybrid architectures or extending on-premises environments.

Answer 60

To extend the capacity of a physical tape library to the AWS Cloud, the company should use: D. AWS Storage Gateway AWS Storage Gateway is a service that enables hybrid cloud storage between on-premises environments and AWS. It allows you to seamlessly integrate your on-premises applications and storage with the AWS Cloud. One of the modes of AWS Storage Gateway is the "Tape Gateway" mode, which helps you extend your existing backup infrastructure to the cloud. This mode allows you to store backups in Amazon S3 and Amazon S3 Glacier, providing an efficient and cost-effective way to extend your backup capabilities. Options A (Amazon EBS), B (Amazon S3), and C (Amazon EFS) are AWS storage services, but they do not directly address the need to extend a physical tape library's capacity to the AWS Cloud in the same manner as AWS Storage Gateway's Tape Gateway mode.

Answer 61

The advantages of moving to the AWS Cloud that would MOST benefit the online retail company with seasonal sales spikes are: B. Elasticity: Elasticity in the AWS Cloud allows the company to dynamically adjust its infrastructure resources to meet varying demand. During seasonal sales spikes, the company can easily scale up its resources to handle the increased workload and scale down during periods of lower demand. This elasticity ensures that the company can efficiently manage its infrastructure without over-provisioning or incurring unnecessary costs. E. Pay-as-you-go pricing: Pay-as-you-go pricing in the AWS Cloud means the company only pays for the resources it consumes, allowing cost optimization during periods of lower demand. The company can avoid upfront capital expenses and adapt its spending to align with business needs, especially during seasonal peaks. Options A (Global footprint), C (AWS service quotas), and D (AWS shared responsibility model) are valuable aspects of the AWS Cloud, but they are not as directly related to addressing the company's challenges with seasonal sales spikes and infrastructure demand management as the elasticity and pay-as-you-go pricing advantages.

Answer 62

A. Amazon Polly Amazon Polly is the AWS service that can be used to turn text into lifelike speech. It provides text-to-speech capabilities, allowing you to convert text input into natural-sounding speech in various languages and voices.

Answer 63

A. VPC Flow Logs Amazon VPC Flow Logs is the AWS service or tool that can be used to capture information about inbound and outbound traffic in an Amazon Virtual Private Cloud (VPC). VPC Flow Logs provide detailed network traffic information, which can be useful for monitoring, troubleshooting, and analyzing network activity within a VPC.

Answer 64

B. Place the EC2 instances in two separate Availability Zones within the same AWS Region. To ensure that two Amazon EC2 instances are in separate data centers with minimal communication latency between the data centers, you should place the EC2 instances in two separate Availability Zones within the same AWS Region. Availability Zones are designed to provide physically separated and isolated data centers with low-latency connections, making them an ideal choice for high availability and minimal latency between instances.

Answer 65

A. When an application that runs on Amazon EC2 instances requires access to other AWS services B. When the company creates AWS access credentials for individuals IAM users are typically used in scenarios where individuals or applications require access to AWS services and resources. For example: A. When an application running on Amazon EC2 instances requires access to other AWS services, you can create an IAM user and assign necessary permissions to that user, and then configure the application to use the IAM user's credentials for authentication and access. B. When the company creates AWS access credentials for individuals, such as employees or partners, you can create IAM users for them to provide secure and controlled access to AWS resources. IAM roles, on the other hand, are typically used for applications and services that run on AWS resources like EC2 instances, Lambda functions, or containers. Roles allow these resources to securely make requests to other AWS services without needing to store long-term access keys or credentials.

Answer 66

B. Amazon RDS E. Amazon Elastic File System (Amazon EFS) Amazon RDS (Relational Database Service) is a managed relational database service that allows you to create, read, and write data to a database that can handle frequent data changes and transactions. Amazon Elastic File System (Amazon EFS) is a managed file storage service that's designed to work with multiple EC2 instances, making it suitable for reading and writing data that changes frequently and needs to be shared across multiple compute resources.

Answer 67

C. AWS KMS (Key Management Service) AWS Key Management Service (KMS) is used to provide encryption for Amazon EBS (Elastic Block Store) volumes. It allows you to create and manage encryption keys that can be used to protect data at rest.

Answer 68

B. Amazon CloudFront C. AWS Global Accelerator Amazon CloudFront and AWS Global Accelerator both make use of AWS's global edge locations to deliver content and improve the availability and performance of web applications. These edge locations are distributed worldwide to cache and serve content closer to end-users.

Answer 69

C. AWS Outposts AWS Outposts is designed to extend AWS infrastructure to on-premises locations, including factories. It allows you to run AWS services on-premises with the same APIs and control plane used in the AWS Cloud. This would provide the ability to process data, store data, and run applications with low latency while maintaining a local system's interdependencies.

Answer 70

D. Avoid monolithic architecture by segmenting workloads. Segmenting workloads into smaller, loosely coupled components is a recommended design principle for AWS Cloud architecture. Monolithic architectures can be less flexible and more challenging to scale and manage, while segmenting workloads into smaller components promotes agility, scalability, and easier maintenance.

Answer 71

C. Operational excellence Designing workloads to be updated regularly, and making changes in small, reversible increments aligns with the pillar of operational excellence. It encourages best practices for operational processes, such as automation, frequent updates, and the ability to quickly adapt to changes, ensuring that systems are running efficiently and reliably.

Answer 72

B. Security groups Security groups act as an instance-level firewall to control inbound and outbound access to Amazon EC2 instances. They allow you to specify rules that control the traffic to and from your instances. Network access control lists (NACLs) operate at the subnet level, and they provide additional network-level controls for inbound and outbound traffic. Virtual private gateways are used in VPN connections, and AWS Trusted Advisor is a service that helps optimize your AWS infrastructure but is not used for firewall rules.

Answer 73

B. Partial Upfront Reserved Instances To run a workload continuously for one year without any interruptions and make it cost-effective, you can use Partial Upfront Reserved Instances. Reserved Instances offer significant cost savings compared to On-Demand Instances, and Partial Upfront Reserved Instances allow you to pay part of the cost upfront, reducing the hourly rate you pay for your instances while maintaining availability and predictability. This is an ideal option for a continuous, one-year workload that cannot tolerate service interruptions. Dedicated Instances might be used for compliance or security reasons but don't inherently provide cost savings. On-Demand Instances would be more expensive over a one-year period compared to Reserved Instances.

Answer 74

A. AWS Shield AWS Shield is the service designed to protect against Distributed Denial of Service (DDoS) attacks. It provides protection for AWS resources and applications against various types of DDoS attacks, helping to ensure the availability of your applications and data.

Answer 75

A. Security Using AWS Config to record, audit, and evaluate changes to AWS resources is primarily focused on the "Security" pillar of the AWS Well-Architected Framework. It helps to enhance security by providing visibility into changes made to your AWS resources and helps you maintain compliance and traceability.

Answer 76

B. Network ACL Network Access Control Lists (Network ACLs) in AWS act as a VPC firewall at the subnet level. They are used to control inbound and outbound traffic at the subnet level, allowing you to define rules to permit or deny traffic based on IP addresses, port ranges, and protocols. Security groups, on the other hand, are used to control traffic at the instance level.

Answer 77

The AWS service that can be used to decouple applications is **Amazon Simple Queue Service (Amazon SQS)**. Amazon SQS is a fully managed message queuing service that enables decoupling of application components or microservices. It allows different parts of an application to communicate by sending messages to a central queue, which can then be consumed by other components when they are ready. This decoupling can help improve system scalability, reliability, and flexibility.`

Answer 78

The **"Pilot light"** disaster recovery option is typically the least expensive among the provided options. In a "Pilot light" scenario, the essential components of an application or system are pre-configured and ready to launch in case of a disaster. This minimal setup often involves only core components or databases that are kept in a standby state. It is more cost-effective compared to a warm standby or multisite option because it involves less infrastructure and fewer active resources. Here's a brief overview of each option: - **Warm standby** involves having a scaled-down version of your environment running and partially active. It's more expensive than a "Pilot light" because it requires more resources to be actively running. - **Multisite** is a high-availability setup where you have active sites in multiple locations. While it offers excellent redundancy and availability, it's typically more expensive due to the infrastructure and data replication requirements. - **Backup and restore** is a backup solution but doesn't provide immediate recovery options like the other three methods. It's essential for data recovery but doesn't offer the same level of continuity as the others. The "Pilot light" option ensures that your critical components can be quickly scaled up if needed, but it doesn't keep all components running at all times, which helps minimize costs.

Answer 79

The type of AWS storage that is ephemeral and is deleted when an Amazon EC2 instance is stopped or terminated is **Amazon EC2 instance store** (option B). EC2 instance store is local, temporary storage that is physically attached to the host machine of an EC2 instance. It is often used for temporary storage of data that doesn't need to be persistent, such as caching, temporary files, or scratch data. However, data stored on EC2 instance store volumes is lost when the instance is stopped or terminated, as it is tied to the lifecycle of the instance itself. In contrast, Amazon Elastic Block Store (EBS) provides persistent block storage that can be detached from an EC2 instance and attached to another, making it suitable for storing data that needs to persist beyond the lifecycle of an instance. Amazon Elastic File System (EFS) is a network-attached file storage service, and Amazon S3 is an object storage service, both of which are designed for durable, highly available, and scalable storage.

Answer 80

The characteristic of the AWS account root user is: C. **The root user is the first sign-in identity that is available when an AWS account is created.** The root user is created by default when an AWS account is set up. It has the highest level of privilege in the AWS account and can perform any action in the account. It is important to secure the root user's credentials, as it is the most powerful and should be used only for initial setup and emergency situations. It's recommended to configure multi-factor authentication (MFA) for the root user for added security. Other users and roles should be created for day-to-day operations to follow best security practices.

Answer 81

The **MOST operationally efficient solution** to delegate permissions for an Amazon EC2 instance to access AWS resources like Amazon S3 and Amazon DynamoDB is: **A. Create an IAM role with the required permissions and attach the role to the EC2 instance.** By using IAM roles and attaching them to the EC2 instance, you can provide secure and temporary credentials to the EC2 instance without needing to manage access keys directly. This approach is more secure and operationally efficient compared to using IAM users' access keys in your EC2 instance. Using IAM roles for EC2 instances is the recommended best practice for delegating permissions and ensuring the security of your AWS resources. Options B and C suggest using IAM users' access keys, which is not the best practice for EC2 instances, as it requires manual management of access keys and can be less secure. Option D is not operationally efficient and is not the best practice, as it suggests attaching a role to an administrative IAM user, which doesn't directly address the requirement of granting permissions to an EC2 instance.

Answer 82

**B. AWS Regions** is a component of the AWS Global Infrastructure. AWS Regions are physical locations around the world where AWS has data centers. Each AWS Region is a separate geographic area and is entirely isolated from the other AWS Regions to provide fault tolerance. AWS customers can choose the AWS Region where they want to run their applications and services, allowing them to be close to their end-users or meet data residency requirements. Options A, C, and D are not components of the AWS Global Infrastructure. Amazon Alexa is a voice-controlled virtual assistant, Amazon Lightsail is a simplified virtual server offering, and AWS Organizations is a service for managing multiple AWS accounts.

Answer 83

**B. To allow communication between the VPC and the internet** is the purpose of having an internet gateway within a VPC. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It serves as a gateway for traffic to and from the internet, enabling resources within your VPC to access the internet or be accessed from the internet. Options A, C, and D do not accurately describe the primary purpose of an internet gateway within a VPC. An internet gateway does not create VPN connections, impose bandwidth constraints, or load balance traffic from the internet across Amazon EC2 instances.

Answer 84

**C. AWS Artifact** allows users to download security and compliance reports about the AWS infrastructure on demand. AWS Artifact provides access to various compliance reports, including SOC reports, PCI DSS reports, and more. Users can access and download these reports to help demonstrate and validate their security and compliance efforts in the AWS Cloud.

Answer 85

**C. AWS Transit Gateway** should be used by the pharmaceutical company to help simplify management and reduce operational costs when interconnecting thousands of VPCs across various AWS accounts within a single AWS Region. AWS Transit Gateway acts as a hub for connecting multiple VPCs and VPN connections, making it easier to manage and scale the network connectivity within your AWS environment. It provides a centralized and simplified way to route traffic and enforce policies across interconnected VPCs. This is particularly useful in scenarios with a large number of VPCs that need to communicate efficiently.

Answer 86

**D. AWS Pricing Calculator** can provide a cost estimate for running infrastructure in the AWS Cloud. The AWS Pricing Calculator is a web-based tool that allows you to estimate your monthly bill based on your expected usage of AWS services and resources. It helps you understand the cost implications of your architectural decisions and allows you to plan and budget for your AWS infrastructure before deployment. You can input details about the services and resources you plan to use, and it will provide you with a cost estimate based on that information.

Answer 87

**B. AWS Organizations** helps to centrally manage billing and allows controlled access to resources across AWS accounts. AWS Organizations is a service that allows you to centrally manage multiple AWS accounts within your organization. It helps you consolidate billing, apply policies across accounts, and simplify the management of your AWS resources. By using AWS Organizations, you can create a hierarchical structure of accounts and apply Service Control Policies (SCPs) to control the actions that accounts and their users can perform within the organization. This allows for better resource governance and cost management across multiple AWS accounts.

Answer 88

**B. Subnets; internet gateways** are Amazon Virtual Private Cloud (Amazon VPC) resources. Amazon VPC resources include subnets, route tables, network ACLs, security groups, internet gateways, and more. These resources are used to configure and control your VPC's network environment within AWS. Subnets are logical divisions of an IP address range within your VPC, and internet gateways enable outbound and inbound traffic between your VPC and the internet.

Answer 89

**B. AWS CloudTrail** provides the capability to track user access to the AWS Management Console and other AWS services. You can use CloudTrail logs to identify when specific users accessed the AWS Management Console and what actions they performed, including the last time they accessed it. CloudTrail records API calls, including console sign-in events, which can be used to audit user activity in AWS.

Answer 90

To connect to an Amazon EC2 instance launched with the latest Amazon Linux 2 AMI, you can use the following methods: **A. Use Amazon EC2 Instance Connect:** This allows you to connect directly from the AWS Management Console or using the AWS CLI without requiring a separate key pair. **D. Use AWS Systems Manager Session Manager:** AWS Systems Manager provides a secure and auditable way to access EC2 instances. Session Manager is a part of AWS Systems Manager that allows you to connect to and manage your instances through a web-based shell or the AWS CLI. Remote Desktop Protocol (RDP) connections (option B) are typically used for Windows instances, and AWS Batch (option C) is used for batch processing, not for interactive instance access. Amazon Connect (option E) is a service for setting up cloud-based contact centers and is not used for connecting to EC2 instances.

Answer 91

To perform sentiment analysis on customer service email messages and identify whether the customer service engagement was positive or negative, the company should use **Amazon Comprehend (option C)**. Amazon Comprehend is a natural language processing (NLP) service that includes sentiment analysis as one of its features. It can analyze text to determine the sentiment, such as positive, negative, or neutral, in the given content. Options like Amazon Textract (option A) are used for text extraction from documents, Amazon Translate (option B) is used for language translation, and Amazon Rekognition (option D) is used for image and video analysis. These services are not designed for sentiment analysis.

Answer 92

Amazon S3 (Simple Storage Service) does not have a fixed total amount of storage. It is a scalable and highly flexible object storage service that allows users to store as much data as they need. The amount of storage you can use in Amazon S3 is virtually unlimited, and you can scale your storage needs based on your requirements. Therefore, the correct answer is **D. Unlimited.**

Answer 93

For a large-scale data migration like this, where you need to transfer a significant amount of data to Amazon S3 within a specified time frame, **AWS Snowball** is the most suitable service. AWS Snowball is a physical data transfer service that allows you to securely move large amounts of data into and out of AWS. It provides a physical storage device that you can ship to your data center for the initial data transfer. Once the data is loaded onto the Snowball device, you can ship it back to AWS, where the data is then imported into an S3 bucket. In this case, you can use AWS Snowball to transfer the 60 TB of data from your on-premises data center to AWS within the 10-day timeframe. Snowball offers a secure and efficient way to handle large data transfer tasks.

Answer 94

Amazon DynamoDB is a NoSQL database service provided by AWS. It is specifically categorized as a **key-value** and **document database**. While it primarily stores data in a key-value format, it also allows you to store more complex data structures, including documents, lists, or maps. DynamoDB is designed for high availability, scalability, and low-latency performance.

Answer 95

Reconfiguring a single AWS account into multiple AWS accounts provides several advantages, but not all the options you mentioned are correct: A. It allows for administrative isolation between different workloads. - **Advantage:** By having separate AWS accounts for different workloads or teams, you can enforce stricter access control and isolate administrative responsibilities. D. Having multiple accounts reduces the risks associated with malicious activity targeted at a single account. - **Advantage:** Isolating workloads into separate accounts helps limit the blast radius in case of security breaches or malicious activity in one account, reducing the overall risk. Options B, C, and E are not valid advantages of having multiple AWS accounts: B. Discounts can be applied on a quarterly basis by submitting cases in the AWS Management Console. - Discounts and pricing depend on various factors but are not typically tied to the number of AWS accounts. C. Transitioning objects from Amazon S3 to Amazon S3 Glacier in separate AWS accounts will be less expensive. - This statement doesn't accurately describe the cost model for transitioning objects between Amazon S3 and Amazon S3 Glacier. E. Amazon QuickSight offers access to a cost tool that provides application-specific recommendations for environments running in multiple accounts. - While AWS provides various cost management tools, this specific statement doesn't accurately represent the functionality of Amazon QuickSight or AWS cost management tools.

Answer 96

To protect against SQL injection attacks in this scenario, you should use AWS Web Application Firewall (WAF). B. AWS WAF (Amazon Web Application Firewall) allows you to create custom rules and WebACLs (Web Access Control Lists) to protect your web applications from common web exploits, including SQL injection attacks. You can configure AWS WAF with your Application Load Balancer (ALB) to inspect incoming web requests and filter out malicious traffic based on the rules you set. This helps protect your application from common security threats. So, the correct answer is option B: AWS WAF.

Answer 97

C. AWS Trusted Advisor provides features that allow you to proactively monitor and plan for the service quotas (also known as limits) of AWS resources. It can give you recommendations and notifications regarding the AWS resource limits associated with your account and help you optimize your AWS infrastructure. This can help you avoid unexpected resource limit issues and potential service disruptions. So, the correct answer is option C: AWS Trusted Advisor.

Answer 98

A. Elimination of expenses for running and maintaining data centers Moving on-premises workloads to the AWS Cloud often eliminates the need for organizations to run and maintain their own data centers. This can result in cost savings associated with data center infrastructure, including hardware, cooling, power, physical security, and staffing costs. AWS takes over the operational responsibilities for the underlying infrastructure, allowing users to focus more on their applications and data rather than managing data centers. It's important to note that while the operational burden may be reduced, AWS customers still retain certain responsibilities, depending on the AWS shared responsibility model.

Answer 99

B. Anticipate failure. In the operational excellence pillar of the AWS Well-Architected Framework, one of the key design principles is to "anticipate failure." This principle encourages organizations to design their systems with the assumption that components can fail at any time. By designing for failure, you can build systems that are resilient, highly available, and capable of recovering from disruptions. While creating annotated documentation, ensuring performance efficiency, and optimizing costs are important aspects of architecture and operational excellence, "anticipating failure" specifically addresses the need to design for resilience and reliability in the face of unexpected failures.

Answer 100

A. Amazon Simple Notification Service (Amazon SNS) E. Amazon DynamoDB Amazon Simple Notification Service (SNS) and Amazon DynamoDB are AWS services that offer gateway VPC endpoints, allowing you to access these services without sending traffic over the public internet. This enhances security and reduces exposure to the public internet when interacting with these services from within your Amazon Virtual Private Cloud (VPC).

Answer 101

C. AWS Directory Service for Microsoft Active Directory In the AWS shared responsibility model, for AWS Directory Service for Microsoft Active Directory, the customer is typically responsible for maintaining the operating system and applications within the instances, which includes updating and patching. AWS manages the underlying infrastructure and the Directory Service itself.

Answer 102

B. The customer only According to the AWS shared responsibility model, patching the host operating system of an Amazon EC2 instance is the responsibility of the customer. AWS is responsible for the underlying infrastructure, but the customer is responsible for managing the software and configurations of their EC2 instances. This includes applying patches and updates to the guest operating system.

Answer 103

B. Open a support case and request that AWS patch the DB instance operating system. According to the AWS shared responsibility model, AWS is responsible for the infrastructure and underlying software, including patching and maintaining the operating system of the RDS DB instances. Customers are responsible for the configurations, data, and applications they run on these instances. In the case of Amazon RDS, AWS manages the operating system patches as part of its service offering, and customers can request that AWS applies the necessary patches through a support case or by following the guidance provided by AWS for such updates. Therefore, option B is the appropriate choice.

Answer 104

B. A Well-Architected review helps identify design gaps and helps evaluate design decisions and related documents. An AWS Well-Architected review is a critical part of the cloud design process because it helps organizations assess the design of their workloads, applications, and infrastructure in terms of best practices, operational excellence, security, reliability, performance efficiency, and cost optimization. The review helps identify design gaps, vulnerabilities, and areas for improvement, ensuring that the architecture aligns with AWS best practices and meets the organization's specific requirements. It is not mandatory for all workloads but is highly recommended for organizations seeking to build robust and efficient architectures in the AWS Cloud.

Answer 105

The action of implementing an Amazon EC2 Auto Scaling policy along with an Application Load Balancer to automatically recover unhealthy applications that run on Amazon EC2 instances primarily covers the "Reliability" pillar of the AWS Well-Architected Framework. The "Reliability" pillar focuses on ensuring that a workload performs as expected, even in the face of failures or disruptions. Auto Scaling and Load Balancers are key components of building reliable and fault-tolerant systems. Auto Scaling helps in ensuring that your application can handle varying workloads by automatically adding or removing instances, and the Load Balancer helps distribute traffic and route it away from unhealthy instances, increasing the reliability of the application. While other pillars like "Security," "Performance Efficiency," and "Operational Excellence" are important considerations, the primary focus of this action is to enhance the reliability of the architecture.

Answer 106

The AWS Cloud benefit shown by an architecture's ability to withstand failures with minimal downtime is "High availability." High availability refers to a system's ability to remain operational and accessible even in the presence of failures, such as hardware failures, software failures, or other disruptions. Achieving high availability is a critical aspect of building resilient and reliable architectures in the cloud. Architectures that are designed for high availability are structured in a way that minimizes downtime and ensures that services remain accessible to users, even in the event of failures. While "Agility," "Elasticity," and "Scalability" are also important benefits of AWS cloud services, they are not specifically related to the ability to withstand failures with minimal downtime. High availability is the term that directly addresses this capability.

Answer 107

Under the AWS shared responsibility model, the customer's responsibility when managing AWS Lambda functions includes: D. Updating the Lambda runtime environment. The AWS Lambda runtime environment is the environment in which your Lambda function runs. It includes the language runtime, libraries, and dependencies necessary for your function to execute. As a customer, you are responsible for ensuring that your Lambda function's code and any associated dependencies are up to date and compatible with the chosen runtime environment. AWS manages the infrastructure and operational aspects of Lambda, such as server and operating system maintenance, scaling, and hardware provisioning.

Answer 108

B. A primary point of contact for AWS Billing and AWS Support. The AWS Concierge Support team provides customers with a primary point of contact for AWS Billing and AWS Support. This team assists with billing and account-related inquiries and issues, making it easier for customers to manage their AWS accounts and access AWS support resources. While the other options (A, C, and D) may be available through other AWS support offerings, the primary role of the Concierge Support team is to assist with billing and account-related matters.

Answer 109

To meet the requirement of generating reports that can break down cloud costs by product, by company-defined tags, and by hour, day, and month, the company should use: D. AWS Cost and Usage Reports. AWS Cost and Usage Reports provide detailed, comprehensive data about your AWS usage and costs. You can use these reports to break down costs by various dimensions, including product, tags, and time intervals like hour, day, and month. This allows you to analyze your AWS spending in a highly customizable way, making it a suitable choice for the specified reporting needs.

Answer 110

The AWS service that the company can use to trace user requests as they move through the application's components, such as the Amazon API Gateway API, AWS Lambda function, and Amazon DynamoDB database, is: D. AWS X-Ray. AWS X-Ray is a distributed tracing service that helps you analyze and understand how your applications are performing and how they interact with different components. It allows you to trace and monitor requests as they traverse various AWS services and microservices in your application. This service provides insights into request latency, error rates, and can help you identify performance bottlenecks and troubleshoot issues in a serverless or microservices architecture.

Answer 111

To set up a petabyte-scale data warehouse in the AWS Cloud, the appropriate AWS service to meet this requirement is: C. Amazon Redshift. Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the AWS Cloud. It is specifically designed for large-scale data warehousing and analytics. It offers high performance, scalability, and the ability to handle very large datasets, making it an ideal choice for data warehousing at a petabyte scale.

Answer 112

Among the options listed, AWS Identity and Access Management (IAM) is always provided at no charge. AWS IAM allows you to manage access to AWS services and resources securely, and there is no cost associated with creating and using IAM users, roles, and policies. While some other AWS services may have free usage tiers or offer a limited amount of free usage for new customers, IAM itself is always free to use and manage access to your AWS resources.

Answer 113

To design an AWS disaster recovery plan that covers multiple geographic areas, you should: C. Configure the architecture across multiple AWS Regions. Configuring the architecture across multiple AWS Regions is a key strategy for disaster recovery and high availability. Each AWS Region is a separate geographic area with its own data centers and infrastructure. By replicating your resources and data across multiple AWS Regions, you ensure that your applications and data can be quickly recovered and made available in the event of a disaster in one Region. This approach helps to provide geographic redundancy and minimize downtime.

Answer 114

A. Compute instances can be launched and terminated as needed to optimize costs. One of the significant benefits of moving from an on-premises data center to the AWS Cloud is the ability to use compute instances as needed and scale them up or down based on demand. This flexibility allows you to optimize costs by only running instances when necessary and terminating them when not in use. This elasticity is a key advantage of cloud computing, as it helps you avoid the need to permanently run instances at peak load (Option D) and allows you to efficiently manage your compute costs.

Answer 115

Two ways in which the AWS Cloud offers a lower total cost of ownership (TCO) of computing resources compared to on-premises data centers are: A. AWS replaces upfront capital expenditures with pay-as-you-go costs: With AWS, you don't need to make large upfront capital expenditures for infrastructure and hardware. Instead, you pay for the resources you use on a pay-as-you-go basis. This model reduces the financial burden of acquiring and maintaining physical hardware. D. AWS uses economies of scale to continually reduce prices: AWS can take advantage of its large scale and global presence to negotiate lower hardware costs, and these cost savings are often passed on to customers in the form of reduced prices for various AWS services. As AWS grows and improves its infrastructure, it can offer more cost-effective solutions to its customers. While the other options (B, C, and E) have their own benefits, they are not directly related to reducing TCO when compared to on-premises data centers.

Answer 116

The AWS service that monitors AWS accounts for security threats is: A. Amazon GuardDuty. Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized activities in your AWS accounts and workloads. It uses machine learning and anomaly detection to identify potential security threats, including unusual API calls, unauthorized access, and other suspicious activities, helping you improve the security of your AWS resources.

Answer 117

B. Designated support from an AWS technical account manager (TAM). An AWS Enterprise Support plan includes designated support from an AWS Technical Account Manager (TAM). A TAM is a technical advisor who provides personalized support, helps with architectural guidance, and assists in optimizing your AWS environment. TAMs work closely with your organization to help you make the most of AWS services and improve your overall AWS experience. This level of support is a key benefit of the AWS Enterprise Support plan.

Answer 118

C. Encrypt user network traffic. AWS automatically encrypts user network traffic for services where encryption is applicable. For example, when you enable Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for a service like Amazon S3, Amazon RDS, or Amazon API Gateway, AWS automatically handles the encryption of data in transit. The other options may require user configuration or involve actions performed by the user, such as managing encryption for data at rest in Amazon DynamoDB (Option A), patching Amazon EC2 instances (Option B), and creating TLS certificates for users' websites (Option D).

Answer 119

C. Cost Explorer. Cost Explorer is an AWS service that allows a company to visualize, understand, and manage AWS spending and usage over time. It provides various tools and features to help analyze and explore your AWS cost and usage data, allowing you to view historical trends, create custom reports, set up cost and usage budgets, and more. It's a valuable tool for tracking and managing your AWS spending.

Answer 120

To meet the requirement of keeping data local and on premises while maintaining low latency between AWS and company resources, the appropriate AWS service or feature is: C. AWS Outposts. AWS Outposts is a service that enables you to run AWS infrastructure and services on-premises. It extends the AWS cloud capabilities to your data center or co-location facility, allowing you to keep data on premises while still benefiting from the AWS ecosystem and services. AWS Outposts can be used to meet regulatory requirements and maintain low-latency connections between your on-premises resources and AWS services. This can help create a hybrid cloud environment with low-latency connectivity.

Answer 121

To create an isolated environment within AWS for security purposes, you should: B. Create a separate VPC (Virtual Private Cloud) to host the resources. A VPC allows you to create an isolated network environment within AWS where you can define your own IP address range, control network settings, and implement network security measures. By creating a separate VPC, you can keep your resources separate and isolated from other VPCs, ensuring the security and isolation required by your organization's security policies. While the other options (A, C, and D) have their own use cases and purposes, they do not directly provide the isolation and security typically achieved by creating a separate VPC.

Answer 122

C. Amazon Route 53. Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service provided by AWS. It offers DNS and domain registration services, allowing you to route internet traffic to your applications or services running on AWS or elsewhere. Route 53 is designed for high availability, low latency, and scalability, making it suitable for managing domain names and DNS resolution for a wide range of applications and services.

Answer 123

B. Enable multi-factor authentication (MFA) for the root user. Enabling multi-factor authentication (MFA) for the root user is an important AWS best practice for enhancing security. MFA adds an extra layer of protection by requiring the user to provide a second authentication factor (typically a temporary code from a hardware or software token) in addition to the password when logging in. This helps prevent unauthorized access to the AWS account, even if the password is compromised. The other options, such as keeping the root user password with the security team (Option A), creating an access key for the root user (Option C), or keeping the root user password consistent for compliance purposes (Option D), are generally not recommended best practices for the root user because they can introduce security risks or compliance issues. It's important to secure the root user account and only use it for specific administrative tasks.

Answer 124

B. AWS Systems Manager Session Manager. AWS Systems Manager Session Manager provides a more secure and auditable way to access Amazon EC2 instances remotely without having to open inbound SSH ports or manage SSH keys. It allows you to establish secure, encrypted sessions to your instances using AWS Identity and Access Management (IAM) roles and policies. This approach not only enhances security but also provides detailed audit trails of who accessed instances, what commands were executed, and when the sessions occurred, which is valuable for compliance and security monitoring.

Answer 125

D. All upfront payment. Among the pricing options for Amazon EC2 Dedicated Host reservations, making an all upfront payment provides the largest discount. When you pay all upfront, you are committing to the entire cost of the reservation upfront, and AWS typically offers the most significant discount for this payment option. It reduces the effective hourly rate over the term of the reservation, providing cost savings compared to hourly on-demand or partial upfront payment options.

Answer 126

C. Architecture optimization. The example of a company refining its workload to use specific AWS services to improve efficiency and reduce costs is a demonstration of the best practice of architecture optimization. Optimizing your architecture involves choosing the right AWS services and configurations to match the requirements of your workloads while minimizing costs. It's a key aspect of cost governance because it focuses on designing your infrastructure to be cost-efficient and aligning it with your business objectives. While cost allocation, tagging enforcement, and resource controls are important components of cost governance, architecture optimization plays a significant role in cost reduction and efficiency improvements.

Answer 127

To host MySQL databases on AWS and maintain full control over the operating system, database installation, and configuration, the company should use: B. Amazon EC2 (Elastic Compute Cloud). Amazon EC2 provides virtual machines that allow you to install and configure your database software, including MySQL, on the operating system of your choice. With EC2, you have full control over the environment, and you can tailor it to your specific requirements. While Amazon RDS and Amazon Aurora are managed database services that offer convenience and automation, they may not provide the level of control and customization that you need in this scenario. Amazon DynamoDB, on the other hand, is a NoSQL database service and not suitable for hosting MySQL databases.

Answer 128

D. The AWS infrastructure consists of isolated AWS Regions with independent Availability Zones that are connected with low-latency networking and redundant power supplies. The AWS global infrastructure is designed to offer high availability and fault tolerance to its users through the use of isolated AWS Regions and independent Availability Zones. Each AWS Region is a separate geographic area with its own set of Availability Zones, which are essentially separate data centers with redundant power, cooling, and network connectivity. The isolation and redundancy provided by these Regions and Availability Zones help ensure that services remain available even in the face of failures or disruptions in one part of the infrastructure. This design enhances the reliability and fault tolerance of AWS services.

Answer 129

The use of Amazon EC2 Auto Scaling to scale Amazon EC2 instances illustrates the benefit of: B. Elasticity. Elasticity is one of the core benefits of the AWS Cloud. With Auto Scaling, a company can automatically adjust its compute capacity (in this case, EC2 instances) based on actual demand. This ensures that the application can handle varying workloads and scale up or down as needed, helping to optimize costs and maintain performance. Elasticity is a key advantage of cloud computing, allowing organizations to efficiently allocate resources to meet demand and improve overall operational efficiency.

Answer 130

A. Amazon Simple Notification Service (Amazon SNS). Amazon Simple Notification Service (Amazon SNS) is used to send messages (including both text messages and email messages) from distributed applications to a variety of endpoints, including email, SMS, HTTP, and more. It's a flexible, fully managed notification service that enables you to publish and subscribe to messages, making it useful for a wide range of messaging and notification scenarios.

Answer 131

D. AWS Organizations. A user can set up a master payer account to view consolidated billing reports through AWS Organizations. AWS Organizations is a service that enables you to consolidate and manage multiple AWS accounts. It provides consolidated billing and a way to organize and manage accounts in a hierarchy. Through AWS Organizations, the master payer account can see consolidated billing reports that include the costs and usage of all linked accounts, making it easier to manage and analyze the overall AWS costs for an organization.

Answer 132

D. Updating the guest operating system on Amazon EC2 instances. According to the AWS shared responsibility model, the customer is responsible for tasks related to the guest operating system, including security patches, updates, and configurations, when using Amazon Elastic Compute Cloud (EC2) instances. AWS is responsible for the underlying infrastructure, including the physical hardware and virtualization infrastructure. The customer, on the other hand, is responsible for the guest operating system, the application software, and the data within the EC2 instances.

Answer 133

B. Amazon Lightsail. Amazon Lightsail is a simplified compute service that is designed for users with limited operational knowledge. It's an ideal service for quickly migrating a small website and database from on-premises infrastructure to the AWS Cloud. It provides a simple and easy-to-use platform for hosting web applications, websites, and databases, making it suitable for users who may not have extensive AWS experience. Lightsail offers pre-configured instances, databases, and application stacks, making the migration process straightforward and user-friendly.

Answer 134

D. Create cost allocation tags. To monitor AWS Cloud costs incurred by each application within a single AWS account, you can use cost allocation tags. By creating and assigning specific tags to your AWS resources, you can categorize costs by application, environment, or any other meaningful dimension. This allows you to track spending at a granular level and generate reports based on the allocated tags, helping you understand the cost breakdown for each application. Cost allocation tags are a powerful tool for cost management and monitoring in a multi-application environment.

Answer 135

C. Testing recovery procedures. The reliability pillar of the AWS Well-Architected Framework emphasizes the importance of designing systems that can recover from failures and disruptions. This design principle is achieved by testing recovery procedures, ensuring that your systems can gracefully handle failures and recover in a reliable and predictable manner. Testing recovery procedures is a key aspect of building resilient and reliable architectures in the cloud. Vertical scaling (Option A) and manual failure recovery (Option B) are not specific design principles related to the reliability pillar. Changing infrastructure manually (Option D) can introduce risks and is generally not a recommended practice for achieving reliability.

Answer 136

B. Amazon DynamoDB DynamoDB is a fully managed NoSQL database service offered by AWS. With DynamoDB, users do not have to provision or manage servers or other database infrastructure. DynamoDB handles all the hardware provisioning, software patching, setup, configuration, and backups required to run a highly available database. RDS (A) provides managed relational databases, but requires the user to choose a specific database engine like MySQL or PostgreSQL. Aurora (C) is a relational database compatible with MySQL and PostgreSQL, but still requires more management than a fully managed NoSQL option. Redshift (D) is a data warehouse service, not a general purpose NoSQL database. So DynamoDB is the best option for quickly deploying a managed NoSQL database on AWS without infrastructure management overhead.

Answer 137

C. Installing the database engine When using Amazon RDS, AWS handles the installation, upgrades, and configuration of the underlying database engine (such as MySQL, PostgreSQL, etc). Tasks like creating tables, updating schemas, and manipulating records are the responsibility of the application or database administrator. So the one thing AWS handles with RDS is installing and maintaining the database software itself. The user is responsible for interacting with the database and managing the database objects and data.

Answer 138

B. Amazon API Gateway Amazon API Gateway is the AWS service designed for publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs. It handles API versioning, traffic management, security, monitoring, and documentation. App Mesh (A) provides service mesh functionality to monitor and manage microservices, but does not specifically offer API publishing or gateway capabilities. CloudFront (C) is a content delivery network, not an API management service. Cloud Map (D) provides discovery and naming for cloud resources, but not API publishing or management. So Amazon API Gateway is the right service for publishing and managing REST APIs in AWS.

Answer 139

C. Amazon Rekognition Amazon Rekognition provides pre-trained computer vision models for image and video analysis. It can detect objects, scenes, faces, text, and more without requiring machine learning expertise. Rekognition's pre-built inappropriate content detection can identify suggestive or explicit images. SageMaker (A) is a service for building custom machine learning models, which requires ML expertise this company lacks. Textract (B) is for text extraction and document analysis, not image analysis. Comprehend (D) is for natural language processing, not computer vision. Rekognition lets the company detect inappropriate images without needing to build custom ML models, making it the best choice.

Answer 140

C. Operating system patches When a company hosts databases on Amazon EC2 instances, AWS is responsible for managing the underlying EC2 infrastructure, including installing the operating system and applying OS-level security patches. The company is responsible for tasks related to the database software itself, like backups (A) and database engine patches (B). The company must also handle operating system installation (D) using an AMI, since AWS provides the OS but does not customize it during EC2 provisioning. So operating system patching is handled by AWS, while database administration and OS configuration are the customer's responsibility when running databases on EC2.

Answer 141

C. S3 Standard-Infrequent Access (S3 Standard-IA) For rarely accessed but critical data that must be retrieved within seconds, S3 Standard-IA provides the right balance of low cost and high performance. S3 Standard (A) has higher availability and performance than necessary for rarely accessed data. S3 One Zone-IA (B) has lower availability than Standard-IA, since it is only stored in one AZ. S3 Glacier (D) has much higher latency for data retrieval compared to Standard-IA. So S3 Standard-IA meets the requirements of low cost for infrequent access and ability to retrieve data within seconds. It is the most cost-optimal solution.

Answer 142

B. Pay-as-you-go pricing D. Auto Scaling policies Pay-as-you-go pricing and Auto Scaling allow the company to match its resource usage and costs to its seasonal workload demands. Pay-as-you-go means the company only pays for the resources it needs during peak season. Auto Scaling allows programmatic scaling out of resources to match increased demand. Choices A, C, and E are general benefits of the AWS Cloud but do not directly relate to handling variable workloads in a cost-optimal manner.

Answer 143

D. Amazon Simple Queue Service (Amazon SQS) Amazon SQS is a managed message queuing service that enables decoupled, asynchronous integration between distributed application components using a loose coupling approach. SQS allows microservices to communicate in a scalable, reliable, and fault-tolerant way without requiring the services to be concurrently available. Elastic Load Balancing (A) distributes traffic across instances and Availability Zones but does not provide messaging. Amazon SNS (B) is a publish-subscribe service for push notifications, not a queueing service. CloudFront (C) is a content delivery network, not a messaging service. So SQS fits the need for reliable, asynchronous messaging between independent microservices.

Answer 144

C. AWS Compliance Program The AWS Compliance Program provides details about compliance with regional regulatory standards across AWS services and Regions. It allows customers to review audits, certifications, accreditations, and other compliance reports to ensure AWS meets all required standards in a particular region. AWS Audit Manager (A) helps customers automate audit-related processes but does not detail regional compliance by AWS. AWS Shield (B) is for DDoS protection. AWS Artifact (D) provides on-demand access to AWS security and compliance reports but does not outline regional regulatory compliance by service. So the AWS Compliance Program is the best way to review compliance with regional regulations when determining which AWS services can be used.

Answer 145

A. Amazon Cognito Amazon Cognito provides user identity and data synchronization across mobile apps and the web. It can handle user sign-up, sign-in, access control, and sync user data for a fleet of mobile apps. AWS Security Hub (B) aggregates security alerts but does not provide identity management. AWS Shield (C) provides DDoS protection, not identity management. AWS WAF (D) secures web applications from common vulnerabilities but does not offer identity services. Amazon Cognito is the AWS service designed specifically for handling user identities across large mobile app fleets.

Answer 146

A. Standard Reserved Instance For an EC2 instance that needs to run steadily for 1 year, a Standard Reserved Instance provides the most cost savings compared to On-Demand or Spot pricing. The 1-year term matches the required usage period. A Convertible Reserved Instance (B) allows instance size flexibility but is not any cheaper than a Standard RI for a fixed size. On-Demand (C) has no upfront commitment so is more expensive for steady, long-term use. Spot (D) does not guarantee instance availability, so is risky for a database server needing constant uptime. The 1-year Standard RI matches the fixed server size and steady usage needs at the lowest cost.

Answer 147

A. Security groups Security groups allow defining network access controls between resources based on least privilege. Rules can restrict traffic to only the source IPs, protocols, and ports required for an application tier to communicate with other tiers or applications. AWS Shield (B) protects against DDoS attacks but does not enforce least privilege. AWS Global Accelerator (C) optimizes global application traffic routing but does not enforce security rules. AWS Direct Connect gateway (D) facilitates hybrid connectivity but does not enforce network security policies. Security groups are the most effective way to implement least privilege network access between EC2 instances hosting multi-tier apps.

Answer 148

A. IAM role For applications running on AWS, it is a security best practice to use IAM roles to manage credentials and access permissions. Roles can be assumed by an application at runtime to obtain temporary credentials. This avoids hardcoding long-term credentials into the application. IAM users (B) are intended for human users, not applications. IAM groups (C) only group users, they do not provide credentials. IAM MFA (D) provides extra authentication but does not provide credentials. An IAM role is the most secure way for an application to get the AWS access it requires.

Answer 149

A. Amazon EC2 instances D. Amazon RDS instances The operating system patch routine applies to EC2 instances and RDS instances, where the company manages the OS. AWS Lambda functions (B) and Fargate tasks (C) are serverless options that abstract the OS from the user. Amazon ECS (E) launches containers, which do not have their own OS to patch. So EC2 and RDS are the two AWS resource types that require OS patch management by the customer as part of normal operations. The document should cover those.

Answer 150

A. Security groups Security groups act like a firewall to control inbound and outbound traffic at the instance level. Rules can be defined for each security group to allow or deny traffic based on protocols, ports, and source/destination IPs. Amazon Route 53 (B) provides DNS management but does not control instance traffic. AWS Direct Connect (C) facilitates private connectivity to AWS but does not manage traffic rules. Amazon VPC (D) enables launching resources in an isolated virtual network, but does not manage instance-level traffic without security groups. So security groups give the ability to control both incoming and outgoing traffic to/from EC2 instances.

Answer 151

B. AWS Developer Support The AWS Developer Support plan provides technical support access during business hours, as well as architectural guidance, at the lowest cost. AWS Basic Support (A) only provides billing and account support, not technical or architectural guidance. AWS Business Support (C) and Enterprise Support (D) include additional features like managed cases and are more expensive plans aimed at large production workloads. The AWS Developer Support plan meets the basic requirements at the lowest cost for a company that is just starting to build infrastructure on AWS.

Answer 152

B. Amazon Route 53 Amazon Route 53 is the AWS service for registering and hosting domain names. It can manage domain registration as well as DNS records that map domain names to AWS resources. AWS Lambda (A) runs serverless code functions, but does not provide domain registration or DNS management. Amazon CloudFront (C) is a content delivery network, not a domain name service. AWS Direct Connect (D) establishes dedicated network connectivity to AWS, but does not manage domains or DNS. Route 53 should be used to host the company's public website domain name when migrating the site to AWS.

Answer 153

C. AWS Trusted Advisor AWS Trusted Advisor inspects customer environments and provides best practice recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. This aligns with the stated requirements. AWS Shield (A) protects against DDoS attacks but does not provide best practices. AWS WAF (B) secures web apps but does not provide best practices. AWS Service Catalog (D) manages cloud products but does not provide best practice checks. AWS Trusted Advisor is the service designed to analyze environments and suggest best practices improvements.

Answer 154

D. AWS X-Ray AWS X-Ray provides application tracing and performance insights for distributed applications, such as end-to-end request latencies, service maps, error rates etc. This helps troubleshoot performance problems across complex microservices architectures. AWS Cloud9 (A) is an IDE for coding and debugging but does not trace production applications. AWS CodeStar (B) helps manage application development workflows but does not monitor production apps. AWS Cloud Map (C) is a service discovery and naming service, not an application performance tool. AWS X-Ray is specifically designed for performance monitoring, tracing, and troubleshooting distributed applications running on AWS.

Answer 155

D. Economies of scale The ability to get lower prices and costs through high volume purchases demonstrates the economies of scale benefit of cloud computing. AWS passes on cost savings from its volume discounts to customers. Pay-as-you-go pricing (A) lets you pay only for what you use but is not related to volume discounts. High availability (B) and global reach (C) are other benefits of the cloud but are not demonstrated by volume-based cost reductions. So the economies of scale from high volume purchases directly enables AWS to lower its costs and pass on savings to customers.

Answer 156

C. Amazon GuardDuty Amazon GuardDuty is a threat detection service that continuously monitors for malicious or unauthorized behavior across a customer's AWS accounts and workloads. It analyzes account and network activity as well as S3 data access to identify potential security issues. AWS Shield (A) protects against DDoS attacks but does not provide broader threat monitoring. AWS Firewall Manager (B) centrally configures firewall rules but does not detect broader threats. Amazon Inspector (D) analyzes application security but does not monitor accounts/networks for malicious actors. GuardDuty is designed specifically for threat detection across AWS accounts, workloads, and data sources like S3.

Answer 157

C. Amazon Elastic Container Registry (Amazon ECR) Amazon ECR provides secure, scalable storage for Docker container images. It integrates with Amazon ECS and AWS Fargate to simplify deployment of containerized applications. Amazon DynamoDB (A) is a NoSQL database service, not container image storage. Amazon Kinesis Data Streams (B) manages real-time streaming data intake and processing. Amazon EFS (D) provides scalable file storage but is not designed specifically for container images. Amazon ECR is the purpose-built AWS service for storing, managing, and deploying Docker container images.

Answer 158

D. Amazon Inspector Amazon Inspector performs automated security assessments of EC2 instances. It identifies potential vulnerabilities, unintended network accessibility, and deviations from best practices. This includes checks for open ports, improper security group rules, and vulnerable software packages. AWS Trusted Advisor (A) provides best practices checks but does not do automated vulnerability scans. Security groups (B) control network access but do not audit configurations. Amazon Macie (C) secures sensitive data but does not assess vulnerabilities. Amazon Inspector is designed to run automated security assessments on EC2 instances specifically.

Answer 159

Based on the requirements to operate globally, store data in the closest AWS Region to the user, and minimize operational overhead, I would recommend using Amazon DynamoDB global tables. The key reasons are: - DynamoDB global tables provide a fully managed multi-region and multi-master database that replicates data across AWS Regions with minimal operational overhead. - Data is automatically replicated across Regions with built-in redundancy and durability. - Applications can access the local DynamoDB Region with the lowest latency, while the table data is kept in sync across Regions. - There is no need to manually setup replication or configure EC2 instances in multiple Regions. - DynamoDB handles replication, failover, recovery across Regions. - Much lower operational overhead compared to self-managing cross-region RDS, EC2 or using DMS for replication. So for these requirements, DynamoDB global tables would be the best approach to minimize overhead while providing low latency access to a globally distributed database.

Answer 160

The two economic advantages of the AWS Cloud are: D) Simplified total cost of ownership (TCO) accounting E) Faster product launches The key reasons are: - AWS allows pay-as-you-go pricing and eliminates large upfront capital expenditures. This simplifies TCO accounting. - AWS handles the infrastructure which allows faster development cycles and ability to launch products faster without having to manage underlying infrastructure. - Workforce productivity, encryption and compliance audits are not economic advantages specific to the cloud. They are general software development best practices. So the two options that provide economic advantages by using AWS Cloud are simplified TCO accounting and faster product launches.

Answer 161

In the AWS shared responsibility model, the customer fully inherits the Physical and environmental controls from AWS. The key reasons are: - AWS is responsible for managing physical security of data centers, environmental safeguards like cooling, power, etc. - The customer does not manage any physical infrastructure when using AWS services. - Patch management, awareness training, and configuration management are still shared responsibilities between AWS and the customer for the specific services used. - But physical and environmental controls of data centers are fully managed by AWS. So out of the given options, Physical and environmental controls are fully inherited by the customer from AWS in the shared responsibility model. The customer does not have to provision any of these controls when using AWS cloud.

Answer 162

According to the AWS shared responsibility model, management of the guest operating systems is the customer's responsibility. The key reasons are: - AWS manages the host operating system, virtualization layer, physical infrastructure and Availability Zones. - The customer is responsible for managing the guest OS running on top of the infrastructure provided by AWS. - This includes tasks like patches, security updates, configuration, etc. for the guest OS. - Maintenance of infrastructure devices, host OS, and Availability Zones is handled by AWS. Therefore, out of the given options, management of the guest operating systems is the responsibility of the customer as per the AWS shared responsibility model. The customer needs to ensure the guest OS is securely configured, patched and hardened appropriately.

Answer 163

The requirement to deliver new website features quickly in an iterative manner to minimize time to market represents the concept of Agility in the AWS Cloud. The key reasons are: - Agility in the cloud refers to the ability to rapidly develop, test and launch applications to meet changing business requirements. - The cloud provides the flexibility and tools to iterate quickly without upfront infrastructure costs. - This agility helps minimize the time required to build and launch new website features. - Reliability, Elasticity and High Availability are other characteristics of the cloud, but not directly related to rapid iteration and time to market. So out of the given options, Agility best represents the ability to deliver website features quickly in an iterative manner to minimize time to market. The agility of the cloud model enables this through flexible resources and services.

Answer 164

The ability to recover infrastructure in case of a natural disaster represents the Reliability pillar of the AWS Well-Architected Framework. The key reasons are: - Reliability in the AWS Well-Architected Framework refers to the ability of a system to recover from infrastructure or service disruptions. - Recovering from a natural disaster that impacts infrastructure falls directly under the reliability pillar. - It focuses on designing systems that can withstand component or service failures. - Cost optimization, performance efficiency and security do not directly relate to recovering from disasters. Therefore, out of the given options, the Reliability pillar represents the ability to recover infrastructure after a natural disaster the most. The reliability pillar guides how to build resilient systems that can withstand disruptions.

Answer 165

AWS CloudTrail tracks API calls and user activity in an AWS account. The key reasons are: - AWS CloudTrail captures API calls made by users, roles or AWS services and delivers the logs to CloudWatch Logs or S3. - It provides visibility into user activity and API usage for auditing and security. - AWS Organizations is for managing multiple AWS accounts centrally. - AWS Config is for tracking resource configurations, but does not log user activity. - CloudWatch monitors performance metrics and operational health, not user activity. Therefore, out of the given options, AWS CloudTrail is the service that specifically tracks API calls made by users and services in an AWS account.

Answer 166

AWS Cost Anomaly Detection uses machine learning to continuously monitor cloud spending for unusual patterns or anomalies. The key reasons are: - Cost Anomaly Detection is a feature of AWS Cost Explorer that uses ML models trained on the account's typical spending patterns. - It monitors usage and flags any sudden or unusual changes in spend so action can be taken. - Amazon Lookout for Metrics detects anomalies in metrics but not cost. - AWS Budgets set custom cost/usage thresholds but don't use ML. - CloudWatch monitors resources but does not detect spending anomalies. Therefore, out of the given options, AWS Cost Anomaly Detection specifically leverages machine learning to monitor cloud spend for unexpected changes or anomalies automatically.

Answer 167

AWS Cost Anomaly Detection uses machine learning to continuously monitor cloud spending for unusual patterns or anomalies. The key reasons are: - Cost Anomaly Detection is a feature of AWS Cost Explorer that uses ML models trained on the account's typical spending patterns. - It monitors usage and flags any sudden or unusual changes in spend so action can be taken. - Amazon Lookout for Metrics detects anomalies in metrics but not cost. - AWS Budgets set custom cost/usage thresholds but don't use ML. - CloudWatch monitors resources but does not detect spending anomalies. Therefore, out of the given options, AWS Cost Anomaly Detection specifically leverages machine learning to monitor cloud spend for unexpected changes or anomalies automatically.

Answer 168

The company can purchase the security software from the AWS Marketplace. The key reasons are: - AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors that make their solutions available on AWS. - Partners can offer their solutions on the AWS Marketplace for customers to find, test, buy, deploy, and manage their software on AWS. - Since the security vendor offers their software as a service on AWS, the company can procure it directly from the AWS Marketplace. - The AWS Support Center and Management Console are not places to browse and purchase software products from partners. - The AWS Partner Solutions Finder helps find partner solutions but does not offer procurement. Therefore, the AWS Marketplace is the correct place to purchase the security software service from the vendor for use on AWS.

Answer 169

Based on the requirements to securely transfer large sets of critical data daily from an on-premises data center to AWS over a dedicated connection, I recommend using AWS Direct Connect. The key reasons are: - AWS Direct Connect provides a dedicated private connection from an on-premises site directly to AWS. - It offers high bandwidth, consistent network performance, and private connectivity to AWS. - Data can be transferred securely over a private dedicated connection rather than the public internet. - Transfers can occur daily as required over the established Direct Connect connection. - AWS Backup, DataSync and Snowball are more for periodic or one-time migrations vs daily transfers over a dedicated line. Therefore, AWS Direct Connect best meets the needs for secure, consistent, daily data transfers over a private dedicated connection from the on-prem data center to AWS.

Answer 170

Based on the requirements stated, the AWS Support plan that will meet the needs at the lowest cost is AWS Business Support. The key reasons are: - AWS Business Support provides 24x7 access to Cloud Support Engineers for troubleshooting issues. - It also includes access to the AWS Health API and architecture guidance for business applications. - AWS Enterprise Support adds things like concierge support that are not needed based on the requirements. - AWS Developer Support does not provide 24x7 engineer access. - AWS Basic Support only provides email access during business hours. Therefore, AWS Business Support is the right plan to get 24x7 technical support, Health API access, and architecture guidance at the lowest cost compared to Enterprise or Developer support. It meets the requirements without paying for unnecessary features.

Answer 171

AWS Glue is a fully managed ETL (extract, transform, and load) service provided by AWS. The key reasons are: - AWS Glue provides capabilities to clean, normalize, transform and load data into data warehouses and lakes. This makes it specifically suited for ETL workflows. - It natively integrates with a variety of AWS data stores like S3, Redshift, etc. - Athena is an interactive query service, not for ETL. - S3 is object storage, not an ETL service. - Snowball Edge is a data transport device, not for ETL. Therefore, out of the given options, AWS Glue is the managed service designed and optimized specifically for ETL jobs like extracting data, transforming it, and loading into data stores.

Answer 172

The two actions that are controlled with AWS Identity and Access Management (IAM) are: A) Control access to AWS service APIs and to other specific resources. C) Provide multi-factor authentication (MFA) for users. The key reasons are: - IAM allows creating users, groups, roles to grant permissions to AWS resources. This controls access to APIs and resources. - IAM supports enabling MFA to provide an extra layer of protection for user identities and access. - However, IAM does not provide threat detection, firewalls, or physical data center access controls. Those are handled by other AWS services. In summary, IAM specifically helps control access through permissions policies and supports enabling MFA for users. These align with options A and C.

Answer 173

According to the AWS shared responsibility model, the two shared controls that apply to both AWS and the customer are: B) Network data integrity C) Employee awareness and training The key reasons are: - Network data integrity refers to protecting data in transit across networks and this is a joint responsibility between AWS and the customer. - Awareness and training for employees on security best practices is also a shared control. - Resource configuration, physical security, and disk disposal are fully AWS responsibilities. In summary, network data protections and training employees on security are shared between AWS and the customer in the shared responsibility model. Therefore, options B and C are the controls that are shared.

Answer 174

The two pieces of information that can be found in an AWS IAM credential report are: A) The date and time an IAM user's password was last used to sign in D) Whether multi-factor authentication (MFA) is enabled for each IAM user The key reasons are: - The IAM credential report provides details about the status of IAM user passwords and MFA devices. - It shows password last used timestamps and MFA status for each IAM user. - However, it does not provide real-time login data, browser info, or failed login counts. In summary, the IAM credential report specifically contains password last used data and MFA status per user, which aligns with options A and D.

Answer 175

The least expensive AWS Support plan that contains a full set of AWS Trusted Advisor best practice checks is AWS Business Support. The key reasons are: - AWS Business Support provides access to all Trusted Advisor checks including cost optimization, security, fault tolerance, performance improvement. - AWS Developer and Basic Support only provide access to a subset of Trusted Advisor checks. - AWS Enterprise Support includes concierge support and additional features, but Business Support already has the full set of Trusted Advisor checks. So while Enterprise Support does include Trusted Advisor, it is a higher tier and cost than Business Support which also provides the full checks. Therefore, AWS Business Support is the least expensive plan that contains the complete set of AWS Trusted Advisor best practice checks.

Answer 176

Amazon Route 53 provides domain registration, DNS routing, and health checks on AWS. The key reasons are: - Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service. - It lets you register domain names, route internet traffic to AWS resources via DNS, and check the health of endpoints. - AWS Direct Connect provides dedicated network connections to AWS. - Amazon CloudFront is a content delivery network (CDN). - Amazon API Gateway handles creation and management of APIs. Therefore, out of the options, Amazon Route 53 is the service that specifically offers domain registration, DNS routing capabilities, and health checks functionality on AWS.

Answer 177

The best AWS service for securely and cost-effectively storing recordings of calls for 6 years, while ensuring accessibility within 48 hours, is Amazon S3 Glacier. Amazon S3 Glacier is designed for long-term storage of data that you don't need to access frequently, and it offers a cost-effective solution for archiving data for extended periods. It provides different storage classes, such as Glacier and Glacier Deep Archive, with varying retrieval times and pricing options. While retrieval from Glacier can take several hours, it's suitable for a situation where you need to access the recordings within 48 hours, and it is cost-effective for long-term storage. Therefore, the correct answer is: B. Amazon S3 Glacier

Answer 178

To migrate an on-premises MySQL database to Amazon RDS (Relational Database Service), you should use the AWS Database Migration Service (AWS DMS). AWS DMS is specifically designed for database migrations and supports various source and target database engines, including MySQL. It allows you to efficiently replicate data from your on-premises MySQL database to Amazon RDS, ensuring minimal downtime and data consistency during the migration process. Therefore, the correct answer is: C. AWS Database Migration Service (AWS DMS)

Answer 179

When a company moves from on-premises IT architecture to the AWS Cloud, it can gain several benefits, but not all options listed are accurate. The two main benefits are: A. Reduced or eliminated tasks for hardware troubleshooting, capacity planning, and procurement: AWS takes care of the underlying infrastructure, which means the company no longer has to worry about hardware issues, scaling, or purchasing new hardware as the business grows. This is a significant operational benefit. E. Faster deployment of new features and applications: AWS provides a range of services and tools that enable rapid deployment and scalability, which can accelerate the development and deployment of new features and applications. This agility is a key advantage of cloud computing. The other options listed are not accurate: B. Elimination of the need for trained IT staff: Moving to the cloud doesn't eliminate the need for IT staff. While some operational tasks are offloaded to AWS, you still need IT professionals to manage and optimize your cloud infrastructure, security, and application deployments. C. Automatic security configuration of all applications that are migrated to the cloud: AWS provides robust security tools and features, but the responsibility for configuring security settings and policies still falls on the company. Security is a shared responsibility between AWS and the customer. D. Elimination of the need for disaster recovery planning: Disaster recovery planning is still necessary in the cloud to ensure business continuity. AWS provides tools and services to help with disaster recovery, but companies are responsible for designing and implementing their own recovery strategies.

Answer 180

B. Ability to upgrade components independently Decoupling an AWS Cloud architecture means separating components and services to reduce their interdependencies. This separation allows different components to function independently, which offers several benefits, including the ability to upgrade components independently. When components are tightly coupled, upgrading one component may require changes in other components, causing complexity and potential downtime. Decoupling allows for more flexibility and ease in upgrading and evolving different parts of your architecture without affecting the entire system.

Answer 181

B. Patch the guest operating system of Amazon EC2 instances. According to the AWS shared responsibility model, the customer is responsible for tasks related to their usage of AWS services. This includes tasks like patching the guest operating system on Amazon EC2 instances, managing access control, configuring security groups, and securing the applications and data they run on AWS services. AWS is responsible for the underlying infrastructure and the security "of" the cloud, while the customer is responsible for the security "in" the cloud. This means customers have to manage and secure the components they control within the AWS environment, such as the guest operating system on EC2 instances.

Answer 182

C. Consolidated billing Consolidated billing is an AWS Organizations feature that allows you to combine the billing for multiple AWS accounts within your organization. With consolidated billing, you can track charges across these accounts and generate a single, combined bill that provides a comprehensive view of the costs incurred by all the member accounts. This helps you with cost management and reporting across multiple AWS accounts in your organization.

Answer 183

C. The ability to deploy to AWS on a global scale One of the significant benefits of AWS is the ability to deploy and scale applications and resources globally. AWS provides a global network of data centers and infrastructure, allowing users to deploy their applications and services in multiple regions around the world. This global scale enables businesses to reach a global audience, improve availability, and expand their operations as needed, making it a key advantage of using AWS. The other options listed are not typical benefits of AWS services.

Answer 184

A. Cost of application software licenses When an ecommerce company migrates its IT infrastructure to the AWS Cloud, it is responsible for the cost of the application software licenses. AWS provides the infrastructure (hardware, networking, and data centers) and associated costs are typically billed separately. The company must acquire and manage the necessary software licenses for its applications that run on the AWS infrastructure. The other options are typically AWS's responsibility: B. Cost of the hardware infrastructure on AWS: AWS provides the hardware infrastructure as part of its services, and customers pay for the use of these resources through services like Amazon EC2, Amazon RDS, etc. C. Cost of power for the AWS servers: AWS covers the cost of power, cooling, and other data center operational expenses as part of its service. D. Cost of physical security for the AWS data center: AWS is responsible for the physical security of its data centers, including access control, surveillance, and other security measures.

Answer 185

D. Operational excellence, reliability, performance efficiency, security, and cost optimization The AWS Well-Architected Framework is built on these five pillars, which serve as best practices for designing and operating reliable, secure, efficient, and cost-effective systems in the AWS Cloud. These pillars are key considerations for architects and developers when designing applications and workloads in AWS.

Answer 186

To automate the process of capturing data from scanned PDF files, the company should use: B. Amazon Textract Amazon Textract is a service specifically designed for extracting text and structured data from scanned documents. It can process scanned documents, including PDF files, and extract information such as text, forms, and tables. This service is well-suited for automating the process of capturing data from paper forms and integrating it with backend systems.

Answer 187

To organize, characterize, and search large numbers of images, a company should use: B. Amazon Rekognition Amazon Rekognition is a service that provides image and video analysis capabilities, including image search and recognition, facial analysis, object detection, and more. It is designed to help businesses manage and analyze large volumes of images and videos, making it a suitable choice for organizing, characterizing, and searching images.

Answer 188

To initiate an Amazon EC2 Auto Scaling action based on CPU utilization, you would typically use: D. Amazon CloudWatch alarm Amazon CloudWatch allows you to set up alarms that can monitor metrics, such as CPU utilization, and trigger Auto Scaling actions based on defined thresholds. When the CPU utilization exceeds or falls below the specified thresholds, CloudWatch alarms can initiate the scaling actions to add or remove EC2 instances, ensuring that the application can handle changes in demand effectively.

Answer 189

To host a private version control system for application code in the AWS Cloud, the company should use: C. AWS CodeCommit AWS CodeCommit is a fully managed source control service that makes it easy for teams to host secure and scalable Git-based repositories. It provides a private version control system for your application code and supports collaboration and integration with other AWS development and deployment services like AWS CodeBuild, AWS CodePipeline, and AWS CodeDeploy. This service allows you to securely store and manage your code repositories in the AWS Cloud.

Answer 190

A. AWS Budgets To set up notifications for custom spending thresholds in AWS, you can use AWS Budgets. AWS Budgets allows you to define custom cost and usage thresholds and receive alerts when your spending exceeds those thresholds. This can help you manage your AWS spending more effectively and be aware of any cost overruns.

Answer 191

A. Amazon S3 Amazon S3 (Simple Storage Service) is commonly used to host static websites. You can configure an S3 bucket to serve static web content, and it provides a cost-effective and scalable solution for hosting web assets like HTML, CSS, JavaScript, images, and other files. It's a popular choice for hosting static websites and offers high availability and low latency.

Answer 192

A. AWS WAF (Web Application Firewall) AWS WAF is a service that provides protection for web applications against common web exploits, including SQL injection attacks and cross-site scripting (XSS). It allows you to define rules and conditions to filter and monitor the traffic to your web applications, helping to safeguard them from malicious requests and threats. AWS WAF can be used to mitigate various security vulnerabilities and protect your web applications from attacks.

Answer 193

B. Dedicated Hosts For per-core software licenses, where you want to have full control over the underlying physical server, you should use Dedicated Hosts. Dedicated Hosts allow you to run EC2 instances on physical servers dedicated to your use. This provides you with control over the placement of your instances on specific physical servers, which is necessary for per-core licensing to ensure compliance with the licensing terms of the software. With Dedicated Hosts, you can launch instances on the same physical server, and the per-core licensing model will be properly supported.

Answer 194

C. Amazon Cognito Amazon Cognito is the AWS service that is designed to handle user authentication and access control for applications. It allows you to set up user authentication using a variety of methods, including user name and password, and also supports federated identity, allowing users to sign in through third-party identity providers such as Facebook, Google, or OpenID Connect. This makes it a suitable choice for applications that need flexible and secure authentication options.

Answer 195

To automate the tasks of patching the database and taking backup snapshots of the data, it is recommended to use Amazon RDS (Relational Database Service) with MySQL. B. Use Amazon RDS with a MySQL database Amazon RDS is a managed database service that simplifies many administrative tasks, including patch management and automated backups. It allows you to focus on your application and data while AWS takes care of the operational aspects. With Amazon RDS, you can configure automated backups and apply software patches to the database instance with minimal manual intervention, making it a suitable choice for this workload.

Answer 196

C. Automatic monitoring for threats to AWS workloads Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized activities in your AWS environment. It is designed to protect against security threats and unauthorized access to AWS resources, making it a valuable service for detecting and responding to threats to AWS workloads. It uses machine learning and threat intelligence to analyze events and provide threat detection capabilities without the need for manual configuration and rule creation.

Answer 197

The business value of migrating to the AWS Cloud includes: B. AWS availability and security provide the ability to improve service level agreements (SLAs) while reducing risk and unplanned downtime. AWS offers robust availability and security features that can help improve the reliability of services and reduce the risk of unplanned outages, which can lead to better service level agreements. D. Companies that migrate to the AWS Cloud reduce IT costs related to infrastructure, freeing budget for reinvestment in other areas. Migrating to the AWS Cloud can result in cost savings by eliminating the need to invest in and manage on-premises infrastructure. These cost savings can then be reinvested in other business areas or used for innovation. The other options are not accurate: A. The migration of enterprise applications to the AWS Cloud doesn't automatically make these applications available on mobile devices; that depends on how the applications are developed and configured. C. Companies that migrate to the AWS Cloud still need to plan for high availability and disaster recovery, but AWS provides tools and services to help with these planning and implementation efforts. E. Migration to the AWS Cloud may involve rearchitecting and modernizing applications, but it's not a requirement for all migrations. The extent of modernization depends on the specific migration strategy chosen by the company.

Answer 198

D. Amazon Macie Amazon Macie is a service that is specifically designed for discovering and protecting sensitive data, including personally identifiable information (PII), in AWS. It uses machine learning and pattern matching techniques to automatically identify and classify sensitive data stored in Amazon S3. This service helps organizations meet data privacy and compliance requirements by detecting and managing sensitive information in their data repositories.

Answer 199

The AWS services and tools designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks are: C. AWS Shield Standard: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that helps protect applications from large and sophisticated DDoS attacks. Shield Standard provides protection against common and most frequently observed network and transport layer DDoS attacks. E. AWS WAF (Web Application Firewall): AWS WAF is a web application firewall that helps protect web applications from common web exploits, including SQL injection and cross-site scripting (XSS). It allows you to define rules and conditions to filter and monitor the traffic to your web applications to mitigate such threats. The other options are not specifically related to protecting against these types of attacks: A. VPC endpoint and B. Virtual private gateway are networking components in AWS. D. AWS Config is a service for assessing and managing configurations of AWS resources, but it's not focused on security against these types of attacks.

Answer 200

B. Amazon Forecast Amazon Forecast is the service designed to provide forecasts for future costs and usage of AWS resources based on historical consumption data. It uses machine learning and statistical techniques to generate accurate forecasts, which can help organizations plan and optimize their resource usage and costs.

Answer 201

The AWS services that use cloud-native storage with replication across multiple Availability Zones by default are: C. Amazon Neptune D. Amazon DocumentDB (with MongoDB compatibility) Amazon Neptune and Amazon DocumentDB are managed database services that offer high availability and automatic replication of data across multiple Availability Zones. This ensures data durability and fault tolerance. The other services listed do not have replication across Availability Zones as a default feature.

Answer 202

The AWS services that are serverless are: A. AWS Fargate: AWS Fargate is a serverless compute engine for containers that allows you to run Docker containers without managing the underlying infrastructure. D. Amazon S3: Amazon S3 (Simple Storage Service) is a serverless object storage service. It doesn't require you to provision or manage servers to store and retrieve data; it's fully managed by AWS. The other options involve traditional server-based or server-managed services: B. Amazon Managed Streaming for Apache Kafka: It is a managed service for Apache Kafka, which involves provisioning and managing servers. C. Amazon EMR (Elastic MapReduce): EMR is a big data processing service that runs on EC2 instances within a cluster. E. Amazon EC2 (Elastic Compute Cloud): EC2 is a traditional virtual server service where you manage the server instances.

Answer 203

C. Perform automated backups of Amazon RDS instances. According to the AWS shared responsibility model, AWS is responsible for certain tasks related to the underlying infrastructure and services provided. One of those responsibilities includes performing automated backups of Amazon RDS (Relational Database Service) instances. AWS takes care of the operational aspects of creating and managing backups for RDS, while customers are responsible for configuring and managing their RDS instances and databases.

Answer 204

To deploy a PostgreSQL database into Amazon RDS with high availability and fault tolerance, the company should use: C. Amazon RDS with multiple Availability Zones Using Amazon RDS with multiple Availability Zones provides high availability and fault tolerance for the database. In this configuration, the database is automatically replicated to a standby instance in a different Availability Zone, which ensures that if there's a failure in one Availability Zone, the workload can automatically fail over to the standby instance in the other Availability Zone, minimizing downtime and increasing fault tolerance. This is a recommended approach for ensuring the reliability of your database deployments.

Answer 205

To add facial identification to the user verification process on an application, the company should use: D. Amazon Rekognition Amazon Rekognition is a service that provides image and video analysis capabilities, including facial recognition. It can be used to identify and verify faces in images and videos, making it a suitable choice for adding facial identification to user verification processes.

Answer 206

B. AWS Elastic Beanstalk AWS Elastic Beanstalk is a Platform as a Service (PaaS) that enables you to quickly deploy and manage applications without having to provision and manage the underlying infrastructure. It simplifies the deployment process by providing a platform where you can simply upload your application code, and Elastic Beanstalk takes care of the resource provisioning, scaling, and load balancing for you. This service allows you to focus on your application code rather than the infrastructure, making it a good choice for quickly uploading applications to the AWS Cloud.

Answer 207

D. Amazon CloudWatch Amazon CloudWatch is the AWS service that monitors various metrics, including CPU utilization, on Amazon EC2 instances. It provides insights into the performance and operational health of your resources and applications in the AWS environment, allowing you to set up alarms and automate responses based on the monitored metrics, like CPU utilization.

Answer 208

A. Use cost allocation tags. To categorize and track costs for AWS resources, a company should use cost allocation tags. Cost allocation tags allow you to label resources with metadata that helps you track spending and allocate costs to specific categories, departments, or projects. This helps in better understanding and managing your AWS cost structure.

Answer 209

D. Amazon WorkSpaces Amazon WorkSpaces is the AWS service that provides virtual desktop infrastructure (VDI) solutions. It allows employees to securely access company-provided desktops from their personal devices, offering a secure and scalable way to manage and deliver virtual desktops to end-users. This is an ideal choice for companies that want to enable remote access to desktop environments for their employees.

Answer 210

B. Remove unused and underutilized AWS resources across all accounts. AWS Organizations is a service that allows you to manage multiple AWS accounts. It provides tools for centralizing the management of your accounts, setting policies, and automating account management tasks. One of the tasks you can complete using AWS Organizations is optimizing and managing your AWS resources, which includes identifying and removing unused or underutilized resources across all accounts in your organization. This can help you save costs and improve resource efficiency.

Answer 211

The user can use the following AWS services to change their own IAM user password: A. AWS Command Line Interface (AWS CLI): The user can change their password using the AWS CLI, specifically the `aws iam update-login-profile` command. C. AWS Management Console: Users can change their own IAM user password through the AWS Management Console by navigating to the "Security Credentials" section of their user profile. The other options (B, D, E) are not typically used for changing IAM user passwords directly.

Answer 212

For running Amazon EC2 instances that cannot be interrupted and require no long-term commitment or upfront payment, the most cost-effective option is: A. On-Demand Instances On-Demand Instances allow you to pay for compute capacity on an as-needed basis without any upfront payments or long-term commitments. You can launch instances and use them without interruption, and they are billed by the hour or second, depending on the instance type, with no long-term obligations. This is the best option for workloads that require flexibility and the ability to start and stop instances as needed.

Answer 213

To visualize monthly spending on both On-Demand Instances and Spot Instances, you should use: A. AWS Cost Explorer AWS Cost Explorer is a powerful tool for visualizing and understanding your AWS spending. It allows you to filter and view your costs by various dimensions, including instance type and purchase options (such as On-Demand and Spot Instances). You can use Cost Explorer to create custom cost and usage reports, view spending trends, and gain insights into your monthly spending on different types of instances. This will help you track and visualize your spending effectively.

Answer 214

D. Grant permissions to applications that run on Amazon EC2 instances. AWS Identity and Access Management (IAM) allows users to control access to AWS resources by managing permissions and policies. Users can create and manage IAM roles and permissions to grant applications and services running on Amazon EC2 instances the necessary permissions to access other AWS resources. This helps control and secure access to resources within the AWS environment.

Answer 215

D. Amazon Redshift Amazon Redshift is the AWS service designed for data warehousing and analytics. It can handle large volumes of data and perform SQL-based queries for business intelligence and operational analytics. You can query data stored in an Amazon S3 data lake using Amazon Redshift Spectrum, which allows you to analyze data in Amazon S3 without the need to load it into Redshift. This is a common setup for processing petabytes of data for reporting and analytics.

Answer 216

D. Reliability The situation where a system automatically recovers from failure when launched on the AWS Cloud demonstrates the reliability pillar of the AWS Well-Architected Framework. Reliability is one of the key pillars, and it focuses on the ability of a system to recover from failures, automatically scale, and continue operating without disruption. In this context, the system's resilience to failure is a demonstration of the reliability pillar.

Answer 217

C. An extension of an AWS Region to more granular locations AWS Local Zones are an extension of AWS Regions to geographic locations with a limited number of availability zones. They are designed to provide low-latency access to AWS services in specific metropolitan areas and are positioned to support workloads that require proximity to end-users or specific on-premises data centers. Local Zones are meant to provide a more granular, region-specific option for deploying resources.

Answer 218

The costs that the retail company is likely to eliminate by migrating its IT infrastructure applications from on-premises to the AWS Cloud are: A. Cost of data center operations: By migrating to the cloud, the company can eliminate the costs associated with operating and maintaining its own data centers, including expenses for power, cooling, physical security, and data center management. D. Cost of physical server hardware: With the move to the cloud, the company can reduce or eliminate the costs of purchasing, maintaining, and upgrading physical server hardware, as AWS provides the necessary infrastructure as a service. The other options (B, C, E) are not directly related to the costs of the IT infrastructure migration to the cloud: B. Cost of application licensing: The cost of application licensing depends on the specific software used, and this may or may not be eliminated with the migration, depending on the licensing model. C. Cost of marketing campaigns: This cost is unrelated to the IT infrastructure migration and would not be eliminated by the migration. E. Cost of network management: Network management costs could still be relevant in the cloud, depending on the specific network requirements of the company's cloud-based applications.

Answer 219

C. Increased business agility Moving to the AWS Cloud can significantly improve time to market by increasing business agility. AWS provides the ability to quickly provision and scale resources, deploy applications faster, and respond to changing business needs more efficiently. With on-demand resources and managed services, businesses can be more agile in delivering new features and applications to the market, which helps improve their competitive edge and speed to market. This increased agility is a key benefit of adopting cloud computing.

Answer 220

The characteristics of a serverless application in the AWS Cloud are: C. The application has built-in fault tolerance: Serverless applications often benefit from built-in fault tolerance provided by the AWS service or platform, which automatically handles scaling, availability, and fault recovery. This reduces the need for manual configuration to ensure high availability. E. The application can scale based on demand: Serverless applications can automatically scale resources up or down based on demand, ensuring that they can handle varying workloads without manual intervention. The other options (A, B, D) are not typically associated with serverless applications: A. Users don't manually configure Amazon EC2 instances in a serverless application because serverless doesn't involve managing virtual machines like EC2. B. In a serverless environment, you don't have to choose or manage the underlying operating system. D. Amazon EC2 Spot Instances are a separate AWS compute offering and are not typically used in serverless architectures.

Answer 221

B. Launch an Amazon EC2 instance on a Dedicated Host. To meet the requirement of licensing physical cores in the AWS Cloud, a company should launch an Amazon EC2 instance on a Dedicated Host. A Dedicated Host provides a physical server with dedicated resources, which is an ideal choice when you need to ensure that the underlying physical hardware is used exclusively for your workloads. This allows you to maintain compliance with software licensing that requires licensing physical cores.

Answer 222

B. AWS Enterprise Support AWS Enterprise Support is the AWS Support plan that provides access to a Technical Account Manager (TAM) who can work with your organization to provide technical guidance, assist with strategies related to incidents, trade-offs, support, and risk management, and help optimize your AWS environment. It is a more comprehensive support plan designed for enterprises with complex AWS architectures and workloads that require a higher level of support and expertise.

Answer 223

A. Users eliminate the need to guess about infrastructure capacity requirements. One of the key advantages of the AWS Cloud is that it allows users to eliminate the need to guess about infrastructure capacity requirements. AWS provides on-demand resources that can scale up or down as needed, eliminating the need for upfront capital investments in hardware and allowing users to pay for what they use. This flexibility is a significant benefit of cloud computing. The other options (B, C, D) are not typically advantages provided by the AWS Cloud.

Answer 224

The AWS services that can use AWS WAF (Web Application Firewall) to protect against common web exploitations are: B. Amazon CloudFront: AWS WAF can be integrated with Amazon CloudFront to protect web applications and content delivered through the content delivery network. E. Amazon API Gateway: AWS WAF can also be used with Amazon API Gateway to protect your APIs from common web exploits and attacks. The other options (A, C, D) are not typically associated with AWS WAF integration for web application protection.

Answer 225

The controls shared under the AWS shared responsibility model are: C. Configuration management: While AWS manages the underlying infrastructure, customers are responsible for configuring their resources securely. This includes setting up security groups, network ACLs, and other resource-specific configurations. E. Service and communications protection or security: AWS provides the security of the cloud infrastructure, while customers are responsible for securing their data, applications, and access to AWS services. This includes setting up authentication, authorization, and encryption for data in transit and at rest. The other options (A, B, D) are not controls shared under the shared responsibility model: A. Awareness and training are the responsibility of the customer, but they are not typically considered as controls. B. Patching of Amazon RDS is managed by AWS as part of the shared responsibility model. D. Physical and environmental controls are the responsibility of AWS and not shared with customers under the shared responsibility model.

Answer 226

B. AWS Global Accelerator AWS Global Accelerator is the service that can improve the availability and performance of global applications by providing static IP addresses that act as Anycast IP addresses. It routes traffic over the AWS global network to the optimal AWS endpoint based on health, geography, and routing policies. This service helps to ensure high availability and improved application performance for a global audience.

Answer 227

The AWS compute services among the options are: A. Amazon Lightsail: Amazon Lightsail is a simplified compute service that allows you to easily deploy and manage virtual private servers. D. AWS Batch: AWS Batch is a service for running batch computing workloads on the AWS Cloud. It provides the ability to schedule and manage batch jobs. The other options (B, C, E) are not compute services but are related to management, infrastructure provisioning, and security services in AWS.

Answer 228

D. AWS CloudTrail logs To report on events involving specific AWS services, a company can use AWS CloudTrail logs. AWS CloudTrail records and logs API calls made on AWS resources, which includes the specific AWS services used, the actions performed, and the associated events. This allows you to track and analyze activities and events related to the AWS services your company uses. You can then use these logs with Amazon CloudWatch for monitoring, reporting, and analysis.

Answer 229

B. AWS Concierge Support team The AWS Concierge Support team is a specialized support team available to AWS Enterprise Support customers. They can assist with understanding your monthly AWS bill, implementing billing best practices, and optimizing your AWS spending. This team is dedicated to helping customers navigate AWS billing and cost management.

Answer 230

C. Amazon DynamoDB Amazon DynamoDB is an AWS key-value database offering consistent single-digit millisecond performance at any scale. It's a fully managed NoSQL database service that provides fast and predictable performance, making it well-suited for applications that require low-latency access to data, such as real-time applications and web services.

Answer 231

C. Amazon DynamoDB Amazon DynamoDB is a fully managed NoSQL database service that is designed for high scalability and can easily meet increasing demand as the popularity of the application grows. It provides fast and predictable performance, automatic scaling, and is well-suited for applications that require a scalable and low-latency database, making it an excellent choice for the described requirements.

Answer 232

B. AWS CodeStar AWS CodeStar is a fully managed service that provides an integrated development and continuous delivery toolchain for coding, building, testing, and deploying code. It simplifies the process of setting up, managing, and automating your development workflow. With CodeStar, you can quickly build, test, and deploy applications on AWS. While the other services listed (Amazon CodeGuru, AWS CodeCommit, AWS CodeDeploy) are also part of the AWS DevOps ecosystem, AWS CodeStar is designed to provide an integrated toolchain for the entire development and continuous delivery process.

Answer 233

A. AWS CloudTrail AWS CloudTrail is the service that enables customers to audit API calls in their AWS accounts. It records API activity and provides logs that help customers track changes, troubleshoot issues, and meet compliance and security requirements by monitoring who is making API calls and what actions are being performed in their AWS environment.

Answer 234

A. AWS VPN To establish an encrypted connection to AWS for secure data transfer, a company can use AWS VPN (Virtual Private Network). AWS VPN provides a secure and encrypted connection over the internet, allowing you to connect your on-premises network to your AWS resources securely. This is a common approach for securely connecting to AWS from an office or on-premises data center.

Answer 235

D. Amazon EC2 Auto Scaling Amazon EC2 Auto Scaling is the AWS service that will meet the requirements of steady and predictable performance at the lowest possible cost while allowing the ability to scale resources to ensure the right resources are available at the right time. With Auto Scaling, you can automatically adjust the number of EC2 instances in your fleet based on demand, helping you maintain steady performance and cost efficiency. It allows you to automatically scale your resources up or down as needed, making it a cost-effective and scalable solution.

Answer 236

B. Using AWS Artifact Using AWS Artifact provides documentation to help a company evaluate whether its use of the AWS Cloud is compliant with local regulatory standards. AWS Artifact provides access to various compliance reports, including those related to regional compliance, allowing organizations to assess their compliance with local and global regulations. These reports can be used for audits and evaluations related to regulatory standards.

Answer 237

A. Spot Instances Spot Instances are the cost-effective option for running applications on Amazon EC2 instances for short time periods, especially when applications can be interrupted. Spot Instances allow you to take advantage of spare EC2 capacity at a significantly lower price compared to On-Demand Instances. However, they can be terminated with a very short notice (when the capacity is needed elsewhere), so they are suitable for applications that are fault-tolerant and can handle interruptions.

Answer 238

The benefits of building a mobile app in the AWS Cloud include: B. Increased speed for trying out new projects: AWS provides a highly flexible and scalable environment that allows rapid experimentation and development, which can lead to faster innovation and quicker time-to-market for new projects. D. Flexibility to scale up in minutes as the application becomes popular: The AWS Cloud offers the ability to easily scale resources up or down based on demand, ensuring that you can quickly respond to changes in application popularity or usage. The other options (A, C, E) do not align with the typical benefits of building an app in the AWS Cloud: A. AWS offers low upfront costs and pay-as-you-go pricing, which reduces the need for large, upfront capital expenses and provides variable expenses based on actual usage. C. While AWS provides a secure cloud environment, control over physical security is not in the hands of AWS customers as it is in a data center environment. E. AWS abstracts the specific data center locations and provides a global network of data centers, giving customers high availability and redundancy, but customers do not typically pick specific data center locations for their resources.

Answer 239

C. AWS CodeCommit AWS CodeCommit is the AWS service that securely hosts Git-based code repositories and provides version control for application source code. It allows developers to store and manage their code securely in the AWS Cloud. This service is designed for securely managing code and facilitating collaboration among development teams.

Answer 240

B. A physical location around the world where data centers are clustered An AWS Region is a physical location around the world where AWS has multiple data centers (Availability Zones) that are clustered together. Each Region is a separate geographic area designed to provide low-latency access to AWS services and resources for customers in that geographic region. Each Region is made up of multiple Availability Zones to provide redundancy, fault tolerance, and high availability.

Answer 241

D. Global reach The AWS benefit that enables users to deploy cloud infrastructure consisting of multiple geographic regions connected by a network with low latency, high throughput, and redundancy is referred to as "Global reach." AWS provides a global network of data centers across multiple geographic regions, allowing users to deploy resources in different regions and connect them with low-latency, high-throughput networking, and redundancy. This global reach enables users to create highly available and geographically distributed architectures for their applications.

Answer 242

A. Use AWS Managed Services to provision, run, and support the company infrastructure. To offload support of the workload and take advantage of AWS's expertise in managing infrastructure, a company can use AWS Managed Services. AWS Managed Services helps provision, run, and support the company's infrastructure, allowing the company to focus on its applications and business logic while AWS manages the underlying infrastructure, operations, and support. This can result in increased operational efficiency and reduced administrative overhead.

Answer 243

D. Management of infrastructure is offloaded to AWS. A key benefit of using AWS serverless computing, such as AWS Lambda, is that it offloads the management of infrastructure to AWS. In a serverless architecture, you don't need to worry about provisioning, scaling, patching, or managing servers. AWS takes care of the underlying infrastructure, allowing you to focus on your application code, without the need for infrastructure management tasks. This can lead to increased development speed, reduced operational overhead, and greater agility.

Answer 244

D. AWS Pricing Calculator To determine the AWS Regions that offer the lowest price for your specific application and usage, you can use the AWS Pricing Calculator. The Pricing Calculator allows you to estimate the costs of running your application in different AWS Regions, taking into account the services you plan to use and your usage patterns. This can help you make informed decisions about the most cost-effective AWS Regions for your application.

Answer 245

D. Encrypt data by using AWS Key Management Service (AWS KMS). Encrypting data using AWS Key Management Service (AWS KMS) enhances a user's security on AWS by protecting the confidentiality and integrity of their data. AWS KMS provides a secure and managed way to create and control encryption keys, making it a critical component for ensuring data security in the cloud. Multi-AZ deployments, hybrid architectures, and application monitoring (such as with AWS X-Ray) are important for other aspects of security and availability but do not directly provide encryption and data protection.

Answer 246

D. Security group The AWS service or tool associated with an Amazon EC2 instance that acts as a virtual firewall to control inbound and outbound traffic is called a "Security group." Security groups are used to specify which traffic is allowed to access an EC2 instance and which traffic is not, effectively providing network-level security for the instance. They help control the flow of traffic to and from the instance, acting as a firewall to manage access.

Answer 247

B. Security patching of the guest operating system According to the AWS shared responsibility model, the company is responsible for security patching of the guest operating system running on Amazon EC2 instances. AWS is responsible for the underlying infrastructure, including the EC2 hypervisor, network connectivity, and the physical data center. The company's responsibility extends to the configuration and management of the EC2 instances, including patching and securing the guest operating system and the applications running on those instances.

Answer 248

D. AWS Fargate To meet the requirements of automatically provisioning and managing backend instances while provisioning only the necessary resources, a developer should use AWS Fargate. AWS Fargate is a serverless compute engine for containers that allows you to run containers without having to manage the underlying infrastructure. It automatically provisions the required compute resources for your containers, ensuring that you only pay for the resources you use, making it a cost-effective and convenient solution for deploying container-based applications.

Answer 249

The tasks that require the use of the AWS account root user are: A. Changing an AWS Support plan: Changing the AWS Support plan for an AWS account is a task that typically requires the AWS account root user's access. E. Closing an AWS account: Closing or terminating an AWS account is a task that is performed by the AWS account root user to ensure the entire account is shut down. The other options (B, C, D) do not typically require the use of the AWS account root user and can be managed by other IAM (Identity and Access Management) users or roles with appropriate permissions.

Answer 250

A. Amazon Simple Queue Service (Amazon SQS) Amazon Simple Queue Service (Amazon SQS) is the AWS service that enables the decoupling and scaling of applications. It provides a fully managed message queuing service that allows you to decouple the components of your applications, ensuring that they can scale independently and communicate asynchronously. Amazon SQS is commonly used for building distributed and scalable systems where different parts of an application need to communicate and process data without being tightly coupled.

Answer 251

B. Amazon S3 is an object storage service that provides high-level performance, security, scalability, and data availability. Amazon S3 (Simple Storage Service) is an object storage service that is designed to provide high-level performance, security, scalability, and data availability for storing and retrieving data. It is not a block storage service or a file storage system, and it is not an NFS service. Instead, Amazon S3 is used for storing and managing objects, such as files, images, videos, and other data, in a highly reliable and scalable manner.

Answer 252

A. It aggregates usage across accounts so that the company can reach volume discount thresholds sooner. Consolidated billing in AWS allows multiple AWS accounts to be linked together under a single paying account. This aggregation of accounts allows for the combined usage to count toward volume discount thresholds, which can lead to cost savings as the company reaches higher tiers of discount pricing. This can help reduce costs for a company with multiple AWS accounts by optimizing the cost structure based on collective usage.

Answer 253

D. AWS Certificate Manager (ACM) To secure a consumer web application by using SSL/TLS to encrypt traffic, a company can use AWS Certificate Manager (ACM). AWS ACM is a service that makes it easy to provision, manage, and deploy SSL/TLS certificates for use with AWS services and integrated applications. It helps ensure that data in transit between the web application and users is encrypted and secure.

Answer 254

The advantages of moving to the AWS Cloud include: C. Users experience increased speed and agility: AWS provides the ability to rapidly deploy, scale, and manage infrastructure and applications, which leads to increased agility and responsiveness to changing business needs. D. Users benefit from massive economies of scale: AWS's global infrastructure and scale can result in cost savings for users due to shared resources, efficient infrastructure management, and reduced capital expenditures. Option A is not a valid advantage as the immediate provisioning of all AWS services in seconds is not a practical or accurate representation of cloud service deployment. Option B is also incorrect because, while AWS takes responsibility for the security of the cloud infrastructure, the customer is still responsible for securing their applications and data within the cloud. Option E is not a valid advantage as moving hardware to the AWS Cloud is typically done by provisioning AWS resources rather than physically moving existing hardware.

Answer 255

C. Use an IAM role with the necessary permissions. According to AWS security best practices, it's recommended to use IAM roles for granting permissions to AWS resources, including EC2 instances, to access other services like Amazon S3. You can attach an IAM role to the EC2 instances and define the necessary permissions in the role's policies. This approach is more secure and avoids the need to manage access keys (option B), which can be a security risk if not handled properly. Options A and D are not appropriate for granting access to EC2 instances for S3 bucket access. The AWS account root user access keys (option A) should be avoided for security reasons, and activating multi-factor authentication (MFA) and versioning on the S3 bucket (option D) does not directly grant access to EC2 instances.

Answer 256

B. Amazon Detective Amazon Detective is the AWS service that continuously monitors your AWS account for suspicious activity and can initiate automated actions against threats that are identified in the security findings. It helps you investigate security incidents and quickly respond to potential security threats within your AWS environment. Amazon GuardDuty is another AWS service that helps protect your AWS environment by identifying potentially malicious activity and threats, but it does not provide the same level of automated response capabilities as Amazon Detective. AWS Trusted Advisor and Amazon Inspector are AWS services that focus on providing recommendations and security assessments but do not have the same continuous monitoring and automated threat response capabilities as Amazon Detective.

Answer 257

B. Amazon Detective Amazon Detective is the AWS service that continuously monitors your AWS account for suspicious activity and can initiate automated actions against threats that are identified in the security findings. It helps you investigate security incidents and quickly respond to potential security threats within your AWS environment. Amazon GuardDuty is another AWS service that helps protect your AWS environment by identifying potentially malicious activity and threats, but it does not provide the same level of automated response capabilities as Amazon Detective. AWS Trusted Advisor and Amazon Inspector are AWS services that focus on providing recommendations and security assessments but do not have the same continuous monitoring and automated threat response capabilities as Amazon Detective.

Answer 258

B. Amazon Detective Amazon Detective is the AWS service that continuously monitors your AWS account for suspicious activity and can initiate automated actions against threats that are identified in the security findings. It helps you investigate security incidents and quickly respond to potential security threats within your AWS environment. Amazon GuardDuty is another AWS service that helps protect your AWS environment by identifying potentially malicious activity and threats, but it does not provide the same level of automated response capabilities as Amazon Detective. AWS Trusted Advisor and Amazon Inspector are AWS services that focus on providing recommendations and security assessments but do not have the same continuous monitoring and automated threat response capabilities as Amazon Detective.

Answer 259

C. Amazon Route 53 Amazon Route 53 is the AWS service that can help a company detect an outage of its website servers and automatically redirect users to alternate servers or endpoints. Route 53 is a scalable and highly available Domain Name System (DNS) web service that includes health checks and routing policies, allowing you to configure failover and traffic routing in response to server or endpoint availability. Amazon CloudFront is a content delivery network (CDN) service that caches and delivers content to users with low latency and high data transfer speeds but is not focused on server failover and redirection. Amazon GuardDuty is a threat detection service focused on identifying malicious activity in your AWS environment. AWS Trusted Advisor provides recommendations for optimizing your AWS resources and cost savings but is not related to outage detection and server redirection.

Answer 260

The security measures that fall under the responsibility of AWS (as part of the shared responsibility model) in the described scenario are: B. Protecting against IP spoofing and packet sniffing: AWS is responsible for network-level security, including protecting against IP spoofing and packet sniffing. D. Encrypting communication between the EC2 instances and the Elastic Load Balancer: AWS is responsible for providing encryption capabilities for communication between services like Elastic Load Balancers and EC2 instances. Running a virus scan on EC2 instances (option A) and installing the latest security patches on the RDS instance (option C) are tasks that typically fall under the responsibility of the customer. These are application-level and infrastructure-level security practices that are the customer's responsibility to manage. Configuring a security group and a network access control list (NACL) for EC2 instances (option E) is also the responsibility of the customer, as it involves configuring the network-level access controls for the EC2 instances.

Answer 261

B. Make frequent, small, reversible changes. The AWS Well-Architected Framework design principle for operational excellence emphasizes making frequent, small, and reversible changes to your infrastructure and applications. This approach is aligned with best practices for agility, reducing risk, and ensuring that changes can be quickly rolled back if issues arise. Frequent, small changes can help teams adapt to evolving requirements and respond to customer needs more effectively while maintaining operational excellence.

Answer 262

A. Amazon CodeGuru Amazon CodeGuru is the AWS service that provides intelligent recommendations to improve code quality and identify an application's most expensive lines of code. It helps developers write better code, improve application performance, and reduce costs by leveraging machine learning and automated code reviews. It includes tools for code profiling and code review, allowing developers to make data-driven decisions for code optimization.

Answer 263

C. Begin to deploy resources in the second Region. To expand into a second AWS Region, a company needs to begin deploying resources in the second Region. AWS allows customers to create and manage resources in multiple AWS Regions, enabling geographic redundancy, disaster recovery, and improved global availability. You do not need to sign a new contract or download a separate AWS Management Console for the second Region. Availability Zones are contained within a Region and do not represent a separate Region.

Answer 264

B. Amazon Elastic File System (Amazon EFS) Amazon Elastic File System (Amazon EFS) is an AWS service that provides scalable file storage that can be mounted across multiple Amazon EC2 instances. It allows multiple EC2 instances to access the same file system simultaneously, making it a suitable choice for applications that require shared file storage across instances.

Answer 265

B. AWS Elastic Beanstalk AWS Elastic Beanstalk is a Platform as a Service (PaaS) offering that simplifies the deployment and management of applications in the AWS Cloud. It allows you to quickly deploy applications without having to manage the underlying infrastructure. Elastic Beanstalk abstracts much of the complexity involved in deploying, scaling, and monitoring applications, making it a suitable choice for rapidly deploying applications with minimal resource management overhead.

Answer 266

C. Dedicated Hosts When a company wants to bring its existing software licenses (such as Microsoft SQL Server licenses) to run on Amazon EC2 instances without any sharing of physical hardware with other customers, Dedicated Hosts are a suitable EC2 instance purchasing option. Dedicated Hosts provide physical servers that are dedicated exclusively to the company, allowing them to run instances with their own licenses on these hosts. This ensures that the company's licenses are used in a compliant manner, as required by the software vendor.

Answer 267

A. Scale the number of EC2 instances in or out automatically, based on demand. Amazon EC2 Auto Scaling groups allow you to automatically scale the number of EC2 instances in or out based on changing demand. You can configure Auto Scaling policies to add or remove instances dynamically, ensuring that your application can handle varying levels of traffic and workload. This is a key feature for optimizing resource utilization in the AWS Cloud.

Answer 268

C. AWS Abuse team If a company discovers unauthorized activity involving resources hosted on AWS, it should contact the AWS Abuse team to report the issue. This team is responsible for handling security-related incidents, abuse, and violations of AWS policies and can provide guidance and assistance in addressing such issues. They will help investigate and resolve security concerns related to AWS resources.

Answer 269

A. Configuration management of infrastructure devices is the customer's responsibility. C. AWS is responsible for protecting the physical cloud infrastructure. In the AWS shared responsibility model: A. Configuration management of infrastructure devices (such as EC2 instances) is typically the customer's responsibility. Customers are responsible for configuring and securing their resources and applications running on the AWS infrastructure. C. AWS is responsible for protecting the physical cloud infrastructure, including data centers, networking, and hardware, while customers are responsible for securing their data and applications within the AWS environment. The other options mentioned are not accurate in the context of the shared responsibility model. AWS is responsible for protecting the physical infrastructure (option C), but customers are responsible for managing the operating systems, platforms, and configurations of their resources (option A), and AWS is not responsible for training the customer's employees (option D). Option B is not entirely correct, as AWS operates the infrastructure layer for services like Amazon S3, but customers are responsible for their own data and access controls. Option E is also not accurate; for Amazon EC2, customers are responsible for maintaining the guest operating system.

Answer 270

B. AWS Trusted Advisor AWS Trusted Advisor is the service that provides real-time guidance on following AWS best practices, which include cost optimization, system performance improvement, and security enhancements. It helps users identify opportunities to save money, improve performance, and close security gaps in their AWS environment by analyzing their AWS resources and configurations. It provides actionable recommendations based on best practices and can help users understand how to align their resources with their business needs and improve their AWS infrastructure.

Answer 271

B. AWS Identity and Access Management (IAM) AWS Identity and Access Management (IAM) is the AWS service that allows you to organize users into groups and grant permissions to those groups. By using IAM, you can create IAM groups and assign permissions to those groups, making it easier to manage access to AWS resources for different sets of users. This is a fundamental aspect of access control in AWS, and it helps in ensuring the principle of least privilege for your users and resources.

Answer 272

C. AWS Config D. AWS CloudTrail AWS Config and AWS CloudTrail can provide information about changes in an AWS environment. - AWS Config provides a detailed view of the configuration of AWS resources and can capture changes to resources over time, providing historical context for auditing purposes. - AWS CloudTrail records API calls and actions taken within your AWS account, including who made the call, what actions were performed, and from which IP address. This is valuable for auditing and tracking changes. Both of these services can help you monitor changes in your environment and provide the information auditors need to understand how your AWS environment has changed.

Answer 273

B. AWS CloudFormation AWS CloudFormation is a service that allows you to provision and manage AWS infrastructure as code using templates. With CloudFormation, you can create templates that describe your infrastructure's resources and their dependencies. You can use these templates to reliably provision, manage, and update your infrastructure in a safe and automated manner. It helps you maintain consistency, eliminate manual errors, and manage infrastructure as a code, making it a suitable choice for infrastructure provisioning and management.

Answer 274

D. Use Migration Evaluator. Migration Evaluator (formerly known as TSO Logic) is a tool provided by AWS to help you assess your current on-premises infrastructure and estimate the costs of running that infrastructure in the AWS Cloud. It helps you compare your existing on-premises costs to the costs of AWS services, enabling you to make informed decisions about migrating to the cloud. This tool provides valuable insights into the cost implications of moving to AWS and helps you with cost comparisons.

Answer 275

A. AWS Step Functions AWS Step Functions is a low-code, visual workflow service that allows developers to build distributed applications by coordinating the components of their applications as a series of steps in a visual workflow. It helps in the development and orchestration of complex, distributed, and serverless applications with ease.

Answer 276

B. AWS Direct Connect C. AWS Server Migration Service (AWS SMS) To accelerate the migration from a data center to the AWS Cloud, a company can use AWS Direct Connect for dedicated network connections between their data center and AWS, which can improve network performance and reliability during migration. Additionally, AWS Server Migration Service (AWS SMS) helps automate and simplify the process of migrating virtual machines from on-premises environments to AWS, reducing migration times and complexity. These services can be used in combination to facilitate a faster and smoother migration.