AWS Certified Solutions Architect - Associate

Question 1

Which service gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount?

Answer 1

AWS Budgets

Question 2

What service has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time?

Answer 2

AWS Cost Explorer

Question 3

What service provides threat detection and continuous monitoring for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?

Answer 3

AWS GuardDuty

Question 4

What service is a fully-managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS? It also provides an inventory of S3 buckets that are public, unencrypted, or shared with AWS accounts outside the ones defined in your AWS organizations, which it can alert for sensitive data such as PII.

Answer 4

Amazon Macie

Question 5

What is the default configuration of the default NACL?

Answer 5

Allow

Question 6

What is the default configuration of a custom NACL?

Answer 6

Deny

Question 7

What service can you use to create and provide trusted users with temporary *short term* security credentials that can control access to your AWS resources? This provides access to your AWS resources to your users, without having to define an AWS identity for them.

Answer 7

AWS Security Token Service (STS)

Question 8

Is Redshift appropriate for handling session state of a web application?

Answer 8

No, it is a data warehouse

Question 9

What is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools? It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near-real-time analytics with existing business intelligence tools and dashboards you’re already using today. It is a fully-managed service. It can also batch, compress, transform, and encrypt the data before loading it.

Answer 9

Amazon Kinesis Data Firehose

Question 10

How is Kinesis Data Firehose different from Kinesis Data Streams?

Answer 10

It takes more work to set up Data Streams, but Firehose transfers into fewer places.

Question 11

Where can Amazon Kinesis Data Firehose transfer information into?

Answer 11

S3
Redshift
Elasticsearch
Splunk

Question 12

Ignoring cost, which Disaster Recovery plan has a better RTO and RPO? Warm standby, or Backup and Restore?

Answer 12

Warm Standby

Question 13

What is RT in disaster recovery?

Answer 13

Recovery time - How fast the system is back up

Question 14

What is RP in disaster recovery?

Answer 14

Recovery point - How much data is recovered

Question 15

What can you do with an EBS volume while taking a snapshot of it?

Answer 15

Anything. It can be used normally.

Question 16

What is a “warm attach” of an ENI?

Answer 16

Attaching it to an instance while it’s stopped.

Question 17

What is a “hot attach” of an ENI?

Answer 17

Attaching it to an instance while it’s running.

Question 18

What is a “cold attach” of an ENI?

Answer 18

Attaching it to an instance while it’s being launched.

Question 19

Suppose you want a CFT to work in multiple regions, and therefore need to set the AMI based on the region. What’s a good way to do that?

Answer 19

Use a mapping, taking the region as a key and AMI as the value.

Question 20

How could you implement synchronous data replication for an RDS database to meet a disaster recovery plan’s RTO?

Answer 20

RDS Multi-AZ deployments. When you provision an instance of one, RDS creates a primary DB instance and sychronously replicates the data to standby instances in different AZs. If the primary fails, it automatically falls over to a standby instance, while keeping the same endpoint.

Question 21

Which DR plan optimizes RT with cost not being a major factor? Multi-site, Warm Standby, Pilot Light, or Backup and Restore?

Answer 21

Multi-Site. By having identical infrastructure in both places, you spend more money but have optimal RT.

Question 22

Does RDS multi-region exist?

Answer 22

No

Question 23

Does RDS multi-AZ exist?

Answer 23

Yes

Question 24

What DNS records need to be made at the zone apex to point to the DNS name of an ALB?

Answer 24

Alias with A and AAAA type record sets

Question 25

How long does multi-AZ RDS take to failover from one AZ to another?

Answer 25

One to two minutes

Question 26

You have an ALB pointed at an autoscaling group of EC2 instance.

What action does an ALB take if an EC2 instance fails a health check?

Answer 26

The ALB stops sending traffic to the instance.

Question 27

What is the Backup and Restore DR plan?

Answer 27

Taking snapshots of data, and restoring from them in an incident.

Question 28

What are the benefits of the Backup and Restore DR plan?

Answer 28

It’s cheap.

Question 29

What is the Pilot Light DR plan?

Answer 29

Keeping the critical elements of a system ready to scale up. This gets rid of the time spent creating initial infrastructure.

Question 30

What are the drawbacks of the Backup and Restore DR plan?

Answer 30

It takes the longest time to recover.

Question 31

What is the Warm Standby DR plan?

Answer 31

Keeping a scaled-down version of a fully functional environment always running.

Question 32

What is the Multi-site DR plan?

Answer 32

Having a one-one copy of your infrastructure in another region or AZ.

Question 33

What are the four different DR plan types?

Answer 33

Backup & Restore
Pilot Light
Warm Standby
Multi-Site

Question 34

Your team has provisioned Auto Scaling Groups in a single Region. The Auto Scaling Group at max capacity would total 40 EC2 instances between them. However, you notice that the Auto Scaling Groups will only scale out to a portion of that number of instances at any one time. What could be the problem?

Answer 34

There is a vCPU-based on-demand instance limit per region.

Question 35

What is an IAM group?

Answer 35

An IAM group is a collection of IAM users. They let you specify permissions for multiple users.

Question 36

Where are point-in-time snapshots of EBS volumes stored?

Answer 36

S3

Question 37

Which would be faster, a point-in-time EBS volume snapshot, or copying their data to s3 manually?

Answer 37

The snapshot.

Question 38

Can SNS send emails?

Answer 38

Yes

Question 39

Can you send cloudwatch alerts through SES?

Answer 39

No, SES is for sending communications via email, not for cloudwatch notification. Use SNS instead.

Question 40

The allowed block size in VPC is between a /?? netmask and /?? netmask

Answer 40

/16 (65536 IP addresses) and /28 (16 IP addresses)

Question 41

When you create a subnet, is it automatically associated with the main route table for the VPC?

Answer 41

Yes

Question 42

To enable the connection to a service running on an instance, the associated NACL must allow both inbound traffic on the service port as well as outbound traffic from ____

Answer 42

Ephemeral ports. When a client connects to a server, a random port from the ephemeral port range becomes the client’s source port.

Question 43

What is DAX?

Answer 43

DynamoDB accelerator is a fully managed, highly available, in-memory cache for DynamoDB. It provides an in-memory cache that delivers up to 10x performance improvement from milliseconds to microseconds or even at millions of requests per second.

Question 44

What is AWS Backup?

Answer 44

AWS Backup is a centralized backup service that makes it easy and cost-effective for you to backup your application data across AWS services in the AWS Cloud, helping you meet your business and regulatory backup compliance requirements.

Question 45

What is the maximum retention period for an RDS automated backup?

Answer 45

35 days

Question 46

Is it possible to create an active-active failover with one primary and one secondary resource in route53?

Answer 46

No, because active-active means sending traffic to both endpoints.

Question 47

Will stopping an EC2 instance detach its ENI (elastic network interface)?

Answer 47

No

Question 48

Will stopping an EC2 instance disassociate an Elastic IP address from it?

Answer 48

No

Question 49

Why would you use AWS Storage gateway over Amazon FSx for Windows File Server, for a hybrid cloud’s SMB share with low-latency access to data in AWS for on-premises applications?

Answer 49

AWS Storage Gateway supports local caching without any development overhead.

Question 50

Can you make a DynamoDB table globally accessible in all regions?

Answer 50

Yes, via global tables.

Question 51

Is autoscaling enabled by default for dynamodb tables created using the aws CLI?

Answer 51

No

Question 52

Do RDS read replicas provide synchronous or asynchronous replication?

Answer 52

Asynchronous

Question 53

How big of a range does 10.0.0.0/32 refer to?

Answer 53

A single IP address

Question 54

What is a VPC endpoint?

Answer 54

An endpoint that lets you connect between a VPC and an AWS service (like s3).

Question 55

Which type of s3 VPC endpoint is billed, Gateway or Interface?

Answer 55

Interface endpoint

Question 56

Which type of s3 VPC endpoint allows access from a VPC in another region, using VPC peering or AWS Transit Gateway? Interface, or Gateway

Answer 56

Interface endpoint

Question 57

Which type of s3 VPC endpoint allows access from on premises? Interface, or Gateway?

Answer 57

Interface

Question 58

Which type of s3 VPC endpoint uses Amazon S3 public IP addresses? Gateway, or Interface

Answer 58

Gateway

Question 59

Which type of S3 VPC endpoint uses private IP addresses from your VPC to access Amazon S3? Gateway or Interface?

Answer 59

Interface

Question 60

Will you be billed for a spot instance when it’s preparing to stop with a ‘stopping’ state?

Answer 60

No

Question 61

Will you be billed when your on-demand instance is preparing to hibernate with a stopping state?

Answer 61

Yes

Question 62

Is it a valid DDOS prevention measure, to add multiple Elastic Fabric Adapters (EFA,) to EC2 instances to increase network bandwidth.

Answer 62

You can only attach one EFA per EC2 instance, and they’re for performance improvement, not DDoS prevention.

Question 63

How can you get data out of S3 Glacier quickly?

Answer 63

Purchase provisioned retrieval capacity, and use an Expedited retrieval.

Question 64

In a CFT, use the ____ attribute when you want to wait on resource configuration actions before stack creation proceeds.

Answer 64

CreationPolicy

Question 65

If an NACL has an allow rule that matches a piece of traffic, followed by a deny rule that also matches it, will the traffic be allowed?

Answer 65

Yes, once a rule is matched (from low to high number) the rest are not evaluated.

Question 66

What endpoint should be used to load balance read requests between Aurora read replicas?

Answer 66

The built-in Reader endpoint.

Question 67

Scenario: Set up asynchronous data replication to another RDS DB instance hosted in another AWS Region

Solution: ______

Answer 67

Create a Read Replica

Question 68

Should you use an Aurora Provisioned DB cluster for intermittent, sporadic, and unpredictable transactional workloads?

Answer 68

No, it is more suited to predictable workloads, because you can adjust capacity manually. Use serverless instead.

Question 69

Why would you prefer target tracking scaling to simple scaling?

Answer 69

You can have shorter cooldown periods, and you don’t have to create cloudwatch alarms.

Question 70

What is target tracking scaling?

Answer 70

Scaling to keep a given metric within a specified range.

Question 71

Can you directly set CloudWatch Alarms to update an ECS task count?

Answer 71

No, you should use CloudWatch Events instead.

Question 72

Can an SQS queue subscribe to an SNS topic?

Answer 72

Yes

Question 73

Are SQS messages automatically deleted after retrieval?

Answer 73

No

Question 74

How can Cloudfront help fix users getting lots of 504 errors?

Answer 74

Origin failover. It can automatically fail over from a primary to a secondary origin group, if a 504 (gateway timeout) error occurs.

Question 75

Should you use AWS Storage Gateway to migrate a file share to AWS, if you plan on migrating an entire application from on-premise to AWS?

Answer 75

No, it i used to integrate on-prem and AWS systems. If you’re migrating the entire applicaiton to AWS, you can use a purely-AWS storage solution.

Question 76

What is AWS Resource Access Manager?

Answer 76

AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types

Question 77

Can RDS events capture INSERT/DELETE/UPDATE calls?

Answer 77

No, you should use native functions or stored procedures.

Question 78

Which has better schema flexibility and scalability? Aurora or DynamoDB?

Answer 78

DynamoDB. Being nonrelational helps in these aspects.

Question 79

How would you get metrics from RDS that aren’t normally available in CloudWatch (e.g. memory usage)?

Answer 79

Enable Enhanced Monitoring

Question 80

With Amazon Aurora, how would you point production traffic to high-capacity instances and reporting traffic to low-capacity instances in a cluster?

Answer 80

Custom endpoints.

Question 81

How do you prevent an RDS DB from losing access due to an AZ’s outage?

Answer 81

Mutli-AZ failover

Question 82

Which is more appropriate for set permissions for Active Directory users from AWS Directory Service AD Connector? IAM Roles or IAM Groups?

Answer 82

IAM Roles

Question 83

If you have an Auto Scaling Group of EC2 instances in two availability zones, what minimum number of instances do you need to insure there are never fewer than two instances running?

Answer 83

Four. This will have 2 instances running in each AZ, so if one AZ has an outage you will still have 2 running in the other.

Question 84

How can you ensure that your RDS database can only be accessed using the profile credentials specific to your EC2 instances via an authentication token?

Answer 84

Enable IAM DB Authentication

Question 85

Can you set up an IAM Policy and MFA which require other AWS users to enter their IAM credentials and token before accessing an ElastiCache cluster?

Answer 85

No. You have to use the Redis AUTH option instead.

Question 86

How would you add environment variables to a Lambda function that could only be read by users with access to a KMS key (as opposed to users with access to the lambda)?

Answer 86

Use the KMS key to enable encryption helpers to store and encrypt the sensitive information.

Question 87

Are third party tool necessary to use Corporate AD/LDAP to let users access their (and only their) folder in an S3 bucket?

Answer 87

No. Just set up a federation proxy or identity provider, use Security Token Service to generate temp tokens, and configure an IAM role and IAM Policy to access the bucket.

Question 88

Should you store encryption keys in S3?

Answer 88

No, CloudHSM is a more appropriate place to store them

Question 89

Is EBS On-Premises Data Encryption a thing?

Answer 89

No. EBS is purely in the cloud, not on your premises, so there cannot be on-premises encryption.

Question 90

What are the features in AWS that can ensure data security for your confidential documents in s3?

Answer 90

S3 Client-Side and Server-Side encryption.

Question 91

Are DynamoDB streams enabled by default?

Answer 91

No, you have to enable each one you want to create

Question 92

What is Amazon MQ?

Answer 92

Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.

Question 93

How can API Gateway protect backend systems and applications from traffic spikes?

Answer 93

Throttling limits

Question 94

What is AWS Control Tower?

Answer 94

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices

Question 95

Is it possible to upgrade the storage capacity of a DynamoDB Table?

Answer 95

No, it is fully managed and automatically scales its storage

Question 96

How are geoproximity and geolocation routing different?

Answer 96

Geoproximity lets you configure the size of the geographic region from which traffic is routed, geolocation just lets you choose the instances based on location.

Question 97

Are IPv4 CIDRs required in a VPC, or can you use purely IPv6?

Answer 97

Yes, they are required.

Question 98

Which EBS volume type is most cost-effective for infrequent, large, sequential I/O operations?

Answer 98

Cold HDD (sc1)

Question 99

Which is better for processing a 5 minute workload? On-demand EC2 instances, or Lambda?

Answer 99

Lambda

Question 100

Can EBS volumes be attached to any EC2 instance in any Availability Zone?

Answer 100

No, they can only be attached to instances in the same AZ

Question 101

Can you change the configuration of an EBS volume while it’s being used?

Answer 101

Yes

Question 102

How would you create a static IP for an ALB and its targets?

Answer 102

Create elastic IP, point it at an NLB, put the ALB in the NLB’s target group.

EIP -> NLB -> ALB -> Targets

Question 103

Can an NACL allow/disallow communication between two subnets?

Answer 103

Yes

Question 104

Can you set filter policies in an SNS topic to choose which SQS queue to publish a message to?

Answer 104

Yes

Question 105

Can you block SQL Injection and XSS attacks via AWS Web Application Firewall?

Answer 105

Yes

Question 106

The maximum ratio of provisioned IOPS to requested volume size (in GiB) is __:1

Answer 106

50 : 1

Question 107

How do you protect a Redshift cluster from a regional outage?

Answer 107

Enable Cross-Region Snapshots Copy in the Redshift Cluster

Question 108

What are AWS Step Functions?

Answer 108

AWS Step Functions is a low-code, visual workflow service that developers use to build distributed applications, automate IT and business processes, and build data and machine learning pipelines using AWS services. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.

Question 109

Can AWS SWF prevent duplicate tasks?

Answer 109

Yes

Question 110

Can you specify a security group as the source for the rule in another security group?

Answer 110

Yes, although that doesn’t add a corresponding rule to the other security group.

Question 111

Is “RDS Child Processes” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?

Answer 111

Yes

Question 112

Is “OS Processes” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?

Answer 112

Yes

Question 113

Is “Database Connections” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?

Answer 113

No

Question 114

Is “CPU Utilization” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?

Answer 114

No

Question 115

When the instance is terminated, what happens to the data on the root volume?

Answer 115

It is automatically deleted

Question 116

Suppose I want to keep an automatically created backup of RDS for more than 35 days. How should I do that?

Answer 116

Use AWS Backup to create a backup plan

Question 117

What can you use to encrypt all the data on an EBS Volume?

Answer 117

Encrypt it using AWS KMS

Question 118

Is VPC Peering supported on a DirectConnect connection?

Answer 118

No

Question 119

Which DB solution is more fully managed? DynamoDB or RDS?

Answer 119

DynamoDB. RDS still has backups, and choosing when automated OS patching occurs

Question 120

What happens to data in an Instance Store when you stop an instance?

Answer 120

It does not persist.

Question 121

Can you encrypt an Instance Store?

Answer 121

No

Question 122

Can simple scaling scaled based on a set of adjustments?

Answer 122

No

Question 123

If AWS Storage Gateway is used to *integrate* AWS cloud storage with on-premise systems, what is used to *migrate* from on-premise systems?

Answer 123

AWS DataSync

Question 124

Are IAM roles specific to a region?

Answer 124

No, IAM is a global service

Question 125

How long must objects be stored in S3 before they can be moved to Infrequent Access tiers?

Answer 125

30 days

Question 126

Does Redshift autoscale?

Answer 126

No

Question 127

Is Amazon Aurora appropriate for OLTP, or OLAP?

Answer 127

OLTP Online Transactional Processing

Question 128

Is Redshift appropriate for OLTP or OLAP?

Answer 128

OLAP, Online analytical processing

Question 129

Are CloudTrail event log files encrypted by S3 server side encryption by default?

Answer 129

Yes

Question 130

Does Aurora have warm standbys, ready for instant failover, running by default?

Answer 130

No, you have to use Aurora Replica

Question 131

How does Aurora replica quickly fail over to a new AZ?

Answer 131

Flipping the CNAME record for the instance to point at the healthy replica

Question 132

Is data moving from an encrypted EBS volume to an instance encrypted?

Answer 132

Yes

Question 133

Are Elastic Fabric Adapters supported on windows instances?

Answer 133

No, the OS-bypass capabilities are not supported

Question 134

Elastic Fabric Adapters are ___ with added capabilities

Answer 134

Elastic Network Adapters

Question 135

Can IAM allow/deny access to resources with specific tags?

Answer 135

Yes

Question 136

___ is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.

Answer 136

Amazon Athena

Question 137

Is IAM DB authentication in RDS supported for Microsoft SQL Server instances?

Answer 137

No

Question 138

A mobile application stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider.

Which AWS Security Token Service approach to temporary access should you use for this scenario?

Answer 138

Web Identity Federation

Question 139

What benefit do launch templates have over launch configurations?

Answer 139

You can have multiple versions of a launch template

Question 140

What service can you use to import/export data from DynamoDB?

Answer 140

Elastic Map Reduce

Question 141

Do Launch Configurations support dedicated hosts?

Answer 141

No, you must use Launch Templates

Question 142

When can data persist in an instance store?

Answer 142

In a reboot

Question 143

By default, is Autoscaling enabled in DynamoDB tables created in the console?

Answer 143

Yes

Question 144

How many security groups can you assign to an instance?

Answer 144

Five

Question 145

Can you directly attach a policy to a group, or do you need to use a role?

Answer 145

You can directly attach it

Question 146

What does EBS Encryption by Default do in a region?

Answer 146

Configures your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create

Question 147

How many instances should you launch when you create a cluster placement group?

Answer 147

All that you plan on using. Adding later runs into the chance that you get an insufficient capacity error

Question 148

Does RDS for MySQL have cross region read replicas with sub-second replication?

Answer 148

No, they are async and have a replication latency measured in seconds

Question 149

What is an Egress-only Internet Gateway?

Answer 149

A gateway that allows an EC2 instance to communicate to the internet but prevents inbound traffic.

Question 150

What kind of load balancing allows the load balancer to distribute incoming requests evenly to all EC2 instances across multiple availability zones?

Answer 150

Cross-zone load balancing

Question 151

Should you use an NLB to route traffic to ALBs across multiple regions?

Answer 151

No. Use AWS Global Accelerator instead

Question 152

Does Inter-Region VPC Peering exist?

Answer 152

Yes

Question 153

Can inter-AZ data transfers accrue cost?

Answer 153

Yes, deploy to one AZ to reduce transfer costs

Question 154

Is ALB Target Group CPU utilization a usable metric for auto scaling?

Answer 154

No

Question 155

Can you use Lambda@Edge functions as part of an origin group in cloudfront?

Answer 155

No

Question 156

Can you configure AWS Lambda with Elastic BeanStalk?

Answer 156

No

Question 157

A serverless application consists of multiple Lambda Functions and a DynamoDB table. The application must be deployed by calling the CloudFormation APIs using AWS CLI. The CloudFormation template and the files containing the code for all the Lambda functions are located on a local computer.

What should the Developer do to deploy the application?

Answer 157

Use the aws cloudformation package command and deploy using aws cloudformation deploy.

Question 158

A transcoding media service is being developed on Amazon Cloud. Photos uploaded to Amazon S3 will trigger a Lambda function. The Lambda function will cause the Step Functions to coordinate a series of processes that will do the image analysis tasks. The input of each function should be preserved on the result to conform to the application’s logic flow.

What should the developer do?

Answer 158

Declare a ResultPath field filter on the Amazon States Language specification.