AWS Certified Cloud Practitioner: Test 3 Flashcards

1
Q

Which descriptions are correct regarding cloud deployment models? (Select TWO.)
A.With hybrid cloud, multiple private clouds are connected
B.With the private cloud the consumer organization typically incurs OPEX costs for usage
C.With the public cloud the consumer organization typically incurs OPEX costs for usage
D.With the public cloud the consumer organization typically owns and manages the infrastructure
E.With the private cloud the consumer organization typically owns and manages the infrastructure

A

C.With the public cloud the consumer organization typically incurs OPEX costs for usage
E.With the private cloud the consumer organization typically owns and manages the infrastructure

Explanation:
With public cloud the consumer organization typically incurs OPEX costs as they do not own the infrastructure and just pay usage costs.

CORRECT: “With the public cloud the consumer organization typically incurs OPEX costs for usage” is a correct answer.

CORRECT: “With the private cloud the consumer organization typically owns and manages the infrastructure” is also a correct answer.

INCORRECT: “With the public cloud the consumer organization typically owns and manages the infrastructure” is incorrect as that is the situation with private clouds.

INCORRECT: “With the private cloud the consumer organization typically incurs OPEX costs for usage” is incorrect. With the private cloud the consumer organization typically owns the infrastructure and will often manage it themselves or use a third-party organization to manage it for them. This model is largely CAPEX driven.

INCORRECT: “With the hybrid cloud, multiple private clouds are connected” is incorrect. Hybrid clouds are created when you connect private and public clouds together.

2
Q
What tool provides real time guidance to help you provision your resources following best practices in the areas of cost optimization, performance, security and fault tolerance?
A.AWS Personal Health Dashboard
B.AWS Trusted Advisor
C.AWS Inspector
D.AWS IAM
A

B.AWS Trusted Advisor

Explanation:
Trusted Advisor is an online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment. Trusted Advisor provides real time guidance to help you provision your resources following best practices. Trusted Advisor will advise you on Cost Optimization, Performance, Security, and Fault Tolerance.

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “AWS Inspector” is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

INCORRECT: “AWS Personal Health Dashboard” is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

INCORRECT: “AWS IAM” is incorrect. AWS Identity and Access Management is an identity service that provides authentication and authorization services.

3
Q
Which AWS service is known as a "serverless" service and runs code as functions triggered by events?
A.Amazon ECS
B.Amazon CodeDeploy
C.Amazon Cognito
D.AWS Lambda
A

D.AWS Lambda

Explanation:
AWS Lambda lets you run code as functions without provisioning or managing servers. Lambda-based applications (also referred to as serverless applications) are composed of functions triggered by events. With serverless computing, your application still runs on servers, but all the server management is done by AWS.

CORRECT: “AWS Lambda” is the correct answer.

INCORRECT: “Amazon ECS” is incorrect. Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.

INCORRECT: “Amazon CodeDeploy” is incorrect. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Lambda, and your on-premises servers.

INCORRECT: “Amazon Cognito” is incorrect. Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.

4
Q

Which of the following represent economic advantages of moving to the AWS cloud? (Select TWO.)
A.Increase efficiencies through automation
B.Reduce the rate of change
C.Increase time to market for new applications
D.Reduce the need to manage applications
E.Reduce the need to manage infrastructure

A

A.Increase efficiencies through automation
E.Reduce the need to manage infrastructure

Explanation:
With the AWS Cloud you can increase efficiency through the use of automation and reduce the need to manage infrastructure, allowing you to concentrate on managing applications instead.

CORRECT: “Increase efficiencies through automation” is a correct answer.

CORRECT: “Reduce the need to manage infrastructure” is also a correct answer.

INCORRECT: “Reduce the need to manage applications” is incorrect. You do not reduce the need to manage applications in most cases.

INCORRECT: “Reduce the rate of change” is incorrect. Reducing the rate of change is not something organizations strive for in the cloud (usually faster development cycles are preferred) so it does not represent a valid economic advantage.

INCORRECT: “Increase time to market for new applications” is incorrect. You want to reduce, not increase, time to market for new applications.

5
Q
Which service can be used to cost-effectively move exabytes of data into AWS?
A.AWS Snowmobile
B.S3 Transfer Acceleration
C.S3 Cross-Region Replication (CRR)
D.AWS Snowball
A

A.AWS Snowmobile

Explanation:
With AWS Snowmobile you can move 100PB per snowmobile. AWS call this an “Exabyte-scale data transfer service”.

CORRECT: “AWS Snowmobile” is the correct answer.

INCORRECT: “AWS Snowball” is incorrect. With AWS Snowball you can move up to 80TB per device. AWS call this a “petabyte-scale data transfer service”.

INCORRECT: “S3 Transfer Acceleration” is incorrect. S3 Transfer Acceleration is meant to speed up uploads to Amazon S3 but would not be used for exabytes of data.

INCORRECT: “S3 Cross-Region Replication (CRR)” is incorrect. S3 Cross-Region Replication is used for copying data between regions, not into AWS. It is also unsuitable for moving such a huge amount of data.

6
Q
Which authentication method is used to authenticate programmatic calls to AWS services?
A.Key pair
B.Server certificate
C.Console password
D.Access keys
A

D.Access keys

Explanation:
Access keys are a combination of an access key ID and a secret access key. They are used to make programmatic calls to AWS using the API.

CORRECT: “Access keys” is the correct answer.

INCORRECT: “Console password” is incorrect. Console passwords are used for signing users into the AWS Management Console, not for making programmatic calls to AWS services.

INCORRECT: “Server certificate” is incorrect. Server certificates can be used to authenticate to some AWS services using HTTPS.

INCORRECT: “Key pair” is incorrect. Key pairs should not be confused with access keys. Key pairs are used for authenticating to Amazon EC2 instances.

7
Q
When using Amazon IAM, what authentication methods are available to use? (Select TWO.)
A.Server certificates
B.Client certificates
C.AES 256
D.Access Keys
E.AWS KMS
A

A.Server certificates
D.Access Keys

Explanation:
Supported authentication methods include console passwords, access keys and server certificates.

Access keys are a combination of an access key ID and a secret access key and can be used to make programmatic calls to AWS.

Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services.

CORRECT: “Access keys” is a correct answer.

CORRECT: “Server certificates” is also a correct answer.

INCORRECT: “Client certificates” is incorrect. Client certificates are not a valid IAM authentication method.

INCORRECT: “AWS KMS” is incorrect. AWS Key Management Service (KMS) is used for managing encryption keys and is not used for authentication.

INCORRECT: “AES 256” is incorrect. AES 256 is an encryption algorithm, not an authentication method.

8
Q
Which service can an organization use to track API activity within their account?
A.AWS CloudTrail
B.Amazon CloudWatch
C.AWS IAM
D.AWS CloudHSM
A

A.AWS CloudTrail

Explanation:
AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket. CloudTrail is for auditing (CloudWatch is for performance monitoring).

CloudTrail is about logging and saves a history of API calls for your AWS account. It provides visibility into user activity by recording actions taken on your account. API history enables security analysis, resource change tracking, and compliance auditing.

CORRECT: “AWS CloudTrail” is the correct answer.

INCORRECT: “Amazon CloudWatch” is incorrect. Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. CloudWatch is for performance monitoring (CloudTrail is for auditing). It is used to collect and track metrics, collect and monitor log files, and set alarms.

INCORRECT: “AWS IAM” is incorrect. AWS Identity and Access Management is an identity service that provides authentication and authorization services.

INCORRECT: “AWS CloudHSM” is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

9
Q
Which service provides the ability to simply upload applications and have AWS handle the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring?
A.Amazon EC2
B.AWS OpsWorks
C.AWS BeanStalk
D.Amazon EC2 Auto Scaling
A

C.AWS BeanStalk

Explanation:
AWS Elastic Beanstalk can be used to quickly deploy and manage applications in the AWS Cloud. Developers upload applications and Elastic Beanstalk handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring. It is considered a Platform as a Service (PaaS) solution and supports Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications.

CORRECT: “AWS Elastic Beanstalk” is the correct answer.

INCORRECT: “Amazon EC2” is incorrect. Amazon EC2 is an IaaS solution that provides unmanaged instances that you can deploy with a variety of operating systems.

INCORRECT: “Amazon EC2 Auto Scaling” is incorrect. Amazon EC2 Auto Scaling provides elasticity for your applications by automatically launching or terminating EC2 instances according to application load or schedules you define.

INCORRECT: “AWS OpsWorks” is incorrect. AWS OpsWorks provides a managed service for Chef and Puppet. This service is involved with automation and configuration management.

10
Q
Which AWS service lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments?
A.AWS OpsWorks
B.AWS Elastic Beanstalk
C.AWS Systems Manager
D.AWS CloudFormation
A

A.AWS OpsWorks

Explanation:

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

CORRECT: “AWS OpsWorks” is the correct answer.

INCORRECT: “AWS Elastic Beanstalk” is incorrect. This service does not use Chef or Puppet.

INCORRECT: “AWS CloudFormation” is incorrect. This service does not use Chef or Puppet.

INCORRECT: “AWS Systems Manager” is incorrect. This service does not use Chef or Puppet.

11
Q

What are Edge locations used for?
A.They are the public-facing APIs for Amazon S3
B.They are used for CloudFront for caching content
C.They are used for terminating VPN connections
D.They are used by regions for inter-region connectivity

A

B.They are used for CloudFront for caching content

Explanation:
An edge location is used by CloudFront and is the location where content is cached (separate to AWS regions/AZs). Requests are automatically routed to the nearest edge location. Edge locations are not tied to Availability Zones or regions.

CORRECT: “They are used by CloudFront for caching content” is the correct answer.

INCORRECT: “They are used for terminating VPN connections” is incorrect. They have nothing to do with VPN connections.

INCORRECT: “They are the public-facing APIs for Amazon S3” is incorrect. Amazon S3 does not run from Edge Locations.

INCORRECT: “They are used by regions for inter-region connectivity” is incorrect. They are not used for connectivity between regions.

12
Q
Which feature enables fast, easy, and secure transfers of files over long distances between a client and an Amazon S3 bucket?
A.Multipart Upload
B.S3 Static Websites
C.S3 Transfer Acceleration
D.S3 Copy
A

C.S3 Transfer Acceleration

Explanation:
Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. S3 Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations.

CORRECT: “S3 Transfer Acceleration” is the correct answer.

INCORRECT: “S3 Static Websites” is incorrect. S3 can also be used to host static websites but this does not assist with the performance of uploads to S3.

INCORRECT: “S3 Copy” is incorrect. With S3 copy you can create a copy of objects up to 5GB in size in a single atomic operation.

INCORRECT: “Multipart Upload” is incorrect. Multipart upload can be used to speed up uploads to S3.

13
Q
Which of the below AWS services supports automated backups as a default configuration?
A.Amazon S3
B.Amazon RDS
C.Amazon EBS
D.Amazon EC2
A

B.Amazon RDS

Explanation:
Amazon RDS automated backups allow point-in-time recovery to any point within the retention period down to a second. When automated backups are turned on for your DB Instance, Amazon RDS automatically performs a full daily snapshot of your data (during your preferred backup window) and captures transaction logs (as updates to your DB Instance are made). Automated backups are enabled by default and data is stored on S3 and is equal to the size of the DB.

CORRECT: “Amazon RDS” is the correct answer.

INCORRECT: “Amazon S3” is incorrect. Amazon S3 objects are replicated across multiple facilities. You can also archive data onto Amazon Glacier and use versioning to maintain copies of older versions of objects.

INCORRECT: “Amazon EC2” is incorrect. EC2 instances using EBS volumes can be backed up by creating a snapshot of the EBS volume.

INCORRECT: “Amazon EBS” is incorrect. EC2 instances using EBS volumes can be backed up by creating a snapshot of the EBS volume.

14
Q

Your CTO wants to move to cloud. What cost advantages are there to moving to cloud?
A.You can reduce your marketing costs
B.You get free data transfer into and out of the cloud
C.You don’t need to pay for application licensing
D.You provision only what you need and adjust to peak load

A

D.You provision only what you need and adjust to peak load

Explanation:
One of the best benefits of cloud is that you can launch what you need to and automatically adjust your resources as demand changes. This means you only ever pay for what you’re using.

CORRECT: “You provision only what you need and adjust to peak load” is the correct answer.

INCORRECT: “You can reduce your marketing costs” is incorrect. You don’t reduce marketing costs when moving to the cloud; your organization still needs to do the same amount of marketing.

INCORRECT: “You don’t need to pay for application licensing” is incorrect. It is not true that you don’t need to pay for application licensing in the cloud. You still pay for your application licenses when running on Amazon EC2.

INCORRECT: “You get free data transfer into and out of the cloud” is incorrect. You do not get free bi-directional data transfer into and out of the cloud. AWS charge for outbound data transfer.

15
Q
What is a specific benefit of an Enterprise Support plan?
A.Included Cloud Support Associate
B.Included AWS Solutions Architect
C.Included Technical Account Manager
D.Included technical support manager
A

C.Included Technical Account Manager

Explanation:
Only the Enterprise Support plan gets a Technical Account Manager (TAM).

You do not get an AWS Solutions Architect with any plan.

Cloud Support Associates are provided in the Developer plan.

There’s no such thing as a Technical Support Manager in the AWS support plans.

CORRECT: “Included Technical Account Manager” is the correct answer.

INCORRECT: “Included Technical Support Manager” is incorrect as explained above.

INCORRECT: “Included AWS Solutions Architect” is incorrect as explained above.

INCORRECT: “Included Cloud Support Associate” is incorrect as explained above.

16
Q
Which AWS services are associated with Edge Locations? (Select TWO.)
A.AWS Direct Connect
B.Amazon CloudFront
C.AWS Config
D.AWS Shield
E.Amazon EBS
A

B.Amazon CloudFront
D.AWS Shield

Explanation:
Edge Locations are parts of the Amazon CloudFront content delivery network (CDN) that are all around the world and are used to get content closer to end-users for better performance.

AWS Shield, which protects against Distributed Denial of Service (DDoS) attacks, is available globally on Amazon CloudFront Edge Locations.

CORRECT: “Amazon CloudFront” is a correct answer.

CORRECT: “AWS Shield” is also a correct answer.

INCORRECT: “AWS Direct Connect” is incorrect. AWS Direct Connect is a networking service used for creating a hybrid cloud between on-premises and AWS Cloud using a private network connection.

INCORRECT: “Amazon EBS” is incorrect. Amazon EBS is a storage service.

INCORRECT: “AWS Config” is incorrect. AWS Config is used for evaluating the configuration state of AWS resources.

17
Q
Which AWS support plan comes with a Technical Account Manager (TAM)?
A.Basic
B.Developer
C.Business
D.Enterprise
A

D.Enterprise

Explanation:
Only the Enterprise plan comes with a TAM.

CORRECT: “Enterprise” is the correct answer.

INCORRECT: “Basic” is incorrect as this plan does not come with a TAM.

INCORRECT: “Developer” is incorrect as this plan does not come with a TAM.

INCORRECT: “Business” is incorrect as this plan does not come with a TAM.

18
Q
Which of the options below are recommendations in the security pillar of the well-architected framework? (Select TWO.)
A.Protect data when it is at rest only
B.Enable traceability
C.Apply security at the application layer
D.Automate security best practices
E.Expect to be secure
A

B.Enable traceability
D.Automate security best practices

Explanation:
The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

There are six design principles for security in the cloud:

– Implement a strong identity foundation.

– Enable traceability.

– Apply security at all layers.

– Automate security best practices.

– Protect data in transit and at rest.

– Prepare for security events.

CORRECT: “Enable traceability” is the correct answer.

CORRECT: “Automate security best practices” is the correct answer.

INCORRECT: “Apply security at the application layer” is incorrect. Please refer to the design principles above.

INCORRECT: “Protect data when it is at rest only” is incorrect. Please refer to the design principles above.

INCORRECT: “Expect to be secure” is incorrect. Please refer to the design principles above.

19
Q

To ensure the security of your AWS account, what are two AWS best practices for managing access keys? (Select TWO.)
A.Don’t create any access keys, use IAM roles instead
B.Don’t generate an access key for the root account user
C.Use MFA for access keys
D.Where possible, use IAM roles with temporary security credentials
E.Rotate access keys daily

A

B.Don’t generate an access key for the root account user
D.Where possible, use IAM roles with temporary security credentials

Explanation:
Best practices include:

– Don’t generate an access key for the root account user.

– Use Temporary Security Credentials (IAM Roles) Instead of Long-Term Access Keys.

– Manage IAM User Access Keys Properly.

CORRECT: “Don’t generate an access key for the root account user” is a correct answer.

CORRECT: “Where possible, use IAM roles with temporary security credentials” is also a correct answer.

INCORRECT: “Don’t create any access keys, use IAM roles instead” is incorrect. You should use IAM roles where possible, but AWS do not recommend that you don’t create any access keys as they also have a purpose.

INCORRECT: “Rotate access keys daily” is incorrect. Rotating access keys is a recommended practice, but doing it daily would be excessive and hard to manage.

INCORRECT: “Use MFA for access keys” is incorrect. You can use MFA for securing accounts, but it does not secure access keys.

20
Q
Which IAM entity can be used for assigning permissions to multiple users?
A.IAM password policy
B.IAM Role
C.IAM user
D.IAM Group
A

D.IAM Group

Explanation:
Groups are collections of users and have policies attached to them. You can use groups to assign permissions to multiple users. To do this, place the users in the group and then create an IAM policy with the correct permissions and attach it to the group.

You do not use an IAM User, Role, or password policy to assign permissions to multiple users.

CORRECT: “IAM Group” is the correct answer.

INCORRECT: “IAM User” is incorrect as explained above.

INCORRECT: “IAM Role” is incorrect as explained above.

INCORRECT: “IAM password policy” is incorrect as explained above.

21
Q
What are the charges for using Amazon Glacier? (Select TWO.)
A.Retrieval requests
B.Data storage
C.Data transferred into Glacier
D.Number of availability zones
E.Enhanced networking
A

A.Retrieval requests
B.Data storage

Explanation:
With Amazon Glacier you pay for storage on a per GB / month basis, retrieval requests and quantity (based on expedited, standard, or bulk), and data transfer out of Glacier.

CORRECT: “Retrieval requests” is the correct answer.

CORRECT: “Data storage” is the correct answer.

INCORRECT: “Data transferred into Glacier” is incorrect. You do not pay for data transferred in and there are no minimum storage fees.

INCORRECT: “Enhanced networking” is incorrect. Enhanced networking is a feature of EC2.

INCORRECT: “Number of Availability Zones” is incorrect. You do not pay for the number of AZs.

22
Q
Which IAM entity is associated with an access key ID and secret access key?
A.IAM Policy
B.IAM user
C.IAM Group
D.IAM Role
A

B.IAM user

Explanation:
An access key ID and secret access key are used to sign programmatic requests to AWS. They are associated with an IAM user.

You cannot associate an access key ID and secret access key with an IAM Group, Role or Policy.

CORRECT: “IAM User” is the correct answer.

INCORRECT: “IAM Group” is incorrect as explained above.

INCORRECT: “IAM Role” is incorrect as explained above.

INCORRECT: “IAM Policy” is incorrect as explained above.

23
Q
What is the best way for an organization to transfer hundreds of terabytes of data from their on-premise data center into Amazon S3 with limited bandwidth available?
A.Use Amazon CloudFront
B.Use AWS Snowball
C.Use S3 Transfer Acceleration
D.Apply Compression before uploading
A

B.Use AWS Snowball

Explanation:
Snowball is a petabyte-scale data transport solution that uses devices designed to be secure to transfer large amounts of data into and out of the AWS Cloud. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns.

CORRECT: “Use AWS Snowball” is the correct answer.

INCORRECT: “Use S3 Transfer Acceleration” is incorrect. Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. However, for these volumes of data Snowball is a better choice.

INCORRECT: “Apply compression before uploading” is incorrect as for this volume of data Snowball should be used.

INCORRECT: “Use Amazon CloudFront” is incorrect as this cannot be used for uploading large quantities of data to Amazon S3.

24
Q
Which AWS service does API Gateway integrate with to enable users from around the world to achieve the lowest possible latency for API requests and responses?
A.AWS Lambda
B.Amazon S3 Transfer Acceleration
C.AWS Direct Connect
D.Amazon CloudFront
A

D.Amazon CloudFront

Explanation:
Amazon CloudFront is used as the public endpoint for API Gateway. This provides reduced latency and distributed denial of service protection through the use of CloudFront.

CORRECT: “Amazon CloudFront” is the correct answer.

INCORRECT: “AWS Direct Connect” is incorrect. AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

INCORRECT: “Amazon S3 Transfer Acceleration” is incorrect. Amazon S3 Transfer Acceleration is a bucket-level feature that enables faster data transfers to and from Amazon S3.

INCORRECT: “AWS Lambda” is incorrect. AWS Lambda lets you run code without provisioning or managing servers.

25
Q
Which AWS database service provides a fully managed data warehouse that can be analyzed using SQL tools and business intelligence tools?
A.Amazon RDS
B.Amazon DynamoDB
C.Amazon RedShift
D.Amazon ElastiCache
A

C.Amazon RedShift

Explanation:
Amazon RedShift is a fully managed data warehouse service designed to handle petabytes of data for analysis. Data can be analyzed with standard SQL tools and business intelligence tools. RedShift allows you to run complex analytic queries against petabytes of structured data.

CORRECT: “Amazon RedShift” is the correct answer.

INCORRECT: “Amazon RDS” is incorrect. RDS is Amazon’s transactional relational database.

INCORRECT: “Amazon DynamoDB” is incorrect. DynamoDB is Amazon’s non-relational database service.

INCORRECT: “Amazon ElastiCache” is incorrect. ElastiCache is a data caching service that is used to help improve the speed/performance of web applications running on AWS.

26
Q
Which of the options below are recommendations in the performance efficiency pillar of the well-architected framework? (Select TWO.)
A.Democratize advanced technologies
B.Mechanical complexity
C.Use serverless architectures
D.Go global in days
E.Rarely experiment
A

A.Democratize advanced technologies
C.Use serverless architectures

Explanation:
The performance efficiency pillar includes the ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.

There are five design principles for performance efficiency in the cloud:

– Democratize advanced technologies.

– Go global in minutes.

– Use serverless architectures.

– Experiment more often.

– Mechanical sympathy.

CORRECT: “Democratize advanced technologies” is a correct answer.

CORRECT: “Use serverless architectures” is also a correct answer.

INCORRECT: “Go global in days” is incorrect. Please refer to the design principles above.

INCORRECT: “Rarely experiment” is incorrect. Please refer to the design principles above.

INCORRECT: “Mechanical complexity” is incorrect. Please refer to the design principles above.

27
Q
Under the AWS shared responsibility model, which of the following is an example of security in the AWS Cloud?
A.Firewall configuration
B.Managing edge locations
C.Global Infrastructure
D.Physical security
A

A.Firewall configuration

Explanation:
Firewall configuration is an example of “security in the cloud”. This is the customer’s responsibility, not an AWS responsibility.

CORRECT: “Firewall configuration” is the correct answer.

INCORRECT: “Managing edge locations” is incorrect. This is an example of “security of the cloud” and is an AWS responsibility.

INCORRECT: “Physical security” is incorrect. This is an example of “security of the cloud” and is an AWS responsibility.

INCORRECT: “Global infrastructure” is incorrect. This is an example of “security of the cloud” and is an AWS responsibility.

28
Q

Which of the following statements are correct about the benefits of AWS Direct Connect? (Select TWO.)
A.Increased reliability (predictable performance)
B.Increased bandwidth (predictable bandwidth)
C.Lower cost than VPN
D.Uses redundant paths across the Internet
E.Quick to implement

A

A.Increased reliability (predictable performance)
B.Increased bandwidth (predictable bandwidth)

Explanation:
AWS Direct Connect is a network service that provides an alternative to using the Internet to connect customers’ on-premises sites to AWS.

Data is transmitted through a private network connection between AWS and a customer’s data center or corporate network.

Benefits of AWS Direct Connect:

– Reduce cost when using large volumes of traffic.

– Increase reliability (predictable performance).

– Increase bandwidth (predictable bandwidth).

– Decrease latency.

CORRECT: “Increased reliability (predictable performance)” is a correct answer.

CORRECT: “Increased bandwidth (predictable bandwidth)” is also a correct answer.

INCORRECT: “Quick to implement” is incorrect. Direct Connect is not fast to implement as it can take weeks to months to set up (use VPN for fast deployment times).

INCORRECT: “Lower cost than a VPN” is incorrect. Direct Connect is more expensive than VPN.

INCORRECT: “Uses redundant paths across the Internet” is incorrect. Direct Connect uses private network connections; it does not use redundant paths over the Internet.

29
Q

What is a benefit of moving an on-premises database to Amazon Relational Database Service (RDS)?
A.You can scale vertically without downtime
B.There is no database administration required
C.There is no need to manage operating systems
D.You can run any database engine

A

C.There is no need to manage operating systems

Explanation:
With Amazon RDS, which is a managed service, you do not need to manage operating systems. This reduces operational costs.

CORRECT: “There is no need to manage operating systems” is the correct answer.

INCORRECT: “You can scale vertically without downtime” is incorrect. You cannot scale vertically without downtime. When scaling with RDS you must change the instance type, and this requires a short period of downtime while the instance’s operating system reboots.

INCORRECT: “There is no database administration required” is incorrect. There is still database administration required in the cloud. You don’t manage the underlying operating system but still need to manage your own tables and data within the DB.

INCORRECT: “You can run any database engine” is incorrect. You cannot run any database engine with RDS. The options are MySQL, Microsoft SQL, MariaDB, Oracle, PostgreSQL and Aurora.

30
Q
Which service can be used to easily create multiple accounts?
A.AWS IAM
B.AWS CloudFormation
C.AWS Organizations
D.Amazon Connect
A

C.AWS Organizations

Explanation:
AWS Organizations can be used for automating AWS account creation via the Organizations API.

CORRECT: “AWS Organizations” is the correct answer.

INCORRECT: “AWS IAM” is incorrect. You cannot use IAM for creating accounts.

INCORRECT: “AWS CloudFormation” is incorrect. You could theoretically use AWS CloudFormation to automate the account creation along with some scripting, but that is certainly not an easy way to reach this result.

INCORRECT: “Amazon Connect” is incorrect. Amazon Connect is a self-service, cloud-based contact center service that makes it easy for businesses to deliver better customer service at a lower cost.

31
Q

Which of the options below are recommendations in the reliability pillar of the well-architected framework? (Select TWO.)
A.Scale vertically to increase aggregate system availability
B.Use ad-hoc recovery procedures
C.Manage change in automation
D.Attempt to accurately estimate capacity requirements
E.Automatically recover from failure

A

C.Manage change in automation
E.Automatically recover from failure

Explanation:
The reliability pillar includes the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

There are five design principles for reliability in the cloud:

– Test recovery procedures.

– Automatically recover from failure.

– Scale horizontally to increase aggregate system availability.

– Stop guessing capacity.

– Manage change in automation.

CORRECT: “Automatically recover from failure” is a correct answer.

CORRECT: “Manage change in automation” is also a correct answer.

INCORRECT: “Use ad-hoc recovery procedures” is incorrect. Please refer to the design principles above.

INCORRECT: “Scale vertically to increase aggregate system availability” is incorrect. Please refer to the design principles above.

INCORRECT: “Attempt to accurately estimate capacity requirements” is incorrect. Please refer to the design principles above.

32
Q

How can a company separate costs for storage, Amazon EC2, Amazon S3, and other AWS services by department?
A.Use AWS Organizations
B.Create a separate VPC for each department
C.Add department-specific tags to each resource
D.Create a separate AWS Account for each department

A

C.Add department-specific tags to each resource

Explanation:
A tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource, each tag key must be unique, and each tag key can have only one value.

You can use tags to organize your resources, and cost allocation tags to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make it easier for you to categorize and track your AWS costs.
AWS provides two types of cost allocation tags: AWS generated tags and user-defined tags. AWS defines, creates, and applies the AWS generated tags for you, and you define, create, and apply user-defined tags. You must activate both types of tags separately before they can appear in Cost Explorer or on a cost allocation report.

CORRECT: “Add department-specific tags to each resource” is the correct answer.

INCORRECT: “Create a separate VPC for each department” is incorrect. This is unnecessary and would not help with separating costs.

INCORRECT: “Create a separate AWS account for each department” is incorrect. This is overly complex and unnecessary.

INCORRECT: “Use AWS Organizations” is incorrect. Consolidated billing can separate bills by account, but for department-based cost separation, cost allocation tags should be used.

33
Q
Which service provides a way to convert video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs?
A.Amazon Rekognition
B.AWS Glue
C.Amazon Comprehend
D.Amazon Elastic Transcoder
A

D.Amazon Elastic Transcoder

Explanation:
Amazon Elastic Transcoder is a highly scalable, easy to use and cost-effective way for developers and businesses to convert (or “transcode”) video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs.

CORRECT: “Amazon Elastic Transcoder” is the correct answer.

INCORRECT: “AWS Glue” is incorrect. AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

INCORRECT: “Amazon Rekognition” is incorrect. Amazon Rekognition makes it easy to add image and video analysis to your applications.

INCORRECT: “Amazon Comprehend” is incorrect. Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find insights and relationships in text.

34
Q

How does the consolidated billing feature of AWS Organizations treat Reserved Instances that were purchased by another account in the organization?
A.All accounts in the organization are treated as one account for volume discounts but not for reserved instances
B.Only the master account can benefit from the hourly cost benefit of the reserved instances
C.AWS Organizations does not support any volume or reserved instance benefits across accounts, it is just a method of aggregating bills
D.All accounts in the organization are treated as one account so any account can receive the hourly cost benefit

A

D.All accounts in the organization are treated as one account so any account can receive the hourly cost benefit

Explanation:
For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account. This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.

CORRECT: “All accounts in the organization are treated as one account so any account can receive the hourly cost benefit” is the correct answer.

INCORRECT: “Only the master account can benefit from the hourly cost benefit of the reserved instances” is incorrect as explained above.

INCORRECT: “All accounts in the organization are treated as one account for volume discounts but not for reserved instances” is incorrect as explained above.

INCORRECT: “AWS Organizations does not support any volume or reserved instance benefits across accounts, it is just a method of aggregating bills” is incorrect as explained above.

35
Q
To gain greater discounts, which services can be reserved? (Select TWO.)
A.AWS Lambda
B.Amazon S3
C.Amazon CloudWatch
D.Amazon RedShift
E.Amazon DynamoDB
A

D.Amazon RedShift
E.Amazon DynamoDB

Explanation:
Reservations provide you with greater discounts, up to 75%, by paying for capacity ahead of time. Some of the services you can reserve include: EC2, DynamoDB, ElastiCache, RDS, and RedShift.

CORRECT: “Amazon RedShift” is a correct answer.

CORRECT: “Amazon DynamoDB” is also a correct answer.

INCORRECT: “Amazon S3” is incorrect. You cannot reserve Amazon S3, you pay for what you use.

INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a service that provides functions and cannot be reserved.

INCORRECT: “Amazon CloudWatch” is incorrect. You cannot reserve Amazon CloudWatch which is a monitoring service.

36
Q
Which database allows you to scale at the push of a button without incurring any downtime?
A.Amazon RDS
B.Amazon RedShift
C.Amazon EMR
D.Amazon DynamoDB
A

D.Amazon DynamoDB

Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Push button scaling means that you can scale the DB at any time without incurring downtime.

All other databases are based on EC2 instances and therefore you must increase the instance size to scale which will incur downtime.

CORRECT: “Amazon DynamoDB” is the correct answer.

INCORRECT: “Amazon RDS” is incorrect as explained above.

INCORRECT: “Amazon EMR” is incorrect as explained above.

INCORRECT: “Amazon RedShift” is incorrect as explained above.

37
Q

What are the advantages of Availability Zones? (Select TWO.)
A.They enable you to connect your on-premise networks to AWS to form a hybrid cloud
B.They provide fault isolation
C.They allow regional disaster recovery
D.They are connected by low-latency network connections
E.They enable the caching of data for faster delivery to end users

A

B.They provide fault isolation
D.They are connected by low-latency network connections

Explanation:
Each AWS region contains multiple distinct locations called Availability Zones (AZs). Each AZ is engineered to be isolated from failures in other AZs. An AZ is a data center, and in some cases, an AZ consists of multiple data centers.

AZs within a region provide inexpensive, low-latency network connectivity to other zones in the same region. This allows you to replicate your data across data centers in a synchronous manner so that failover can be automated and be transparent for your users.

CORRECT: “They provide fault isolation” is a correct answer.

CORRECT: “They are connected by low-latency network connections” is also a correct answer.

INCORRECT: “They allow regional disaster recovery” is incorrect. An AZ enables fault tolerance and high availability for your applications within a region not across regions.

INCORRECT: “They enable the caching of data for faster delivery to end users” is incorrect. CloudFront is the technology that is used to enable caching of data for faster delivery to end users.

INCORRECT: “They enable you to connect your on-premises networks to AWS to form a hybrid cloud” is incorrect. Direct Connect is the technology that is used to connect your on-premises network to AWS to form a hybrid cloud.

38
Q
You have been running an on-demand Amazon EC2 instance running Linux for 4hrs, 5 minutes and 6 seconds. How much time will you be billed for?
A.4hrs
B.4hrs, 5mins and 6 seconds
C.4hrs, 6 mins
D.5hrs
A

B.4hrs, 5mins and 6 seconds

Explanation:
On-demand, Reserved and Spot Amazon EC2 Linux instances are charged per second with a minimum charge of 1 minute. Therefore, as the minimum has been exceeded, exactly 4hrs, 5mins and 6 seconds will be charged.

CORRECT: “4hrs, 5mins, and 6 seconds” is the correct answer.

INCORRECT: “5hrs” is incorrect as explained above.

INCORRECT: “4hrs, 6mins” is incorrect as explained above.

INCORRECT: “4hrs” is incorrect as explained above.

39
Q
You are concerned that you may be getting close to some of the default service limits for several AWS services. What AWS tool can be used to display current usage and limits?    
A.AWS CloudWatch
B.AWS Personal Health Dashboard
C.AWS Trusted Advisor
D.AWS Systems Manager
A

C.AWS Trusted Advisor

Explanation:
Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. It offers a Service Limits check (in the Performance category) that displays your usage and limits for some aspects of some services.

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “AWS CloudWatch” is incorrect. Amazon CloudWatch is a monitoring and management service built for developers, system operators, site reliability engineers (SRE), and IT managers.

INCORRECT: “AWS Personal Health Dashboard” is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

INCORRECT: “AWS Systems Manager” is incorrect. AWS Systems Manager gives you visibility and control of your infrastructure on AWS.

40
Q
Which AWS Support plan provides access to architectural and operational reviews, as well as 24/7 access to Cloud Support Engineers through email, online chat, and phone?
A. Enterprise
B.Basic
C.Developer
D.Business
A

A. Enterprise

Explanation:
Only the enterprise plan provides Well-Architected Reviews and Operational Reviews. 24/7 access to Cloud Support Engineers through email, online chat, and phone is offered on the business and enterprise plans.

CORRECT: “Enterprise” is the correct answer.

INCORRECT: “Basic” is incorrect. Basic only includes: 24x7 access to customer service, documentation, whitepapers, and support forums.

INCORRECT: “Business” is incorrect as it does not provide access to architectural and operational reviews.

INCORRECT: “Developer” is incorrect as you get support from Cloud Support Associates, not Engineers and also do not get access to architectural and operational reviews.

41
Q
You need to run a production process that will use several EC2 instances and run constantly on an ongoing basis. The process cannot be interrupted or restarted without issue. What EC2 pricing model would be best for this workload?
A.Reserved instances
B.Spot instances
C.Flexible instances
D.On-demand instances
A

A.Reserved instances

Explanation:
Reserved Instances (RIs) provide you with a significant discount (up to 75%) compared to On-Demand instance pricing. You have the flexibility to change families, OS types, and tenancies while benefitting from RI pricing when you use Convertible RIs.

In this scenario, for a stable process that will run constantly on an ongoing basis, RIs will be the most affordable solution.

CORRECT: “Reserved instances” is the correct answer.

INCORRECT: “Spot instances” is incorrect as the instance cannot be terminated.

INCORRECT: “On-demand instances” is incorrect as this would not be the most cost-effective option.

INCORRECT: “Flexible instances” is incorrect as there’s no such thing.

42
Q
A security operations engineer needs to implement threat detection and monitoring for malicious or unauthorized behavior. Which service should be used?
A.AWS CloudHSM
B.Amazon GuardDuty
C.AWS Shield
D.AWS KMS
A

B.Amazon GuardDuty

Explanation:
Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

CORRECT: “Amazon GuardDuty” is the correct answer.

INCORRECT: “AWS Shield” is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.

INCORRECT: “AWS KMS” is incorrect. AWS Key Management Service gives you centralized control over the encryption keys used to protect your data.

INCORRECT: “AWS CloudHSM” is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

43
Q
What technology enables compute capacity to adjust as loads change?
A.Auto Scaling
B.Load balancing
C.Round Robin
D.Automatic failover
A

A.Auto Scaling

Explanation:
Auto Scaling allows the dynamic adjustment of provisioned resources based on demand. For instance, you can use Amazon EC2 Auto Scaling to launch additional EC2 instances when CloudWatch metrics report the CPU utilization has reached a certain threshold.

CORRECT: “Auto Scaling” is the correct answer.

INCORRECT: “Load balancing” is incorrect. This technology is more focused on high availability by distributing connections to multiple instances.

INCORRECT: “Automatic failover” is incorrect. This is a technology that enables high availability by failing over to standby resources in the event of a service disruption.

INCORRECT: “Round robin” is incorrect. This is typically associated with the Domain Name Service (DNS) where responses are provided from a pool of addresses in a sequential and circular fashion.

44
Q

Which statement best describes Amazon Route 53?
A.Amazon Route 53 enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud
B.Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service
C.Amazon Route 53 is a service that enables routing within VPCs in an account
D.Amazon Route 53 is a service for distributing incoming connections between a fleet of registered EC2 instances

A

B.Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service

Explanation:
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.

CORRECT: “Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service” is the correct answer.

INCORRECT: “Amazon Route 53 is a service that enables routing within VPCs in an account” is incorrect. The VPC router performs routing within a VPC.

INCORRECT: “Amazon Route 53 enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud” is incorrect. Direct Connect enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud.

INCORRECT: “Amazon Route 53 is a service for distributing incoming connections between a fleet of registered EC2 instances” is incorrect. Auto Scaling is a service for distributing incoming connections between a fleet of registered EC2 instances.

45
Q

Which of the options below are recommendations in the cost optimization pillar of the well-architected framework? (Select TWO.)
A.Analyze and attribute expenditure
B.Manage your services independently
C.Adopt a consumption model
D.Adopt a capital expenditure model
E.Start spending money on data center operations

A

A.Analyze and attribute expenditure
C.Adopt a consumption model

Explanation:

The cost optimization pillar includes the ability to avoid or eliminate unneeded cost or suboptimal resources.

There are five design principles for cost optimization in the cloud:

– Adopt a consumption model.

– Measure overall efficiency.

– Stop spending money on data center operations.

– Analyze and attribute expenditure.

– Use managed services to reduce cost of ownership.

CORRECT: “Adopt a consumption model” is a correct answer.

CORRECT: “Analyze and attribute expenditure” is also a correct answer.

INCORRECT: “Adopt a capital expenditure model” is incorrect. Please refer to the design principles above.

INCORRECT: “Start spending money on data center operations” is incorrect. Please refer to the design principles above.

INCORRECT: “Manage your services independently” is incorrect. Please refer to the design principles above.

46
Q

How does Amazon EC2 Auto Scaling help with resiliency?
A.By automating the failover of applications
B.By launching and terminating instances as needed
C.By changing instance types to increase security
D.By distributing connections to EC2 instances

A

B.By launching and terminating instances as needed

Explanation:
Amazon EC2 Auto Scaling launches and terminates instances as demand changes. This helps with resiliency and high availability as it can also be set to ensure a minimum number of instances are always available.

CORRECT: “By launching and terminating instances as needed” is the correct answer.

INCORRECT: “By distributing connections to EC2 instances” is incorrect. Auto Scaling is not responsible for distributing connections to EC2 instances; that is a job for an Elastic Load Balancer (ELB).

INCORRECT: “By changing instance types to increase capacity” is incorrect. Auto Scaling does not change the instance type. You have to create a new launch configuration if you need to increase your instance size; this is not automatic.

INCORRECT: “By automating the failover of applications” is incorrect. Auto Scaling does not do application failover.

47
Q
Which AWS services can be used as infrastructure automation tools? (Select TWO.)
A.Amazon CloudFront
B.Amazon QuickSight
C.AWS Batch
D.AWS CloudFormation
E.AWS OpsWorks
A

D.AWS CloudFormation
E.AWS OpsWorks

Explanation:
AWS CloudFormation provides a common language for you to model and provision AWS and third party application resources in your cloud environment. AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

CORRECT: “AWS CloudFormation” is a correct answer.

CORRECT: “AWS OpsWorks” is also a correct answer.

INCORRECT: “Amazon CloudFront” is incorrect. Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

INCORRECT: “AWS Batch” is incorrect. AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.

INCORRECT: “Amazon QuickSight” is incorrect. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.

48
Q
Which Amazon EC2 Reserved Instance type enables you to match your capacity reservation to predictable recurring dates and times?
A.Scheduled RI
B.Standard RI
C.Convertible RI
D.Customized RI
A

A.Scheduled RI

Explanation:
With RIs, you can choose the type that best fits your application needs.

Standard RIs: These provide the most significant discount (up to 75% off On-Demand) and are best suited for steady-state usage.

Convertible RIs: These provide a discount (up to 54% off On-Demand) and the capability to change the attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or greater value. Like Standard RIs, Convertible RIs are best suited for steady-state usage.

Scheduled RIs: These are available to launch within the time windows you reserve. This option allows you to match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month.

CORRECT: “Scheduled RI” is the correct answer.

INCORRECT: “Standard RI” is incorrect as it does not allow you to match your capacity reservation to predictable recurring dates and times.

INCORRECT: “Convertible RI” is incorrect as it does not allow you to match your capacity reservation to predictable recurring dates and times.

INCORRECT: “Customized RI” is incorrect. This is not a valid type of RI.

49
Q
An Amazon EC2 instance running the Amazon Linux 2 AMI is billed in what increment?
A.Per CPU
B.Per hour
C.Per GB
D.Per second
A

D.Per second

Explanation:
Amazon EC2 instances running Linux are billed in one second increments, with a minimum of 60 seconds.

CORRECT: “Per second” is the correct answer.

INCORRECT: “Per hour” is incorrect. You do not pay per hour.

INCORRECT: “Per CPU” is incorrect. You do not pay per CPU.

INCORRECT: “Per GB” is incorrect. You pay for Amazon EBS on a per GB of provisioned storage basis.

50
Q
Which AWS service provides on-demand downloads of AWS security and compliance reports?
A.Amazon Inspector
B.AWS Artifact
C.AWS Trusted Advisor
D.AWS Directory Service
A

B.AWS Artifact

Explanation:
AWS Artifact is the go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

CORRECT: “AWS Artifact” is the correct answer.

INCORRECT: “AWS Directory Service” is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is an AWS-managed directory service built on actual Microsoft Active Directory and powered by Windows Server 2012 R2.

INCORRECT: “AWS Trusted Advisor” is incorrect. AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.

INCORRECT: “Amazon Inspector” is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

51
Q
Which pricing options are available when using Amazon EC2 Reserved Instances? (Select TWO.)
A.Capacity upfront
B.Mainly upfront
C.All upfront
D.Partial upfront
E.Enterprise upfront
A

C.All upfront
D.Partial upfront

Explanation:
Amazon EC2 Reserved Instances (RI) provide a significant discount (up to 75%) compared to On-Demand pricing and provide a capacity reservation when used in a specific Availability Zone. Payment options include All Upfront, Partial Upfront, and No Upfront.

CORRECT: “All upfront” is a correct answer.

CORRECT: “Partial upfront” is also a correct answer.

INCORRECT: “Capacity upfront” is incorrect as this is not a pricing option.

INCORRECT: “Mainly upfront” is incorrect as this is not a pricing option.

INCORRECT: “Enterprise upfront” is incorrect as this is not a pricing option.

52
Q

What is the best way to apply an organizational system to EC2 instances so they can be identified by descriptors such as purpose or department?
A. Use the instance meta-data
B.Apply tags
C.Organize the instances into separate subnets
D.Use descriptive hostnames

A

B.Apply tags

Explanation:
To help you manage your instances, images, and other Amazon EC2 resources, you can optionally assign your own metadata to each resource in the form of tags. A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment.

CORRECT: “Apply tags” is the correct answer.

INCORRECT: “Use descriptive hostnames” is incorrect. Using descriptive hostnames is a messy way to try and organize resources and lacks the power and flexibility of tagging.

INCORRECT: “Organize the instances into separate subnets” is incorrect. Organizing instances into separate subnets is also not an ideal method for organizing resources.

INCORRECT: “Use the instance meta-data” is incorrect. Storing information in instance meta-data is possible but you need to retrieve the information; tags enable you to do this more easily.

53
Q

What are the benefits of using Amazon Rekognition with image files?
A.Can be used to identify objects in an image
B.Can be used to transcode audio
C.Can be used to resize images
D.Can help with image compression

A

A.Can be used to identify objects in an image

Explanation:

Rekognition Image is a deep learning powered image recognition service that detects objects, scenes, and faces; extracts text; recognizes celebrities; and identifies inappropriate content in images. It also allows you to search and compare faces.

CORRECT: “Can be used to identify objects in an image” is the correct answer.

INCORRECT: “Can be used to resize images” is incorrect. You cannot use Rekognition to resize images.

INCORRECT: “Can be used to transcode audio” is incorrect. You should use the Elastic Transcoder service to transcode audio.

INCORRECT: “Can help with image compression” is incorrect. You cannot use Rekognition to compress images.

54
Q

How can an organization track resource inventory and configuration history for the purpose of security and regulatory compliance?
A.Run a report with AWS Artifact
B.Configure AWS Config with the resource types
C.Create an Amazon CloudTrail trail
D.Implement Amazon GuardDuty

A

B.Configure AWS Config with the resource types

Explanation:
AWS Config is a fully-managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

CORRECT: “Configure AWS Config with the resource types” is the correct answer.

INCORRECT: “Create an Amazon CloudTrail trail” is incorrect. CloudTrail tracks API activity. This means it is used to monitor who does what on Amazon. It does not provide a resource inventory or configuration history.

INCORRECT: “Implement Amazon GuardDuty” is incorrect. Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

INCORRECT: “Run a report with AWS Artifact” is incorrect. AWS Artifact is used for obtaining on-demand security and compliance reports and select online agreements. This service provides access to AWS security and compliance reports such as SOC and PCI. You don’t use Artifact to track your own resource inventory and configuration history.

55
Q

Which IAM entity can be used for assigning permissions to AWS services?
A.IAM Role
B.IAM Policy
C.IAM Access Key ID and Secret Access Key
D.Security Token Service (STS)

A

A.IAM Role

Explanation:
With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. username and password). To do so you can create a role and assign an IAM policy to the role that has the permissions required.

CORRECT: “IAM Role” is the correct answer.

INCORRECT: “IAM Access Key ID and Secret Access Key” is incorrect. An access key ID and secret access key are assigned to IAM users and used for programmatic access using the API or CLI.

INCORRECT: “IAM Policy” is incorrect. An IAM policy is a policy document that is used to define permissions that can be applied to users, groups and roles. You don’t apply the policy to the service, you apply it to the role. The role is then used to assign permissions to the AWS service.

INCORRECT: “Security Token Service (STS)” is incorrect. This service is used for gaining temporary security credentials.

56
Q
Which Amazon EC2 pricing model is the most cost-effective for an always-up, right-sized database server running a project that will last 1 year?
A.Convertible Reserved Instances
B.Spot Instances
C.On-Demand Instances
D.Standard Reserved Instances
A

D.Standard Reserved Instances

Explanation:
Reserved Instances (RIs) provide you with a significant discount (up to 72%) compared to On-Demand instance pricing. Standard reserved instances offer the most cost savings. RIs are based on a 1 or 3 year contract so they are suitable for workloads that will run for the duration of the contract period.

CORRECT: “Standard Reserved Instances” is the correct answer.

INCORRECT: “Convertible Reserved Instances” is incorrect. You have the flexibility to change families, OS types, and tenancies while benefitting from RI pricing when you use Convertible RIs. However, this is not required for a right-sized server.

INCORRECT: “On-Demand Instances” is incorrect. This pricing model offers no discounts.

INCORRECT: “Spot Instances” is incorrect. Though you can achieve greater cost savings with Spot instances, the instances can be terminated when AWS need the capacity back.

57
Q
What are the benefits of using reserved instances? (Select TWO.)
A.Uses dedicated hardware
B.High availability
C.Reduced cost
D.More flexibility
E.Reserve capacity
A

C.Reduced cost
E.Reserve capacity

Explanation:
With reserved instances you commit to a 1- or 3-year term and get a significant discount from the on-demand rate. You can also reserve capacity in an availability zone with reserved instances.

CORRECT: “Reduced cost” is a correct answer.

CORRECT: “Reserve capacity” is also a correct answer.

INCORRECT: “More flexibility” is incorrect. You don’t get more flexibility with reserved instances. If you need flexibility, on-demand is better but more costly.

INCORRECT: “Uses dedicated hardware” is incorrect. Reserved instances are different to dedicated instances. Dedicated instances and dedicated hosts use dedicated hardware but reserved instances do not.

INCORRECT: “High availability” is incorrect. You do not get high availability with reserved instances; this is a pricing model.

58
Q
Which of the below is a fully managed Amazon search service based on open source software?
A.Amazon Elasticsearch
B.AWS Elastic Beanstalk
C.Amazon CloudSearch
D.AWS OpsWorks
A

A.Amazon Elasticsearch

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real-time. Elasticsearch is based on open source software.

CORRECT: “Amazon Elasticsearch” is the correct answer.

INCORRECT: “AWS Elastic Beanstalk” is incorrect. AWS Elastic Beanstalk is used for deploying and managing EC2 instances and related services on AWS.

INCORRECT: “AWS OpsWorks” is incorrect. AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.

INCORRECT: “Amazon CloudSearch” is incorrect. Amazon CloudSearch is a managed service in the AWS Cloud. Unlike Elasticsearch, this is not based on open source software.

59
Q
Which AWS tools can be used for automation? (Select TWO.)
A.Amazon Elastic File System (EFS)
B.AWS Elastic Beanstalk
C.AWS CloudFormation
D.Elastic Load Balancing
E.AWS Lambda
A

B.AWS Elastic Beanstalk
C.AWS CloudFormation

Explanation:
AWS Elastic Beanstalk and AWS CloudFormation are both examples of automation. Beanstalk is a platform service that leverages the automation capabilities of CloudFormation to build out application architectures.

CORRECT: “AWS Elastic Beanstalk” is a correct answer.

CORRECT: “AWS CloudFormation” is also a correct answer.

INCORRECT: “Elastic Load Balancing” is incorrect. Elastic Load Balancing (ELB) is used for distributing incoming connections to Amazon EC2 instances. This is not an example of automation; it is load balancing.

INCORRECT: “Amazon Elastic File System (EFS)” is incorrect. Amazon EFS is a file system.

INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a compute service, not an automation service.

60
Q
Which service can be used to create sophisticated, interactive graph applications?
A.AWS X-Ray
B.Amazon Athena
C.Amazon Redshift
D.Amazon Neptune
A

D.Amazon Neptune

Explanation:
Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets. With Amazon Neptune, you can create sophisticated, interactive graph applications that can query billions of relationships in milliseconds.

CORRECT: “Amazon Neptune” is the correct answer.

INCORRECT: “Amazon Redshift” is incorrect. Amazon Redshift is a fast, scalable data warehouse that makes it simple and cost-effective to analyze all your data across your data warehouse and data lake.

INCORRECT: “AWS X-Ray” is incorrect. AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture.

INCORRECT: “Amazon Athena” is incorrect. Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

61
Q

When using AWS Organizations with consolidated billing what are two valid best practices? (Select TWO.)
A.Always enable multi-factor authentication (MFA) on the root account
B.Use the paying account for deploying resources
C.Always use a straightforward password on the root account
D.Never exceed the limit of 20 linked accounts
E.The paying account should be used for billing purposes only

A

A.Always enable multi-factor authentication (MFA) on the root account
E.The paying account should be used for billing purposes only

Explanation:
When using AWS Organizations with consolidated billing, best practices include:

– Always enable multi-factor authentication (MFA) on the root account.

– Always use a strong and complex password on the root account.

– The Paying account should be used for billing purposes only. Do not deploy resources into the Paying account.

There is a default limit of 20 linked accounts but this can be extended and there is no reason why you should stick to a maximum of 20 accounts.

CORRECT: “Always enable multi-factor authentication (MFA) on the root account” is a correct answer.

CORRECT: “The paying account should be used for billing purposes only” is also a correct answer.

INCORRECT: “Always use a straightforward password on the root account” is incorrect as you should use a complex password.

INCORRECT: “Use the paying account for deploying resources” is incorrect as you should deploy resources in the linked accounts.

INCORRECT: “Never exceed the limit of 20 linked accounts” is incorrect as you can extend the default limit.

62
Q
Which service allows an organization to view operational data from multiple AWS services through a unified user interface and automate operational tasks?
A.AWS Config
B.Amazon CloudWatch
C.AWS Systems Manager
D.AWS OpsWorks
A

C.AWS Systems Manager

Explanation:
AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.

CORRECT: “AWS Systems Manager” is the correct answer.

INCORRECT: “AWS Config” is incorrect. AWS Config is a fully-managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

INCORRECT: “AWS OpsWorks” is incorrect. AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.

INCORRECT: “Amazon CloudWatch” is incorrect. Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You use CloudWatch for performance monitoring, not automating operational tasks.

63
Q
Which of the below is an example of an architectural benefit of moving to the cloud?
A.Elasticity
B.Proprietary Hardware
C.Vertical scalability
D.Monolithic services
A

A.Elasticity

Explanation:
A key architectural benefit of moving to the cloud is that you get elasticity. This means your applications can scale as demand increases and scale back as demand decreases. This reduces cost as you only pay for what you use, when you need it.

CORRECT: “Elasticity” is the correct answer.

INCORRECT: “Monolithic services” is incorrect. Monolithic services are not a design pattern of the public cloud. Developers and architects prefer service-oriented or microservice architectures instead.

INCORRECT: “Proprietary hardware” is incorrect. You do not get to choose your hardware in AWS as the infrastructure on which your services run is managed and operated by AWS. So you cannot use proprietary hardware.

INCORRECT: “Vertical scalability” is incorrect. Vertical scalability is not unique to the cloud, nor is it something we aspire to as architects. Most of the time horizontal scalability is preferred and is something that the AWS cloud provides for many services.

64
Q

Which statement best describes elasticity in the cloud?
A.A pricing model that allows upfront payments and term commitments to reduce costs
B.The ability to scale resources up or down and only pay for what you use
C.The ability for a system to recover from the failure of a single component
D.A flexible model of code development that results in faster deployment times

A

B.The ability to scale resources up or down and only pay for what you use

Explanation:
Elasticity is the ability to scale resources up or down and only pay for what you use. A great example is Auto Scaling which launches and terminates EC2 instances based on the amount of load.

CORRECT: “The ability to scale resources up or down and only pay for what you use” is the correct answer.

INCORRECT: “The ability for a system to recover from the failure of a single component” is incorrect. This is a description of fault tolerance.

INCORRECT: “A flexible model of code development that results in faster deployment times” is incorrect. This is a description of agile development.

INCORRECT: “A pricing model that allows upfront payments and term commitments to reduce cost” is incorrect. This is a description of reserved instances.

65
Q

Under the AWS shared responsibility model what is AWS responsible for? (Select TWO.)
A.Physical security of the data center
B.Configuration of security groups
C.Replacement and disposal of disk drives
D.Patch management of operating systems
E.Encryption of customer data

A

A.Physical security of the data center
C.Replacement and disposal of disk drives

Explanation:
AWS are responsible for “Security of the Cloud” and customers are responsible for “Security in the Cloud”.

AWS are responsible for items such as the physical security of the DC, replacement of old disk drives, and patch management of the infrastructure.

Customers are responsible for items such as configuring security groups, network ACLs, patching their operating systems and encrypting their data.

CORRECT: “Physical security of the data center” is a correct answer.

CORRECT: “Replacement and disposal of disk drives” is also a correct answer.

INCORRECT: “Configuration of security groups” is incorrect as this is a customer responsibility.

INCORRECT: “Patch management of operating systems” is incorrect as this is a customer responsibility.

INCORRECT: “Encryption of customer data” is incorrect as this is a customer responsibility.