AWS Certified Cloud Practitioner Practice Exam (4) Flashcards
Which of the following are types of AWS Identity and Access Management (IAM) identities? (Choose TWO)
A.AWS Resource Groups
B.IAM Policies
C.IAM Users
D.IAM Roles
E.AWS Organizations
C.IAM Users
D.IAM Roles
Explanation:
Identities on AWS include users (or groups) and roles. Customers create these identities on AWS to manage access to AWS resources and determine the actions that each identity can perform on those resources.
IAM Roles:
An IAM role is an IAM identity that you can create in your account that has specific permissions. IAM roles allow you to delegate access (for a limited time) to users, applications or services that normally don't have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account. Or you might want to allow a mobile app to use AWS resources. Sometimes you want to give AWS access to users who already have identities defined outside of AWS, such as in your corporate directory. Or, you might want to grant access to your account to third parties so that they can perform an audit on your resources. For these scenarios, you can delegate access to AWS resources using an IAM role.
IAM Users:
An IAM user is an entity that you create in AWS to represent the person or service that uses it to directly interact with AWS. A primary use for IAM users is to grant individuals access to the AWS Management Console for interactive tasks and / or to make programmatic requests to AWS services using the API or CLI. A user in AWS consists of a name, a password to sign into the AWS Management Console, and up to two access keys that can be used with the API or CLI. When you create an IAM user, you grant it permissions by making it a member of a group that has appropriate permission policies attached (recommended), or by directly attaching policies to the user.
Additional information:
An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone (or any service, application, etc.) who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.
The other options are incorrect:
“AWS Organizations” is incorrect. AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.
“IAM Policies” is incorrect. IAM policies let you allow or deny access to AWS services (such as Amazon S3), individual AWS resources (such as a specific S3 bucket), or individual API actions (such as s3:CreateBucket). An IAM policy can be applied only to IAM users, groups, or roles, and it can never restrict the root identity of the AWS account (The AWS root account). It is important to note that while IAM Policies are used by IAM Identities, the policy itself is not a form of IAM Identity.
“AWS Resource Groups” is incorrect. Resource Groups are a way to manage multiple resources (such as EC2 instances, S3 buckets, …) as a group rather than move from one AWS service to another for each task.
Which AWS Service helps enterprises extend their on-premises storage to AWS in a cost-effective manner?
A.AWS Data Pipeline
B.Amazon Aurora
C.AWS Storage gateway
D.Amazon EFS
C.AWS Storage gateway
Explanation:
Enterprises can extend their on-premises storage to AWS Cloud for long-term backup retention and archiving, optimizing costs and increasing resilience and availability. AWS Storage Gateway is a hybrid storage service that enables on-premises applications to seamlessly use AWS cloud storage. Enterprises can use the service for backup and archiving, disaster recovery, cloud data processing, storage tiering, and migration. The storage gateway connects to AWS storage services, such as Amazon S3, Amazon S3 Glacier, Amazon S3 Glacier Deep Archive, Amazon EBS, and AWS Backup, providing storage for files, volumes, snapshots, and virtual tapes in AWS.
The other options are incorrect:
Amazon Aurora is incorrect. Amazon Aurora is a MySQL and PostgreSQL-compatible relational database service.
Amazon EFS is incorrect. Amazon Elastic File System (Amazon EFS) provides a fully managed, elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth. Although EFS can be used in hybrid environments, it is not as cost-effective as Storage Gateway.
AWS Data Pipeline is incorrect. AWS Data Pipeline is a web service that helps customers reliably process and move data between different AWS compute and storage services, as well as on-premises data sources. AWS Data Pipeline is not a storage service.
Which of the following is true regarding the AWS availability zones and edge locations?
A.An availability zone exists within an edge location to distribute content globally with low latency
B.An Availability Zones is a geographic location where AWS provides multiple physically separated and isolated edge locations
C.An AWS Availability Zone is an isolated location within an AWS Region, however edge locations are located in multiple cities worldwide
D.Edge locations are located in separate Availability Zones worldwide to serve global customers
C.An AWS Availability Zone is an isolated location within an AWS Region, however edge locations are located in multiple cities worldwide
Explanation:
In AWS, each Region has multiple, isolated locations known as Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities.
Edge locations may or may not exist within a region. They are located in most major cities around the world. Edge locations are specifically used by CloudFront (CDN) to distribute content to global users with low latency.
The other options are incorrect:
“An availability zone exists within an edge location to distribute content globally with low latency” is incorrect. An availability zone exists within an AWS Region, not within an edge location.
“Edge locations are located in separate Availability Zones worldwide to serve global customers” is incorrect. Edge locations are located in most major cities around the world. Edge locations may or may not exist within a given AWS Region.
“An Availability Zone is a geographic location where AWS provides multiple, physically separated and isolated edge locations” is incorrect. An availability zone exists within an AWS Region. Edge locations are located in most major cities around the world. Edge locations may or may not exist within a given AWS Region.
Which of the below options is a best practice for making your application on AWS highly available?
A.Deploy the application code on at least two servers in the same Availability Zone
B.Deploy the application to at least two Availability Zones
C.Rewrite the application code to handle all incoming requests
D.Use AWS Direct Connect to access the application
B.Deploy the application to at least two Availability Zones
Explanation:
Each AWS Region contains multiple distinct locations, or Availability Zones. Each Availability Zone is engineered to be independent from failures in other Availability Zones. Deploying your application to multiple Availability Zones will increase the availability of your application. If one availability zone encounters an issue, the other availability zones can still serve your application.
The other options are incorrect:
“Use AWS Direct Connect to access the application” is incorrect. AWS Direct Connect is an AWS offering that facilitates the establishment of a dedicated network connection from your premises to AWS.
“Deploy the application code on at least two servers in the same Availability Zone” is incorrect. Using more AWS servers in the same Availability Zone would help with performance so long as the Availability Zone had no issues, but being deployed to only one Availability Zone constitutes a single point of failure and is therefore not a best practice.
“Rewrite the application code to handle all incoming requests” is incorrect. There is no relation between the application code and “high availability”. Even perfectly written code that never crashes will become unavailable if the infrastructure it runs on fails.
A company’s AWS workflow requires that it periodically perform large-scale image and video processing jobs. The customer is seeking to minimize cost and has stated that the amount of time it takes to process these jobs is not critical, but that cost minimization is the most important factor in designing the solution. Which EC2 instance class is best suited for this processing?
A.EC2 Reserved Instances - All Upfront
B.EC2 On-Demand Instances
C.EC2 Reserved Instances - No Upfront
D.EC2 Spot Instances
D.EC2 Spot Instances
Explanation:
A Spot Instance is an unused EC2 instance that is available for less than the On-Demand price. Because Spot Instances enable customers to request unused EC2 instances at steep discounts, customers can lower their Amazon EC2 costs significantly. Spot Instances run whenever capacity is available, and the maximum price per hour for the request exceeds the Spot price. The risk with Spot instances is that a running instance can be interrupted due to changes in demand and pricing for a specific class of Spot instances, as there is no guarantee of availability at any time. Spot Instances are well-suited for data analysis, batch jobs, background processing, and optional tasks, as well as for workloads that are not time critical.
The other options are incorrect:
“EC2 On-Demand Instances” is incorrect. The Spot option provides discounts up to 90% off compared to the On-Demand price, making this option less cost effective than the Spot Instance option.
“EC2 Reserved Instances - All Upfront” and “EC2 Reserved Instances - No Upfront” are incorrect. Use of reservations means that the customer will be charged the agreed-upon Reserved Instance hourly rate regardless of whether the instance is running or not. Because these jobs are both periodic and non-time sensitive, Spot Instances are better suited for the task, and they offer a lower price point than Reserved Instances.
You decide to buy a reserved instance for a term of one year. Which option provides the largest total discount?
A.No up-front reservation
B.All up-front reservation
C.All reserved instance payment options provide the same discount level
D.Partial up-front reservation
B.All up-front reservation
Explanation:
There are three payment options available when purchasing reserved instances:
1- No up-front
2- Partial up-front
3- All up-front.
The general rule is: “the more you spend upfront, the more discounts you get.”
With the All Upfront option, you pay for the entire Reserved Instance term with one upfront payment. This option provides you with the largest discount compared to On-Demand instance pricing.
The other options are incorrect:
“No up-front reservation” is incorrect. The No up-front option does not require any upfront payment and provides a discounted hourly rate for the duration of the term. But the price will be higher compared to other options because there was no up-front payment.
“Partial up-front reservation” is incorrect. With the Partial Upfront option, you make a low upfront payment and are then charged a discounted hourly rate for the instance for the duration of the Reserved Instance term. The price of the instance will be more than the price of the instance purchased using the “All up-front option” because, with the Partial up-front option, you pay less up-front. Hence, the correct answer is All up-front.
Which AWS Service provides integration with Chef to automate the configuration of EC2 instances?
A.AWS OpsWorks
B.AWS CloudFormation
C.AutoScaling
D.AWS Config
A.AWS OpsWorks
Explanation:
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
The other options are incorrect:
AWS CloudFormation is incorrect. AWS CloudFormation allows customers to provision infrastructure as code.
AutoScaling is incorrect. AutoScaling is used to increase or decrease capacity based on demand.
AWS Config is incorrect. AWS Config is a service that enables customers to monitor, assess, and audit all changes made to AWS resources.
A key practice when designing solutions on AWS is to minimize dependencies between components so that the failure of a single component does not impact other components. What is this practice called?
A.Tightly coupling
B.Scalable coupling
C.Loosely coupling
D.Elastic coupling
C.Loosely coupling
Explanation:
The concept of loosely coupling an application refers to breaking the application into components that perform aspects of a task independently of one another. Using this design concept minimizes the risk that a change or a failure in one component will impact other components.
Which of the following are examples of AWS-managed databases? (Choose TWO)
A.MySQL on Amazon EC2
B.Amazon RDS for MySQL
C.Microsoft SQL Server on Amazon EC2
D.Amazon DocumentDB
E.Amazon CloudSearch
B.Amazon RDS for MySQL
D.Amazon DocumentDB
Explanation:
AWS-managed databases are a database-as-a-service offering from AWS where AWS manages the underlying hardware, storage, networking, backups, and patching. Users of AWS-managed databases simply connect to the database endpoint, and do not have to concern themselves with any aspects of managing the database. Examples of AWS-managed databases include: Amazon RDS (Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server), Amazon DocumentDB, Amazon Redshift, and Amazon DynamoDB.
The other options are incorrect:
“Microsoft SQL Server on Amazon EC2” and “MySQL on Amazon EC2” are incorrect. Microsoft SQL Server on Amazon EC2 and MySQL on Amazon EC2 are customer-managed databases, not AWS-managed databases. Any database that is running on EC2 is managed by the customer, and not by AWS.
Note: Customers can install and run any database engine - or any Software - on Amazon EC2, but in this case, the customer is responsible for managing the software, not AWS.
“Amazon CloudSearch” is incorrect. Amazon CloudSearch is a managed service in the AWS Cloud that makes it simple and cost-effective to set up, manage, and scale a search solution for your website or application.
A customer is seeking to store objects in their AWS environment and to make those objects downloadable over the internet. Which AWS Service can be used to accomplish this?
A.Amazon S3
B.Amazon EBS
C.Amazon EFS
D.Amazon Instance Store
A.Amazon S3
Explanation:
Amazon S3 provides a simple web service interface that you can use to store and retrieve any amount of data, any time, from anywhere on the internet. Amazon S3 assigns a URL for each object you upload. URLs are used to download the objects you want at any time. Amazon S3 is the only AWS service that provides object level storage.
The other options are incorrect:
Amazon EFS is incorrect. Amazon Elastic File System (Amazon EFS) is not an object store. Amazon EFS is a shared file storage system that scales automatically with use.
Amazon Elastic Block Store (EBS) is incorrect. Amazon Elastic Block Store (Amazon EBS) is not an object store. Amazon EBS is a block storage service that is used to create volumes for use with Amazon EC2 and Amazon RDS.
Amazon Instance Store is incorrect. Amazon EC2 Instance Store is not an object store. Amazon EC2 Instance Store provides ephemeral block-level storage that is physically attached to Amazon EC2 instances.
Which of the following should be taken into account when performing a TCO analysis regarding the costs of running an application on AWS VS on-premises? (Choose TWO)
A.Software architecture
B.Software compatibility
C.Labor and IT costs
D.Cooling and power consumption
E.Amazon EBS computing power
C.Labor and IT costs
D.Cooling and power consumption
Explanation:
Weighing the financial considerations of owning and operating a data center facility versus employing a cloud infrastructure requires detailed and careful analysis. In practice, it is not as simple as just measuring potential hardware expense alongside utility pricing for compute and storage resources. The Total Cost of Ownership (TCO) is often the financial metric used to estimate and compare direct and indirect costs of a product or a service. Cooling and power consumption, data center space, data center real estate and Labor IT cost are examples of the indirect costs of a physical data center and should be included in TCO analysis.
Additional information:
Labor IT costs include the cost of the sizable IT infrastructure teams that are needed to handle the “heavy lifting” of managing physical infrastructure:
1- Hardware procurement teams are needed. These teams have to spend a lot of time evaluating hardware, negotiating contracts, holding hardware vendor meetings, managing delivery and installation, etc. It’s expensive to have a staff with sufficient knowledge to do this well.
2- Data center design and build teams are needed to create and maintain reliable and cost-effective facilities. These teams need to stay up-to-date on data center design and be experts in managing heterogeneous hardware and the related supply chain, managing legacy software, moving facilities, scaling and managing physical growth—all the tasks that an enterprise needs to do well if it wants to achieve low incremental costs.
3- Operations staff is needed 24/7/365 in each facility.
4- Database administration teams are needed to manage the databases. This staff is responsible for installing, patching, upgrades, migration, backups, snapshots and recovery of databases, ensuring availability, troubleshooting, and performance enhancements.
5- Networking teams are needed for running a highly available network. Expertise is needed to design, debug, scale, and operate the network and deal with the external relationships necessary to have cost-effective Internet transit.
6- Security personnel are needed at all phases of the design, build, and operations process.
The other options are incorrect.
“Software compatibility” and “Software architecture” are incorrect. In the scenario, the Total Cost of Ownership (TCO) is the total cost of owning and operating a data center, including facilities, physical servers, storage devices, networking equipment, cooling and power consumption, data center space, Labor, and IT costs. “Software compatibility” and “software architecture” are not part of the total cost of owning and operating a data center (TCO), and thus are incorrect answers.
“Amazon EBS computing power” is incorrect. Amazon EBS is a block storage service that creates volumes to be used by EC2 instances.
You have just hired a skilled sys-admin to join your team. As usual, you have created a new IAM user for him to interact with AWS services. On his first day, you ask him to create snapshots of all existing Amazon EBS volumes and save them in a new Amazon S3 bucket. However, the new member reports back that he is unable to create either EBS snapshots or S3 buckets. What might prevent him from doing this simple task?
A.EBS and S3 are accessible only to the root account owner
B.There is a non-explicit deny to all new users
C.The systems administrator must contact AWS Support first to activate his new IAM account
D.There is not enough space in S3 to store the snapshots
B.There is a non-explicit deny to all new users
Explanation:
When a new IAM user is created, that user has NO access to any AWS service. This is called a non-explicit deny. For that user, access must be explicitly allowed via IAM permissions.
The other options are incorrect:
“EBS and S3 are accessible only to the root account owner” is incorrect. EBS and S3 are accessible to any IAM User, Group, or Role with an attached policy that grants those permissions.
“The systems administrator must contact AWS Support first to activate his new IAM account” is incorrect. Account activation is not required for new IAM users. Account activation is required only for the AWS root account owner, and usually, this process is done automatically without contacting AWS Support.
“There is not enough space in S3 to store the snapshots” is incorrect. Amazon S3 provides virtually unlimited storage capacity.
A company is developing a mobile application and wants to allow users to use their Amazon, Apple, Facebook, or Google identities to authenticate to the application. Which AWS Service should the company use for this purpose?
A.Amazon Inspector
B.Amazon GuardDuty
C.Amazon Cognito
D.Amazon EBS
C.Amazon Cognito
Explanation:
Amazon Cognito lets customers add user sign-up, sign-in, and access control to their web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
The other options are incorrect:
Amazon GuardDuty is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in the AWS Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
Amazon Inspector is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Amazon EBS is incorrect. Amazon Elastic Block Store (Amazon EBS) provides persistent block level storage volumes for use with Amazon EC2 instances.
Your company requires a response time of less than 15 minutes from support interactions about their business-critical systems that are hosted on AWS if those systems go down. Which AWS Support Plan should this company use?
A.AWS Developer Support
B.AWS Basic Support
C.AWS Business Support
D.AWS Enterprise Support
D.AWS Enterprise Support
Explanation:
AWS support plans provide different response times based on the case’s severity. For example, the Enterprise plan provides General Guidance within 24 hours. However, if the case involves a business-critical system being down, the company will get a response within 15 minutes.
The other options are incorrect.
Business is incorrect. The AWS Business Support Plan offers a 1-hour response time for a production system down, which does not meet the 15-minute criteria set forth in the question stem.
Developer is incorrect. The AWS Developer Support Plan offers a 12-hour response time for an impaired or down system, which does not meet the 15-minute criteria set forth in the question stem.
Basic is incorrect. Technical Support is not part of the Basic support plan.
What features does AWS offer to help protect your data in the Cloud? (Choose TWO)
A.Data encryption
B.Access Control
C.Load Balancing
D.Physical MFA devices
E.Unlimited storage
A.Data encryption
B.Access Control
Explanation:
AWS offers a lot of services and features that help you protect your data in the cloud. You can protect your data by encrypting it in transit and at rest. You can use CloudTrail to log API and user activity, including who, what, and from where calls were made. You can also use AWS Identity and Access Management (IAM) to control who can access or change your data. You can also use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
The customer is responsible for protecting their data in the following ways:
1- Data encryption (at rest and in transit)
2- Setting up access control
3- Monitoring user activity
4- Applying MFA
5- Using advanced managed security services such as Amazon Macie.
Additional information:
Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. The fully managed service continuously monitors data access activity for anomalies, and generates detailed alerts when it detects risk of unauthorized access or inadvertent data leaks. Today, Amazon Macie is available to protect data stored in Amazon S3, with support for additional AWS data stores coming later this year.
The other options are incorrect:
“Load balancing” is incorrect. There is no relation between Load Balancing and data protection. Load Balancing is the process of distributing incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions.
“Physical MFA devices” is incorrect. MFA can help protect your data, but AWS does not provide physical MFA devices.
“Unlimited storage” is incorrect. AWS offers virtually unlimited storage for its customers, but this has nothing to do with data protection.