AWS Certified Cloud Practitioner: Test 6

Question 1

Which AWS service provides the ability to detect inadvertent data leaks of personally identifiable information (PII) and user credential data?
A.Amazon GuardDuty
B.Amazon macie
C.Amazon Inspector
D.AWS Shield

Answer 1

B.Amazon macie

Explanation:
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in Amazon S3.

Macie applies machine learning and pattern matching techniques to the Amazon S3 buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).

CORRECT: “Amazon Macie” is the correct answer.

INCORRECT: “Amazon GuardDuty” is incorrect. This is a service that analyzes your resources using anomaly detection and machine learning. It does not detect personally identifiable information.

INCORRECT: “Amazon Inspector” is incorrect. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. It does not detect personally identifiable information.

INCORRECT: “AWS Shield” is incorrect. This service is involved with protecting your resources of distributed denial of service (DDoS) attacks.

Question 2

To reduce cost, which of the following services support reservations? (Select TWO.)
A.Amazon RedShift
B.Amazon ElasticCache
C.Amazon S3
D.Amazon CloudFormation
E.AWS BeanStalk

Answer 2

A.Amazon RedShift
B.Amazon ElasticCache

Explanation:
Amazon ElastiCache and Amazon Redshift both support reserved nodes. Reservations can be used to gain a large discount from the on-demand rate in exchange for the commitment to a contract for 1 or 3 years.

CORRECT: “Amazon ElastiCache” is a correct answer.

CORRECT: “Amazon RedShift” is also a correct answer.

INCORRECT: “Amazon CloudFormation” is incorrect as you do not pay for CloudFormation.

INCORRECT: “AWS Elastic Beanstalk” is incorrect as you do not pay for Elastic Beanstalk.

INCORRECT: “Amazon S3” is incorrect as you pay for usage and cannot reserve capacity.

Question 3

How can a company configure automatic, asynchronous copying of objects in Amazon S3 buckets across regions?
A.This is done by default by AWS
B.Using cross- region replication
C.Using lifecycle actions
D.By configuring multi-master replication

Answer 3

B.Using cross- region replication

Explanation:
Cross-region replication (CRR) enables automatic, asynchronous copying of objects across buckets in different AWS Regions. Buckets configured for cross-region replication can be owned by the same AWS account or by different account

CORRECT: “Using cross-region replication” is the correct answer.

INCORRECT: “This is done by default by AWS” is incorrect as this is not true.

INCORRECT: “By configuring multi-master replication” is incorrect. Multi-master replication is not something you can do with Amazon S3 (Amazon Aurora has this feature).

INCORRECT: “Using lifecycle actions” is incorrect. Lifecycle actions cannot be configured to move to another storage class in a different region.

Question 4

Which of the following acts as a virtual firewall at the Amazon EC2 instance level to control traffic for one or more instances?
A.Route table
B.Network Access Control Lists (ACL)
C.Security groups
D.Virtual Private Gateways (VPG)

Answer 4

C.Security groups

Explanation:
A security group is an instance-level firewall that can be used to control traffic the that reaches (ingress/inbound) and is sent out from (egress/outbound) your EC2 instances. Rules are created for inbound or outbound traffic. A security group can be attached to multiple EC2 instances.

CORRECT: “Security groups” is the correct answer.

INCORRECT: “Network Access Control Lists (ACL)” is incorrect as this is subnet-level firewall. You do not attach a Network ACL to an instance, you attach it to a subnet.

INCORRECT: “Virtual private gateways (VPG)” is incorrect. A VPG is the Amazon side of an AWS Managed VPN.

INCORRECT: “Route table” is incorrect as this is not a firewall but a table of routes for directing traffic between subnets within a VPC.

Question 5

A startup eCommerce company needs to quickly deliver new website features in an iterative manner, minimizing the time to market.

Which AWS Cloud feature allows this?
A.Agility
B.High availability
C.Reliability
D.Elasticity

Answer 5

A.Agility

Explanation:
In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes.

This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower.

CORRECT: “Agility” is the correct answer.

INCORRECT: “High availability” is incorrect as this is associated with increased resilience, not agility.

INCORRECT: “Elasticity” is incorrect as this associated with the ability to adjust to demand and reduce the need to guess capacity requirements.

INCORRECT: “Reliability” is incorrect as this does not assist with bringing features to market faster.

Question 6

A company is using the AWS CLI and programmatic access of AWS resources from its on-premises network.

What is a mandatory requirement in this scenario?
A.using an Amazon EC2 key pair
B.Using an AWS Direct Connect connection
C.Using Amazon API Gateway
D.Using an AWS access key and a secret key

Answer 6

D.Using an AWS access key and a secret key

Explanation:
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests.

CORRECT: “Using an AWS access key and a secret key” is the correct answer.

INCORRECT: “Using an AWS Direct Connect connection” is incorrect. It is not a requirement that you use a Direct Connect connection. You can access public services via the API using the internet. For private services you can use Direct Connect, a VPN, or a bastion host.

INCORRECT: “Using Amazon API Gateway” is incorrect. You do not need API Gateway for programmatic access to the AWS API.

INCORRECT: “Using an Amazon EC2 key pair” is incorrect. A key pair is used to securely access EC2 resources and should not be confused with access keys.

Question 7

Your company has recently migrated to AWS. How can your CTO monitor the organization’s costs?
A.AWS CloudTrail
B.AWS Simple Monthly Calculator
C.AWS Cost Explorer
D.AWS Consolidated billing

Answer 7

C.AWS Cost Explorer

Explanation:
AWS Cost Explorer – enables you to visualize your usage patterns over time and to identify your underlying cost drivers.
CORRECT: “AWS Cost Explorer” is the correct answer.

INCORRECT: “AWS CloudTrail” is incorrect. AWS CloudTrail provides a record of API activity in your account. I.e. who did what to which resource..

INCORRECT: “AWS Consolidated Billing” is incorrect. AWS Consolidated Billing is a feature of AWS Organizations that allows you to consolidate billing across multiple linked accounts and benefit from volume pricing discounts.

INCORRECT: “AWS Simple Monthly calculator” is incorrect. AWS Simple Monthly calculator – shows you how much you would pay in AWS if you move your resources.

Question 8

Which AWS service is suitable for an event-driven workload?
A.AWS Lambda
B.Amazon Lumberyard
C.AWS Elastic Beanstalk
D.Amazon EC2

Answer 8

A.AWS Lambda

Explanation:
AWS Lambda is an event-driven service. For example you can configure an Amazon S3 bucket with event notifications that trigger an AWS Lambda function when data is uploaded to an S3 bucket.

CORRECT: “AWS Lambda” is the correct answer.

INCORRECT: “Amazon EC2” is incorrect as this is not an event-driven service.

INCORRECT: “AWS Elastic Beanstalk” is incorrect as this is not an event-driven service.

INCORRECT: “Amazon Lumberyard” is incorrect as this is a game engine service.

Question 9

Which AWS security tool uses an agent installed in EC2 instances and assesses applications for vulnerabilities and deviations from best practices?    
A.AWS Inspector
B.AWS Personal Health Dashboard
C.AWS Trusted Advisor
D.AWS TCO Calculator

Answer 9

A.AWS Inspector

Explanation:
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices. Inspector uses an agent installed on EC2 instances.

CORRECT: “AWS Inspector” is the correct answer.

INCORRECT: “AWS Trusted Advisor” is incorrect. Trusted Advisor is an online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment.

INCORRECT: “AWS Personal Health Dashboard” is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

INCORRECT: “AWS TCO Calculator” is incorrect. The AWS TCO calculator can be used to compare the cost of running your applications in an on-premises or colocation environment to AWS.

Question 10

Which type of Elastic Load Balancer operates at the TCP connection level?
A. Amazon Route 53 Load Balancer
B.Network Load Balancer (NLB)
C.Classic Load balancer (CLB)
D.Application Load Balancer (ALB)

Answer 10

B.Network Load Balancer (NLB)

Explanation:
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. NLBs direct connections based on information at the TCP connection level.

CORRECT: “Network Load Balancer (NLB)” is the correct answer.

INCORRECT: “Application Load Balancer (ALB)” is incorrect. ALBs process traffic at the application level (layer 7) based on information in the HTTP/HTTPS headers.

INCORRECT: “Classic Load Balancer (CLB)” is incorrect. CLBs process traffic at the TCP, SSL, HTTP and HTTPS levels (layer 4 & 7).

INCORRECT: “Amazon Route 53 Load Balancer” is incorrect. There is no feature called a load balancer that is associated with Route 53. You can perform a type of load balancing using multivalue answer routing.

Question 11

The AWS Cost Management tools give users the ability to do which of the following? (Select TWO.)
A.Break down AWS costs by day service and linked AWS account
B.Create budgets and receive notification's if current or forecasted usage exceeds the budgets
C.Switch automatically to resevered instances or spot instances, whichever is most cost-effective
D.Move data stored in Amazon S3 to a more cost-effective storage class
E.Terminate all AWS resources automatically if budget thresholds are exceeded

Answer 11

A.Break down AWS costs by day service and linked AWS account
B.Create budgets and receive notification’s if current or forecasted usage exceeds the budgets

Explanation:
AWS has a set of solutions to help you with cost management and optimization. This includes services, tools, and resources to organize and track cost and usage data, enhance control through consolidated billing and access permission, enable better planning through budgeting and forecasts, and further lower cost with resources and pricing optimizations.

However, these tools do not terminate resources, manipulate resources, or make changes to pricing models.

CORRECT: “Break down AWS costs by day, service, and linked AWS account” is the correct answer.

CORRECT: “Create budgets and receive notifications if current or forecasted usage exceeds the budgets” is the correct answer.

INCORRECT: “Terminate all AWS resources automatically if budget thresholds are exceeded” is incorrect as explained above.

INCORRECT: “Switch automatically to Reserved Instances or Spot Instances, whichever is most cost-effective” is incorrect as explained above.

INCORRECT: “Move data stored in Amazon S3 to a more cost-effective storage class” is incorrect as explained above.

Question 12

What methods are available for scaling an Amazon RDS database? (Select TWO.)
A.You can scale out automatically with EC2 auto scaling
B.You can scale up automatically using AWS auto scaling
C.You can scale out by implementing Elastic Load Balancing
D,You can scale up by increasing storage capacity
E.You can scale up by moving to a larger instance size

Answer 12

D,You can scale up by increasing storage capacity
E.You can scale up by moving to a larger instance size

Explanation:
To handle a higher load in your database, you can vertically scale up your master database with a simple push of a button. There are currently over 18 instance sizes that you can choose from when resizing your RDS MySQL, PostgreSQL, MariaDB, Oracle, or Microsoft SQL Server instance.

For Amazon Aurora, you have 5 memory-optimized instance sizes to choose from. The wide selection of instance types allows you to choose the best resource and cost for your database server.

In addition to scaling your master database vertically, you can also improve the performance of a read-heavy database by using read replicas to horizontally scale your database. RDS MySQL, PostgreSQL, and MariaDB can have up to 5 read replicas, and Amazon Aurora can have up to 15 read replicas.

CORRECT: “You can scale up by moving to a larger instance size” is a correct answer.

CORRECT: “You can scale up by increasing storage capacity” is also a correct answer.

INCORRECT: “You can scale out automatically with EC2 Auto Scaling” is incorrect. You cannot use EC2 Auto Scaling with Amazon RDS.

INCORRECT: “You can scale out by implementing Elastic Load Balancing” is incorrect. You cannot use Elastic Load Balancing with RDS.

INCORRECT: “You can scale up automatically using AWS Auto Scaling” is incorrect. You cannot use EC2 Auto Scaling or AWS (Application) Auto Scaling to automatically scale your RDS database. EC2 Auto Scaling is involved with launching additional instances (scale out) and this is not a method of scaling an RDS database. Application auto scaling is involved with automatically adjusting the assignment of resources to the database which is not supported with RDS (you can do it with DynamoDB).

Question 13

Based on the shared responsibility model, which of the following security and compliance tasks is AWS responsible for?
A.Encrypting data in transit
B.Updating operating systems
C.Granting access to individuals and services
D.Updating Amazon EC2 host firmware

Answer 13

D.Updating Amazon EC2 host firmware

Explanation:
AWS are responsible for updating Amazon EC2 host firmware. This is considered “security of the cloud”. All other tasks are the responsibility of the customer.

CORRECT: “Updating Amazon EC2 host firmware” is the correct answer.

INCORRECT: “Granting access to individuals and services” is incorrect. This is something a customer must perform to control access to the resources they use on AWS.

INCORRECT: “Encrypting data in transit” is incorrect. Encryption at rest and in-transit is a customer responsibility.

INCORRECT: “Updating operating systems” is incorrect. Customers are responsible for patching operating systems on Amazon EC2. AWS are only responsible for the host servers.

Question 14

Which AWS service can serve a static website?
A.Amazon S3
B.Amazon Route 53
C.AWS X-Ray
D.Amazon QuickSight

Answer 14

A.Amazon S3

Explanation:
You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts.

To host a static website on Amazon S3, you configure an Amazon S3 bucket for website hosting and then upload your website content to the bucket. When you configure a bucket as a static website, you must enable website hosting, set permissions, and create and add an index document. Depending on your website requirements, you can also configure redirects, web traffic logging, and a custom error document.

CORRECT: “Amazon S3” is the correct answer.

INCORRECT: “Amazon Route 53” is incorrect. This is an intelligent DNS service.

INCORRECT: “Amazon QuickSight” is incorrect. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.

INCORRECT: “AWS X-Ray” is incorrect. This is used for tracing and debugging applications.

Question 15

Which AWS technology can be referred to as a “virtual hard disk in the cloud”?
A.Amazon EFS Filesystem
B.Amazon ENI
C.Amazon EBS volume
D.Amazon S3 Bucket

Answer 15

C.Amazon EBS volume

Explanation:
An Amazon Elastic Block Store (EBS) volume is often described as a “virtual hard disk in the cloud”. EBS volumes are block-level storage volumes that are attached to EC2 instances much as you would attach a virtual hard disk to a virtual machine in a virtual infrastructure.

CORRECT: “Amazon EBS volume” is the correct answer.

INCORRECT: “Amazon EFS Filesystem” is incorrect. An Amazon EFS filesystem is a file-level storage system that is accessed using the NFS protocol. Filesystems are mounted at the file, rather than the block level and are therefore not similar to a virtual hard disk.

INCORRECT: “Amazon S3 Bucket” is incorrect. Amazon S3 is an object-level storage service and is not mounted or attached. You use a REST API over HTTPS to access objects in an object store.

INCORRECT: “Amazon ENI” is incorrect. An Amazon Elastic Network Interface is a networking construct, not a storage construct.

Question 16

In which ways does AWS’ pricing model benefit organizations?
A.Reduce the cost of maintaining idle resources
B.Focus spend on capital expenditure, rather than operational expenditure
C.Eliminate licensing costs
D.Reduces the people costs of application development

Answer 16

A.Reduce the cost of maintaining idle resources

Explanation:
Using AWS you can provision only what you need and adjust resources automatically and elastically. This reduces the amount of resources that are sitting idle which reduces cost.

CORRECT: “Reduce the cost of maintaining idle resources” is the correct answer.

INCORRECT: “Eliminates licensing costs” is incorrect. AWS does not eliminate licensing costs or application development costs as you still need to licence and develop your application.

INCORRECT: “Focus spend on capital expenditure, rather than operational expenditure” is incorrect. AWS allows you to focus your spend on operational costs, not capital costs.

INCORRECT: “Reduces the people cost of application development” is incorrect as you still need people to develop applications.

Question 17

Which AWS Cloud design principles can help increase reliability? (Select TWO.)
A.Using monolithic architecture
B.Adopting a consumption model
C.Automatically recovering from failure
D.Testing recovery procedures
E.Measuring overall efficiency

Answer 17

C.Automatically recovering from failure
D.Testing recovery procedures

Explanation:
Recovery procedures should always be tested ahead of any outage of disaster recovery situation. This is the only way to be sure your recovery procedures are effective.

When designing systems it is also a good practice to implement automatic recovery when possible. This reduces or eliminates the operational burden and potential downtime associated with a failure of a system or application component.

CORRECT: “Testing recovery procedures” is the correct answer.

CORRECT: “Automatically recovering from failure” is the correct answer.

INCORRECT: “Using monolithic architecture” is incorrect. A monolithic architecture means you have multiple components of an application running on a single system. This results in a bigger issue if that system fails. A distributed architecture is preferred.

INCORRECT: “Measuring overall efficiency” is incorrect. Efficiency has more of a bearing on cost management than reliability.

INCORRECT: “Adopting a consumption model” is incorrect. A consumption model has benefits more aligned with cost and agility than reliability.

Question 18

Under the AWS shared responsibility model, which of the following are customer responsibilities? (Select TWO.)
A.Amazon RDS instance patching
B.Network and firewall configurations
C.Physical security of data center facilities
D.Compute capacity availability
E.Setting up server side encryption on an Amazon S3 bucket

Answer 18

B.Network and firewall configurations
E.Setting up server side encryption on an Amazon S3 bucket
Explanation

As a customer on AWS you take responsibility for encrypting data. This includes encrypting data at rest and data in transit. Another security responsibility the customer owns is setting network and firewall configurations. For instance, you must configure Network ACLs and Security Groups, and any operating system-level firewalls on your EC2 instances.

CORRECT: “Setting up server-side encryption on an Amazon S3 bucket” is a correct answer.

CORRECT: “Network and firewall configurations” is also a correct answer.

INCORRECT: “Amazon RDS instance patching” is incorrect. With RDS you can define the maintenance window but AWS actually perform the patching for you.

INCORRECT: “Physical security of data center facilities” is incorrect as this is security of the cloud and is an AWS responsibility.

INCORRECT: “Compute capacity availability” is incorrect as this is an AWS responsibility.

Question 19

Where do Amazon Identity and Access Management (IAM) accounts need to be created for a global organization?
A.Create them globally, and then replicate them regionally
B.Just create them once, as IAM is a global service
C.In each geographical area where the users are located
D.In each region where the users are located

Answer 19

B.Just create them once, as IAM is a global service

Explanation:
IAM is a global service so you only need to create your users once and can then use those user accounts anywhere globally. The other options are all incorrect. as you do not create IAM accounts regionally, replicate them regionally, or create them within geographical areas.

CORRECT: “Just create them once, as IAM is a global service” is the correct answer.

INCORRECT: “In each region where the users are located” is incorrect as explained above.

INCORRECT: “Create them globally, and then replicate them regionally” is incorrect as explained above.

INCORRECT: “In each geographical area where the users are located” is incorrect as explained above.

Question 20

What do you need to log into the AWS console?
A.Access key and secret ID
B.User name and password
C.Certificate
D.Key pair

Answer 20

B.User name and password

Explanation:
You can log into the AWS console using a user name and password. You cannot log in to the AWS console using a key pair, access key & secret ID or certificate.

CORRECT: “User name and password” is the correct answer.

INCORRECT: “Key pair” is incorrect as explained above.

INCORRECT: “Access key and secret ID” is incorrect as explained above.

INCORRECT: “Certificate” is incorrect as explained above

Question 21

Which of the following statements about AWS’s pay-as-you-go pricing model is correct?
A.It is relevant only for Amazon EC2, Amazon S3, and Amazon DynamoDB
B.It results in reduced capital expenditures
C.It reduces operational expenditures
D.It requires payment up front for AWS services

Answer 21

B.It results in reduced capital expenditures

Explanation:
The pay-as-you-go pricing model means you only pay for the services and consumption you actually use. You are charged for compute, storage and outbound data transfer. This model reduces capital expenditure as you pay a monthly bill (operational expenditure).

CORRECT: “It results in reduced capital expenditures” is the correct answer.

INCORRECT: “It requires payment up front for AWS services” is incorrect. You can pay upfront for some services such as EC2 reserved instances to get better pricing but most services are offered on a consumption basis.

INCORRECT: “It is relevant only for Amazon EC2, Amazon S3, and Amazon DynamoDB” is incorrect. This is not true most AWS services are offered on a pay-as-you-go pricing model.

INCORRECT: “It reduces operational expenditures” is incorrect. This is not true, it reduces capital expenditures.

Question 22

How can a systems administrator specify a script to be run on an EC2 instance during launch?
A.User Data
B.AWS Config
C.Metadata
D.Run Command

Answer 22

A.User Data

Explanation:
When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts.

You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives. User data is data that is supplied by the user at instance launch in the form of a script. User data is limited to 16KB. User data and meta data are not encrypted.

CORRECT: “User Data” is the correct answer.

INCORRECT: “Metadata” is incorrect as metadata retrieves information about the instance.

INCORRECT: “Run Command” is incorrect as this operates separately to the launch process.

INCORRECT: “AWS Config” is incorrect as this service stores configuration information relating to AWS services.

Question 23

You are evaluating AWS services that can assist with creating scalable application environments. Which of the statements below best describes the Elastic Load Balancer service?
A.Automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses
B.A network service that provides an alternative to using the Internet to connect customers on-premise sites to AWS
C.Helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application
D.A highly available and scalable Domain Name System(DNS) service

Answer 23

A.Automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses

Explanation:
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses.

Elastic Load Balancing provides fault tolerance for applications by automatically balancing traffic across targets – Amazon EC2 instances, containers and IP addresses – and Availability Zones while ensuring only healthy targets receive traffic.

CORRECT: “Automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses” is the correct answer.

INCORRECT: “Helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application” is incorrect as this describes EC2 Auto Scaling.

INCORRECT: “A highly available and scalable Domain Name System (DNS) service” is incorrect as this describes Amazon Route 53.

INCORRECT: “A network service that provides an alternative to using the Internet to connect customers’ on-premise sites to AWS” is incorrect as this describes AWS Direct Connect.

Question 24

A web application running on AWS has been received malicious requests from the same set of IP addresses.

Which AWS service can help secure the application and block the malicious traffic?
A.AWS IAM
B.Amazon SNS
C.Amazon GuardDuty
D.AWS WAF

Answer 24

D.AWS WAF

Explanation:
The AWS Web Application Firewall (WAF) is used to protect web applications or APIs against common web exploits. Rules can be created that block traffic based on source IP address.

CORRECT: “AWS WAF” is the correct answer.

INCORRECT: “AWS IAM” is incorrect. The Identity and Access Management service is used for creating users, groups, roles and policies. It is not used for controlling network access.

INCORRECT: “Amazon GuardDuty” is incorrect. This is a service that analyzes your resources using anomaly detection and machine learning. It can alert and trigger other tools to take action but it is not a network firewall service.

INCORRECT: “Amazon SNS” is incorrect as this is service is used for sending notifications using a publisher/subscriber model

Question 25

How can you deploy your EC2 instances so that if a single data center fails you still have instances available?
A.Across VPCs
B.Across subnets
C.Across Availability zones
D.Across regions

Answer 25

C.Across Availability zones

Explanation:
An AZ spans one or more data centers and each AZ is physically isolated from other AZs and connected by high speed networking. If you want to deploy a highly available application you should spread your instances across AZs and they will be resilient to the failure of a single DC

CORRECT: “Across Availability Zones” is the correct answer.

INCORRECT: “Across regions” is incorrect. You could deploy your instances across separate regions but this is not necessary to create a highly available application and introduces complexity and cost. For example you may need multiple ELBs (one per region), complex name resolution and potential data transfer charges.

INCORRECT: “Across subnets” is incorrect. Subnets are created within AZs. Therefore, if you deploy resources into multiple subnets within an AZ and a data center fails, you may lose all of your instances.

INCORRECT: “Across VPCs” is incorrect. You should deploy across AZs within a VPC.

Question 26

Which AWS technology enables you to group resources that share one or more tags?
A.Tag groups
B.Resource groups
C.Consolidation groups
D.Organization groups

Answer 26

B.Resource groups

Explanation:
You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time.

Resource groups make it easy to group resources using the tags that are assigned to them. You can group resources that share one or more tags.

CORRECT: “Resource groups” is the correct answer.

INCORRECT: “Tag groups” is incorrect as this is not a feature.

INCORRECT: “Organization groups” is incorrect as this is not a feature.

INCORRECT: “Consolidation groups” is incorrect as this is not a feature.

Question 27

Your manager has asked you to explain the benefits of using IAM groups. Which of the below statements are valid benefits? (Select TWO.)
A.Groups let you sepcify permissions for multiple users, which can make it easier to manage the permissions for those users
B.You can restrict access to the subnets in your VPC
C.Enables you to attach IAM permission policies to more than one user at a time
D.Provide the ability to nest groups to create an organizational hierarchy
E.Provide the ability ot create customer permission policies

Answer 27

A.Groups let you sepcify permissions for multiple users, which can make it easier to manage the permissions for those users

C.Enables you to attach IAM permission policies to more than one user at a time

Explanation

Groups are collections of users and have policies attached to them. This enables you to organize groups of users by job function or role and apply relevant policies to the group.

You can use groups to assign permissions to users and should follow the principal of least privilege when assigning permissions.

CORRECT: “Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users” is a correct answer.

CORRECT: “Enables you to attach IAM permission policies to more than one user at a time” is also a correct answer.

INCORRECT: “You can restrict access to the subnets in your VPC” is incorrect as this describes Network ACLs.

INCORRECT: “Provide the ability to create custom permission policies” is incorrect as this describes IAM policies.

INCORRECT: “Provide the ability to nest groups to create an organizational hierarchy” is incorrect. You cannot nest groups (groups within groups).

Question 28

Under the shared responsibility model, which of the following tasks are the responsibility of the AWS customer? (Select TWO.)
A.Ensuring that users have received security training in the use of AWS services
B.Ensuring that access to data centers is restricted
C.Ensuring that AWS NTP servers are set to the correct time
D. Ensuring that application data is encrypted at rest
E.Ensuring that hardware is disposed of properly

Answer 28

A.Ensuring that users have received security training in the use of AWS services
D. Ensuring that application data is encrypted at rest
As a customer on AWS you take responsibility for encrypting data. This includes encrypting data at rest and data in transit. It’s also a customer’s responsibility to properly train their staff in security best practices and procedures for the AWS services they use.

CORRECT: “Ensuring that application data is encrypted at rest” is a correct answer.

CORRECT: “Ensuring that users have received security training in the use of AWS services” is also a correct answer.

INCORRECT: “Ensuring that AWS NTP servers are set to the correct time” is incorrect. Network Time Protocol (NTP) servers are an AWS responsibility.

INCORRECT: “Ensuring that access to data centers is restricted” is incorrect as this is security of the cloud and is an AWS responsibility.

INCORRECT: “Ensuring that hardware is disposed of properly” is incorrect as this is an AWS responsibility.

Question 29

Which AWS Glacier data access option retrieves data from an archive in 1-5 minutes?
A.Standard 
B.Expedited
C.Express
D.Accerlerated

Answer 29

B.Expedited

Explanation;
Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes.

CORRECT: “Expedited” is the correct answer.

INCORRECT: “Standard” is incorrect. Standard takes 3-5 hours.

INCORRECT: “Express” is incorrect as this is not a retrieval option.

INCORRECT: “Accelerated” is incorrect as this is not a retrieval option.

Question 30

Which HTTP code indicates a successful upload of an object to Amazon S3
A.200
B.500
C.400
E.300

Answer 30

A.200

Explanation:
HTTP response status codes indicate whether a specific HTTP request has been successfully completed.

• A HTTP 200 codes indicates a successful upload.
• A HTTP 300 code indicates a redirection.
• A HTTP 400 code indicates a client error.
• A HTTP 500 code indicates a server error.

CORRECT: “200” is the correct answer.

INCORRECT: “300” is incorrect as explained above.

INCORRECT: “400” is incorrect as explained above.

INCORRECT: “500” is incorrect as explained above.

Question 31

According to the AWS Well-Architected Framework, what change management steps should be taken to achieve reliability in the AWS Cloud? (Select TWO.)
A.Use AWS CloudTrail to record AWS API calls into an auditable log file
B.Use AWS Certificate Manager to create a catalog approved services
C.Use Amazon GuardDuty to record API activity to an S3 bucket
D.Use services limits to prevent users from creating or making changes to AWS resources
E.Use AWS COnfig to generate an inventory of AWS resources

Answer 31

A.Use AWS CloudTrail to record AWS API calls into an auditable log file
E.Use AWS COnfig to generate an inventory of AWS resources

Explanation

AWS Config can be used to track the configuration state of your resources and how the state has changed over time. With CloudTrail you can audit who made what API calls on what resources at what time. This can help with identifying changes that cause reliability issues.

CORRECT: “Use AWS Config to generate an inventory of AWS resources” is the correct answer.

CORRECT: “Use AWS CloudTrail to record AWS API calls into an auditable log file” is the correct answer.

INCORRECT: “Use service limits to prevent users from creating or making changes to AWS resources” is incorrect. Service limits result in a maximum limit for launching resources, but you can still make changes to existing resources (so long as you don’t exceed the limit).

INCORRECT: “Use AWS Certificate Manager to create a catalog of approved services” is incorrect. Certificate manager is used for issuing and managing SSL/TLS certificates, it does not maintain a catalog of approved services.

INCORRECT: “Use Amazon GuardDuty to record API activity to an S3 bucket” is incorrect. GuardDuty does not record API activity to an S3 bucket.

Question 32

You need to connect your company’s on-premise network into AWS and would like to establish an AWS managed VPN service. Which of the following configuration items needs to be setup on the Amazon VPC side of the connection?
A.A Virtual Private Gateway
B.A Network Address Translation device
C.A customer gateway
D.A firewall

Answer 32

A.A Virtual Private Gateway

Explanation:
A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.
CORRECT: “A Virtual Private Gateway” is the correct answer.

INCORRECT: “A Customer Gateway” is incorrect. A customer gateway is a physical device or software application on your side of the VPN connection.

INCORRECT: “A Network Address Translation device” is incorrect. NAT devices and firewalls are not required for an AWS managed VPN.

INCORRECT: “A Firewall” is incorrect. A firewall is not required for a VPN connection.

Question 33

Which of the following are examples of horizontal scaling? (Select TWO.)
A.Add more instances as demand increases
B.Add more CPU/RAM to existing instances as demand increases
C,Scalability is limited by maximum instance size
D.Automatic scaling using services such as AWS Auto Scaling
E.Requires a restart to scale up or down

Answer 33

A.Add more instances as demand increases
D.Automatic scaling using services such as AWS Auto Scaling

Explanation:
With horizontal scaling you add more instances to a fleet of instances to service demand as it increases. This can be achieved automatically by using AWS Auto Scaling to add instances in response to CloudWatch performance metrics.

With vertical scaling you are adding CPU, RAM or storage to an existing instance. This may involve modifying the instance type which typically requires a restart. With vertical scaling on AWS scalability is limited by the maximum instance size.

CORRECT: “Add more instances as demand increases” is a correct answer.

CORRECT: “Automatic scaling using services such as AWS Auto Scaling” is also a correct answer.

INCORRECT: “Add more CPU/RAM to existing instances as demand increases” is incorrect as this is an example of vertical scaling.

INCORRECT: “Requires a restart to scale up or down” is incorrect as horizontal scaling does not require a restart of existing instances/applications.

INCORRECT: “Scalability is limited by maximum instance size” is incorrect as with horizontal scaling you add more instances.

Question 34

What is the easiest way to store a backup of an EBS volume on Amazon S3?
A.Use S3 lifecycle actions to backup the volume
B.Write a customer script to copy the data into a bucket
C.Use Amazon Kinesis to process the data and store the results in S3
D.Create a snapshot of the volume

Answer 34

D.Create a snapshot of the volume

Explanation:
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

CORRECT: “Create a snapshot of the volume” is the correct answer.

INCORRECT: “Write a custom script to copy the data into a bucket” is incorrect. Writing a custom script could work but would not be the easiest method.

INCORRECT: “Use S3 lifecycle actions to backup the volume” is incorrect. You cannot apply S3 lifecycle actions to EBS volumes.

INCORRECT: “Use Amazon Kinesis to process the data and store the results in S3” is incorrect. Amazon Kinesis is used for processing streaming data, not data in EBS volumes.

Question 35

Which of the following are NOT features of AWS IAM? (Select TWO.)
A.Charged for what you use
B.Identity federation
C.Logon using local user accounts
D.Shared access to your AWS account
E.PCI DSS compliance

Answer 35

A.Charged for what you use
C.Logon using local user accounts

Explanation:
You cannot use IAM to create local user accounts on any system. You are also not charged for what you use, IAM is free to use

The other options are all features of AWS IAM.

CORRECT: “Logon using local user accounts” is the correct answer.

CORRECT: “Charged for what you use” is the correct answer.

INCORRECT: “Shared access to your AWS account” is incorrect as explained above.

INCORRECT: “Identity federation” is incorrect as explained above.

INCORRECT: “PCI DSS compliance” is incorrect as explained above.

Question 36

Which AWS support plans provide 24x7 access to customer service?
A.All plans
B.Business
C.Basic
D.Developer

Answer 36

A.All plans

Explanation:Explanation

All support plans provide 24×7 access to customer service, documentation, whitepapers, and support forums.

CORRECT: “All plans” is the correct answer.

INCORRECT: “Basic” is incorrect as explained above.

INCORRECT: “Business” is incorrect as explained above.

INCORRECT: “Developer” is incorrect as explained above.

Question 37

Which AWS service makes it easy to coordinate the components of distributed applications as a series of steps in a visual workflow?
A.AWS Step Functions
B.Amazon SNS
C.Amazon SWF
D.Amazon SES

Answer 37

A.AWS Step Functions

Explanation:
AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. AWS Step Functions lets you build visual workflows that enable fast translation of business requirements into technical requirements.

CORRECT: “AWS Step Functions” is the correct answer.

INCORRECT: “Amazon SWF” is incorrect. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. SWF is not a visual workflow tool.

INCORRECT: “Amazon SNS” is incorrect. Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service.

INCORRECT: “Amazon SES” is incorrect. Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails.

Question 38

Which AWS service can be used to run Docker containers?
A.Amazon AMI
B.Amazon ECR
C.AWS Lambda
D.AWS Fargate

Answer 38

D.AWS Fargate

Explanation:
AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).

Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

CORRECT: “Amazon ECS” is the correct answer.

INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a serverless technology that lets you run code in response to events as functions

INCORRECT: “Amazon ECR” is incorrect. Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images

INCORRECT: “Amazon AMI” is incorrect. Amazon Machine Images (AMI) store configuration information for Amazon EC2 instances.

Question 39

Which AWS service is designed to be used for operational analytics?
A.Amazon QuickSight
B.Amazon Elasticsearch Service
C.Amazon EMR
D.Amazon Athena

Answer 39

B.Amazon Elasticsearch Service

Explanation:
Amazon Elasticsearch Service is involved with operational analytics such as application monitoring, log analytics and clickstream analytics. Amazon Elasticsearch Service allows you to search, explore, filter, aggregate, and visualize your data in near real-time.
CORRECT: “Amazon Elasticsearch Service” is the correct answer.

INCORRECT: “Amazon EMR” is incorrect. For big data processing using the Spark and Hadoop frameworks, Amazon EMR provides a managed service for processing vast amounts data.

INCORRECT: “Amazon Athena” is incorrect. Amazon Athena is used to analyze data directly in S3 and Glacier using standard SQL queries.

INCORRECT: “Amazon QuickSight” is incorrect. Amazon QuickSight provides a fast, cloud-powered business analytics service, that that makes it easy to build stunning visualizations and rich dashboards that can be accessed from any browser or mobile device.

Question 40

Where are Amazon EBS snapshots stored?
A.On Amazon S3
B.On an Amazon EBS instance store
C.On an Amazon EFS Filesystem
D.Within the EBS block store

Answer 40

A.On Amazon S3

Explanation:
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

CORRECT: “On Amazon S3” is the correct answer.

INCORRECT: “On an Amazon EBS instance store” is incorrect as explained above.

INCORRECT: “On an Amazon EFS filesystem” is incorrect as explained above.

INCORRECT: “Within the EBS block store” is incorrect as explained above

Question 41

Which resource should you use to access AWS security and compliance reports?
A.AWS Artifact
B.AWS Business Associated Addendum (BAA)
C.AWS Organizations
D.AWS IAM

Answer 41

A.AWS Artifact

Explanation:
AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements.

CORRECT: “AWS Artifact” is the correct answer.

INCORRECT: “AWS Business Associate Addendum (BAA)” is incorrect. The Business Associate Addendum (BAA) is an agreement you can choose to accept within AWS Artifact Agreements.

INCORRECT: “AWS IAM” is incorrect. AWS Identity and Access Management (IAM) is the service used for creating and managing users, groups, roles and policies.

INCORRECT: “AWS Organizations” is incorrect. AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance.

Question 42

According to the AWS Shared Responsibility Model, which of the following is a shared control?
A.Awareness and training
B.Operating system patching
C.Protection of infrastructure
D.Clinet-side data encryption

Answer 42

A.Awareness and training

Explanation;
Shared Controls are controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include patch management, configuration management, and awareness and training.

CORRECT: “Awareness and training” is the correct answer.

INCORRECT: “Operating system patching” is incorrect. Though patch management is a shared control, operating system patching specifically is a customer responsibility.

INCORRECT: “Protection of infrastructure” is incorrect. Protection of infrastructure is solely an AWS responsibility.

INCORRECT: “Client-side data encryption” is incorrect. Client and server-side data encryption are both customer responsibilities.

Question 43

What are the advantages of running a database service such as Amazon RDS in the cloud versus deploying on-premise? (Select TWO.)
A.You can use any database software you like, allowing greater flexibility
B.High availability is easier to implement due to built-in functionality
for deploying read replicas and multi-AZ
C.You have full control of the operating system and can install your own operational tools
D.Scalability is improved as it is quicker to implement and there is an abundance of capacity
E.There are no costs for replicationg data between DBs in different data centers or regions

Answer 43

B.High availability is easier to implement due to built-in functionality
D.Scalability is improved as it is quicker to implement and there is an abundance of capacity

Explanation:
The advantages of using Amazon RDS include being able to easily scale by increasing your instance type without having to go through a long procurement cycle for getting new hardware or worrying about whether capacity exists on your existing private cloud infrastructure. You can also implement fault tolerance and scalability features through multi-AZ and read replicas easily

With Amazon RDS you do not have control of the operating system and you cannot use any database software you like as you are restricted to a list of several engines. There are costs for replicating data between AZs and regions so this must be taken into account in any cost analysis.

CORRECT: “Scalability is improved as it is quicker to implement and there is an abundance of capacity” is a correct answer.

CORRECT: “High availability is easier to implement due to built-in functionality for deploying read replicas and multi-AZ” is also a correct answer.

INCORRECT: “You have full control of the operating system and can install your own operational tools” is incorrect as explained above.

INCORRECT: “You can use any database software you like, allowing greater flexibility” is incorrect as explained above.

INCORRECT: “There are no costs for replicating data between DBs in different data centers or regions” is incorrect as explained above.

Question 44

Which AWS database service is schema-less and can be scaled dynamically without incurring downtime?
A.Amazon RDS
B.Amazon RedShift
C.Amazon Aurora
D.Amazon DynamoDB

Answer 44

D.Amazon DynamoDB

Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Push button scaling means that you can scale the DB at any time without incurring downtime. DynamoDB is schema-less.

All other options are SQL type of databases and therefore have a schema. They also rely on EC2 instances so cannot be scaled dynamically without incurring downtime (you have to change instance types).

CORRECT: “Amazon DynamoDB” is the correct answer.

INCORRECT: “Amazon RDS” is incorrect as explained above.

INCORRECT: “Amazon Aurora” is incorrect as explained above.

INCORRECT: “Amazon RedShift” is incorrect as explained above.

Question 45

What advantages does the AWS cloud provide in relation to cost? (Select TWO.)
A.One-off payments for on-demand resources
B.Fine-grained billing
C.Itemized power costs
D.Ability to turn off resources and not pay for them
E.Eneterprise licensing discounts

Answer 45

B.Fine-grained billing
D.Ability to turn off resources and not pay for them

Explanation:
With the AWS cloud you get fine-grained billing and can turn off resources you are not using easily and not have to pay for them (pay for what you use model).

CORRECT: “Fine-grained billing” is a correct answer.

CORRECT: “Ability to turn off resources and not pay for them” is also a correct answer.

INCORRECT: “One-off payments for on-demand resources” is incorrect. You do not get the option for one-off payments for on-demand resources. You can for reserved instances which can be paid all upfront.

INCORRECT: “Enterprise licensing discounts” is incorrect. You do not get enterprise licensing discounts from AWS and you do not pay anything for power as the cost is built in.

INCORRECT: “Itemized power costs” is incorrect. You do not get any power costs on your bill

Question 46

Which AWS service or feature helps restrict the AWS service, resources, and individual API actions the users and roles in each member account can access?
A.AWS Shield
B.AWS Organizations
C.Amazon Cognito
D.AWS Firewall Manager

Answer 46

B.AWS Organizations

Explanation:
AWS Organizations offers the following policy types:

Service control policies (SCPs) offer central control over the maximum available permissions for all of the accounts in your organization.

Tag policies help you standardize tags across resources in your organization’s accounts.

SCPs are used to restrict access within member accounts. For instance you can create an SCP that restricts a specific API action such as deploying a particular Amazon EC2 instance type. The policy would then prevent anyone, including administrators, from being able to launch EC2 instances using that instance type.

CORRECT: “AWS Organizations” is the correct answer.

INCORRECT: “Amazon Cognito” is incorrect as this service is used for providing sign-in and sign-up services for mobile applications.

INCORRECT: “AWS Shield” is incorrect as this is a security service for protecting against DDoS attacks.

INCORRECT: “AWS Firewall Manager” is incorrect as this service is used for managing various security services within AWS.

Question 47

Which feature of Amazon S3 enables you to create rules to control the transfer of objects between different storage classes?
A.Object sharing
B.Bucket policies
C.Lifecycle Management
D.Versioning

Answer 47

C.Lifecycle Management

Explanation:
To manage your objects so that they are stored cost effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. There are two types of actions:

• Transition actions—Define when objects transition to another storage class. For example, you might choose to transition objects to the S3 Standard-IA storage class 30 days after you created them, or archive objects to the S3 Glacier storage class one year after creating them.
• Expiration actions—Define when objects expire. Amazon S3 deletes expired objects on your behalf. The lifecycle expiration costs depend on when you choose to expire objects.

CORRECT: “Lifecycle management” is the correct answer.

INCORRECT: “Object sharing” is incorrect. Object sharing refers to the ability to make any object publicly available via a URL.

INCORRECT: “Versioning” is incorrect. Versioning enabled you to automatically keep multiple versions of an object (when enabled).

INCORRECT: “Bucket policies” is incorrect. Bucket policies are used for controlling access to buckets, they can’t be used to move data between storage classes.

Question 48

How can a company facilitate the sharing of data over private connections between two accounts they own within a region?
A.Create a VPC peering connection
B.Create an internal LEB
C.Configure matching CIDR address ranges
D.Create a subnet peering connection

Answer 48

A.Create a VPC peering connection

Explanation:
A VPC peering connection helps you to facilitate the transfer of data. For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.

CORRECT: “Create a VPC peering connection” is the correct answer.

INCORRECT: “Create an internal ELB” is incorrect. An internal ELB will not help you to transfer data between accounts.

INCORRECT: “Create a subnet peering connection” is incorrect. You cannot peer subnets.

INCORRECT: “Configure matching CIDR address ranges” is incorrect. Configuring matching CIDR address ranges will not mean you can route between accounts. Also, you cannot peer with an account with a matching (or overlapping) address range.

Question 49

Which pricing model will interrupt a running Amazon EC2 instance if capacity becomes temporarily unavailable?
A.On-Demand Instances
B.Standard Reserved Instances
C.Convertible Reserved Instances
D.Spot Instances

Answer 49

D.Spot Instances

Explanation:
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. When AWS need to reclaim the capacity you get a 2 minute warning and then your instances are terminated.

With all other pricing models your instances will not be terminated by AWS once they are running.

CORRECT: “Spot Instances” is the correct answer.

INCORRECT: “On-Demand Instances” is incorrect as explained above.

INCORRECT: “Standard Reserved Instances” is incorrect as explained above.

INCORRECT: “Convertible Reserved Instances” is incorrect as explained above.

Question 50

What is an example of scaling vertically?
A.AWS Lambda adding concurrently executing functions
B.Adding read replicas to an Amazon RDS
C.Increasing the instance size with Amazon RDS
D.AWS Auto Scaling adding more EC2 Instances

Answer 50

C.Increasing the instance size with Amazon RDS

Explanation:
A good example of vertical scaling is changing the instance size of an EC2 instance or RDS database to one with more CPU and RAM.

All of the other options are examples of scaling horizontally.

CORRECT: “Increasing the instance size with Amazon RDS” is the correct answer.

INCORRECT: “AWS Auto Scaling adding more EC2 instances” is incorrect as explained above.

INCORRECT: “AWS Lambda adding concurrently executing functions” is incorrect as explained above.

INCORRECT: “Adding read replicas to an Amazon RDS database” is incorrect as explained above.

Question 51

Which service allows you to monitor and troubleshoot systems using system and application log files generated by those systems?
A.CloudTrail Metrics
B.CloudWatch Metrics
C.CLoudTrail Logs
D.CloudWatch Logs

Answer 51

D.CloudWatch Logs

Explanation:
Amazon CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your existing system, application and custom log files. CloudWatch Logs can be used for real time application and system monitoring as well as long term log retention.

CORRECT: “CloudWatch Logs” is the correct answer.

INCORRECT: “CloudTrail Logs” is incorrect. CloudTrail is used for logging who does what in AWS by recording API calls. It is used for auditing, not performance or system operational monitoring.

INCORRECT: “CloudWatch Metrics” is incorrect. CloudWatch metrics are the standard method by which CloudWatch collects data

INCORRECT: “CloudTrail Metrics” is incorrect. CloudTrail does not record metrics, it records logs.

Question 52

Your organization has offices around the world and some employees travel between offices. How should their accounts be setup?
A.Set the user account as a global account when created
B.Enable MFA for the accounts
C.Create a separate account in IAM within reach region in which they will travel
D.IAM is a global service, just create the user in one place

Answer 52

D.IAM is a global service, just create the user in one place

Explanation:
IAM is a global service and all users that are created are able to login to the AWS Management Console from any location.

CORRECT: “IAM is a global service, just create the users in one place” is the correct answer.

INCORRECT: “Create a separate account in IAM within each region in which they will travel” is incorrect. You do not create separate IAM accounts in different regions as IAM is a global service.

INCORRECT: “Set the user account as a “global” account when created” is incorrect. There is no such thing as setting the account as “global”.

INCORRECT: “Enable MFA for the accounts” is incorrect. Enabling multi-factor authentication is a good security practice but not necessary to enable users to travel to different locations.

Question 53

Which of the authentication options below can be used to authenticate using AWS APIs? (Select TWO.)
A.Server Passwords
B.Key pairs
C.Security groups
D.Server certificates
E.Access Keys

Answer 53

D.Server certificates
E.Access Keys

Explanation:
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services.

CORRECT: “Access keys” is a correct answer.

CORRECT: “Server certificates” is also a correct answer.

INCORRECT: “Key pairs” is incorrect. Key pairs are used for encrypting logon information when accessing EC2 instances.

INCORRECT: “Server passwords” is incorrect. A server password cannot be used to authenticate with an API.

INCORRECT: “Security groups” is incorrect. Security groups are an instance-level firewall used for controlling access to AWS resources.

Question 54

How can a database administrator reduce operational overhead for a MySQL database?
A.Migrate the database onto an Amazon RDS instance
B.Use AWS CloudFormation to manager operations
C.Migrate the database onto AWS Lambda
D.Migrate the database onto an EC2 instance

Answer 54

A.Migrate the database onto an Amazon RDS instance

Explanation:
Amazon RDS is a managed database service that supports MySQL. The DBA can reduce operational overhead by moving to RDS and having less work to do to manage the database.

CORRECT: “Migrate the database onto an Amazon RDS instance” is the correct answer.

INCORRECT: “Migrate the database onto an EC2 instance” is incorrect. Migrating onto an EC2 instance will not reduce operational overhead as the DBA will still need to manage both the operating system and the database.

INCORRECT: “Migrate the database onto AWS Lambda” is incorrect. AWS Lambda provides functions as a service. It therefore a compute service, not a database service and cannot be used to run a MySQL database.

INCORRECT: “Use AWS CloudFormation to manage operations” is incorrect. AWS CloudFormation is used for automating the deployment of infrastructure on AWS, not for automating operations.

Question 55

What is the most efficient way to establish network connectivity from on-premises to multiple VPCs in different AWS Regions?
A.Use AWS Client VPN
B.Use an AWS Transit Gateway
C.Use AWS Direct Connect
D.Use AWS VPN

Answer 55

B.Use an AWS Transit Gateway

Explanation:
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway.

With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway in to each Amazon VPC, on-premises data center, or remote office across your network. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes.

CORRECT: “Use an AWS Transit Gateway” is the correct answer.

INCORRECT: “Use AWS Direct Connect” is incorrect as this only connects you to a single Amazon VPC, not multiple VPCs in different Regions.

INCORRECT: “Use AWS VPN” is incorrect as this is a point-to-point connection between an on-premises location and a single Amazon VPC.

INCORRECT: “Use AWS Client VPN” is incorrect as this service allows end users to connect to AWS using a VPN client.

Question 56

What type of cloud computing service type do AWS Elastic Beanstalk and Amazon RDS correspond to?    
A.Hybrid
B.PaaS
C.SaaS
D.IaaS

Answer 56

B.PaaS

Explanation:
Both Elastic Beanstalk and RDS are services that are managed at the platform level meaning you don’t need to manage the infrastructure level yourself. Therefore, tasks like OS management and patching are performed for you.

CORRECT: “PaaS” is the correct answer.

INCORRECT: “IaaS” is incorrect. IaaS is a model where the underlying hardware platform and hypervisor are managed for you and you are delivered tools and interfaces for working with operating system instances.

INCORRECT: “SaaS” is incorrect. SaaS is a model where the whole stack is managed for you right up to the application and you are delivered working software that you can customize and populate with data.

INCORRECT: “Hybrid” is incorrect. Hybrid is a type of cloud delivery model in which you consume both public and private cloud and connect the two together.

Question 57

Which type of AWS database is ideally suited to analytics using SQL queries?
A.Amazaon RedShift
B.Amazon RDS
C.Amazon DynamoDB
D.Amazon S3

Answer 57

A.Amazaon RedShift

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence (BI) tools. RedShift is a SQL based data warehouse used for analytics applications.

CORRECT: “Amazon RedShift” is the correct answer.

INCORRECT: “Amazon DynamoDB” is incorrect. Amazon DynamoDB is a NoSQL type of database and is not suited to analytics using SQL queries.

INCORRECT: “Amazon RDS” is incorrect. Amazon RDS is a transactional DB, not an analytics DB.

INCORRECT: “Amazon S3” is incorrect. Amazon S3 is an object storage solution not a database.

Question 58

Your manager has asked you to explain some of the security features available in the AWS cloud. How can you describe the function of Amazon CloudHSM?
A.It provides server-side encryption for S3 objects
B.It can be used to generate, use and manage encryption keys in the cloud
C.It is a firewall for use with web applications
D.It is a Public Key Infrastructure (PKI)

Answer 58

B.It can be used to generate, use and manage encryption keys in the cloud

Explanation:
AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications.

CloudHSM has no upfront costs and provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed quickly and cost-effectively.

CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

CORRECT: “It can be used to generate, use and manage encryption keys in the cloud” is the correct answer.

INCORRECT: “It provides server-side encryption for S3 objects” is incorrect. CloudHSM performs key management but it does not perform encryption of S3 objects.

INCORRECT: “It is a Public Key Infrastructure (PKI)” is incorrect. It can be used to generate asymmetric keys, however it is not a PKI.

INCORRECT: “It is a firewall for use with web applications” is incorrect as it does not provide any firewall functionality.

Question 59

A Cloud Practitioner is creating the business process workflows associated with an order fulfilment system. Which AWS service can assist with coordinating tasks across distributed application components?
A.Amazon SWF
B.AWS STS
C.Amazon SQS
D.Amazon SNS

Answer 59

A.Amazon SWF

Explanation:
Amazon Simple Workflow Service (SWF) is a web service that makes it easy to coordinate work across distributed application components. SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks.

CORRECT: “Amazon SWF” is the correct answer.

INCORRECT: “AWS STS” is incorrect. AWS Security Token Service (STS) is used for requesting temporary credentials..

INCORRECT: “Amazon SQS” is incorrect. Amazon Simple Queue Service (SQS) is a message queue used for decoupling application components.

INCORRECT: “Amazon SNS” is incorrect. Amazon Simple Notification Service (SNS) is a web service that makes it easy to set up, operate, and send notifications from the cloud. SNS supports notifications over multiple transports including HTTP/HTTPS, Email/Email-JSON, SQS and SMS.

Question 60

What is the name for the top-level container used to hold objects within Amazon S3?
A.Instance Store
B.Folder
C.Directory
D.Bucket

Answer 60

D.Bucket

Explanation:
Amazon S3 is an object-based storage system. You upload your objects into buckets.

CORRECT: “Bucket” is the correct answer.

INCORRECT: “Folder” is incorrect. Though S3 is a flat structure (not hierarchical), folders can be used for grouping objects. However, this is not the top-level container.

INCORRECT: “Directory” is incorrect. Directories are usually associated with filesystems rather than object-based storage systems.

INCORRECT: “Instance Store” is incorrect. An Instance Store is a type of ephemeral block-based storage service available to EC2 instances.

Question 61

Which of the following are pillars from the five pillars of the AWS Well-Architected Framework? (Select TWO.)
A.Resilience
B.Performance Efficiency
C.Confidentiality
C.Economics
D.Operational Excellence

Answer 61

B.Performance Efficiency
D.Operational Excellence

Explanation:
The five pillars of the AWS Well-Architected Framework are operation excellence, security, reliability, performance efficiency, and cost optimization

CORRECT: “Operational excellence” is a correct answer.

CORRECT: “Performance efficiency” is also a correct answer.

INCORRECT: “Resilience” is incorrect as this is not one of the five pillars.

INCORRECT: “Confidentiality” is incorrect as this is not one of the five pillars.

INCORRECT: “Economics” is incorrect as this is not one of the five pillars.

Question 62

Which of the statements below does NOT characterize cloud computing?
A.Cloud compiuting is the on-demand delivery of compute power
B.Cloud computing allows you to swap variable expense for capital
C.With cloud computing you can increase speed and agility
D.With cloud computing you get to benefit from massive economies of scale

Answer 62

B.Cloud computing allows you to swap variable expense for capital

Explanation:
Cloud computing is not a one-off capital expense, it is an ongoing operating expense. The caveat to this is that if you purchase reserved capacity you have an option to partially or fully pay upfront. However, it is still an operating cost as you do not own and depreciate the assets.

CORRECT: “Cloud computing allows you to swap variable expense for capital expense” is the correct answer.

INCORRECT: “Cloud computing is the on-demand delivery of compute power” is incorrect as this is a valid statement.

INCORRECT: “With cloud computing you get to benefit from massive economies of scale” is incorrect as this is a valid statement.

INCORRECT: “With cloud computing you can increase your speed and agility” is incorrect as this is a valid statement.

Question 63

Which of the following is NOT a best practice for protecting the root user of an AWS account?
A.Lock away the AWS root access keys
B.Enable MFA
C>Remove administrative permissions
D.Don't share the root user credentials

Answer 63

C>Remove administrative permissions

Explanation

You cannot remove administrative permissions from the root user of an AWS account. Therefore, you must protect the account through creating a complex password, enabling MFA, locking away access keys (assuming they’re even required), and not sharing the account details.

CORRECT: “Remove administrative permissions” is the correct answer.

INCORRECT: “Don’t share the root user credentials” is incorrect as this is a best practice.

INCORRECT: “Enable MFA” is incorrect as this is a best practice.

INCORRECT: “Lock away the AWS root user access keys” is incorrect as this is a best practice.

Question 64

Which type of scaling does Amazon EC2 Auto Scaling provide?
A.Horizontal
B.Linear
C.vertical
D.Incremental

Answer 64

A.Horizontal

Explanation:
Amazon EC2 Auto Scaling scales horizontally by adding launching and terminating EC2 instances based on actual demand for your application.

CORRECT: “Horizontal” is the correct answer.

INCORRECT: “Vertical” is incorrect as EC2 auto scaling scales horizontally.

INCORRECT: “Linear” is incorrect as this is not the way Auto Scaling works.

INCORRECT: “Incremental” is incorrect as this is not the way Auto Scaling works.

Question 65

Under the AWS Shared Responsibility Model, who is responsible for what? (Select TWO.)
A.Customers are responsible for compute infrastructure
B.Customers are responsible for edge locations
C.AWS is responsible for network and firewall configuration
D.AWS is responsible for networking infrastructure
E.Customers are responsible for networking traffic protection

Answer 65

D.AWS is responsible for networking infrastructure
E.Customers are responsible for networking traffic protection

Explanation:
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. Customers are responsible for security in the cloud and responsibilities vary by service.

Customers are responsible for networking traffic protection. This includes applying encryption and using security groups and Network ACLs.

AWS are responsible for networking infrastructure. The underlying networking equipment is maintained by AWS.

CORRECT: “Customers are responsible for networking traffic protection” is a correct answer.

CORRECT: “AWS are responsible for networking infrastructure” is also a correct answer.

INCORRECT: “Customers are responsible for compute infrastructure” is incorrect. AWS are responsible for compute infrastructure

INCORRECT: “AWS are responsible for network and firewall configuration” is incorrect. Customers are responsible for network and firewall configuration.

INCORRECT: “Customers are responsible for edge locations” is incorrect. AWS are responsible for edge locations.