AWS Exam Questions Flashcards

1
Q

I want to be able to give my manager a billing report, how can I do this with AWS?

A

You can use a ‘Cost and Usage Report’; you can set this report up to deliver to S3.

2
Q

I have a Java application and a MongoDB NoSQL database to store app customer data. It is currently on-prem and I am migrating to AWS. I want the application to be highly available and have tracing; what options do I have?

A
  • For Java use Beanstalk, autoscaled EC2 or Kubernetes; this meets the autoscaling requirement.
  • Use DynamoDB for a scalable and highly available backend.
  • Use X-Ray for tracing.
  • Use CloudWatch Logs for log visibility.
  • Use CloudWatch metrics for performance visibility.
3
Q

I want to run a batch script at 8pm to collect stats and generate a report, what options do I have?

A

I can use CloudWatch Events to trigger an event to run Lambda functions.

4
Q

When using CloudWatch Events, is this the correct cron expression: “00 08**?”?

A

Yes

5
Q

I have a legacy application that used a traditional load balancer. My application used a certificate that is used between the calling application and the LB; what options do I have?

A

Select a Network Load Balancer, as an Application Load Balancer is not suitable. The Network Load Balancer will allow traffic straight through to the application without touching it. The application will see traffic as coming from the application, not the LB.

6
Q

I have a legacy application that used a traditional load balancer. My application used a certificate that is used between the calling application and the LB, and the application also uses TLS. What type of LB and protocols should I select to use on the LB?

A

TLS

Network LB

7
Q

I have to trigger a build of application code at 2 PM each day and also send an email to the dev team. How can I trigger this build and send an email?

A

You can use CloudWatch Events to trigger the build by setting a schedule cron expression and creating two triggers, one for the code build and one for the SNS email.

8
Q

What are the two conditions you must meet when switching role to another account? Are the following true or false? Must the user not be a root user to switch role? Does the user need to be granted permissions to assume the role?

A

Both are true.

9
Q

I am using Glue; pick what is true from the following: a) Glue contains a crawler that can connect to S3 and create metadata tables in a data catalogue, b) it can automatically generate Java code to extract data from the source and transform the data to a schema, c) it has a central metadata repository and data can be analyzed straight away.

A

A and C are true; B is incorrect.

10
Q

I have an S3 bucket and an application that writes user files to the S3 bucket. I want to keep track of how much storage a user is using and send a notification email; how can I do this? a) Iterate over files using a Lambda function triggered on notifications, b) write how much storage each user has used to DynamoDB?

A

b) is correct, as you do not want to iterate over large amounts of data.

11
Q

You have been taking frequent snapshots and you want to perform a restore of 10 files from the volume; how can you do this?

A

Using the snapshots you will create a new volume from the snapshot, mount the volume to the existing instance, navigate to where the files are on the disk and select the 10 files and copy.

12
Q

I am collecting thermostat information at a rate of 1K every min and I have 5.5M thermostats in the USA. How best can I collect this type of data? Could I use S3, and is it a good choice?

A

S3 is not the best choice here, it is possible but a better choice would be Kinesis.

13
Q

I have 999 users and I want to set up an ActiveDirectory for use with a new AWS app, I want to be able to use existing on-prem ActiveDirectory with this new ActiveDirectory?

A

You need a compatible AD, so Simple AD is not a choice here. AWS Directory for Microsoft Active Directory is a possible option, where you can set up a trust relationship with on-prem. AD Connector is probably the best option; it connects with on-prem.

14
Q

I have two groups using RedShift and I want to ensure that the groups’ queries do not have to wait on each other; how can I ensure this?

A

You can use two different RedShift management groups.

15
Q

I have a mobile application that writes data to RedShift tables, I want to set up how the app will access the table, how can I do this?

A

Set up a role to allow web-based identity federation using OAuth.

16
Q

I have a MySQL DB in the EU and Asia, and an HQ in the US. I run an hourly report where I need the data from all regions; how best can I do this? I am using RDS.

A

You can set up an RDS Master in each region and replicas in the HQ in the USA.

17
Q

I have licences tied to MAC address of the Instance, how can you ensure the MAC address will not change?

A

Create ENI and assign it to the instance, the MAC will not change.

18
Q

We have a customer that uses AWS and we want to share our service running in a VPC with the customer so they can do some work, how can we share the server?

A

Use VPC peering to share the VPC and server.

19
Q

I have a number of EC2 instances. I want to check the logs from both the OS and Apache (IIS) for security issues; how can I do this in real time?

A
  • Install the CloudWatch Logs agent.
  • Configure a Lambda with the trigger on the CloudWatch log group.

20
Q

I have an autoscaling group using 3 availability zones. One zone currently has issues and no instances are running in it; all instances are across the other zones. The error zone comes back online; what will happen?

A

An AZRebalance will take place and new instances will be created in the error zone. Then, once all instances are up and working, the other instances will be terminated from the other two zones until there are equal numbers in all zones.

21
Q

I am using autoscaling. From CloudWatch I see the autoscaling group launching more instances than the max and then terminating instances to bring the overall number back to the max.

A

This happens when the autoscaling group is AZRebalancing.

22
Q

Why does the autoscaling group create new instances before terminating old ones in an AZRebalance?

A

To ensure your capacity is kept and your application does not get capacity issues.

23
Q

An International company has deployed a multi-tier web application that relies on DynamoDB in a single region. For regulatory reasons they need disaster recovery capability in a separate region with a Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours. They should synchronize their data on a regular basis and be able to provision the web application rapidly using CloudFormation. The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize only the modified elements. Which design would you choose to meet these requirements?

A

  • Use EMR and write a custom script to retrieve data from DynamoDB in the current region using a SCAN operation and push it to DynamoDB in the second region. (No schedule and throughput control)
  • Use AWS Data Pipeline to schedule an export of the DynamoDB table to S3 in the current region once a day, then schedule another task immediately after it that will import data from S3 to DynamoDB in the other region. (With AWS Data Pipeline the data can be copied directly to the other DynamoDB table)
  • Send each item into an SQS queue in the second region; use an auto-scaling group behind the SQS queue to replay the write in the second region. (Not automated to replay the write)

24
Q

I am a SaaS provider and my clients are already on AWS. I want to share my service through my VPC; how can I do this?

A

One could use VPC peering, but this is not correct: as you have many customers, IP overlap is an issue. You will want to share your service through PrivateLink so your customers will be able to create an endpoint in their VPC and access your service.

25
Q

Can you enable Cost Explorer, or is it enabled by default?

A

By default Cost Explorer is disabled. The payer (master) account can enable Cost Explorer at a root level, automatically enabling all linked (member) accounts.

26
Q

In relation to EC2 what should we be doing to ensure costs are managed?

A

We should be,

- Using autoscaling groups

27
Q

I am architecting a solution and want to better understand the approx monthly cost of my solution for my customer; what is the best solution?

A

AWS Simple Monthly Calculator will enable you to calculate the approx monthly cost of your architecture.

28
Q

Can I use AWS Simple Monthly Calculator to see my in-production cost?

A

No! AWS Simple Monthly Calculator only shows you what a configuration could cost, like when you are architecting a solution. It does not show you the cost of current and running resources.

29
Q

I am using EMR, should I favour spot pricing over on-demand?

A

Yes for the core and task nodes.

30
Q

For EBS Optimised volumes, is the throughput limited and how can you increase it if needed?

A

Yes, it is limited based on instance size; you can increase the instance size.

31
Q

If I change the instance size of an EBS-optimized instance, what will happen?

A

The throughput and IOPS will change; larger instances have larger throughput and IOPS.

32
Q

Can I add a WAF ACL to an NLB ?

A

No, you can only add it to an L7-type device, and the supported ones are API GW, CloudFront and ALB.

33
Q

When creating a pre-signed URL, what must I do to ensure the users of the pre-signed URL have read and write permissions?

A

Ensure the user creating the URL has read-write permissions.

34
Q

A customer needs governance and cost control over a number of accounts, what are the best options?

A

Start to use AWS Organizations.

35
Q

What is the component (something) in Autoscaling that controls the scaling up or down?

A

It is the autoscaling group policy.

36
Q

When I am working across accounts, what should I be aware of with regard to permissions?

A

You have to have permissions to take action in both accounts. For S3 this means the ability to copy in both account 11111 and 2222.

37
Q

Should I use a WAF for DDOS?

A

No, it is more for targeted rules.

38
Q

What should I be using for DDOS attacks?

A

Shield

39
Q

What do I want to use for L7 DDOS attacks?

A

Shield Advanced

40
Q

What services does Shield Advanced support?

A
For higher levels of protection against attacks targeting:

  • Amazon Elastic Compute Cloud
  • Elastic Load Balancing (ELB)
  • Amazon CloudFront
  • Amazon Route 53
  • AWS Global Accelerator
41
Q

How does Shield Advanced protect your EIPs during a DDOS attack?

A

(Super cool!!) Normally the Shield Advanced ACL is in the same region, and when an attack is detected the ACL is promoted out to the AWS edge.

42
Q

I have Shield Advanced; during a DDOS attack, what options do I have for support?

A

You have access to the 24x7 DDoS Response Team (DRT).

43
Q

What advanced visibility do you get into a DDOS attack with Shield?

A

Advanced, real-time metrics and reports for extensive visibility into attacks on your AWS resources.

44
Q

I am concerned about cost during an attack, is there anything I can do?

A

AWS Shield Advanced gives you cost protection. This cost protection is provided for your Elastic Load Balancing load balancers, Amazon CloudFront distributions, Amazon Route 53 hosted zones, Amazon Elastic Compute Cloud instances, and your AWS Global Accelerator accelerators.

45
Q

Is there a cost to AWS Shield Advanced or is it free?

A

It is 3000 a month

46
Q

I have an L4 application; should I choose to use Shield Advanced?

A

No, Shield Advanced is only good for L7 applications.

47
Q

Will an instance IP change when it fails and is recovered by AWS?

A

No, all the instance attributes stay the same.

48
Q

How can I be informed when an EC2 instance fails?

A

The CheckStatusFailed_system is triggered.

49
Q

Depending on the speed of the connection to the internet, when should I consider using Snowball or Import/Export?

A
Connection speed - Transfer time - When to consider Snowball
T1 (1.544Mbps) - 82 days - 100GB or more
10Mbps - 13 days - 600GB or more
T3 (44.736Mbps) - 3 days - 2TB or more
100Mbps - 1 to 2 days - 5TB or more
1000Mbps - Less than 1 day - 60TB or more
50
Q

Should I use tags for cost management?

A

This will come up on the exam; tags are important, and cost allocation tags are supported and important.

51
Q

Can I create a central VPC and have other VPC transit through it?

A

No, you cannot transit through VPCs.

52
Q

What is the limit on the number of peered connections on a VPC?

A

125

53
Q

Explain what an EC2 Dedicated Host is.

A

This is a server allocated by AWS for your use only; you can run many EC2 instances on the server. The server is allocated to your account and you can place your EC2 instances on it. You can control the placement of EC2 instances using License Manager; LM enables you to control the placement of instances for licence purposes.

54
Q

Does Fargate support auto-scaling?

A

Yes, 100%; you can have it so the number of tasks is scaled as needed.

55
Q

When using ECS, if I set up auto-scaling, what am I doing?

A

You are setting up auto-scaling on the tasks, so the number of tasks will increase or decrease as needed.

56
Q

What is pilot light, backup & restore, warm standby, multi-site?

A
  • Pilot light is when we just keep something like the DB but have to recreate the rest of the infrastructure.
  • B & R is when we have to recreate everything.
  • Warm standby is a scaled-down version of your environment.
  • Multi-site is when everything is ready to go.
57
Q

What is required by two accounts for delegation?

A
  • Create a cross-account role in account A with account B being the trusted account.
  • Create a user in account B with permissions to call AssumeRole API.
  • Share the sign-in link.
58
Q

What identity providers does AWS IAM support?

A
  • OpenID
  • SAML

59
Q

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operation?

A

Web identity federation

60
Q

What is an auto-scaling group?

A

It is a group of 1 or more EC2 instances that is under the control of the AutoScaling group configuration. This means the group can:

  • Increase or decrease the number of EC2 instances
  • Increasing or decreasing the instances is based on for example CPU, Traffic, ELB transactions
61
Q

Does Data Firehose store data in real time?

A

There is a 60sec latency

62
Q

I am using Kinesis and I want to analyze the data in real time using SQL; what is my best option?

A

Your best option is Kinesis Analytics; you can execute SQL against the incoming stream.

63
Q

I am using Kinesis and I want to run queries over my incoming streamed data in real time. How can I do this? Should I use RedShift?

A

You should use Kinesis Analytics; it is streaming analytics. RedShift is a data warehouse where the data has to be stored to disk before SQL can be run.

64
Q

What is an ELB sandwich?

A

It is where you want to use a non-AWS managed WAF and you put an ELB on the front and back of it.

65
Q

Can I put a static IP on an NLB?

A

Yes

66
Q

When using an NLB with TLS termination is the proxy protocol required to preserve the source IP?

A

No, the source IP is preserved.

67
Q

When using an NLB for TCP is the proxy protocol required to preserve the source IP?

A

No, the source IP is preserved as it is an L4 LB and this means the data packets are untouched.

68
Q

What is s2n?

A

It is Amazon's implementation of the TLS protocol; they stripped out the junk.

69
Q

On an NLB can you have HTTP and HTTPS network health checks?

A

Yes, 100%; this is supported in addition to a network-level check where a socket is opened.

70
Q

Is redshift a multi-AZ cluster?

A

No, a single AZ

71
Q

What is an instance profile?

A

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

72
Q

What are the migration options for a system/app?

A
  • Re-host (lift and shift)
  • Re-platform (lift, tinker and shift) (change to, say, RDS and Elastic Beanstalk)
  • Refactor / re-architect
73
Q

When using an ALB is the source IP forwarded to the client?

A

No, no!!!!! The ALB is an L7 device and as such the source IP is not transferred to the destination.

74
Q

When using an ALB how can you find out the client IP?

A

X-Forwarded-For; the ALB will place the client IP in this HTTP header.

75
Q

When using an ALB how can you find out the client IP and port?

A

X-Forwarded-Port

76
Q

What will this policy do?

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "NotPrincipal": {"AWS": [
            "arn:aws:iam::444455556666:user/Bob"
        ]},
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::dog",
            "arn:aws:s3:::dog/*"
        ]
    }]
}
A

It will explicitly deny all users except Bob from accessing the bucket dog and the bucket objects.

77
Q

I have an application and tomorrow we know there will be a large increase in the number of customers using our application. The app is located on-prem; what can I do quickly to decrease workload?

A

You could create a CloudFront distribution and, as CF can deal with dynamic content, it can help in the following ways:

  • Cache dynamic content
  • Deal with the connection between client and edge
78
Q

Can you have Oracle RAC in an RDS instance?

A

No, RAC requires a shared disk array; a shared disk array is not supported by AWS, so RAC is not supported on AWS. Oracle DB is supported on RDS, but Oracle DB is not RAC.

79
Q

What is VM Import/Export?

A

It is a CLI that enables you to import and export VMs from EC2 using an S3 bucket.

80
Q

What formats are supported by VM import/export?

A

OVF, VMDK, VHD

81
Q

I want to use requester pays; do I use cross-account roles or bucket policies?

A

Bucket policies

82
Q

Do NAT GW have EIP?

A

Yes

83
Q

How can I take scheduled snapshots of EBS volumes?

A

You can use EBS DLM (Data Lifecycle Manager); this enables you to set up a schedule and use it to take snapshots of any volume that has a matching tag.

84
Q

I am using DLM and the number of snapshots is growing; what can I do to trim down the number of snapshots?

A

DLM has a lifecycle option for the snapshots, so snapshots will be deleted.

85
Q

In IAM, how can I get a list of users?

A

You can get this list by downloading the user report from the console or through the CLI.

86
Q

What permission has a root user?

A

Full

87
Q

What permission has a non-root user?

A

None

88
Q

Does the ALLOW in a policy override a DENY?

A

No, the DENY overrides the ALLOW.