Aws Practice 2 Flashcards
A company needs an AWS service that can continuously monitor the company’s AWS account. If there are any changes to the architecture, members of the team must be contacted.
Which service will meet these requirements?
-Amazon Macie
-Amazon GuardDuty
-AWS Config
-AWS Trusted Advisor
AWS Config
AWS Config keeps track of all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.
AWS Config also tracks the configuration changes that were not initiated by the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed.
You can configure alerts to let team members know if resource configurations have changed. AWS Config can send notifications using Amazon SNS topics.
Which service can a Cloud Practitioner use to configure custom cost and usage limits and enable alerts for when defined thresholds are exceeded?
-Consolidated billing
-AWS Trusted Advisor
-Cost Explorer
-AWS Budgets
-AWS Budgets
AWS Budgets allows you to set custom budgets to track your cost and usage. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold, or when your actual RI and Savings Plans’ utilization or coverage drops below your desired threshold.
“Cost Explorer” is incorrect. This service is used for exploring the costs already incurred within your account, not for setting limits or alerts.
Which AWS service should a Cloud Practitioner use to establish a secure network connection between an on-premises network and AWS?
-AWS Mobile Hub
-AWS Web Application Firewall (WAF)
-Amazon Virtual Private Cloud (VPC)
-Virtual Private Network
Virtual Private Network
AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.
“AWS Mobile Hub” is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services.
“AWS Web Application Firewall (WAF)” is incorrect. This service is used for protecting against common web exploits.
“Amazon Virtual Private Cloud (VPC)” is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.
What can be used to allow an application running on an Amazon EC2 instance to securely store data in an Amazon S3 bucket without using long-term credentials?
-AWS IAM access key
-AWS Systems Manager
-Amazon Connect
-AWS IAM role
-AWS IAM role
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
According to the shared responsibility model, which security-related task is the responsibility of the customer?
-Maintaining physical networking configuration.
-Maintaining server-side encryption.
-Securing servers and racks at AWS data centers.
-Maintaining firewall configurations at a hardware level.
Maintaining server-side encryption.
All client-side and server-side encryption is a responsibility of the customer using the AWS Cloud.
An application has highly dynamic usage patterns. Which characteristics of the AWS Cloud make it cost-effective for this type of workload? (Select TWO.)
-High availability
-Reliability
-Elasticity
-Strict security
-Pay-as-you-go pricing
-Elasticity
-Pay-as-you-go pricing
This service enables applications to retrieve only a subset of data from an object by using simple SQL expressions.
-AWS CodePipeline
-AWS S3 Select
-AWS CodeDeploy
-AWS CodeBuild
AWS S3 Select
S3 Select enables applications to retrieve only a subset of data from an object by using simple SQL expressions. By using S3 Select to retrieve only the data needed by your application, you can achieve drastic performance increases – in many cases you can get as much as a 400% improvement.
CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.
CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.
AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.
A Cloud Practitioner wants to configure the AWS CLI for programmatic access to AWS services. Which credential components are required? (Select TWO.)
-An access key ID
-A secret access key
-A public key
-A private key
-An IAM Role
-An access key ID
-A secret access key
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.
A user has limited knowledge of AWS services, but wants to quickly deploy a scalable Node.js application in an Amazon VPC.
Which service should be used to deploy the application?
-Amazon LightSail
-AWS CloudFormation
-AWS Elastic Beanstalk
-Amazon EC2
AWS Elastic Beanstalk
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.
“Amazon LightSail” is incorrect. LightSail is a good service to use when you don’t have good knowledge of AWS. However, you cannot deploy a scalable Node.js application into a VPC with it.
CloudFormation is used for automating the deployment of infrastructure resources in AWS.
Which of the following are valid best practices for using the AWS Identity and Access Management (IAM) service? (Select TWO.)
-Create individual IAM users.
-Embed access keys in application code.
-Use inline policies instead of customer managed policies.
-Use groups to assign permissions to IAM users.
-Grant maximum privileges to IAM users.
-Create individual IAM users.
-Use groups to assign permissions to IAM users.
This is the list of valid IAM best practices:
Lock away your AWS account root user access keys
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Get started using permissions with AWS managed policies
Use customer managed policies instead of inline policies
Use access levels to review IAM permissions
Configure a strong password policy for your users
Enable MFA
Use roles for applications that run on Amazon EC2 instances
Use roles to delegate permissions
Do not share access keys
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions for extra security
Monitor activity in your AWS account
According to the shared responsibility model, which security and compliance task is AWS responsible for?
-Granting permissions to users and services
-Encrypting data at rest
-Updating Amazon EC2 host firmware
-Updating operating systems
-Updating Amazon EC2 host firmware
Which combination of steps will enable multi-factor authentication (MFA) on an AWS account? (Select TWO.)
-Activate the MFA device by using Amazon GuardDuty.
-Contact AWS Support to initiate MFA activation.
-Activate AWS Shield on an MFA-compatible device.
-Acquire an MFA-compatible device.
-Activate the MFA device in the IAM console or by using the AWS CLI.
-Acquire an MFA-compatible device.
-Activate the MFA device in the IAM console or by using the AWS CLI.
Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have).
Taken together, these multiple factors provide increased security for your AWS account settings and resources. You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can also be used to control access to AWS service APIs.
You will first need a device capable of providing an application which can support virtual MFA. There are several form factors to choose from:
Which AWS service can act as a hybrid storage solution to connect on-premises workloads with the AWS cloud?
-AWS Direct Connect
-Amazon Connect
-AWS Storage Gateway
-AWS Backup
AWS Storage Gateway
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. You can use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.
These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications.
To support these use cases, the service provides four different types of gateways – Tape Gateway, Amazon S3 File Gateway, Amazon FSx File Gateway, and Volume Gateway – that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access.
“Amazon Connect” is incorrect. Amazon Connect is a cloud-based telecommunications service providing managed customer contact centers, not a storage service.
“AWS Backup” is incorrect, as this is a service which manages backups in a cost-effective, fully managed, policy-based manner.
Although Direct Connect is a service for creating hybrid connections to on-premises data centers, it is a direct physical cable connection and not a storage service.
Amazon S3 is typically used for which of the following use cases? (Select TWO.)
-In-memory data cache
-Media hosting
-Install an operating system
-Host a static website
-Message queue
-Media hosting
-Host a static website
Amazon S3 is an object storage system. Typical use cases include: Backup and storage, application hosting, media hosting, software delivery and hosting a static website.
Which of the following statements are security principles within the AWS Well-Architected Framework? (Select TWO.)
-Protect data in transit and at rest.
-Monitor, alert, and audit actions and changes to AWS resources.
-Analyze and attribute expenditures.
-Deploy globally in minutes.
-Perform operations as code.
-Protect data in transit and at rest.
-Monitor, alert, and audit actions and changes to AWS resources.
Ongoing monitoring with alerting and remediation actions is a critical part of a coherent security posture. With ongoing monitoring, you can make sure any potential threats or security concerns can be remediated as soon as possible.
Secondly, protecting data both in transit and at rest is a vital part of a security procedure which ensures that no data is read by anyone who shouldn’t have access to it.
Which AWS dashboard displays relevant and timely information to help users manage events in progress, and provides proactive notifications to help plan for scheduled activities?
-AWS Trusted Advisor dashboard
-Amazon CloudWatch dashboard
-AWS Service Health Dashboard
-AWS Personal Health Dashboard
-AWS Personal Health Dashboard
AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.
The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.
Which AWS service can be used to load data from Amazon S3, transform it, and move it to another destination?
-Amazon Kinesis
-Amazon RedShift
-AWS Glue
-Amazon EMR
AWS Glue
AWS Glue is an Extract, Transform, and Load (ETL) service. You can use AWS Glue with data sources on Amazon S3, RedShift and other databases. With AWS Glue you transform and move the data to various destinations. It is used to prepare and load data for analytics.
Amazon RedShift is a data warehouse. With a data warehouse you load data from other databases such as transactional SQL databases and run analysis. You can analyze data using SQL and Business Intelligence tools.
Amazon EMR is a managed Hadoop framework running on EC2 and S3. It is used for analyzing data, not for ETL.
Amazon Kinesis is used for collecting, processing and analyzing real-time streaming data.
An eCommerce company plans to use the AWS Cloud to quickly deliver new functionality in an iterative manner, minimizing the time to market.
Which feature of the AWS Cloud provides this functionality?
-Elasticity
-Cost effectiveness
-Agility
-Fault tolerance
-Agility
Which on-premises costs must be included in a Total Cost of Ownership (TCO) calculation when comparing against the AWS Cloud? (Select TWO.)
-Operating system administration
-Project management services
-Network infrastructure in the data center
-Physical compute hardware
-Database schema development
-Network infrastructure in the data center
-Physical compute hardware
When performing a TCO analysis you must include all costs you are currently incurring in the on-premises environment that you will not pay for in the AWS Cloud. This should include labor costs for activities that will be reduced or eliminated. Labor costs that will continue to be incurred in the cloud need not be included.
Which of the statements below is correct in relation to Consolidated Billing? (Select TWO.)
-You receive one bill per AWS account
-You pay a fee per linked account
-You are charged a fee per user
-You receive a single bill for multiple accounts
-You can combine usage and share volume pricing discounts
-You receive a single bill for multiple accounts
-You can combine usage and share volume pricing discounts
Consolidated billing has the following benefits:
One bill – You get one bill for multiple accounts.
Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.
Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
Which AWS service does AWS Snowball Edge natively support?
-AWS Server Migration Service (AWS SMS)
-AWS Database Migration Service (AWS DMS)
-AWS Trusted Advisor
-Amazon EC2
Amazon EC2
You can run Amazon EC2 compute instances hosted on a Snowball Edge with the sbe1, sbe-c, and sbe-g instance types. The sbe1 instance type works on devices with the Snowball Edge Storage Optimized option. The sbe-c instance type works on devices with the Snowball Edge Compute Optimized option. Both the sbe-c and sbe-g instance types work on devices with the Snowball Edge Compute Optimized with GPU option.
A company is interested in moving its on-premises NoSQL database into the AWS Cloud.
Which AWS service should the company use to replace their existing database?
-Amazon Redshift
-Amazon RDS for MySQL
-Amazon Quantum Ledger Database (Amazon QLDB)
-Amazon DynamoDB
Amazon DynamoDB
Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data export tools. When you hear of AWS Managed NoSQL databases, DynamoDB is the only acceptable choice.
Amazon Quantum Ledger Database (QLDB) is a fully managed ledger database that provides transparent, immutable, and cryptographically verifiable transactions, and is not a suitable replacement for an on-premises NoSQL database.
“Amazon Redshift” is incorrect, as it is an SQL-based data warehousing solution.
Which of the following is an advantage for a company running workloads in the AWS Cloud vs on-premises? (Select TWO.)
-Less staff time is required to launch new workloads.
-Increased productivity for application development teams.
-Higher acquisition costs to support elastic workloads.
-Lower overall utilization of server and storage systems.
-Increased time to market for new application features.
-Less staff time is required to launch new workloads.
-Increased productivity for application development teams.
Using AWS cloud services can help development teams to be more productive as they spend less time working on the infrastructure layer as it is provided for them. This additionally means launching new workloads requires less time as you can automate the implementation of the application and there is no underlying hardware layer to configure.
Which of the following best describes an Availability Zone in the AWS Cloud?
-A completely isolated geographic location
-One or more physical data centers
-One or more edge locations based around the world
-A subnet for deploying resources into
One or more physical data centers
An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZ’s give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
Which technology can automatically adjust compute capacity as demand for an application increases or decreases?
-High availability
-Fault tolerance
-Auto Scaling
-Load balancing
Auto Scaling
Which Amazon EC2 tool acts as a virtual firewall to control inbound and outbound traffic to an EC2 instance?
-Network access control list (ACL)
-AWS WAF
-Security group
-AWS Shield
Security group
A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service and does not control traffic.
“AWS WAF” is incorrect. WAF is a Web Application Firewall, something that is placed in front of your web applications outside of your VPC, whereas security groups live within your VPC and control instance-specific inbound and outbound traffic.
“Network access control list (ACL)” is incorrect. Although Network ACLs are virtual firewalls which control access within a VPC, Network ACLs exist at the subnet level, not at the instance level.
How can an organization take advantage of tiered pricing across multiple business units within an organization?
-Cost Explorer utilization reports.
-AWS Organizations service control policies (SCPs).
-AWS Organizations consolidated billing.
-All Upfront Reserved Instances.
AWS Organizations consolidated billing.
Consolidated billing has the following benefits:
One bill – You get one bill for multiple accounts.
Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.
Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
No extra fee – Consolidated billing is offered at no additional cost.
Consolidated billing includes:
Paying Account – independent and cannot access resources of other accounts
Linked Accounts – all linked accounts are independent
Which of the following tasks can a user perform to optimize Amazon EC2 costs? (Select TWO.)
-Implement Auto Scaling groups to add and remove instances based on demand.
-Create a policy to restrict IAM users from accessing the Amazon EC2 console.
-Create users in a single Region to reduce the spread of EC2 instances globally.
-Set a budget to limit spending on Amazon EC2 instances using AWS Budgets.
-Purchase Amazon EC2 Reserved Instances.
-Implement Auto Scaling groups to add and remove instances based on demand.
-Purchase Amazon EC2 Reserved Instances.