AWS Certified Cloud Practitioner Practice Test 5 (Bonso) Flashcards

1
Q
What is the main benefit of deploying instances to multiple availability zones?
A.Agility
B.High Availability
C.Cost Optimization
D.Security
A

B.High Availability

Explanation:
When you launch an instance, you can select your preferred Availability Zone or let AWS choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests.

High Availability (HA) describes systems that are dependable enough to operate continuously without fail. They are well-tested and sometimes equipped with redundant components.

Hence, the correct answer is: High Availability.

Agility, Cost Optimization, and Security are all incorrect because these options are not related to deploying instances to multiple availability zones.

Agility is the ability to rapidly develop, test, and launch software applications that drive business growth. Cost Optimization is the ability to avoid or eliminate unneeded cost or suboptimal resources. Security is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

2
Q
Which of the following AWS services allows you to query data directly in Amazon S3? (Select TWO.)
A.Amazon ElastiCache
B.Amazon Athena
C.Amazon Neptune
D.Amazon MQ
E.Amazon Redshift Spectrum
A

B.Amazon Athena
E.Amazon Redshift Spectrum

Explanation:
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to set up or manage, and you can start analyzing data immediately. You don’t even need to load your data into Athena; it works directly with data stored in S3.

Amazon Redshift Spectrum allows you to query and retrieve structured and semistructured data from files in Amazon S3 without having to load the data into Amazon Redshift tables. Much of the processing occurs in the Redshift Spectrum layer, and most of the data remains in Amazon S3. Multiple clusters can concurrently query the same dataset in Amazon S3 without the need to make copies of the data for each cluster.

Therefore, the correct options are:

  • Amazon Athena
  • Amazon Redshift Spectrum

Amazon MQ, Amazon Neptune, and Amazon ElastiCache are all incorrect because these services are not suitable for querying data in Amazon S3. Amazon MQ is a message broker service for Apache ActiveMQ. Amazon Neptune is a fully managed graph database service. Amazon ElastiCache is an in-memory data store and caching service.

3
Q
Which of the following services allows you to quickly query data in S3 using SQL without having to set up and manage any servers?
A.Amazon Athena
B.AWS Step Functions
C.Amazon SQS
D.Amazon Lambda
A

A.Amazon Athena

Explanation:
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to set up or manage, and you can start analyzing data immediately. You don’t even need to upload your data into Athena, as it works directly with data stored in S3.

Hence, the correct answer is: Amazon Athena.

Amazon SQS is incorrect because this is a message queue service used by distributed applications to exchange messages through a polling model, and can be used to decouple sending and receiving components. You use Amazon SQS to decouple your applications, and not for querying data in S3.

AWS Lambda and AWS Step Functions are both incorrect. These serverless services don’t have a built-in capability to analyze data in Amazon S3 using standard SQL.

4
Q

Which of the following benefits do AWS Organizations provide? (Select TWO.)
A.Automate AWS account creation and management
B.Allow Active Directory Access Controls
C.Records AWS API calls
D.Ability to create IAM Roles
E.Centrally manage policies across multiple AWS accounts

A

A.Automate AWS account creation and management
E.Centrally manage policies across multiple AWS accounts

Explanation:
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance.

AWS Organizations benefits are:

  • Centrally Manage Policies across Multiple AWS Accounts
  • Automate AWS Account Creation and Management
  • Consolidate Billing across Multiple AWS Accounts
  • Govern Access to AWS Services, Resources, and Regions
  • Configure AWS Services Across Multiple Accounts

Hence, the correct options that correctly describe AWS Organizations are:

  • Automate AWS account creation and management
  • Centrally manage policies across multiple AWS accounts

The option that says: Ability to create IAM Roles is incorrect because this is a feature of AWS IAM and not AWS Organizations. IAM uses roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources.

The option that says: Allow Active Directory access controls is incorrect because it is not a benefit of AWS Organizations. This option is related to AWS Managed Microsoft AD.

The option that says: Records AWS API calls is incorrect because this function belongs to AWS CloudTrail, a service that provides a record of actions taken by a user, role, or AWS service in your AWS environment. AWS Organizations does not provide an event history of your AWS account.

5
Q
Which of the following AWS resources is a zonal service? (Select TWO.)
A.Amazon Route 53
B.Amazon S3
C.AWS IAM
D.Amazon EBS
E.Amazon EC2
A

D.Amazon EBS
E.Amazon EC2

Explanation:
Global services are not tied to a specific region and can be used in all regions. Regional services are accessible by any resources within the same region. Zonal services, or Availability Zone services, are resources hosted in a specific zone and are also called per-zone resources. Zone-specific resources are unique to that zone and are only usable by other resources in the same zone.

Amazon EC2 provides compute capacity in the cloud, and Amazon EBS is a block storage service. Both are created in a specific Availability Zone, and an EBS volume can be attached only to instances in that same Availability Zone.

Hence, the correct options in this scenario are:

  • Amazon EC2
  • Amazon EBS

Amazon S3, Amazon Route 53, and AWS IAM are all incorrect because these are global services offered by AWS. These services can be used across all AWS regions and are not zone-specific.

6
Q
Which of the following Amazon RDS features should you use to achieve high availability with automatic failover?
A.RDS Multi-AZ Deployments
B.RDS Performance Insights
C.DB Snapshots
D.RDS Read Replica
A

A.RDS Multi-AZ Deployments

Explanation:
Amazon Relational Database Service is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.

RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.

Amazon RDS Multi-AZ deployments provide enhanced availability for database instances within a single AWS Region. With Multi-AZ, your data is synchronously replicated to a standby in a different Availability Zone (AZ). In the event of an infrastructure failure, Amazon RDS performs an automatic failover to the standby, minimizing disruption to your applications.

Hence, the correct answer is: RDS Multi-AZ Deployments.

RDS Read Replica is incorrect because it just enables you to create one or more read-only copies of your database instance within the same AWS Region or in a different AWS Region. The updates made to the source database are then asynchronously copied to your Read Replicas. Moreover, it doesn’t provide high availability and automatic failover.

DB Snapshots is incorrect because it only creates a snapshot of your DB instance. It helps store a backup of your data but not achieve a high availability architecture.

RDS Performance Insights is incorrect because this feature does not provide enhanced availability for your database instances. RDS Performance Insights is simply a database performance tuning and monitoring feature that helps you quickly assess the load on your database, and determine when and where to take action.

7
Q
Which of the following services connects VPCs and on-premises networks through a central hub?
A.Amazon VPC Peering
B.AWS Transit Gateway
C.AWS Direct Connect
D.AWS Client VPN
A

B.AWS Transit Gateway

Explanation:
AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

Without AWS Transit Gateway:

Without a central hub, the network complexity increases with scale. You must maintain routing tables within each VPC and connect to each onsite location using separate network gateways.

With AWS Transit Gateway:

Your network is more streamlined and scalable if you use a centralized hub. AWS Transit Gateway routes all traffic to and from each VPC or VPN, and you have one place to manage and monitor it all.

Hence, the correct answer is: AWS Transit Gateway.

AWS Client VPN is incorrect because this is just a VPN service used to securely access your AWS resources and resources in your on-premises network. You can’t use AWS Client VPN to connect and manage multiple VPCs.

VPC Peering is incorrect. Although this service could connect two or more VPCs, it is not appropriate to use if you are managing multiple VPC peering connections and on-premises networks at scale.

AWS Direct Connect is incorrect because this is a dedicated network connection from your on-premises environment to AWS. Direct Connect doesn’t support peering between VPCs unless it is associated with a Transit Gateway.

8
Q

Which of the following advantages of cloud computing describes the continual price reduction of AWS services?
A.Trade capital expense for variable expense
B.Stop guessing capacity
C.Benefit from massive economies of scale
D.Stop spending money running and maintaining data centers

A

C.Benefit from massive economies of scale

Explanation:
Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the Internet with pay-as-you-go pricing. Whether you are running applications that share photos to millions of mobile users or supporting your business’s critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources.

One of the benefits of using cloud computing is achieving a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.

Hence, the correct answer is: Benefit from massive economies of scale.

Stop guessing capacity, Stop spending money running and maintaining data centers, and Trade capital expense for variable expense are all incorrect because these are not the appropriate advantages that describe the continual price reduction of AWS services.

Stop guessing capacity - allows you to access as much or as little capacity as you need in AWS, and scale up and down as required with only a few minutes’ notice.

Stop spending money running and maintaining data centers - lets you focus on projects that differentiate your business, not the infrastructure.

Trade capital expense for variable expense - instead of having to invest heavily in data centers and servers before you know how you’re going to use them, you can pay only when you consume computing resources, and pay only for how much you consume.

9
Q

Which of the following is a benefit of using AWS Global Accelerator?
A.Accelerates server performance of your Amazon EC2 instances globally
B.Provides a highly durable data store in AWS
C.Decreased latency in accessing applications hosted in AWS
D.Reduces server costs in running AWS services

A

C.Decreased latency in accessing applications hosted in AWS

Explanation:
AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. It provides you with static IP addresses that serve as a fixed entry point to your applications hosted in one or more AWS Regions. These IP addresses are anycast from AWS edge locations, so they’re announced from multiple AWS edge locations at the same time. This enables traffic to ingress onto the AWS global network as close to your users as possible.

Global Accelerator uses the AWS global network to optimize the path from your users to your applications, improving the performance of your traffic by as much as 60%.

Hence, the correct answer in this scenario is: Decreased latency in accessing applications hosted in AWS.

The following options are incorrect because these are not the benefits of using AWS Global Accelerator:

  • Accelerates server performance of your Amazon EC2 instances globally
  • Reduces server costs in running AWS services
  • Provides a highly durable data store in AWS
10
Q
Which configuration management service in AWS helps you configure applications and manage resources in your cloud architecture by using Puppet or Chef?
A.AWS Trusted Advisor
B.AWS Config
C.AWS OpsWorks
D.AWS Management Console
A

C.AWS OpsWorks

Explanation:
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed and managed across your Amazon EC2 instances or on-premises compute environments.

OpsWorks has three offerings:

AWS OpsWorks for Chef Automate is a fully managed configuration management service that hosts Chef Automate, a suite of automation tools from Chef for configuration management, compliance and security, and continuous deployment.

AWS OpsWorks for Puppet Enterprise is a fully managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management.

AWS OpsWorks Stacks is an application and server management service. With OpsWorks Stacks, you can model your application as a stack containing different layers, such as load balancing, database, and application server.

Hence, the correct answer is: AWS OpsWorks.

AWS Trusted Advisor is incorrect because this is not a configuration management service for Chef and Puppet. Trusted Advisor is just a tool that provides you with real-time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor provides recommendations for Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.

AWS Management Console is incorrect because this is only a web interface for Amazon Web Services that allows you to access and manage cloud services. This option is not related to Chef and Puppet.

AWS Config is incorrect because this is not a suitable service for automated configuration management using Chef or Puppet. Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config as your framework for creating and deploying governance and compliance rules across your AWS accounts and regions.

11
Q
What is the cloud computing model for services like Amazon RDS and Amazon ECS?
A.FaaS 
B.IaaS
C.PaaS
D.SaaS
A

C.PaaS

Explanation:
There are three main models for cloud computing. Each model represents a different part of the cloud computing stack:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

Platform as a Service, sometimes abbreviated as PaaS, removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

Amazon RDS and ECS are considered PaaS because you don’t need to worry about setting up servers, storage, and network. You only manage the application and the data.

IaaS, or infrastructure as a service, is incorrect. IaaS contains the basic building blocks for cloud IT and typically provides networking features, computers (virtual or on dedicated hardware), and data storage space. IaaS lets you manage your own infrastructure, but in RDS and ECS you don’t have total control over what can be done within the instances. Therefore, it’s incorrect.

SaaS, or software as a service, is incorrect. Software as a Service provides you with a completed product that is run and managed by the service provider. With a SaaS offering, you only need to think about how you will use that particular piece of software. RDS and ECS are not a complete product since you are still managing the application and the data.

FaaS, or function as a service, is incorrect. Amazon RDS and ECS are not serverless computing services that execute modular pieces of code.

12
Q
A developer needs to install their application in Docker containers. Which of the following services eliminates the need to manage containers manually?
A.Amazon ECS
B.AWS Fargate
C.Amazon FSx
D.Amazon EC2
A

B.AWS Fargate

Explanation:
AWS Fargate is a serverless compute engine for containers. Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Fargate lets you define your application content, networking, storage, and scaling requirements. There is no provisioning, patching, cluster capacity management, or any infrastructure management required.

Hence, the correct answer in this scenario is: AWS Fargate.

Amazon FSx is incorrect because this is primarily used as a file system for Windows-based applications.

Amazon ECS is incorrect because by using this service, you still need to manage your own EC2 instances where your containers are hosted.

Amazon EC2 is incorrect since you still need to provision and manage your Docker containers that are hosted in these EC2 instances.

13
Q

A company needs access to the full set of monitoring checks in AWS Trusted Advisor to ensure that its cloud environment is well-architected.

What is the MOST cost-effective support plan that the company should avail of?
A.Basic
B.Business
C.Enterprise
D.Developer
A

B.Business

Explanation:
AWS Support offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. All support plans offer 24x7 access to customer service, AWS documentation, whitepapers, and support forums. For technical support and more resources to plan, deploy, and improve your AWS environment, you can select a support plan that best aligns with your AWS use case.

In addition to what is available with Basic Support, Business Support provides:

AWS Trusted Advisor - Access to the full set of Trusted Advisor checks and guidance to provision your resources following best practices to help reduce costs, increase performance and fault tolerance, and improve security.

AWS Personal Health Dashboard - Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security.

Enhanced Technical Support - 24x7 access to Cloud Support Engineers via phone, chat, and email. You can have an unlimited number of contacts that can open an unlimited amount of cases.

Hence, the correct answer is: Business support plan.

The option that says: Enterprise is incorrect. Although it provides you with the full set of checks, this support plan is not cost-effective compared with the Business support plan.

The options that say: Basic and Developer are both incorrect because these support plans only provide the 7 core checks in AWS Trusted Advisor.

14
Q
A team of developers needs to run hundreds of thousands of fully managed batch computing jobs on AWS. Which of the following services should they choose?
A.AWS Elastic Beanstalk
B.AWS Fargate
C.AWS Lambda
D.AWS Batch
A

D.AWS Batch

Explanation:
AWS Batch is a set of batch management capabilities that enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources based on the volume and specific resource requirements of the batch jobs submitted.

AWS Batch manages compute environments and job queues, allowing you to easily run thousands of jobs of any scale using EC2 and Spot Instances. It carefully monitors the progress of your jobs. When capacity is no longer needed, it will be removed.

Hence, the correct answer is: AWS Batch.

AWS Lambda and AWS Fargate are both incorrect since these are just serverless computing services. Lambda lets you run code without provisioning or managing servers, while Fargate removes the need to provision and manage servers using a serverless compute engine built for containers on AWS. Therefore, these services are not suitable for running hundreds of thousands of batch computing jobs.

AWS Elastic Beanstalk is incorrect because this is simply a managed platform that supports running web applications developed for specific programming languages, frameworks, and web containers. Elastic Beanstalk is a Platform-as-a-Service cloud deployment model, and you don’t manage the underlying infrastructure of this service. It is not suitable for running hundreds of thousands of batch computing jobs on AWS.

15
Q
A customer needs to establish a private connection between two virtual private clouds (VPCs) without using additional software. Which of the following should they use?
A.AWS Direct Connect
B.VPC Peering
C.AWS Site-to-Site VPN
D.Amazon Connect
A

B.VPC Peering

Explanation:
A VPC Peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).

VPC Peering allows VPC resources, including EC2 instances, Amazon RDS databases, and Lambda functions that run in different AWS Regions to communicate with each other using private IP addresses, without requiring gateways, VPN connections, or separate network appliances.

Hence, the correct answer in this scenario is VPC Peering.

Amazon Connect is incorrect because it is an omnichannel cloud contact center service that helps companies provide superior customer service across voice and chat at a lower cost than traditional contact center systems. This service doesn’t provide a private connection between VPCs.

AWS Direct Connect and AWS Site-to-Site VPN are both incorrect because these are used to establish a connection between on-premises networks and AWS. The scenario doesn’t require a hybrid architecture to establish a private connection between two VPCs. Therefore, these services are incorrect.

16
Q

A company plans to encrypt and manage its own encryption keys using a single-tenant hardware security module. The company must also have exclusive control over how its keys are used via an authentication mechanism independent from AWS.

Which service would meet that requirement?
A.AWS KMS
B.Amazon GuardDuty
C.AWS CloudHSM
D.Amazon S3
A

C.AWS CloudHSM

Explanation:
AWS CloudHSM is standards-compliant and enables you to export all of your keys to most other commercially-available HSMs, subject to your configurations. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high-availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

AWS CloudHSM provides you with a FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster similar to the way you interact with your applications running in Amazon EC2. You can use AWS CloudHSM to support a variety of use cases, such as Digital Rights Management (DRM), Public Key Infrastructure (PKI), document signing, and cryptographic functions using PKCS#11, Java JCE, or Microsoft CNG interfaces.

Hence, the correct answer is: AWS CloudHSM.

Amazon GuardDuty is incorrect because this is just a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. This service doesn’t provide you a hardware security module.

Amazon S3 is incorrect because this is simply a storage service and not an encryption service. You can use S3 to store and retrieve any amount of data, at any time, from anywhere on the web. You can store as many objects as you want in one or more buckets, and each object can be up to 5 TB in size.

AWS KMS is incorrect because this service is primarily used to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. KMS CMKs are backed by multi-tenant, FIPS-validated hardware security modules (HSMs) that AWS manages. Remember that the scenario states that the company must also have exclusive control over how its keys are used via an authentication mechanism independent from AWS. To manage your own HSMs, use AWS CloudHSM.

17
Q
An e-commerce company launches several EC2 instances to run their web application. Which of the following services can be used to help ensure security compliance? (Select TWO.)
A.AWS Trusted Advisor
B.AWS OpsWorks
C.AWS CloudFormation
D.Amazon Inspector
E.Amazon MQ
A

A.AWS Trusted Advisor
D.Amazon Inspector

Explanation:
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

Hence, the correct options are:

  • Amazon Inspector
  • AWS Trusted Advisor

Amazon MQ is incorrect because this is a message broker service, not a security compliance service. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

AWS OpsWorks is incorrect because this is a configuration management service that helps customers configure and operate applications, both on-premises and in the AWS Cloud, using Chef and Puppet. This service is not related to security compliance.

AWS CloudFormation is incorrect because it only helps you turn your infrastructure into code and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. CloudFormation automates and simplifies the task of repeatedly and predictably creating groups of related resources that power your applications; it is not a security compliance service.

18
Q
Which of the following AWS services helps you coordinate the components of distributed applications and microservices using visual workflows?
A.Amazon API Gateway
B.AWS Batch
C.Amazon Rekognition
D.AWS Step Functions
A

D.AWS Step Functions

Explanation:
AWS Step Functions is a web service that enables you to coordinate the components of distributed applications and microservices using visual workflows. You build applications from individual components that perform a discrete function, or task, allowing you to scale and change applications quickly. Step Functions provide auditable automation of routine deployments, upgrades, installations, and migrations.

Step Functions can easily automate recurring tasks such as patch management, infrastructure selection, and data synchronization, and Step Functions will automatically scale, respond to timeouts, and retry failed tasks.

Hence, the correct answer is: AWS Step Functions.

Amazon API Gateway is incorrect because this is just a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. This service doesn’t provide a way for you to easily coordinate workflows.

AWS Batch is incorrect because this service simply enables you to run batch computing workloads of any scale. AWS Batch automatically provisions compute resources and optimizes the workload distribution based on the quantity and scale of the workloads. This option is not related to event-driven workflows and orchestration.

Amazon Rekognition is incorrect because this is primarily used for image and video analysis. You can’t use this service for patch management and infrastructure selection.

19
Q
Which of the following pricing options will automatically reduce your cost on any EC2 instance usage regardless of region, instance family, size, OS, or tenancy?
A.On-Demand Instances
B.Savings Plans
C.Reserved Instances
D.Dedicated Hosts
A

B.Savings Plans

Explanation:
Savings Plans is a flexible pricing model that saves up to 72 percent on Amazon EC2, AWS Fargate, and AWS Lambda usage. Savings Plans provides lower prices for your Amazon EC2, Fargate, and Lambda usage in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one- or three-year term.

Savings Plans Types:

Compute Savings Plans provide the most flexibility and prices of up to 66 percent off On-Demand rates. These plans automatically apply to your EC2 instance usage regardless of instance family, instance size, region, operating system, or tenancy.

EC2 Instance Savings Plans provide savings up to 72 percent off On-Demand, in exchange for a commitment to a specific instance family in a chosen AWS Region.

Hence, the correct answer is: Savings Plans.

On-Demand Instances is incorrect because this pricing model lets you pay for compute capacity by the hour or second (with a minimum of 60 seconds) with no long-term commitments. Since you need to reduce your cost, On-Demand is not the best option.

Reserved Instances is incorrect. Although it offers discounts on the hourly cost, you still need to commit to at least a whole year’s worth of instance cost to fully maximize the discounts. If you need to reduce your cost for AWS Fargate, this option is not suitable.

Dedicated Hosts is incorrect since this is just a type of Amazon EC2 instance that runs in a VPC on hardware dedicated to a single customer. This is the most expensive pricing model, so it does not reduce your cost.

20
Q

A high-performance computing (HPC) application needs a storage service in AWS that can be used as a centralized Windows File Server for multiple EC2 instances.

Which of the following should they use?
A.Amazon EBS
B.Amazon EFS
C.Amazon FSx
D.Amazon S3
A

C.Amazon FSx

Explanation:
Amazon FSx makes it easy and cost-effective to launch and run popular file systems. With Amazon FSx, you can leverage the rich feature sets and fast performance of widely-used open source and commercially-licensed file systems, while avoiding time-consuming administrative tasks like hardware provisioning, software configuration, patching, and backups. It provides cost-efficient capacity and high levels of reliability, and it integrates with other AWS services so that you can manage and use the file systems in cloud-native ways.

Amazon FSx provides you with two file systems to choose from:

Amazon FSx for Windows File Server provides fully managed file storage that is accessible over the industry-standard Server Message Block (SMB) protocol.

Amazon FSx for Lustre makes it easy and cost-effective to launch and run the world’s most popular high-performance file system, Lustre.

Hence, the correct answer in this scenario is: Amazon FSx.

Amazon S3 is incorrect because this is just an object storage service. You can’t use this as a centralized Windows File Server.

Amazon EFS is incorrect. Although it is a shared file system storage, EFS only supports Linux workloads.

Amazon EBS is incorrect. An EBS volume can only be accessed by multiple EC2 instances if it is a Provisioned IOPS EBS volume. A more suitable option here is to use Amazon FSx for Windows File Server.

21
Q
A developer plans to build a serverless application with a key-value database. Which of the following AWS services can be used to fulfill this requirement? (Select TWO.)
A.Amazon SageMaker
B.Amazon ECR
C.Amazon RDS
D.Amazon DynamoDB
E.AWS Lambda
A

D.Amazon DynamoDB
E.AWS Lambda

Explanation:
AWS Lambda is a serverless computing service. It lets you run your code without provisioning or managing servers. Serverless computing allows you to build and run applications and services without thinking about servers. With serverless computing, your application still runs on servers, but AWS does all the server management.

Amazon DynamoDB is aligned with the values of Serverless applications: automatic scaling according to your application load, pay-per-what-you-use pricing, easy to get started with, and no servers to manage. It makes DynamoDB a very popular choice for Serverless applications running in AWS.

Hence, the correct options in this scenario are:

  • AWS Lambda
  • Amazon DynamoDB

Amazon RDS is incorrect because it is not a key-value database. RDS is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. Also, RDS is not a suitable fit for key-value pairs.

Amazon ECR is incorrect because this is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images. ECR is not a serverless computing service. If you want to have a serverless container, you can use AWS Fargate.

Amazon SageMaker is incorrect because this is not a serverless service. SageMaker is primarily used to build, train, and deploy machine learning (ML) models quickly.

22
Q
A startup company plans to create a user management and authentication service for its customers. The users need to sign in through an external identity provider to access their web and mobile applications. Which AWS service should they use to meet this requirement?
A.AWS IAM
B.AWS Artifact
C.Amazon Macie
D.Amazon Cognito
A

D.Amazon Cognito

Explanation:
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. It provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google, or Apple.

The two main components of Amazon Cognito are user pools and identity pools.

User pools are user directories that provide sign-up and sign-in options for your app users.

Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.

Cognito is a user management and authentication service that can be integrated into your web or mobile applications. It also enables you to authenticate users through an external identity provider and provides temporary security credentials to access your app’s backend resources in AWS or any service behind Amazon API Gateway.

Hence, the correct answer in this scenario is: Amazon Cognito.

AWS IAM is incorrect because this service only manages users’ access within your own AWS account. AWS IAM is not a suitable service for authenticating users through an external identity provider, and it does not provide mobile authentication either, unlike Amazon Cognito.

Amazon Macie and AWS Artifact are both incorrect because these services are not user management services.

23
Q
A company plans to use AWS to send email updates for their new products through SMTP. Which service should they use?
A.Amazon SES
B.Amazon SWF
C.Amazon SQS
D.Amazon SNS
A

A.Amazon SES

Explanation:
Amazon Simple Email Service is a highly scalable and cost-effective service for sending and receiving email. Amazon SES eliminates the complexity and expense of building an in-house email solution or licensing, installing, and operating a third-party email solution. You can use the SMTP interface or one of the AWS SDKs to integrate Amazon SES directly into your existing applications. You can also embed the email sending capabilities of Amazon SES into the software you already use, such as ticketing systems and email clients.

SES is an excellent solution for anyone who needs a reliable, scalable, and inexpensive way to send and receive email. AWS users include a diverse range of organizations, such as online retailers, application developers, and digital marketing organizations.

Hence, the correct answer in this scenario is: Amazon SES.

Amazon SNS, Amazon SQS, and Amazon SWF are all incorrect since the scenario asks you to send email updates through SMTP, and Amazon SES is the appropriate service to use in this question.

24
Q
A customer needs to store objects that are frequently accessed. To help the customer save costs, you must select a storage service free from retrieval charges. Which of the following S3 storage classes would meet this requirement? (Select TWO.)
A.S3 One Zone IA
B.S3 Standard-IA
C.S3 Standard
D.S3 Intelligent Tiering
E.S3 Glacier Archive
A

C.S3 Standard
D.S3 Intelligent Tiering

Explanation:
S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Because it delivers low latency and high throughput, S3 Standard is appropriate for a wide variety of use cases, including cloud applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics.

The S3 Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead. It works by storing objects in two access tiers: one tier optimized for frequent access and another, lower-cost tier optimized for infrequent access.

The S3 Standard-IA and S3 One Zone-IA storage classes are designed for long-lived and infrequently accessed data. (IA stands for infrequent access.) S3 Standard-IA and S3 One Zone-IA objects are available for millisecond access (same as the S3 Standard storage class). Amazon S3 charges a retrieval fee for these objects, so they are most suitable for infrequently accessed data.

Neither the S3 Standard nor the S3 Intelligent-Tiering storage class charges retrieval fees. Hence, the correct answers are:

  • S3 Standard
  • S3 Intelligent-Tiering

S3 Glacier Deep Archive, S3 Standard-IA, and S3 One Zone-IA are all incorrect since these storage tiers have object retrieval fees.

25
Q
Which of the following provides the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud?
A.AWS Reference Architecture Diagrams
B.AWS Well-Architected Framework
C.Shared Responsibility Model
D.AWS Marketplace
A

B.AWS Well-Architected Framework

Explanation:
AWS Well-Architected Framework has been developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications.

It is based on five pillars, namely:

  1. Operational Excellence - The ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures.
  2. Security - The ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.
  3. Reliability - The ability to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
  4. Performance Efficiency - The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.
  5. Cost Optimization - The ability to avoid or eliminate unneeded cost or suboptimal resources.

The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. By answering a set of foundational questions, you learn how well your architecture aligns with cloud best practices and are provided guidance for making improvements. It provides a consistent approach for customers and partners to evaluate architectures, and implement designs that will scale over time.

Hence, the correct answer is: AWS Well-Architected Framework.

AWS Reference Architecture Diagrams is incorrect because this is simply a collection of technical resources to help you build industry-tested architectures more effectively and efficiently in the AWS Cloud. It does not provide a set of foundational questions that you can use to evaluate if your architecture is aligned with AWS best practices.

AWS Marketplace is incorrect because this is only an online software store that helps customers find, buy, and immediately start using the software and services that run on AWS. It doesn’t provide any architectural best practices in AWS.

Shared Responsibility Model is incorrect because this just describes the specific responsibilities of AWS and of the customer in managing, maintaining, and securing AWS services, including the underlying resources.

26
Q
Which of the following services displays the general status of all available AWS Services and informs you if a service is experiencing availability issues?
A.AWS Personal Health Dashboard
B.AWS Service Health Dashboard
C.AWS CloudTrail
D.Amazon CloudWatch
A

B.AWS Service Health Dashboard

Explanation:
AWS Service Health Dashboard displays the general status of AWS services. It also lets you display the history of a specific service within a geographical area. It is useful for determining whether a failure lies on the AWS side rather than somewhere inside your own network. AWS keeps this history of service interruptions for a year.

Service Health Dashboard provides a complete health check of all services in all regions.

Hence, the correct answer is: AWS Service Health Dashboard.

AWS Personal Health Dashboard is incorrect because it only gives you a personalized view of the performance and availability of the services you are using and not all of the available AWS services. You have to use the AWS Service Health Dashboard to check the current status and status history of all AWS services in various regions.

Amazon CloudWatch and AWS CloudTrail are both incorrect because these services are primarily used to monitor performance and event history of your AWS Services.

27
Q
Which of the following services simplifies contact center operations, improves agent efficiency, lowers costs, and can scale to support millions of customers?
A.AWS Direct Connect
B.Amazon Lex
C.Amazon WorkSpaces
D.Amazon Connect
A

D.Amazon Connect

Explanation:
Amazon Connect provides a seamless experience across voice and chat for your customers and agents. This includes one set of tools for skills-based routing, powerful real-time and historical analytics, and easy-to-use, intuitive management tools – all with pay-as-you-go pricing, which means Amazon Connect simplifies contact center operations, improves agent efficiency, and lowers costs. You can set up a contact center in minutes that can scale to support millions of customers.

Hence, the correct answer is: Amazon Connect.

Amazon Lex is incorrect because this is just a service for building conversational interfaces into any application using voice and text. It is used to build chatbots for everyday consumer requests, such as accessing the latest news updates, game scores, or weather.

Amazon WorkSpaces is incorrect since it is not an omnichannel cloud contact center service. WorkSpaces is simply a secure cloud desktop service, which allows you to provision either Windows or Linux desktops in only a few minutes, and quickly scale to provide thousands of desktops to workers across the globe.

AWS Direct Connect is incorrect because this is not related to contact center operations. Direct Connect is a cloud service solution that makes it easier for you to establish a dedicated network connection from your on-premises network to AWS.

28
Q
A developer needs to set up a message broker service for Apache ActiveMQ for its enterprise application running in AWS. Which service should be used in this scenario?
A.Amazon MQ
B.Amazon WorkMail
C.Amazon Chime
D.Amazon Simple Email Service
A

A.Amazon MQ

Explanation:
Amazon MQ is a managed message broker service for Apache ActiveMQ that makes it easy to set up and operate message brokers in the cloud. Amazon MQ manages the administration and maintenance of ActiveMQ, a popular open-source message broker. You can also get direct access to the ActiveMQ console and industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket.

With Amazon MQ, you can easily move from any message broker that uses these standards to Amazon MQ because you don’t have to rewrite any messaging code in your applications.

Hence, the correct answer in this scenario is: Amazon MQ.

Amazon Simple Email Service is incorrect because this is only a cloud-based email sending service and not a message broker service for Apache ActiveMQ. Amazon SES is designed to help digital marketers and application developers send marketing, notification, and transactional emails.

Amazon Chime is incorrect because this is simply a communications service that lets you meet, chat, and place business calls inside and outside your organization, all using a single application. This service is not suitable for setting up a message broker service.

Amazon WorkMail is incorrect because this is just a service that manages your corporate email infrastructure and eliminates the need for up-front investments to license and provision on-premises email servers. This service does not provide direct access to the ActiveMQ console or to industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket.

29
Q
A customer plans to speed up the time it takes to download data between its clients and S3 bucket over long distances. Which service would meet this requirement?
A.Amazon Route 53
B.Amazon Kinesis
C.Amazon DynamoDB
D.Amazon S3 Transfer Acceleration
A

D.Amazon S3 Transfer Acceleration

Explanation:
Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50% to 500% for long-distance transfers of larger objects. Customers who have either web or mobile applications with widespread users, or applications hosted far away from their S3 bucket, can experience long and variable upload and download times over the Internet.

S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrive at an edge location, they are routed to Amazon S3 over an optimized network path.

Hence, the correct answer is: Amazon S3 Transfer Acceleration.

Amazon DynamoDB is incorrect because this is a non-relational database service that is fully-managed by AWS. You can’t use this service to accelerate the transfer of large objects to your Amazon S3 bucket.

Amazon Kinesis is incorrect because it cannot accelerate the transfer of data over long distances from an S3 bucket. Kinesis is primarily used to collect, process, and analyze real-time streaming data to get timely insights and react quickly to new information.

Amazon Route 53 is incorrect because this service just provides a highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services. You can use Route 53 to route end-users to Internet applications by translating names like tutorialsdojo.com into numeric IP addresses, and not for transferring files in an S3 bucket.

30
Q
Which AWS service can automatically detect a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers?
A.Amazon SageMaker
B.Amazon CloudSearch
C.Amazon Rekognition
D.Amazon Macie
A

D.Amazon Macie

Explanation:
Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how these data are being accessed or moved.

You can use Amazon Macie to automatically detect a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.

Hence, the correct answer is: Amazon Macie.

Amazon Rekognition is incorrect. Although it is a machine learning-based service like Amazon Macie, it is primarily used for image and video analysis but not for detecting personally identifiable information (PII). You can’t use this to protect your sensitive data in AWS.

Amazon CloudSearch is incorrect because this service cannot protect sensitive data in AWS. CloudSearch is a service in the AWS Cloud that is used to set up, manage, and scale a search solution for your website or application in AWS.

Amazon SageMaker is incorrect because this service is primarily used to quickly build, train, and deploy machine learning (ML) models and not detect sensitive information in AWS.

31
Q
Which AWS service allows you to easily manage access to multiple AWS accounts and provide users with single login access?
A.Amazon SWF
B.AWS SSO
C.Amazon SES
D.Amazon SQS
A

B.AWS SSO

Explanation:
AWS Single Sign-On is an AWS service that makes it easy to centrally manage access to multiple AWS accounts and business applications. It also provides users with single sign-on access to all their assigned accounts and applications from one place.

SSO is used to manage your employees’ access to multiple AWS accounts, SAML-enabled cloud applications, and custom-built in-house applications, all from a central place.

Hence, the correct answer is: AWS SSO.

Amazon SES is incorrect because this is just a cloud-based email service designed to help digital marketers and application developers send marketing, notification, and transactional emails. This option does not provide you a feature to log in to multiple AWS accounts.

Amazon SWF and Amazon SQS are both incorrect because these services just facilitate the integration of applications or microservices. These services are not suitable for managing or accessing multiple AWS accounts.

32
Q
A company needs to store frequently accessed data in Amazon S3. How will AWS bill you for storing objects in your S3 buckets?
A.By Number of Requests
B.Per Hour or Second
C.Per GB
D.By Instance Type
A

C.Per GB

Explanation:
Amazon Simple Storage Service (S3) is the object storage of AWS. It is used to store and retrieve any amount of data from anywhere on the Internet. It is also a service that offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at a very low cost.

S3 Standard is the general-purpose storage for any type of data, typically used for frequently accessed data. You only pay for storing objects in your S3 buckets. The rate you are charged depends on your objects’ size, how long you store them, and their storage class.

Hence, the correct answer in this scenario is: Per GB.

Per Hour or Second and By Instance Type are both incorrect because these are not valid S3 bucket pricing tiers. The usage of an EC2 instance is calculated by the hour or second based on the size of the instance, operating system, and the AWS Region where the instances are launched.

By Number of Requests is incorrect because Amazon S3 pricing is based on the size of your objects. It is AWS Lambda that charges based on the number of requests for your functions and the duration it takes for your code to execute.

33
Q

An organization is mandated to secure its Amazon S3 bucket and ensure that it cannot have any public objects to satisfy the compliance requirements.

What S3 feature should be used to easily accomplish this?
A.Network ACL
B.Block Public Access
C.Security Groups
D.VPC EndPoint
A

B.Block Public Access

Explanation:
Amazon S3 provides Block Public Access settings for buckets and accounts to help you manage public access to Amazon S3 resources. By default, new buckets and objects don’t allow public access, but users can modify bucket policies or object permissions to allow public access. Amazon S3 Block Public Access provides settings that override these policies and permissions so that you can limit public access to these resources.

With Amazon S3 Block Public Access, account administrators and bucket owners can easily set up centralized controls to limit public access to their Amazon S3 resources that are enforced regardless of how the resources are created.

When Amazon S3 receives a request to access a bucket or an object, it determines whether the bucket or the bucket owner’s account has a Block Public Access setting. If there is an existing Block Public Access setting that prohibits the requested access, then Amazon S3 rejects the request. Amazon S3 Block Public Access provides four settings. These settings are independent and can be used in any combination, and each setting can be applied to a bucket or to an entire AWS account.

If a bucket has Block Public Access settings that are different from its owner’s account, Amazon S3 applies the most restrictive combination of the bucket-level and account-level settings. Thus, when Amazon S3 evaluates whether an operation is prohibited by a Block Public Access setting, it rejects any request that would violate either a bucket-level or an account-level setting.

Hence, the correct answer is: Block Public Access.

Network ACL is incorrect because a Network ACL is primarily used for VPCs and not in S3 buckets. Amazon S3 has access control lists (ACLs) that enable you to manage access to buckets and objects. Remember that a Network ACL and S3 ACL are different from each other.

Security Group is incorrect because security groups do not apply to Amazon S3.

VPC Endpoint is incorrect because this feature doesn’t ensure that your objects are not accessible publicly. It just enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

34
Q
Which AWS service provides automated reference deployments for key workloads in AWS via CloudFormation templates?
A.AWS Config
B.AWS OpsWorks
C.AWS Quick Starts
D.AWS Systems Manager Automation
A

C.AWS Quick Starts

Explanation:
AWS Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability. These accelerators reduce hundreds of manual procedures into just a few steps, so you can build your production environment quickly and start using it immediately.

Quick Starts provides automated reference deployments for key workloads on the AWS Cloud via CloudFormation templates. Each Quick Start launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

Hence, the correct answer is: AWS Quick Starts.

AWS Systems Manager Automation is incorrect because it doesn’t provide you with automated reference deployments for key workloads. Systems Manager Automation only simplifies the common maintenance and deployment tasks of EC2 instances and other AWS resources.

AWS Config is incorrect because it does not provide automated reference deployments in AWS via CloudFormation templates. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config as your framework for creating and deploying governance and compliance rules across your AWS accounts and regions.

AWS OpsWorks is incorrect because this is not a reference deployment service. OpsWorks is a configuration management service that helps customers configure and operate applications, both on-premises and in the AWS Cloud, using Chef and Puppet.

35
Q
Which of the following services protects your web applications from application-layer attacks such as SQL injection and cross-site scripting?
A.Network Access Control List
B.AWS Shield
C.Security Group
D.AWS WAF
A

D.AWS WAF

Explanation:
AWS Web Application Firewall (WAF) gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers.

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

Hence, the correct answer is AWS WAF.

Network Access Control List is incorrect because this is just a security layer for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. This cannot protect you from SQL injection and cross-site scripting.

Security Group is incorrect because this simply acts as a virtual firewall for your instance to control inbound and outbound traffic. You attach it to an instance and the traffic allowed is controlled via security group rules. This is not related to application-layer attacks.

AWS Shield is incorrect since this is not a suitable service to protect your web applications from common web exploits. AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.

36
Q

Which of the following is an AWS hybrid storage service that allows you to connect your on-premises data storage to Amazon S3 and simplify storage management?
A.AWS Direct Connect
B.AWS Storage Gateway
C.Internet Gateway
D.Amazon S3 Gateway Endpoint
A

B.AWS Storage Gateway

Explanation:
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage in S3. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications.

Storage Gateway supports three key hybrid cloud use cases:

  1. Move backups and archives to the cloud
  2. Reduce on-premises storage with cloud-backed file shares
  3. Provide on-premises applications low latency access to data stored in AWS.

Hence, the correct option is: AWS Storage Gateway.

AWS Direct Connect is incorrect because this does not simplify your management with S3 storage. It only establishes a dedicated connection between your on-premises data center and your AWS cloud resources.

Amazon S3 Gateway Endpoint is incorrect because this is just a VPC endpoint for Amazon S3 that enables AWS services in your VPC to use private IP addresses to access Amazon S3 with no exposure to the public Internet. Since the question asks you to simplify storage management and connect your on-premises storage to S3, AWS Storage Gateway is the appropriate answer.

Internet Gateway is incorrect because this is basically a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the public Internet. It is not a hybrid cloud storage service, unlike AWS Storage Gateway.

37
Q
Which of the following services can establish a connection from your on-premises environment and resources hosted on AWS? (Select TWO.)
A.Amazon Connect
B.AWS Site-to-Site VPN
C.AWS Directory Service
D.AWS Direct Connect
E.AWS Snowcone
A

B.AWS Site-to-Site VPN
D.AWS Direct Connect

Explanation:
The correct options are:

  • AWS Direct Connect
  • AWS Site-to-Site VPN

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.

AWS Site-to-Site VPN creates a secure connection between your data center or branch office and your AWS cloud resources. For globally distributed applications, the Accelerated Site-to-Site VPN option provides even greater performance by working with AWS Global Accelerator.

Amazon Connect is incorrect because this is not a VPN connectivity option. It is a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost.

AWS Directory Service is incorrect because this is not a service for a dedicated network connection from your premises to AWS. Directory Service is a managed service that offers a directory containing information about your organization, including users, groups, computers, and other resources.

AWS Snowcone is incorrect because this is just a portable data transfer device with secure edge computing capability. You can use it to transfer data from your on-premises data center to AWS. However, it can’t be used to establish a dedicated network connection between your on-premises data center and AWS.

38
Q
A company is using Cost Explorer to gain an understanding of its cost trends in AWS. How many months of historical data can Cost Explorer store and display?
A.15 Months
B.6 Months
C.12 months
D.3 months
A

C.12 months

Explanation:
AWS Cost Explorer is a tool that enables you to view and analyze your costs and usage. You can explore your usage and costs using the main graph, the Cost Explorer cost and usage reports, or the Cost Explorer RI reports. It also helps you identify areas that need further inquiry and see trends that you can use to understand your costs.

Cost Explorer can display up to 12 months of historical data, the current month, and the forecasted costs for the next three months.

Hence, the correct answer is: 12 Months.

The option that says: 15 Months is incorrect because this is beyond the capacity of Cost Explorer. A 15-month retention period applies to Amazon CloudWatch, which keeps metric data for 15 months and lets you view both up-to-the-minute and historical data.

The options that say: 6 Months and 3 Months are both incorrect because you can view data for up to the last 12 months using AWS Cost Explorer.

39
Q
In AWS, _______ is a managed service that enables you to easily create and control the encryption keys used for cryptographic operations without having to manage your own hardware module.
A.AWS Systems Manager
B.AWS IAM
C.AWS KMS
D.AWS CloudHSM
A

C.AWS KMS

Explanation:
AWS KMS is a managed service that easily enables you to create and control the keys used for cryptographic operations. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services.

KMS is a managed service that enables you to encrypt your data easily. It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

Hence, the correct answer is: AWS KMS.

AWS Systems Manager is incorrect because this service simply gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. You cannot encrypt data in your AWS resources using AWS SSM.

AWS IAM is incorrect because this is just a service used to securely manage the access of users, roles, and groups to AWS services and resources. This service does not provide a highly available HSM to encrypt data.

AWS CloudHSM is incorrect because this provides hardware security modules in the AWS Cloud that you can manage and control. Remember that in the scenario, the requirement is that you must be able to manage your encryption keys without having to manage your own hardware module. A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. If you want a managed service to create and control your encryption keys, but don’t want to operate your own HSM, consider using AWS Key Management Service.

40
Q
The security team needs to automate security vulnerability assessments throughout their development and production environments. Which service should they use to comply with this requirement?
A.Amazon Inspector
B.Amazon Macie
C.AWS WAF
D.AWS Shield
A

A.Amazon Inspector

Explanation:
Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of the development and IT operations. Amazon Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions.

Amazon Inspector is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.

Hence, the correct answer in this scenario is: Amazon Inspector.

AWS Shield is incorrect because this option is not a security assessment service. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. In addition, AWS Shield is mainly used to protect web applications, TCP-based applications, and UDP-based game servers against a DDoS attack.

AWS WAF is incorrect since this is a web application firewall that helps protect your web applications from common web exploits such as XSS and SQL injection, and not for automated security vulnerability assessments. You use AWS WAF to create custom rules that block common attack patterns and rules that are designed for your specific application.

Amazon Macie is incorrect because it is a data security service, not an automated security assessment service. It uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

41
Q
Which feature will customers have access to by using the AWS Business Support plan?
A.Access to online self-paced labs
B.Concierge Support Team
C.Architecture Support
D.Technical Account Manager
A

C.Architecture Support

Explanation:
AWS Business Support Plan is used if you have production workloads on AWS and want 24x7 access to technical support and architectural guidance in the context of your specific use-cases.

In addition to what is available with Basic Support, Business Support provides:

AWS Trusted Advisor - Access to the full set of Trusted Advisor checks and guidance to provision your resources following best practices to help reduce costs, increase performance and fault tolerance, and improve security.

AWS Personal Health Dashboard - A personalized view of the health of AWS services, and alerts when your resources are impacted. Also includes the Health API for integration with your existing management systems.

Enhanced Technical Support – 24x7 access to Cloud Support Engineers via phone, chat, and email. You can have an unlimited number of contacts that can open an unlimited number of cases. Response times are as follows:

  • General Guidance - < 24 hours
  • System Impaired - < 12 hours
  • Production System Impaired - < 4 hours
  • Production System Down - < 1 hour

Architecture Support – Contextual guidance on how services fit together to meet your specific use-case, workload, or application.

AWS Support API - Programmatic access to AWS Support Center features to create, manage, and close your support cases, and operationally manage your Trusted Advisor check requests and status.

Third-Party Software Support - Guidance, configuration, and troubleshooting of AWS interoperability with many common operating systems, platforms, and application stack components.

Access to Proactive Support Programs – Ability to purchase Infrastructure Event Management for an additional fee. This provides architecture and scaling guidance, and real-time operational support during the preparation and execution of planned events, product launches, and migrations.

Hence, the correct answer is: Architecture Support.

The other options are all incorrect because these are provided in the Enterprise Support Plan and are not available in the Business Support Plan:

  • Access to online self-paced labs
  • Concierge Support Team
  • Technical Account Manager

42
Q
Which service enables you to set up directories in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory?
A.AWS Direct Connect
B.Amazon Connect
C.AWS Site-to-Site VPN
D.AWS Directory Service
A

D.AWS Directory Service

Explanation:
AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud.

Directory Service makes it easy to set up and run directories in the AWS Cloud or connect your AWS resources with an existing on-premises Microsoft Active Directory.

Once your directory is created, you can use it for a variety of tasks:

  • Manage users and groups
  • Provide single sign-on to applications and services
  • Create and apply group policy
  • Securely connect to Amazon EC2 Linux and Windows instances
  • Simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads
  • Enable multi-factor authentication by integrating AWS Managed Microsoft AD with your existing RADIUS-based MFA infrastructure, providing an additional layer of security when users access AWS applications

Hence, the correct answer is: AWS Directory Service.

Amazon Connect is incorrect because it is an omnichannel cloud contact center service that helps companies provide superior customer service across voice and chat at a lower cost than traditional contact center systems. This service can’t be used to create directories.

AWS Direct Connect and AWS Site-to-Site VPN are both incorrect because these are primarily used to establish a connection between on-premises and AWS. These services are not capable of setting up directories in the AWS cloud.

43
Q
Which is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy?
A.AWS CodeBuild
B.AWS CodeDeploy
C.AWS CodeCommit
D.AWS CodePipeline
A

A.AWS CodeBuild

Explanation:
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue.

CodeBuild provides these benefits:

Fully managed – CodeBuild eliminates the need to set up, patch, update, and manage your own build servers.

On-demand – CodeBuild scales on-demand to meet your build needs. You pay only for the number of build minutes you consume.

Out of the box – CodeBuild provides preconfigured build environments for the most popular programming languages. All you need to do is point to your build script to start your first build.

Hence, the correct answer is: AWS CodeBuild.

AWS CodeDeploy, AWS CodePipeline, and AWS CodeCommit are all incorrect because these services are not suitable to build and test applications in AWS Cloud. CodeDeploy is primarily used to automate code deployments to any instance, including EC2 instances and instances running on-premises. CodePipeline is a continuous delivery service while CodeCommit is a fully-managed source control service.

44
Q
A company plans to restrict access to content served from an Amazon S3 bucket using Amazon CloudFront. Which of the following features can you use to satisfy this requirement?
A.Service Control Policies
B.Sticky Sessions
C.Origin Access Identity
D.Server name indication
A

C.Origin Access Identity

Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services.

An Origin Access Identity is used for sharing private content through CloudFront. The OAI is a virtual user identity that will be used to give your CloudFront distribution permission to fetch a private object from your origin server.

You can restrict access to content that you serve from Amazon S3 buckets by configuring the following:

  • Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
  • Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.

After the S3 and CloudFront configuration, your users can only access your files through CloudFront and not directly from the S3 bucket.

Hence, the correct answer is: Origin Access Identity.

Service Control Policies is incorrect because this is an AWS Organization policy and not an Amazon CloudFront feature. It is used to manage permissions in your organization and helps you ensure your accounts stay within your organization’s access control guidelines.

Server Name Indication and Sticky Sessions are both incorrect because these are features of an Application Load Balancer. Server Name Indication is mainly used to host multiple secure applications, each with its own TLS certificate, on a single load balancer listener. Sticky sessions are a mechanism to route requests from the same client to the same target. If you need to restrict access directly in an Amazon S3 bucket, use Amazon CloudFront OAI instead.

45
Q

A company plans to deploy an enterprise web application that will be accessed globally. The architecture must provide the highest redundancy and fault tolerance to avoid user disruptions.

How should the Amazon EC2 instances be deployed to meet the above requirements?
A.Deploy to three AWS Regions with one Availability Zone for each region
B.Deploy in a single Availability Zone
C.Deploy to multiple Availability Zones across three AWS regions
D.Deploy to multiple Availability Zones in a single AWS Region

A

C.Deploy to multiple Availability Zones across three AWS regions

Explanation:
When you launch an instance, you can select your preferred Availability Zone or let AWS choose one for you. If you distribute your instances across multiple Availability Zones and one instance fails, you can design your application so that an instance in another Availability Zone can handle requests. You can also deploy your applications to multiple AWS Regions to achieve high availability.

High Availability (HA) describes systems that are dependable enough to operate continuously without fail. They are well-tested and sometimes equipped with redundant components.

Hence, the correct answer is: Deploy to multiple Availability Zones across three AWS Regions.

The option that says: Deploy in a single Availability Zone in a single AWS Region is incorrect because if just a single Availability Zone goes down, the system will immediately experience an outage. Conversely, if the entire AWS Region experienced an outage, the application will not be available anymore since there is no secondary AWS Region used in this architecture.

The option that says: Deploy to three AWS Regions with one Availability Zone for each region is incorrect. Although it provides high availability, it is still better to deploy the application to multiple Availability Zones in each region instead of just one.

The option that says: Deploy to multiple Availability Zones in a single AWS Region is incorrect because if there is an AWS Region outage, the enterprise application will not be able to recover or even failover to a secondary region.

46
Q

The root AWS account of your company was compromised and fortunately, there was no major data leak. What should you do to prevent this from happening again? (Select TWO.)
A.Enable MFA
B.Configure a strong password policy for your users
C.Disable the rotation of credentials
D.Share your root user access keys
E.Grant full access for your IAM users

A

A.Enable MFA
B.Configure a strong password policy for your users

Explanation:
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

The AWS IAM security best practices are:

Enable MFA - users have a device that generates a response to an authentication challenge.

Configure a Strong Password Policy for your Users - allow users to change their own passwords, require that they create strong passwords and that they rotate their passwords periodically.

Lock Away Your AWS Account Root User Access Keys - the access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information.

Grant Least Privilege - start with a minimum set of permissions and grant additional permissions as necessary.

Rotate Credentials Regularly - if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources.

Hence, the correct options, which describe IAM security best practices, are:

  • Enable MFA
  • Configure a strong password policy for your users

The following options are not best practices for securing your account using AWS IAM:

  • Disable the rotation of credentials
  • Grant full access for your IAM users
  • Share your root user access keys

47
Q
Which of the following support plans provides access to the AWS Personal Health Dashboard?
A.Basic, Developer, Business, Enterprise
B.Developer, Business, Enterprise
C.Basic, Developer, Business
D.Basic, Business, Enterprise
A

A.Basic, Developer, Business, Enterprise

Explanation:
AWS Support offers a range of plans that provide access to tools and expertise that support your AWS solutions’ success and operational health. All support plans offer 24x7 access to customer service, AWS documentation, whitepapers, and support forums. For technical support and more resources to plan, deploy, and improve your AWS environment, you can select a support plan that best aligns with your AWS use case.

Basic Support is included for all AWS customers and includes:

Customer Service & Communities - 24x7 access to customer service, documentation, whitepapers, and support forums.

AWS Trusted Advisor - Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security.

AWS Personal Health Dashboard - A personalized view of the health of AWS services, and alerts when your resources are impacted.

Hence, the correct answer is: Basic, Developer, Business, and Enterprise support plans.

All other choices are incorrect because all AWS Support Plans provide access to the AWS Personal Health Dashboard.

48
Q
Which AWS services should you use to upload SSL certificates? (Select TWO.)
A.AWS Certificate Manager
B.Amazon ECR
C.AWS Systems Manager
D.AWS KMS
E.AWS IAM
A

A.AWS Certificate Manager
E.AWS IAM

Explanation:
AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. You can provide certificates for supported AWS services either by issuing them directly with ACM or by importing third-party certificates into the ACM management system. ACM certificates can secure multiple domain names and multiple names within a domain.

ACM is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

You can use IAM as a certificate manager only when you must support HTTPS connections in a region not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all Regions, but you must obtain your certificate from an external provider for use with AWS.

Hence, the correct options are:

  • AWS Certificate Manager
  • AWS Identity and Access Management

AWS Systems Manager, Amazon Elastic Container Registry, and AWS Key Management Service are all incorrect because these services are not capable of storing SSL certificates.

49
Q
Which AWS team can assist you when your AWS resources are impacted by potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents?
A.AWS Support API
B.Architecture Support
C.AWS Abuse
D.Concierge Support
A

C.AWS Abuse

Explanation:
AWS Abuse addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents. When abuse is reported, we alert customers so they can take the remediation action that is necessary. Customers want to build automation for handling abuse events and the actions to remediate them.

The AWS Abuse team can assist you when AWS resources are used to engage in the following types of abusive behavior:

Spam: You are receiving unwanted emails from an AWS-owned IP address, or AWS resources are used to spam websites or forums.

Port scanning: Your logs show that one or more AWS-owned IP addresses are sending packets to multiple ports on your server, and you believe this is an attempt to discover unsecured ports.

Denial-of-service (DoS) attacks: Your logs show that one or more AWS-owned IP addresses are used to flood ports on your resources with packets, and you believe that this is an attempt to overwhelm or crash your server or the software running on your server.

Intrusion attempts: Your logs show that one or more AWS-owned IP addresses are used to attempt to log in to your resources.

Hosting objectionable or copyrighted content: You have evidence that AWS resources are used to host or distribute illegal content or distribute copyrighted content without the consent of the copyright holder.

Distributing malware: You have evidence that AWS resources are used to distribute software that was knowingly created to compromise or cause harm to computers or machines on which it is installed.

Hence, the correct answer is AWS Abuse.

Concierge Support is incorrect because this is just a team of experts that quickly and efficiently assist you with your billing and account inquiries, and work with you to implement billing and account best practices so that you can focus on running your business.

AWS Support API is incorrect because this is not a team in AWS, but a collection of APIs that provides programmatic access to AWS Support Center features. This is primarily used to create, manage, and close your support cases, and operationally manage your Trusted Advisor check requests and status.

Architecture Support is incorrect because this team only guides a customer on how AWS services fit together to meet a specific architecture, use-case, workload, or application.

50
Q
Which AWS service provides tracing and monitoring capabilities for your Lambda function?
A.AWS X-Ray
B.Amazon Inspector
C.AWS Shield
D.Amazon Macie
A

A.AWS X-Ray

Explanation:
AWS X-Ray can trace requests made to your serverless applications built using AWS Lambda. It enables you to gain insights into the performance of serverless applications, allowing you to pinpoint the root cause of issues so that you can address them.

X-Ray makes it easy for you to:

Create a service map – By tracking requests made to your applications, X-Ray can create a map of services used by your application.

Identify errors and bugs – X-Ray can automatically highlight bugs or errors in your application code by analyzing the response code for each request made to your application.

Build your own analysis and visualization apps – X-Ray provides a set of query APIs that you can use to build your own analysis and visualization apps that use the data that X-Ray records.

Hence, the correct answer is: AWS X-Ray.

Amazon Inspector is incorrect because this is just a security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector cannot debug, trace, or monitor a Lambda function. It is primarily used to automatically assess applications for exposure, vulnerabilities, and deviations from AWS best practices.

AWS Shield is incorrect because this service cannot identify errors and bugs in your application or AWS Lambda function code. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Amazon Macie is incorrect because this is simply a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. This option doesn’t have tracing and monitoring capabilities.

51
Q
A company is planning to launch an Amazon EC2 instance with an attached EBS volume in a default configuration. You will be charged only for the EBS storage in which instance state?
A.Terminated
B.Pending
C.Stopped
D.Running
A

C.Stopped

Explanation:
When you launch an instance, it enters the PENDING state. The instance type that you specified at launch determines the hardware of the host computer for your instance. We use the Amazon Machine Image (AMI) you specified at launch to boot the instance. After the instance is ready for you, it enters the RUNNING state. You can connect to your running instance and use it the way that you’d use a computer sitting in front of you.

As soon as your instance transitions to the RUNNING state, you’re billed for each second, with a one-minute minimum, that you keep the instance running, even if the instance remains idle and you don’t connect to it.

When you STOP an instance, AWS shuts it down. AWS doesn’t charge users for a stopped instance, or data transfer fees, but AWS does charge for the storage for any Amazon EBS volumes. Each time you start a stopped instance, AWS charges a minimum of one minute for usage. After one minute, AWS charges only for the seconds you use.

By default, Amazon EBS root device volumes are automatically deleted when the instance terminates. However, by default, any additional EBS volumes that you attach at launch, or any EBS volumes that you attach to an existing instance persist even after the instance terminates. This behavior is controlled by the volume’s DeleteOnTermination attribute, which you can modify.

Hence, the correct answer in this scenario is: Stopped.

Running is incorrect because in this state, you are billed for the compute, memory, storage, and network of an EC2 instance. Take note that the scenario asks for the instance state where you’ll only be charged for the EBS storage.

Terminated is incorrect because you won’t be charged in this state and both the instance and EBS storage will be deleted by default. Remember that it was stated in the scenario that the Amazon EC2 instance with an attached EBS volume is using a default configuration.

Pending is incorrect because it is still preparing the instance to enter the running state. If the instance is not running, then you are not billed for the instance usage.

52
Q
A Systems Administrator needs to create an account that will be used for long-term programmatic access to AWS. Which of the following IAM entities should be used to comply with this requirement?
A.IAM User
B.IAM Group
C.IAM Role
D.IAM Policy
A

A.IAM User

Explanation:
AWS Identity and Access Management enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM Users make use of access keys for long-term programmatic credentials. Access keys consist of two parts: an access key ID and a secret access key. You can use access keys to sign programmatic requests to the AWS CLI or AWS API.

Hence, the correct answer is: IAM User.

IAM Role is incorrect because it does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

IAM Group is incorrect because this is basically used to group together multiple IAM users. IAM Groups let you specify permissions for multiple users, making it easier to manage the permissions for those users. An IAM Group doesn’t provide a long-term programmatic credential, unlike an IAM User.

IAM Policy is incorrect because this is just used to define permissions to IAM Users and Roles. IAM Policy does not have long-term credentials.

53
Q
Which service lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers, or custom URIs?
A.Network ACLs
B.AWS WAF
C.Security Group
D.AWS Trusted Advisor
A

B.AWS WAF

Explanation:
AWS Web Application Firewall gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.

AWS WAF conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection, and cross-site scripting.

Hence, the correct answer is: AWS WAF.

AWS Trusted Advisor is incorrect because this is just an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. The AWS Trusted Advisor is not capable of filtering web traffic.

Network Access Control List and Security Group are both incorrect because these are just security layers inside your VPC. If you need to filter web traffic, AWS WAF is a suitable service to use.

54
Q
What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?
A.AWS Secrets Manager
B.AWS Artifact
C.AWS IAM
D.AWS KMS
A

A.AWS Secrets Manager

Explanation:
AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.

Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, and Amazon DocumentDB.

Hence, the correct answer is: AWS Secrets Manager.

AWS Systems Manager Parameter Store is incorrect. Although it can store database passwords and other credentials, it doesn’t provide automatic rotation of secrets, unlike AWS Secrets Manager.

AWS Artifact is incorrect because the question isn’t about a central repository for compliance-related information. AWS Artifact provides on-demand access to AWS’ security and compliance reports and select online agreements. The compliance reports include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

AWS IAM is incorrect because this is simply a service that allows you to manage users, roles, and groups to AWS services and resources securely. IAM cannot encrypt secrets at rest using encryption keys or automatically rotate secrets.


55
Q
Which service should you use to run complex analytic queries against terabytes to petabytes of structured data?
A.Amazon S3
B.Amazon Redshift
C.Amazon Neptune
D.Amazon DynamoDB
A

B.Amazon Redshift

Explanation:
Amazon Redshift is a fully-managed petabyte-scale cloud-based data warehouse product designed for large scale data set storage and analysis. It allows you to run complex analytic queries against terabytes to petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution.

Amazon Redshift has a feature of deepest integration with your data lake and AWS services. It lets you quickly and simply work with your data in open formats, including Avro, CSV, Grok, Amazon Ion, JSON, ORC, Parquet, RCFile, RegexSerDe, Sequence, Text, and TSV.

Hence, the correct answer is: Amazon Redshift.

Amazon DynamoDB is incorrect because it is a NoSQL database service and not a cloud-based data warehouse for online analytic processing (OLAP) and business intelligence (BI) applications. DynamoDB is a key-value and document database that delivers single-digit millisecond performance. It can also store the metadata of assets such as images, pages, and links, but this service does not natively support SQL.

Amazon S3 is incorrect because this is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon S3 is not a cloud-based data warehouse. It is primarily used for static website hosting, data storage, and archiving.

Amazon Neptune is incorrect because this is a Graph Database service that makes it easy for you to build and run applications that work with highly connected datasets. It is mainly used for recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security but not for running complex analytic queries.

56
Q
A developer needs to collect and process large streams of data records in real-time. Which AWS service should be used for this task?
A.Amazon SQS
B.AWS CloudTrail
C.Amazon CloudWatch
D.Amazon Kinesis Data Streams
A

D.Amazon Kinesis Data Streams

Explanation:
Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events. The data collected is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing, and more.

Kinesis Data Streams helps you collect and process large streams of data records in real-time. You can also build data-processing applications, known as Kinesis Data Streams applications. A typical Kinesis Data Streams application reads data from a data stream as data records.

Hence, the correct answer for this scenario is: Amazon Kinesis Data Streams.

AWS CloudTrail is incorrect because this is a service that records important information about each action in your AWS environment, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the AWS service. It is not a suitable service to capture large streams of data records in real-time.

Amazon CloudWatch is incorrect because this is a monitoring service for AWS cloud resources and the applications you run on AWS. It collects and tracks metrics, collects and monitors log files, and sets alarms. In the scenario, you need to process data in real-time but CloudWatch cannot collect large streams of data records.

Amazon SQS is incorrect because it does not provide the real-time processing required for the scenario. Amazon SQS is just a fully managed message queuing service that enables you to decouple and scale microservices or distributed systems.

57
Q
The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. Which of the following must be used to satisfy this requirement?
A.Resource-based policy
B.AWS Secrets Manager
C.AWS Systems Manager
D.Service Control Policy
A

D.Service Control Policy

Explanation:
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance.

In SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for limiting access to AWS services, resources, and API actions.

Hence, the correct answer in this scenario is: Service Control Policies.

Resource-based policy is incorrect. Although it can be used to control access, a resource-based policy is attached directly to a specific AWS resource and is not managed through AWS Organizations.

AWS Systems Manager is incorrect because this just automates common maintenance and deployment tasks of EC2 instances and other AWS resources. It doesn’t provide you control of services across multiple AWS accounts.

AWS Secrets Manager is incorrect because it only helps you protect secrets or credentials that are needed to access your applications, services, and IT resources. You can’t restrict AWS services in your AWS Organizations using this service. The AWS Secrets Manager only enables you to easily rotate, manage, and retrieve credentials.

58
Q
What is the MOST affordable AWS Support plan that provides users access to the AWS Support API?
A.Enterprise
B.Developer
C.Business
D.Basic
A

C.Business

Explanation:
AWS Support Plans offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. All support plans offer 24x7 access to customer service, AWS documentation, whitepapers, and support forums. For technical support and more resources to plan, deploy, and improve your AWS environment, you can select a support plan that best aligns with your AWS use case.

In addition to what is available with Basic Support, Business Support provides:

AWS Support API - Lets you create support cases and add correspondence to them throughout investigations of your issues and interactions with the AWS Support staff.

AWS Trusted Advisor - Access to the full set of Trusted Advisor checks and guidance to provision your resources following best practices to help reduce costs, increase performance and fault tolerance, and improve security.

AWS Personal Health Dashboard - Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security.

Enhanced Technical Support - 24x7 access to Cloud Support Engineers via phone, chat, and email. You can have an unlimited number of contacts that can open an unlimited amount of cases.

Hence, the correct answer is: Business support plan.

The option that says: Enterprise is incorrect. Although it will provide you AWS Support API access, this support plan is more expensive than the Business support plan.

The options that say: Basic and Developer are both incorrect because these support plans don’t offer access to the AWS Support API for programmatic case management.

59
Q
A customer plans to use Amazon S3 to store their less frequently accessed data and reduce their costs. The data is re-creatable and will be used as a secondary backup. Which of the following storage classes is the cheapest and most suitable option?
A.S3 Glacier
B.S3 One Zone-IA
C.S3 Standard
D.S3 Glacier Deep Archive
A

B.S3 One Zone-IA

Explanation:
S3 One Zone-IA is for data that is accessed less frequently but requires rapid access when needed. Unlike other S3 storage classes, which store data in a minimum of three Availability Zones, S3 One Zone-IA stores the object data in only one Availability Zone, making it less expensive than S3 Standard-IA. However, the data is not resilient to the physical loss of the Availability Zone resulting from disasters, such as earthquakes and floods.

S3 One Zone-IA is a good choice for storing secondary backup copies of on-premises data or easily re-creatable data. You can also use it as cost-effective storage for data that is replicated from another AWS Region using S3 Cross-Region Replication.

Hence, the correct answer is: S3 One Zone-IA.

S3 Standard is incorrect because it is not the cheapest option available.

S3 Glacier and S3 Glacier Deep Archive are both incorrect because they are designed for low-cost data archiving. These storage classes have retrieval options that range from a few minutes to hours.

60
Q
Which tool can help you estimate the cost savings when moving to AWS and provides a detailed set of reports which can be used in executive presentations?
A.AWS Pricing Calculator
B.AWS TCO Calculator
C.AWS Cost Explorer
D.AWS Budgets
A

B.AWS TCO Calculator

Explanation:
AWS helps you reduce the Total Cost of Ownership (TCO) by reducing the need to invest in large capital expenditures. It provides a pay-as-you-go model that empowers you to invest in the capacity you need and use it only when the business requires it. The AWS TCO Calculator considers all the costs to run a solution, including physical facilities, power, and cooling, to provide a realistic, end-to-end comparison of your costs.

TCO calculators allow you to estimate the cost savings when using AWS and provide a detailed set of reports that can be used in executive presentations. The calculators also give you the option to modify assumptions that best meet your business needs.

Hence, the correct answer is: AWS TCO Calculator.

AWS Cost Explorer is incorrect because this service just allows you to explore your usage and costs of already running resources in AWS. Cost Explorer is not a suitable service for comparing the cost of on-premises and AWS.

AWS Budgets is incorrect because this is primarily used to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. The question asks which tool should be used to estimate cost. AWS Budgets only helps you plan your service usage, service costs, and instance reservations.

AWS Pricing Calculator is incorrect since this just helps customers and prospects estimate their monthly AWS bill more efficiently. This service is not the correct calculator for estimating cost savings when using AWS rather than traditional data centers.

61
Q
Which of the following provides a collection of technical resources to help you build more effectively and efficiently in the AWS Cloud?
A.AWS Config
B.AWS Organizations
C.AWS Architecture Center
D.AWS Trusted Advisor
A

C.AWS Architecture Center

Explanation:
The AWS Architecture Center provides a collection of technical resources to help you build more effectively and efficiently in the AWS Cloud.

Technology domains:

Analytics & Big Data - build secure, reliable, cost-effective data-processing architectures.

Compute & HPC - develop, deploy, run, and scale your applications.

Containers - secure, reliable, and scalable way to run containers.

Databases - choose the right database for your use case and access patterns.

Machine Learning - build effective and efficient ML architectures.

Migration - move existing applications to the AWS Cloud.

Security, Identity, & Compliance - meet your security and compliance goals using AWS infrastructure and services.

Storage - design reliable, scalable, and secure data storage architectures.

Hence, the correct answer is: AWS Architecture Center.

AWS Trusted Advisor is incorrect because this is just an online tool that provides real-time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor provides recommendations for Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.

AWS Organizations is incorrect because this is only a service that centrally governs your environment as you grow and scale your workloads on AWS. This is mainly used in consolidated billing and management of multiple AWS accounts.

AWS Config is incorrect because this is simply a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config as your framework for creating and deploying governance and compliance rules across your AWS accounts and regions.

62
Q
Which of the following are the capabilities provided by Amazon Route 53? (Select TWO.)
A.Resource metrics collection
B.DDoS Protection
C.Web traffic filtering
D.Domain Registration
E.DNS Resolution
A

D.Domain Registration
E.DNS Resolution

Explanation:
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.tutorialsdojo.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.

Route 53 key features are:

  • Resolver - get recursive DNS for your Amazon VPC and on-premises networks.
  • Traffic flow - route end users to the best endpoint for your application based on geoproximity, latency, health, and other considerations.
  • Latency based routing - route end users to the AWS region that provides the lowest possible latency.
  • Geo DNS - route end users to a particular endpoint that you specify based on the end user’s geographic location.
  • Private DNS for Amazon VPC - Manage custom domain names for your internal AWS resources without exposing DNS data to the public Internet.
  • DNS Failover - automatically route your website visitors to an alternate location to avoid site outages.
  • Health Checks and Monitoring - monitor your application’s health and performance, as well as your web servers and other resources.
  • Domain Registration - search for and register available domain names or transfer in existing domain names.

Hence, the correct options that correctly describe Amazon Route 53 are:

  • DNS Resolution
  • Domain Registration

Web traffic filtering is incorrect because it is simply a feature of AWS Web Application Firewall (WAF) that helps in creating rules for filtering web traffic based on the criteria you choose.

Resource metrics collection is incorrect because this is just a feature that gives data about the performance of your system using Amazon CloudWatch.

DDoS Protection is incorrect because this is an AWS Shield feature that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

63
Q
Which of the following AWS services does Amazon EBS use natively for encryption?
A.Amazon S3 SSE
B.AWS WAF
C.AWS Shield
D.AWS KMS
A

D.AWS KMS

Explanation:
AWS KMS is a managed service that enables you to create and control the keys used for cryptographic operations easily. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services.

Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.

Hence, the correct answer is: AWS KMS.

AWS S3 SSE is incorrect because this is a server encryption type used by Amazon S3, not EBS.

AWS WAF is incorrect because this is only a web application firewall that helps protect your web applications or APIs against common web exploits. WAF is mainly used to create a traffic filter, and not for EBS encryption.

AWS Shield is incorrect because this is not an encryption service. AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.

64
Q
What types of caching solutions are available in Amazon ElastiCache? (Select TWO.)
A.Amazon ElastiCache for Serverless
B.Amazon ElastiCache for Redis
C.Amazon ElastiCache for Memcached
D.Amazon ElastiCache for Apache Ignite
E.Amazon ElastiCache for Apache Kafka
A

B.Amazon ElastiCache for Redis
C.Amazon ElastiCache for Memcached

Explanation:
Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open-source compatible in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high-throughput and low-latency in-memory data stores.

The different types of ElastiCache services are:

ElastiCache for Redis - a blazing fast in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications.

ElastiCache for Memcached - a Memcached-compatible in-memory key-value store service that can be used as a cache or a data store.

ElastiCache for Redis Global Database - you can write to your ElastiCache for Redis cluster in one region and have the data available to be read from two other cross-region replica clusters, thereby enabling low-latency reads and disaster recovery across regions.

Hence, the correct answers are:

  • ElastiCache for Redis
  • ElastiCache for Memcached

All the other options are incorrect since these are not a type of service in Amazon ElastiCache:

  • Amazon ElastiCache for Apache Spark
  • Amazon ElastiCache for Apache Kafka
  • Amazon ElastiCache for Apache Ignite

65
Q
A company plans to work with a third-party provider to deploy a new application that will be accessed globally. You need to delegate permissions to access resources without using permanent credentials.

Which of the following should you use?
A.IAM User
B.Service Control Policy
C.IAM Group
D.IAM Role
A

D.IAM Role

Explanation:
AWS Identity and Access Management enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM Roles are a secure way to grant permissions to entities you trust without creating dedicated user accounts.

Hence, the correct answer is: IAM Role.

Service Control Policy is incorrect because this is a feature of AWS Organizations. SCP is a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects. SCPs are similar to IAM permission policies except that they don’t grant any permissions. Instead, SCPs are just filters that allow only the specified services and actions to be used in affected accounts.

IAM User is incorrect because this is only an IAM entity that you create in AWS to represent the person or application that uses it to interact with AWS. IAM users are for creating accounts with long-term credentials.

IAM Group is incorrect because this is simply a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. IAM Group does not provide temporary credentials to access your AWS resources.