AWS Associates Flashcards by Nicholas Maione

Under a single AWS account, you have set up an Auto Scaling group with a maximum capacity of 50
Amazon Elastic Compute Cloud (Amazon EC2) instances in us-west-2. When you scale out, however,
it only increases to 20 Amazon EC2 instances. What is the likely cause?
A. Auto Scaling has a hard limit of 20 Amazon EC2 instances.
B. If not specified, the Auto Scaling group maximum capacity defaults to 20 Amazon EC2 instances.
C. The Auto Scaling group desired capacity is set to 20, so Auto Scaling stopped at 20 Amazon EC2
instances.
D. You have exceeded the default Amazon EC2 instance limit of 20 per region.

D. Auto Scaling may cause you to reach limits of other services, such as the default number of
Amazon EC2 instances you can currently launch within a region, which is 20.

How well did you know this?

Not at all

Perfectly

Elastic Load Balancing allows you to distribute traffic across which of the following?
A. Only within a single Availability Zone
B. Multiple Availability Zones within a region
C. Multiple Availability Zones within and between regions
D. Multiple Availability Zones within and between regions and on-premises virtualized instances
running OpenStack

B. The Elastic Load Balancing service allows you to distribute traffic across a group of Amazon Elastic
Compute Cloud (Amazon EC2) instances in one or more Availability Zones within a region.

How well did you know this?

Not at all

Perfectly

Amazon CloudWatch offers which types of monitoring plans? (Choose 2 answers)
A. Basic
B. Detailed
C. Diagnostic
D. Precognitive
E. Retroactive

A and B. Amazon CloudWatch has two plans: basic and detailed. There are no diagnostic,
precognitive, or retroactive monitoring plans for Amazon CloudWatch.

How well did you know this?

Not at all

Perfectly

An Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud
(Amazon VPC) subnet can send and receive traffic from the Internet when which of the following
conditions are met? (Choose 3 answers)
A. Network Access Control Lists (ACLs) and security group rules disallow all traffic except relevant
Internet traffic.
B. Network ACLs and security group rules allow relevant Internet traffic.
C. Attach an Internet Gateway (IGW) to the Amazon VPC and create a subnet route table to send all
non-local traffic to that IGW.
D. Attach a Virtual Private Gateway (VPG) to the Amazon VPC and create subnet routes to send all
non-local traffic to that VPG.
E. The Amazon EC2 instance has a public IP address or Elastic IP (EIP) address.
F. The Amazon EC2 instance does not need a public IP or Elastic IP when using Amazon VPC.

B, C, and E. You must do the following to create a public subnet with Internet access:
Attach an IGW to your Amazon VPC.
Create a subnet route table rule to send all non-local traffic (for example, 0.0.0.0/0) to the IGW.
Configure your network ACLs and security group rules to allow relevant traffic to flow to and from
your instance.
You must do the following to enable an Amazon EC2 instance to send and receive traffic from the
Internet:
Assign a public IP address or EIP address.

How well did you know this?

Not at all

Perfectly

If you launch five Amazon Elastic Compute Cloud (Amazon EC2) instances in an Amazon Virtual
Private Cloud (Amazon VPC) without specifying a security group, the instances will be launched into
a default security group that provides which of the following? (Choose 3 answers)
A. The five Amazon EC2 instances can communicate with each other.
B. The five Amazon EC2 instances cannot communicate with each other.
C. All inbound traffic will be allowed to the five Amazon EC2 instances.
D. No inbound traffic will be allowed to the five Amazon EC2 instances.
E. All outbound traffic will be allowed from the five Amazon EC2 instances.
F. No outbound traffic will be allowed from the five Amazon EC2 instances.

A, D, and E. If a security group is not specified at launch, then an Amazon EC2 instance will be
launched into the default security group for the Amazon VPC. The default security group allows
communication between all resources within the security group, allows all outbound traffic, and
denies all other traffic.

How well did you know this?

Not at all

Perfectly

Your company wants to host its secure web application in AWS. The internal security policies
consider any connections to or from the web server as insecure and require application data
protection. What approaches should you use to protect data in transit for the application? (Choose 2
answers)
A. Use BitLocker to encrypt data.
B. Use HTTPS with server certificate authentication.
C. Use an AWS Identity and Access Management (IAM) role.
D. Use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for database connection.
E. Use XML for data transfer from client to server.

B and D. To protect data in transit from the clients to the web application, HTTPS with server
certificate authentication should be used. To protect data in transit from the web application to the
database, SSL/TLS for database connection should be used.

How well did you know this?

Not at all

Perfectly

You have an application that will run on an Amazon Elastic Compute Cloud (Amazon EC2) instance.
The application will make requests to Amazon Simple Storage Service (Amazon S3) and Amazon
DynamoDB. Using best practices, what type of AWS Identity and Access Management (IAM) identity
should you create for your application to access the identified services?
A. IAM role
B. IAM user
C. IAM group
D. IAM directory

A. Don’t create an IAM user (or an IAM group) and pass the user’s credentials to the application or
embed the credentials in the application. Instead, create an IAM role that you attach to the Amazon
EC2 instance to give applications running on the instance temporary security credentials. The
credentials have the permissions specified in the policies attached to the role. A directory is not an
identity object in IAM.

How well did you know this?

Not at all

Perfectly

When a request is made to an AWS Cloud service, the request is evaluated to decide whether it should
be allowed or denied. The evaluation logic follows which of the following rules? (Choose 3 answers)
A. An explicit allow overrides any denies.
B. By default, all requests are denied.
C. An explicit allow overrides the default.
D. An explicit deny overrides any allows.
E. By default, all requests are allowed.

B, C, and D. When a request is made, the AWS service decides whether a given request should be
allowed or denied. The evaluation logic follows these rules:
1) By default, all requests are denied (in general, requests made using the account credentials for
resources in the account are always allowed).
2) An explicit allow overrides this default.
3) An explicit deny overrides any allows.

How well did you know this?

Not at all

Perfectly

What is the data processing engine behind Amazon Elastic MapReduce (Amazon EMR)?
A. Apache Hadoop
B. Apache Hive
C. Apache Pig
D. Apache HBase

A. Amazon EMR uses Apache Hadoop as its distributed data processing engine. Hadoop is an open
source, Java software framework that supports data-intensive distributed applications running on
large clusters of commodity hardware. Hive, Pig, and HBase are packages that run on top of Hadoop.

How well did you know this?

Not at all

Perfectly

What type of AWS Elastic Beanstalk environment tier provisions resources to support a web
application that handles background processing tasks?
A. Web server environment tier
B. Worker environment tier
C. Database environment tier
D. Batch environment tier

B. An environment tier whose web application runs background jobs is known as a worker tier. An
environment tier whose web application processes web requests is known as a web server tier.
Database and batch are not valid environment tiers.

How well did you know this?

Not at all

Perfectly

What Amazon Relational Database Service (Amazon RDS) feature provides the high availability for
your database?
A. Regular maintenance windows
B. Security groups
C. Automated backups
D. Multi-AZ deployment

D. Multi-AZ deployment uses synchronous replication to a different Availability Zone so that
operations can continue on the replica if the master database stops responding for any reason.
Automated backups provide disaster recovery, not high availability. Security groups, while important,
have no effect on availability. Maintenance windows are actually times when the database may not be
available.

How well did you know this?

Not at all

Perfectly

What administrative tasks are handled by AWS for Amazon Relational Database Service (Amazon
RDS) databases? (Choose 3 answers)
A. Regular backups of the database
B. Deploying virtual infrastructure
C. Deploying the schema (for example, tables and stored procedures)
D. Patching the operating system and database software
E. Setting up non-admin database accounts and privileges

A, B, and D. Amazon RDS will launch Amazon Elastic Compute Cloud (Amazon EC2) instances,
install the database software, handle all patching, and perform regular backups. Anything within the
database software (schema, user accounts, and so on) is the responsibility of the customer.

How well did you know this?

Not at all

Perfectly

Which of the following use cases is well suited for Amazon Redshift?
A. A 500TB data warehouse used for market analytics
B. A NoSQL, unstructured database workload
C. A high traffic, e-commerce web application
D. An in-memory cache

A. Amazon Redshift is a petabyte-scale data warehouse. It is not well suited for unstructured NoSQL
data or highly dynamic transactional data. It is in no way a cache.

How well did you know this?

Not at all

Perfectly

Which of the following statements about Amazon DynamoDB secondary indexes is true?
A. There can be many per table, and they can be created at any time.
B. There can only be one per table, and it must be created when the table is created.
C. There can be many per table, and they can be created at any time.
D. There can only be one per table, and it must be created when the table is created.

D. There can be one secondary index per table, and it must be created when the table is created.

How well did you know this?

Not at all

Perfectly

What is the primary use case of Amazon Kinesis Firehose?
A. Ingest huge streams of data and allow custom processing of data in flight.
B. Ingest huge streams of data and store it to Amazon Simple Storage Service (Amazon S3), Amazon
Redshift, or Amazon Elasticsearch Service.
C. Generate a huge stream of data from an Amazon S3 bucket.
D. Generate a huge stream of data from Amazon DynamoDB.

B. The Amazon Kinesis family of services provides functionality to ingest large streams of data.
Amazon Kinesis Firehose is specifically designed to ingest a stream and save it to any of the three
storage services listed in Response B.

How well did you know this?

Not at all

Perfectly

Your company has 17TB of financial trading records that need to be stored for seven years by law.
Experience has shown that any record more than a year old is unlikely to be accessed. Which of the
following storage plans meets these needs in the most cost-efficient manner?
A. Store the data on Amazon Elastic Block Store (Amazon EBS) volume attached to t2.large
instances.
B. Store the data on Amazon Simple Storage Service (Amazon S3) with lifecycle policies that change
the storage class to Amazon Glacier after one year, and delete the object after seven years.
C. Store the data in Amazon DynamoDB, and delete data older than seven years.
D. Store the data in an Amazon Glacier Vault Lock.

B. Amazon S3 and Amazon Glacier are the most cost-effective storage services. After a year, when the
objects are unlikely to be accessed, you can save costs by transferring the objects to Amazon Glacier
where the retrieval time is three to five hours.

How well did you know this?

Not at all

Perfectly

What must you do to create a record of who accessed your Amazon Simple Storage Service (Amazon
S3) data and from where?
A. Enable Amazon CloudWatch logs.
B. Enable versioning on the bucket.
C. Enable website hosting on the bucket.
D. Enable server access logs on the bucket.
E. Create an AWS Identity and Access Management (IAM) bucket policy.

D. Server access logs provide a record of any access to an object in Amazon S3.

How well did you know this?

Not at all

Perfectly

Amazon Simple Storage Service (Amazon S3) is an eventually consistent storage system. For what
kinds of operations is it possible to get stale data as a result of eventual consistency?
A. GET after PUT of a new object
B. GET or LIST after a DELETE
C. GET after overwrite PUT (PUT to an existing key)
D. DELETE after GET of new object

C. Amazon S3 provides read-after-write consistency for PUTs to new objects (new key), but eventual
consistency for GETs and DELETEs of existing objects (existing key). Response C changes the
existing object so that a subsequent GET may fetch the previous and inconsistent object.

How well did you know this?

Not at all

Perfectly

How is data stored in Amazon Simple Storage Service (Amazon S3) for high durability?
A. Data is automatically replicated to other regions.
B. Data is automatically replicated to different Availability Zones within a region.
C. Data is replicated only if versioning is enabled on the bucket.
D. Data is automatically backed up on tape and restored if needed.

B. AWS will never transfer data between regions unless directed to by you. Durability in Amazon S3 is
achieved by replicating your data geographically to different Availability Zones regardless of the
versioning configuration. AWS doesn’t use tapes.

How well did you know this?

Not at all

Perfectly

Your company needs to provide streaming access to videos to authenticated users around the world.
What is a good way to accomplish this?
A. Use Amazon Simple Storage Service (Amazon S3) buckets in each region with website hosting
enabled.
B. Store the videos on Amazon Elastic Block Store (Amazon EBS) volumes.
C. Enable Amazon CloudFront with geolocation and signed URLs.
D. Run a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances to host the videos.

C. Amazon CloudFront provides the best user experience by delivering the data from a geographically
advantageous edge location. Signed URLs allow you to control access to authenticated users.

How well did you know this?

Not at all

Perfectly

Which of the following are true about the AWS shared responsibility model? (Choose 3 answers)
A. AWS is responsible for all infrastructure components (that is, AWS Cloud services) that support
customer deployments.
B. The customer is responsible for the components from the guest operating system upward
(including updates, security patches, and antivirus software).
C. The customer may rely on AWS to manage the security of their workloads deployed on AWS.
D. While AWS manages security of the cloud, security in the cloud is the responsibility of the
customer.
E. The customer must audit the AWS data centers personally to confirm the compliance of AWS
systems and services.

A, B, and D. In the AWS shared responsibility model, customers retain control of what security they
choose to implement to protect their own content, platform, applications, systems, and networks, no
differently than they would for applications in an on-site data center.

How well did you know this?

Not at all

Perfectly

Which process in an Amazon Simple Workflow Service (Amazon SWF) workflow implements a task?
A. Decider
B. Activity worker
C. Workflow starter
D. Business rule

B. An activity worker is a process or thread that performs the activity tasks that are part of your
workflow. Each activity worker polls Amazon SWF for new tasks that are appropriate for that activity
worker to perform; certain tasks can be performed only by certain activity workers. After receiving a
task, the activity worker processes the task to completion and then reports to Amazon SWF that the
task was completed and provides the result. The activity task represents one of the tasks that you
identified in your application.

How well did you know this?

Not at all

Perfectly

Which of the following is true if you stop an Amazon Elastic Compute Cloud (Amazon EC2) instance
with an Elastic IP address in an Amazon Virtual Private Cloud (Amazon VPC)?
A. The instance is disassociated from its Elastic IP address and must be re-attached when the
instance is restarted.
B. The instance remains associated with its Elastic IP address.
C. The Elastic IP address is released from your account.
D. The instance is disassociated from the Elastic IP address temporarily while you restart the
instance.

B. In an Amazon VPC, an instance’s Elastic IP address remains associated with an instance when the
instance is stopped.

How well did you know this?

Not at all

Perfectly

Which Amazon Elastic Compute Cloud (Amazon EC2) pricing model allows you to pay a set hourly
price for compute, giving you full control over when the instance launches and terminates?
A. Spot instances
B. Reserved instance
C. On Demand instances
D. Dedicated instances

C. You pay a set hourly price for an On Demand instance from when you launch it until you explicitly
stop or terminate it. Spot instances can be terminated when the spot price goes above your bid price.
Reserved instances involve paying for an instance over a one- or three-year term. Dedicated instances
run on hardware dedicated to your account and are not a pricing model.

How well did you know this?

Not at all

Perfectly

Under what circumstances will Amazon Elastic Compute Cloud (Amazon EC2) instance store data not be preserved? A. The associated security groups are changed. B. The instance is stopped or rebooted. C. The instance is rebooted or terminated. D. The instance is stopped or terminated. E. None of the above

D. The data in an instance store persists only during the lifetime of its associated instance. If an instance is stopped or terminated, then the instance store does not persist. Rebooting an instance does not shut down the instance; if an instance reboots (intentionally or unintentionally), data on the instance store persists. Security groups have nothing to do with the lifetime of an instance and have no effect here.

How many relational database engines does RDS currently support? A. Three: MySQL, Oracle and Microsoft SQL Server. B. Just two: MySQL and Oracle. C. Six: Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB. D. Just one: MySQL.

C. Six: Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB. Amazon RDS provides you six familiar database engines to choose from, including Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB. https://aws.amazon.com/rds/?nc1=h_ls

Amazon rds provides a facility to modify the back-up retention policy for automated backups, with a value of 0 indicating for no backup retention. What is the maximum retention period allowed in days? A. 45 B. 35 C. 15 D. 10

B. 35

Which of the following databases are not supported on Amazon RDS? A. MSSOL B. MySOL C. Aurora D. DB2

D. DB2

A company is hosting EC2 instances which focuses on work-loads are on non-production and non-priority batch loads. Also, these processes can be interrupted at any time. What is the best pricing model which can be used for EC2 instances in this use case? A. Reserved Instances B. On-Demand Instances C. Spot Instances D. Regular Instances

C. Spot Instances

How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another? A. Detach the volume and attach to an EC2 instance in another AZ. B. Create a new volume in the other AZ and specify the current volume as the source. C. Create a snapshot of the volume and then create a volume from the snapshot in the other AZ D. Create a new volume in the AZ and do a disk copy of contents from one volume to another.

C. Create a snapshot of the volume and then create a volume from the snapshot in the other AZ “Snapshots can be used to instantiate multiple new volumes, expand the size of a volume, or move volumes across Availability Zones. When a new volume is created, you may choose to create it based on an existing Amazon EBS snapshot. In that scenario, the new volume begins as an exact replica of the snapshot.” https://aws.amazon.com/ebs/details/

***** If a provisioned IOPS volume of 4iGB is created, what are the possible correct values for IOPS for the volume in order for it to be created? A. 200 B. 300 C. 400 D. 500

***** A. 200 Max IOPS:Size ratio is 50:1 (Max 50×4 = 200) http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

What is the minimum size of an EBS volume as per AWS? A. 2TB B. 1GiB C. 1GB D. 1Byte

B. 1GiB https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

A customer has a requirement to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement? A. Amazon VPC B. Elastic IP Addresses C. AWS Direct Connect D. Amazon VPC virtual private gateway

C. AWS Direct Connect

When it comes to API credentials, what is the best practice recommended by AWS? A. Create a role which has the necessary permissions and can be assumed by the EC2 instance. B. Use the API credentials from an EC2 instance. C. Use the API credentials from a bastion host. D. Use the API credentials from a NAT Instance.

A. Create a role which has the necessary permissions and can be assumed by the EC2 instance. http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

Is an edge location in AWS the same as a region? A. True B. False

B. False http://www.linuxnix.com/amazon-aws-regions-vs-availability-zones-vs-edge-locations-vs-data-centers/

Which of the following is a durable key-value store? A. Amazon Simple Storage Service B. Amazon Simple Workflow Service C. Amazon Simple Queue Service D. Amazon Simple Notification Service

A. Amazon Simple Storage Service http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingObjects.html

After creating a new AWS account, you use the API to request 40 on-demand EC2 instances in a single AZ. After 20 successful requests, subsequent requests failed. What could be a reason for this issue, and how would you resolve it? A. You encountered a soft limit of 20 instances per region. Submit the limit increase form and retry the failed requests once approved. B. AWS allows you to provision no more than 20 instances per Availability Zone. Select a different Availability Zone and retry the failed request. C. You need to use Amazon Virtual Private Cloud (VPC) in order to provision more than 20 instances in a single Availability Zone. Simply terminate the resources already provisioned and re-launch them all in a VPC. D. You encountered an API throttling situation and should try the failed requests using an exponential decay retry algorithm.

A. You encountered a soft limit of 20 instances per region. Submit the limit increase form and retry the failed requests once approved. https://aws.amazon.com/ec2/faqs/#How_many_instances_can_I_run_in_Amazon_EC2

You have an application running in us-west-2 that requires six EC2 instances running at all times. With three AZs available in that region (us-west-2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent fault tolerance if any single AZ in us-west-2 becomes unavailable? Choose 2 answers A. Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances B. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances C. Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances D. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances E. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances

D. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances E. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances ``` option A : 2 2 2 option B : 3 3 – option C : 4 2 2 option D : 6 6 – option E : 3 3 3 ``` So if one availability zone fails you need to have a backup of 6 instances running Only D & E satisfy that requirement

What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection between an on-premises data center and an Amazon VPC virtual private gateway? A. Modify the main route table to allow traffic to a network address translation instance. B. Use a dedicated network address translation instance in the public subnet. C. Assign a static Internet-routable IP address to an Amazon VPC customer gateway. D. Establish a dedicated networking connection using AWS Direct Connect.

C. Assign a static Internet-routable IP address to an Amazon VPC customer gateway.

How can software determine the public and private IP addresses of the EC2 instance that it is running on? A. Query the local instance metadata. B. Query the local instance userdata. C. Query the appropriate Amazon CloudWatch metric. D. Use an ipconfig or ifconfig command.

A. Query the local instance metadata.

A startup company hired you to help them build a mobile application, that will ultimately store billions of images and videos in S3. The company is lean on funding and wants to minimize operational costs, however, they have an aggressive marketing plan, and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases in traffic to and from S3, and need to ensure that it can handle the performance needs of their application. What other information must you gather from this customer in order to determine whether S3 is the right option? A. You must know how many customers the company has today because this is critical in understanding what their customer base will be in two years. B. You must find out the total number of requests per second at peak usage. C. You must know the size of the individual objects being written to S3, in order to properly design the key namespace. D. In order to build the key namespace correctly, you must understand the total amount of storage needs for each S3 bucket.

B. You must find out the total number of requests per second at peak usage.

A VPC public subnet is one that: A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW). B. Includes a route in its associated routing table via a Network Address Translation (NAT) instance. C. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0. D. Has the Public Subnet option selected in its configuration?

A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW). http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

In reviewing the Auto Scaling events for your application you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? Choose 2 answers A. Modify the Auto Scaling policy to use scheduled scaling actions B. Modify the Auto Scaling group termination policy to terminate the oldest instance first. C. Modify the Auto Scaling group cool-down timers. D. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. E. Modify the Auto Scaling group termination policy to terminate the newest instance first.

C. Modify the Auto Scaling group cool-down timers. D. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KN-_V7WJkvYXS0ySYZV/questions-want-to-verify-answers

What combination of the following options will protect S3 objects from both accidental deletion and accidental overwriting? Choose 2 answers A. Enable S3 versioning on the bucket. B. Access S3 data using only signed URLs. C. Disable S3 delete using an IAM bucket policy. D. Enable S3 Reduced Redundancy Storage. E. Enable multi-factor authentication (MFA) protected access.

A. Enable S3 versioning on the bucket. | E. Enable multi-factor authentication (MFA) protected access.

You have been tasked with creating a VPC network topology for your company. The VPC network must support both Internet-facing applications and internally-facing applications accessed only over VPN. Both Internet-facing and internally-facing applications must be able to leverage at least three AZs for high availability. At a minimum, how many subnets must you create within your VPC to accommodate these requirements? A. 2 B. 3 C. 4 D. 6

D. 6

You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr and your Spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance? A. $0.00 B. $0.02 C. $0.03 D. $0.05 E. $0.06

A. $0.00 Q. Will I be charged if my Spot Instance is terminated by Amazon EC2 before the hour is up? No. If the Spot Instance is terminated by Amazon EC2, you will not be charged for a partial hour of usage”

Which of the following requires a custom CloudWatch metric to monitor? A. Memory use B. CPU use C. Disk read operations D. Network in E. Estimated charges

A. Memory use E is wrong because billing and charges information is monitored a http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CW_Support_For_AWS.html And CPU, Disk, and Network are monitored according to Amazon EC2 Metrics and Dimensions – http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ec2-metricscollected.html

You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers A. Amazon CloudWatch B. Amazon Relational Database Service (RDS) C. Elastic Load Balancing D. Amazon ElastiCache E. AWS Storage Gateway F. Amazon DynamoDB

B. Amazon Relational Database Service (RDS) D. Amazon ElastiCache F. Amazon DynamoDB

You have a business-critical two-tier web app currently deployed in two AZs in a single region, using Elastic Load Balancing and Auto Scaling. The app depends on synchronous replication (very low latency connectivity) at the database layer. The application needs to remain fully available even if one application AZ goes off-line, and Auto Scaling cannot launch new instances in the remaining Availability Zones. How can the current architecture be enhanced to ensure this? A. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 50 percent peak load per Region. B. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 100 percent peak load per region. C. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone. D. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 33 percent peak load per zone.

C. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone.

You are deploying an application on EC2 that must call AWS APIs. What method of securely passing credentials to the application should you use? A. Use AWS Identity and Access Management roles for EC2 instances. B. Pass API credentials to the instance using instance userdata. C. Embed the API credentials into your JAR files. D. Store API credentials as an object in Amazon Simple Storage Service.

A. Use AWS Identity and Access Management roles for EC2 instances.

Which route must be added to your routing table in order to allow connections to the Internet from your subnet? A. Destination: 0.0.0.0/0 –> Target: your Internet gateway B. Destination: 192.168.1.257/0 –> Target: your Internet gateway C. Destination: 0.0.0.0/33 –> Target: your virtual private gateway D. Destination: 0.0.0.0/0 –> Target: 0.0.0.0/24 E. Destination: 10.0.0.0/32 –> Target: your virtual private gateway

A. Destination: 0.0.0.0/0 –> Target: your Internet gateway

A customer’s nightly EMR job processes a single 2-TB data file stored on Amazon Simple Storage Service (S3). The EMR job runs on two On-Demand core nodes and three On-Demand task nodes. Which of the following may help reduce the EMR job completion time? Choose 2 answers A. Use three Spot Instances rather than three On-Demand instances for the task nodes. B. Change the input split size in the MapReduce job configuration. C. Use a bootstrap action to present the S3 bucket as a local filesystem. D. Launch the core nodes and task nodes within an Amazon Virtual Cloud. E. Adjust the number of simultaneous mapper tasks. F. Enable termination protection for the job flow.

B. Change the input split size in the MapReduce job configuration. E. Adjust the number of simultaneous mapper tasks. https://acloud.guru/forums/aws-certified-solutions-architect-associate/discussion/-KN-_V7WJkvYXS0ySYZV/questions-want-to-verify-answers

Which is an operational process performed by AWS for data security? A. AES-256 encryption of data stored on any shared storage device B. Decommissioning of storage devices using industry-standard practices C. Background virus scans of EBS volumes and EBS snapshots D. Replication of data across multiple AWS Regions E. Secure wiping of EBS data when an EBS volume is unmounted

Answer: B. Decommissioning of storage devices using industry-standard practices Clearly, there is no way you could do this, so AWS take care. Wrong Answers: A. AES-256 encryption of data stored on any shared storage device Encryption of storage devices (EBS) is your concern. C. Background virus scans of EBS volumes and EBS snapshots Too detailed for EC2 – Amazon doesn't want to interact with your data. D. Replication of data across multiple AWS Regions No, you have to do this yourself. E. Secure wiping of EBS data when an EBS volume is un-mounted An un-mount doesn’t cause an EBS volume to be wiped.

Amazon Glacier is designed for: (Choose 2 answers) A. active database storage. B. infrequently accessed data. C. data archives. D. frequently accessed data. E. cached session data

B. infrequently accessed data. C. data archives.

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly? A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. B. Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy. C. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User. D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. https://markosrendell.wordpress.com/2013/12/12/aws-certified-solutions-architect-sample-questions-answered-and-discussed/

Which of the following will occur when an EC2 instance in a VPC with an associated Elastic IP is stopped and started? (Choose 2 answers) A. The Elastic IP will be dissociated from the instance B. All data on instance-store devices will be lost C. All data on EBS (Elastic Block Store) devices will be lost D. The ENI (Elastic Network Interface) is detached E. The underlying host for the instance is changed

B. All data on instance-store devices will be lost E. The underlying host for the instance is changed https://markosrendell.wordpress.com/2013/12/12/aws-certified-solutions-architect-sample-questions-answered-and-discussed/

In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics: A. web server visible metrics such as number failed transaction requests B. operating system visible metrics such as memory utilization C. database visible metrics such as number of connections D. hypervisor visible metrics such as CPU utilization

D. hypervisor visible metrics such as CPU utilization

Can an EBS volume be attached to more than one EC2 instance at the same time? A. No B. Yes. C. Only EC2-optimized EBS volumes. D. Only in read mode.

A. No http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html

Disabling automated backups disables the point-in-time recovery feature. A. True B. False

A. True

Out of the striping options available for the EBS volumes, which one has the following disadvantage: ‘Doubles the amount of I/O required for the instance to EBS compared to RAID 0, because you’re mirroring all writes to a pair of volumes, limiting how much you can stripe.'? A. Raid 5 B. Raid 6 C. Raid 1 D. Raid 2

C. Raid 1

What is the maximum write throughput I can provision per table for a single DynamoDB table? A. 5,000 us east, 1,000 all other regions B. 100,000 us east, 10, 000 all other regions C. Designed to scale without limits, but if you go beyond 40,000 us east/10,000 all other regions you have to contact AWS first. D. There is no limit

C. Designed to scale without limits, but if you go beyond 40,000 us east/10,000 all other regions you have to contact AWS first. http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html

What is the maximum groups an IAM user be a member of? A. 20 B. 5 C. 10 D. 15

C. 10 http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html

While performing volume status checks using volume status checks, if the status is insufficient-data, what does it mean? A. checks may still be in progress on the volume B. check has passed C. check has failed D. there is no such status

A. the checks may still be in progress on the volume http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html

SQL Server stores logins and passwords in the master database. A. True B. False

A. True

Using Amazon IAM, I can give permissions based on organizational groups? A. True B. False

A. True

While creating an EC2 snapshot using the API, which Action should I be using? A. MakeSnapShot B. FreshSnapshot C. DeploySnapshot D. CreateSnapshot

D. CreateSnapshot http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html

Reserved Instances are available for Multi-AZ Deployments. A. True B. False

A. True https://aws.amazon.com/rds/faqs/ Q: Are reserved instances available for Multi-AZ deployments? Yes. When you call the DescribeReservedDBInstancesOfferings API or describe-reserved-db-instances-offerings command, simply look for the Multi-AZ options listed among the DB Instance configurations available for purchase. If you want to purchase a reservation for a DB instance with synchronous replication across multiple Availability Zones, specify one of these offerings in your PurchaseReservedDBInstancesOffering call.

New database versions will automatically be applied to AWS RDS instances as they become available. A. True B. False

B. False https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html Minor version upgrades usually contain database changes that are backward-compatible with the previous version of the database. As a result, Amazon RDS might apply a minor version upgrade automatically in some cases. For more information about minor version upgrades, see the documentation for your DB engine listed following. “…Major version upgrades can contain database changes that are not backward-compatible with previous versions of the database. This functionality can cause your existing applications to stop working correctly. As a result, Amazon RDS *DOESN’T* apply major version upgrades automatically;”

What is the default per account limit of Elastic IPs? A. 1 B. 3 C. 5 D. 0

C. 5 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-IP-addresses-eip.html 5 is per region limit and not per account Per account, it will be “5 * 15 (total regions till now)” = 75

What is a Security Group? A. None of these. B. A list of users that can access Amazon EC2 instances. C. An Access Control List (ACL) for AWS resources. D. It acts as a virtual firewall that controls the traffic for one or more instances.

D. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Multi-AZ deployment is supported for Microsoft SQL Server DB Instances. A. True B. False

A. True http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_SQLServerMultiAZ.html “…Amazon RDS supports Multi-AZ deployments for DB instances running Microsoft SQL Server by using SQL Server Database Mirroring…”

Does AWS allow for the use of Multi Factor Authentication tokens? A. Yes, with both hardware or virtual MFA devices B. Yes, but only virtual MFA devices. C. Yes, but only physical (hardware) MFA devices. D. No

A. Yes, with both hardware or virtual MFA devices

In a management network scenario, which interface on the instance handles public-facing traffic? A. Primary network interface B. Subnet interface C. Secondary network interface

C. Secondary network interface | http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

By default, what happens to ENIs that are automatically created and attached to EC2 instances when the attached instance terminates? A. Remain as is B. Terminate C. Hibernate D. Pause

B. Terminate

What does ec2-create-group do with respect to the Amazon EC2 security groups? A. Creates a new rule inside the security group. B. Creates a new security group for use with your account. C. Creates a new group inside the security group. D. Groups the user-created security groups into a new group for easy access

B. Creates a new security group for use with your account “If you’re using the command line interface, you would use the ec2-create-group command to create a security group and then the ec2-authorize command to add a rule to the security group…” (https://aws.amazon.com/articles/1233/)

What is the default VPC security group limit? A. 500 B. 50 C. 5 D. There is no limit

Answer is A Amazon Virtual Private Cloud (Amazon VPC) Limits Security groups per VPC 500 http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

Is there a method or command in the IAM system to allow or deny access to a specific instance? A. Only for VPC based instances B. Yes C. No

C. No Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to the operating system of specific Amazon EC2 instances. There’s no method in the IAM system to allow or deny access to the operating system of a specific instance. http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-evaldenyallow – By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.) – An explicit allow overrides this default. – An explicit deny overrides any allows.

After an Amazon EC2-VPC instance is launched, can I change the VPC security groups it belongs to? A. No B. Yes C. Only if you are the root user D. Only if the tag “VPC_Change_Group” is true

Answer is B: Yes. This is because the question is talking about EC2-VPC. In EC2-Classic you cannot change the Security Group while the instance is up and running. In EC2-VPC, you can change security groups. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

In Amazon CloudWatch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A. FreeStorage B. FreeStorageVolume C. FreeStorageSpace D. FreeStorageAllocation

Ans: C http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/rds-metricscollected.html

A Provisioned IOPS SSD volume must be at least _____ GB in size. A. 1 B. 6 C. 20 D. 4

D http://docs.aws.amazon.com/zh_cn/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

You are a solutions architect working for a company that specializes in ingesting large data feeds (using Kinesis) and then analyzing these feeds using Elastic Map Reduce (EMR). The results are then stored on a custom MySQL database which is hosted on an EC2 instance which has 3 volumes, the root/boot volume, and then 2 additional volumes which are striped into a RAID 1. Your company recently had an outage and lost some key data and have since decided that they will need to run nightly backups. Your application is only used during office hours, so you can afford to have some down time in the middle of the night if required. You decide to take a snapshot of all three volumes every 24 hours. In what manner should you do this? A. Take a snapshot of each volume independently, while the EC2 instance is running. B. Stop the EC2 instance and take a snapshot of each EC2 instance independently. Once the snapshots are complete, start the EC2 instance and ensure that all relevant volumes are remounted. C. Add two additional volumes to the existing RAID 0 volume and mirror these volumes creating a RAID 10. Take a snap of only the two new volumes. D. Create a read replica of the existing EC2 instance and then take your snapshots from the read replica and not the live EC2 instance.

B. Stop the EC2 instance and take a snapshot of each EC2 instance independently. Once the snapshots are complete, start the EC2 instance and ensure that all relevant volumes are remounted. If the instance is not shutdown, any data available in the cache will not be a part of the snapshot. Snapshots are taken on the data available in the volumes. Due to the statement – “Your application is only used during office hours, so you can afford to have some down time in the middle of the night if required” – Hence we take snapshots after the system is shutdown

What are the valid methodologies for encrypting data on S3? A. Server Side Encryption (SSE)-S3, SSE-C, SSE-KMS or a client library such as Amazon S3 Encryption Client. B. Server Side Encryption (SSE)-S3, SSE-A, SSE-KMS or a client library such as Amazon S3 EncryptionClient. C. Server Side Encryption (SSE)-S3, SSE-C, SSE-SSL or a client library such as Amazon S3 Encryption Client. D. Server Side Encryption (SSE)-S3, SSE-C, SSE-SSL or a server library such as Amazon S3 Encryption Client.

A. Server Side Encryption (SSE)-S3, SSE-C, SSE-KMS or a client library such as Amazon S3 Encryption Client. http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/serv-side-encryption.html

In Identity and Access Management, when you first create a new user, certain security credentials are automatically generated. Which of the below are valid security credentials? A. Access Key ID, Authorized Key B. Private Key, Secret Access Key C. Private Key, Authorized Key D. Access Key ID, Secret Access Key

D. Access Key ID, Secret Access Key https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.

Amazon Web Services offer 3 different levels of support, which of the below are valid support levels. A. Corporate, Business, Developer B. Enterprise, Business, Developer C. Enterprise, Business, Free Tier D. Enterprise, Company, Free Tier

B. Enterprise, Business, Developer https://aws.amazon.com/premiumsupport/faqs/ Q: What level of architecture support is provided by Support? The level of architecture support provided varies by support level. Higher service levels provided progressively more support for the customer use case and application specifics. Developer: Building Blocks Guidance on how to use all AWS products, features, and services together. Includes guidance on best practices and generalized architectural advice. Business: Use Case Guidance Guidance on what AWS products, features, and services to use to best support your specific use cases. Includes guidance on optimizing AWS products and configuration to meet your specific needs. Enterprise: Application Architecture Consultative partnership supporting specific use cases and applications. Includes design reviews and architectural guidance. Enterprise-level customers support team includes a dedicated Technical Account Manager and access to an AWS Solutions Architect.

``` You are a solutions architect working for a large digital media company. Your company is migrating their production estate to AWS and you are in the process of setting up access to the AWS console using Identity Access Management (IAM). You have created 5 users for your system administrators. What further steps do you need to take to enable your system administrators to get access to the AWS console? ``` A. Generate an Access Key ID & Secret Access Key, and give these to your system administrators. B. Enable multi-factor authentication on their accounts and define a password policy. C. Generate a password for each user created and give these passwords to your system administrators. D. Give the system administrators the secret access key and access key id, and tell them to use these credentials to log in to the AWS console.

C: Generate a password for each user created and give these passwords to your system administrators. The AWS Management Console You create a password for each user who needs access to the AWS Management Console. Users access the console via your IAM-enabled AWS account sign-in page. http://docs.aws.amazon.com/IAM/latest/UserGuide/console_controlling-access.html

Amazon S3 buckets in all Regions provide which of the following? A. Read-after-write consistency for PUTS of new objects AND Strongly consistent for POST & DELETES B. Read-after-write consistency for POST of new objects AND Eventually consistent for overwrite PUTS & DELETES C. Read-after-write consistency for PUTS of new objects AND Eventually consistent for overwrite PUTS & DELETES D. Read-after-write consistency for POST of new objects AND Strongly consistent for POST & DELETES

C. Read-after-write consistency for PUTS of new objects AND Eventually consistent for overwrite PUTS & DELETES https://aws.amazon.com/s3/faqs/

What function of an AWS VPC is stateless? A. Security Groups B. Elastic Load Balancers C. Network Access Control Lists D. EC2

C. Network Access Control Lists http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

Which of the following services allows you root access (i.e. you can login using SSH)? A. Elastic Load Balancer B. Elastic Map Reduce C. Elasticache D. RDS

B. Elastic Map Reduce

When trying to grant an Amazon account access to S3 using access control lists what method of identification should you use to identify that account with? A. The email address of the account or the canonical user ID B. The AWS account number C. The ARN D. An email address with a 2FA token

A. The email address of the account or the canonical user ID https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html A grantee can be an AWS account or one of the predefined Amazon S3 groups. You grant permission to an AWS account by the email address or the canonical user ID. However, if you provide an email in your grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACLs will always contain the canonical user ID for the AWS account, not the AWS account’s email address.

You are a solutions architect working for a large oil and gas company. Your company runs their production environment on AWS and has a custom VPC. The VPC contains 3 subnets, 1 of which is public and the other 2 are private. Inside the public subnet is a fleet of EC2 instances which are the result of an autoscaling group. All EC2 instances are in the same security group. Your company has created a new custom application which connects to mobile devices using a custom port. This application has been rolled out to production and you need to open this port globally to the internet. What steps should you take to do this, and how quickly will the change occur? A. Open the port on the existing network Access Control List. Your EC2 instances will be able to communicate on this port after a reboot. B. Open the port on the existing network Access Control List. Your EC2 instances will be able to communicate over this port immediately. C. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port immediately. D. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port as soon as the relevant Time To Live (TTL) expires.

C. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port immediately.

Which of the following is not supported by AWS Import/Export? A. Import to Amazon S3 B. Export from Amazon S3 C. Import to Amazon EBS D. Import to Amazon Glacier E. Export from Amazon Glacier

E. Export from Amazon Glacier http://docs.aws.amazon.com/zh_cn/AWSImportExport/latest/DG/whatisdisk.html

Which of the following is not a service of the security category of the AWS trusted advisor service? A. Security Groups – Specific Ports Unrestricted B. MFA on Root Account C. IAM Use D. Vulnerability scans on existing VPCs.

D. Vulnerability scans on existing VPCs.

You work for a market analysis firm who are designing a new environment. They will ingest large amounts of market data via Kinesis and then analyze this data using Elastic Map Reduce. The data is then imported into a high-performance NoSQL Cassandra database which will run on EC2 and then be accessed by traders from around the world. The database volume itself will sit on 2 EBS volumes that will be grouped into a RAID 0 volume. They are expecting very high demand during peak times, with an IOPS performance level of approximately 15,000. Which EBS volume should you recommend? A. Magnetic B. General Purpose SSD C. Provisioned IOPS (PIOPS) D. Turbo IOPS (TIOPS)

C. Provisioned IOPS (PIOPS)

What are the different types of virtualization available on EC2? A. Pseudo-Virtual (PV) & Hardware Virtual Module (HSM) B. Para-Virtual (PV) & Hardware Virtual Machine (HVM) C. Pseudo-Virtual (PV) & Hardware Virtual Machine (HVM) D. Para-Virtual (PV) & Hardware Virtual Module (HSM)

B. Para-Virtual (PV) & Hardware Virtual Machine (HVM) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html Linux Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main difference between PV and HVM AMIs is the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.

Which of the following is not a valid configuration type for AWS Storage gateway. A. Gateway-accessed volumes B. Gateway-cached volumes C. Gateway-stored volumes D. Gateway-Virtual Tape Library

A. Gateway-accessed volumes https://docs.aws.amazon.com/storagegateway/latest/userguide/StorageGatewayConcepts.html

You have started a new role as a solutions architect for an architectural firm that designs large sky scrapers in the Middle East. Your company hosts large volumes of data and has about 250Tb of data on internal servers. They have decided to store this data on S3 due to the redundancy offered by it. The company currently has a telecoms line of 2Mbps connecting their head office to the internet. What method should they use to import this data on to S3 in the fastest manner possible? A. Upload it directly to S3 B. Purchase and AWS Direct connect and transfer the data over that once it is installed. C. AWS Data Pipeline D. AWS Import/Export

D. AWS Import/Export You can create up to 50 jobs per day”. 50 * 16TB = 800 TB per day. http: //docs.aws.amazon.com/AWSImportExport/latest/DG/CHAP_GuideAndLimit.html http: //docs.aws.amazon.com/AWSImportExport/latest/DG/shipping-multiple-devices.html Direct Connect isn’t available in the middle east.

You are designing a site for a new start up which generates cartoon images for people automatically. Customers will log on to the site, upload an image which is stored in S3. The application then passes a job to AWS SQS and a fleet of EC2 instances poll the queue to receive new processing jobs. These EC2 instances will then turn the picture into a cartoon and will then need to store the processed job somewhere. Users will typically download the image once (immediately), and then never download the image again. What is the most commercially feasible method to store the processed images? A. Rather than use S3, store the images inside a BLOB on RDS with Multi-AZ configured for redundancy. B. Store the images on S3 RRS, and create a lifecycle policy to delete the image after 24 hours. C. Store the images on glacier instead of S3. D. Use elastic block storage volumes to store the images.

B. Store the images on S3 RRS, and create a lifecycle policy to delete the image after 24 hours. Reduced Redundancy Storage http://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/UsingRRS.html

You are hosting a website in Ireland called aloud.guru and you decide to have a static DR site available on S3 in the event that your primary site would go down. Your bucket name is also called “acloudguru”. What would be the S3 URL of the static website? A. https://acloudguru.s3-website-eu-west-1.amazonaws.com B. https://s3-eu-east-1.amazonaws.com/acloudguru C. https://acloudguru.s3-website-us-east-1.amazonaws.com D. https://s3-eu-central-1.amazonaws.com/acloudguru

A. https://acloudguru.s3-website-eu-west-1.amazonaws.com hosting a website in Ireland => Region: eu-west-1 Correct Answer is A(https://acloudguru.s3-website-eu-west-1.amazonaws.com) Bucket name comes first, which is acloudguru, and eu-west-1 is Ireland.

Which of the following is NOT a valid SNS subscribers? A. Lambda B. SWF C. SQS D. Email E. HTTPS F. SMS

B. SWF

You are appointed as your company’s Chief Security Officer and you want to be able to track all changes made to your AWS environment, by all users and at all times, in all regions. What AWS service should you use to achieve this? A. CloudAudit B. CloudWatch C. CloudTrail D. CloudDetective

C. CloudTrail

You have a high performance compute application and you need to minimize network latency between EC2 instances as much as possible. What can you do to achieve this? A. Use Elastic Load Balancing to load balance traffic between availability zones B. Create a CloudFront distribution and to cache objects from an S3 bucket at Edge Locations. C. Create a placement group within an Availability Zone and place the EC2 instances within that placement group. D. Deploy your EC2 instances within the same region, but in different subnets and different availability zones so as to maximize redundancy.

C. Create a placement group within an Availability Zone and place the EC2 instances within that placement group.

Amazon S3 buckets in the US Standard region do not provide eventual consistency. A. True B. False

B. False https://forums.aws.amazon.com/ann.jspa?annID=3112

Placement Groups can be created across 2 or more Availability Zones. A. True B. False

B. False

You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes. A. True B. False

A. True

You are creating your own relational database on an EC2 instance and you need to maximize IOPS performance. What can you do to achieve this goal? A. Add a single additional volume to the EC2 instance with provisioned IOPS. B. Create the database on an S3 bucket. C. Add multiple additional volumes with provisioned IOPS and then create a RAID 0 stripe across those volumes. D. Attach the single volume to multiple EC2 instances so as to maximize performance.

C. Add multiple additional volumes with provisioned IOPS and then create a RAID 0 stripe across those volumes. http://mytechinterests.blogspot.com.au/2016/06/amazon-scenario-questions.html Question 17

Which of the services below do you get root access to? A. Elasticache & Elastic MapReduce B. RDS & DynamoDB C. EC2 & Elastic MapReduce D. Elasticache & DynamoDB

C. EC2 & Elastic MapReduce Explanation: AWS provides the root or system privileges only for a limited set of services, which includes Elastic Cloud Compute (EC2) Elastic MapReduce (EMR) Elastic BeanStalk Opswork AWS does not provide root privileges for managed services like RDS, DynamoDB, S3, Glacier etc For RDS, if you need Admin privileges or want to use features not enabled by RDS, you can go with the Database on EC2 approach

``` Using SAML (Security Assertion Markup Language 2.0) you can give your federated users single sign-on (SSO) access to the AWS Management Console. ``` A. True B. False

A. True http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

You can have 1 subnet stretched across multiple availability zones. A. True B. False

B. False

When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones. A. True B. False

A. True http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

It is possible to transfer a reserved instance from one Availability Zone to another. A. True B. False

A. True You can modify the Availability Zone, scope, network platform, or instance size (within the same instance type) of your Reserved Instance. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html

You have an EC2 instance which needs to find out both its private IP address and its public IP address. To do this you need to; A. Run IPCONFIG (Windows) or IFCONFIG (Linux) B. Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/ C. Retrieve the instance Userdata from http://169.254.169.254/latest/meta-data/ D. Use the following command; AWS EC2 displayIP

B. Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/

To retrieve instance metadata or userdata you will need to use the following IP Address; A. http://127.0.0.1 B. http://192.168.0.254 C. http://10.0.0.1 D. http://169.254.169.254

D. http://169.254.169.254

Amazon S3 buckets in all other regions (other than US Standard) provide read-after-write consistency for PUTS of new objects. A. True B. False

A. True

Amazon S3 provides; A. Unlimited File Size for Objects B. Unlimited Storage C. A great place to run a No SQL database from D. The ability to act as a web server for dynamic content (i.e. can query a database)

B. Unlimited Storage

In order to enable encryption at rest using EC2 and Elastic Block Store you need to A. Configure encryption when creating the EBS volume B. Configure encryption using the appropriate Operating Systems file system C. Configure encryption using X.509 certificates D. Mount the EBS volume into S3 and then encrypt the bucket using a bucket policy.

A. Configure encryption when creating the EBS volume

You can select a specific Availability Zone in which to place your DynamoDB Table A. True B. False

B. False You need to choose Subnet and AZ for RDS instance, but not for DynamoDB

When creating an RDS instance you can select which availability zone in which to deploy your instance. A. True B. False

A. True

Amazon’s Redshift uses which block size for its columnar storage? A. 2KB B. 8KB C. 16KB D. 32KB E. 1024KB / 1MB

E. 1024KB / 1MB http://docs.aws.amazon.com/zh_cn/redshift/latest/dg/c_columnar_storage_disk_mem_mgmnt.html

You run a website which hosts videos and you have two types of members, premium fee paying members, and free members. All videos uploaded by both your premium members and free members are processed by a fleet of EC2 instances which will poll SQS as videos are uploaded. However, you need to ensure that your premium fee paying members videos have a higher priority than your free members. How do you design SQS? A. SQS allows you to set priorities on individual items within the queue, so simply set the fee paying members at a higher priority than your free members. B. Create two SQS queues, one for premium members and one for free members. Program your EC2 fleet to poll the premium queue first and if empty, to then poll your free members SQS queue. C. SQS would not be suitable for this scenario. It would be much better to use SNS to encode the videos.

B. Create two SQS queues, one for premium members and one for free members. Program your EC2 fleet to poll the premium queue first and if empty, to then poll your free members SQS queue.