AWS Practice Exam 2 Flashcards

Question 1

Q

Which AWS service does AWS Snowball Edge natively support?

-AWS Server Migration Service (AWS SMS)
-Amazon EC2
-AWS Trusted Advisor
-AWS Database Migration Service (AWS DMS)

Answer

A

Amazon EC2

You can run Amazon EC2 compute instances hosted on a Snowball Edge with the sbe1, sbe-c, and sbe-g instance types. The sbe1 instance type works on devices with the Snowball Edge Storage Optimized option. The sbe-c instance type works on devices with the Snowball Edge Compute Optimized option. Both the sbe-c and sbe-g instance types work on devices with the Snowball Edge Compute Optimized with GPU option.

Question 2

Q

Which AWS service can be used to load data from Amazon S3, transform it, and move it to another destination?

-Amazon Kinesis
-Amazon RedShift
-AWS Glue
-Amazon EMR

Answer

A

AWS Glue

AWS Glue is an Extract, Transform, and Load (ETL) service. You can use AWS Glue with data sources on Amazon S3, RedShift and other databases. With AWS Glue you transform and move the data to various destinations. It is used to prepare and load data for analytics.

Amazon RedShift is a data warehouse. With a data warehouse you load data from other databases such as transactional SQL databases and run analysis. You can analyze data using SQL and Business Intelligence tools.

Amazon EMR is a managed Hadoop framework running on EC2 and S3. It is used for analyzing data, not for ETL.

Amazon Kinesis is used for collecting, processing and analyzing real-time streaming data.

Question 3

Q

Which Amazon EC2 pricing model should be avoided if a workload cannot accept interruption if capacity becomes temporarily unavailable?

-Spot Instances
-Standard Reserved Instances
-On-Demand Instances
-Convertible Reserved Instances

Answer

A

Spot Instances

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices.

The downside is that if capacity becomes temporarily unavailable, your instances may be terminated.

Question 4

Q

Which combination of steps will enable multi-factor authentication (MFA) on an AWS account? (Select TWO.)

-Activate the MFA device by using Amazon GuardDuty.
-Contact AWS Support to initiate MFA activation.
-Activate AWS Shield on an MFA-compatible device.
-Acquire an MFA-compatible device.
-Activate the MFA device in the IAM console or by using the AWS CLI.

Answer

A

-Acquire an MFA-compatible device.
-Activate the MFA device in the IAM console or by using the AWS CLI.

Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS Management Console, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have).

Taken together, these multiple factors provide increased security for your AWS account settings and resources. You can enable MFA for your AWS account and for individual IAM users you have created under your account. MFA can also be used to control access to AWS service APIs.

You will first need a device capable of providing an application which can support virtual MFA. There are several form factors to choose from:

Question 5

Q

A company requires a dashboard for reporting when using a business intelligence solution. Which AWS service can a Cloud Practitioner use?

-Amazon Athena
-Amazon Kinesis
-Amazon QuickSight
-Amazon Redshift

Answer

A

-Amazon QuickSight

Amazon QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service built for the cloud.

QuickSight lets you easily create and publish interactive BI dashboards that include Machine Learning-powered insights.

QuickSight dashboards can be accessed from any device, and seamlessly embedded into your applications, portals, and websites.

Question 6

Q

What can a Cloud Practitioner use the AWS Total Cost of Ownership (TCO) Calculator for?

-Generate reports that break down AWS Cloud compute costs by duration, resource, or tags
-Estimate a monthly bill for the AWS Cloud resources that will be used
-Estimate savings when comparing the AWS Cloud to an on-premises environment
-Enable billing alerts to monitor actual AWS costs compared to estimated costs

Answer

A

Estimate savings when comparing the AWS Cloud to an on-premises environment

The TCO calculators allow you to estimate the cost savings when using AWS, compared to on-premises, and provide a detailed set of reports that can be used in executive presentations. The calculators also give you the option to modify assumptions that best meet your business needs.

“Generate reports that break down AWS Cloud compute costs by duration, resource, or tags” is incorrect. This describes the AWS Cost & Usage Report.

Estimate a monthly bill for the AWS Cloud resources that will be used” is incorrect. This describes the AWS Pricing Calculator (or Simple Monthly Calculator).

Enable billing alerts to monitor actual AWS costs compared to estimated costs” is incorrect. Billing alerts can be enabled using Amazon CloudWatch.

Question 7

Q

An application has highly dynamic usage patterns. Which characteristics of the AWS Cloud make it cost-effective for this type of workload? (Select TWO.)

-Strict security
-Elasticity
-Pay-as-you-go pricing
-Reliability
-High availability

Answer

A

-Elasticity
-Pay-as-you-go pricing

AWS is a cost-effective for dynamic workloads because it is elastic, meaning your workload can scale based on demand. And because you only pay for what you use (pay-as-you-go pricing).

Question 8

Q

Which AWS service should a Cloud Practitioner use to establish a secure network connection between an on-premises network and AWS?

Amazon Virtual Private Cloud (VPC)
AWS Web Application Firewall (WAF)
Virtual Private Network
AWS Mobile Hub

Answer

A

Virtual Private Network

AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

AWS Mobile Hub” is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services.

“AWS Web Application Firewall (WAF)” is incorrect. This service is used for protecting against common web exploits.

Amazon Virtual Private Cloud (VPC)” is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.

Question 9

Q

A company needs to use third-party software for its workload on AWS.

Is there a feature or service of AWS that the company can use to purchase the software?

-WS License Manager
-AWS Managed Services
-AWS Marketplace
-AWS Resource Access Manager

Answer

A

AWS Marketplace

AWS Marketplace is a curated digital catalog that makes it easy for organizations to discover, procure, entitle, provision, and govern third-party software. You can find thousands of software listings from popular categories like security, business applications, and data & analytics, and across specific industries, such as healthcare, financial services, and public sector.

“AWS Managed Service” is incorrect as this describes services in which AWS customers don’t have to provision their own infrastructure.

“AWS License Manager” is incorrect as it is a service that makes it easier for you to manage Software Licenses.

“AWS Resource Access Manager” is incorrect as it is a service that helps you to securely share your resources across AWS accounts, within your organization or organizational units (OUs) within AWS and has nothing to do with third party services.

Question 10

Q

Which of the statements below is correct in relation to Consolidated Billing? (Select TWO.)

-You receive one bill per AWS account
-You pay a fee per linked account
-You are charged a fee per user
-You receive a single bill for multiple accounts
-You can combine usage and share volume pricing discounts

Answer

A

-You receive a single bill for multiple accounts
-You can combine usage and share volume pricing discounts

Consolidated billing has the following benefits:

One bill – You get one bill for multiple accounts.

Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.

Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.

Question 11

Q

A company is interested in moving its on-premises NoSQL database into the AWS Cloud.

Which AWS service should the company use to replace their existing database?

-Amazon Redshift
-Amazon RDS for MySQL
-Amazon Quantum Ledger Database (Amazon QLDB)
-Amazon DynamoDB

Answer

A

Amazon DynamoDB

Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data export tools. When you hear of AWS Managed NoSQL databases, DynamoDB is the only acceptable choice.

Amazon Quantum Ledger Database (QLDB) is a fully managed ledger database that provides transparent, immutable, and cryptographically verifiable transactions- and is not a suitable replacement for an on-premises NoSQL database.
Amazon Redshift” is incorrect, as it is an SQL-based data warehousing solution.

Question 12

Q

Which of the following tasks can a user perform to optimize Amazon EC2 costs? (Select TWO.)

-Implement Auto Scaling groups to add and remove instances based on demand.
-Create a policy to restrict IAM users from accessing the Amazon EC2 console.
-Create users in a single Region to reduce the spread of EC2 instances globally.
-Set a budget to limit spending on Amazon EC2 instances using AWS Budgets.
-Purchase Amazon EC2 Reserved Instances.

Answer

A

-Implement Auto Scaling groups to add and remove instances based on demand.
-Purchase Amazon EC2 Reserved Instances

Question 13

Q

Which Amazon EC2 tool acts as a virtual firewall to control inbound and outbound traffic to an EC2 instance?

-Network access control list (ACL)
-AWS WAF
-Security group
-AWS Shield

Answer

A

Security group

A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service and does not control traffic.

WAF is a Web Application Firewall – something that is placed in front of your web applications outside of your VPC – whereas security groups live within your VPC, controlled instance specific inbound and outbound traffic.

Network access control list (ACL)” is incorrect. Although Network ACLs are virtual firewalls which control access within a VPC, Network ACLs exist on the subnet level, not on the instance level.

Question 14

Q

A company needs an AWS service that can continuously monitor the company’s AWS account. If there are any changes to the architecture, members of the team must be contacted.

Amazon GuardDuty
AWS Trusted Advisor
Amazon Macie
AWS Config
Which service will meet these requirements?

Answer

A

AWS Config

Question 15

Q

Which AWS service helps customers meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware appliances within the AWS Cloud?

-AWS Directory Service
-AWS CloudHSM
-AWS Secrets Manager
-AWS Key Management Service (AWS KMS)

Answer

A

AWS CloudHSM

The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS Cloud.

AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

AWS Key Management Service (AWS KMS)” is incorrect. This service is also involved with creating and managing encryption keys but does not use dedicated hardware.

AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

Question 16

Q

Which AWS service can be used to perform data extract, transform, and load (ETL) operations so you can prepare data for analytics?

-Amazon S3 Select
-Amazon Athena
-AWS Glue
-Amazon QuickSight

Answer

A

AWS Glue

AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue provides all of the capabilities needed for data integration so that you can start analyzing your data and putting it to use in minutes instead of months.

-Amazon QuickSight is a cloud-native, serverless, business intelligence service.

Amazon Athena is a serverless, interactive query service to query data and analyze big data in Amazon S3 using standard SQL

-This service enables applications to retrieve only a subset of data from an object by using simple SQL expressions.

AWS Glue provides both visual and code-based interfaces to make data integration easier. Users can easily find and access data using the AWS Glue Data Catalog. Data engineers and ETL (extract, transform, and load) developers can visually create, run, and monitor ETL workflows with a few clicks in AWS Glue Studio.

Question 17

Q

This service enables applications to retrieve only a subset of data from an object by using simple SQL expressions.

-AWS CodePipeline
-AWS CodeCommit
-AWS CodeDeploy
-AWS CodeBuild

Answer

A

AWS CodeCommit

AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.

CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.

AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.

CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.

AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.

Question 18

Q

A Cloud Practitioner requires a simple method to identify if unrestricted access to resources has been allowed by security groups. Which service can the Cloud Practitioner use?

-AWS CloudTrail
-Amazon CloudWatch
-AWS Trusted Advisor
-VPC Flow Logs

Answer

A

AWS Trusted Advisor checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.

CloudWatch is used for performance monitoring.

VPC Flow Logs are used to capture network traffic information, they will not easily identify unrestricted security groups.

AWS CloudTrail” is incorrect. This service is used for auditing API actions

Question 19

Q

Which technology can automatically adjust compute capacity as demand for an application increases or decreases?

-High availability
-Fault tolerance
-Auto Scaling
-Load balancing

Answer

A

Auto Scaling

Question 20

Q

AWS are able to continue to reduce their pricing due to:

-Reserved instance pricing
-Economies of scale
-The AWS global infrastructure
-Pay-as-you go pricing

Answer

A

Economies of scale

Question 21

Q

Which benefit of AWS enables companies to replace upfront fixed expenses with variable expenses when using on-demand technology services?

Economies of scale
Pay-as-you-go pricing
High availability
Global reach

Answer

A

Pay-as-you-go pricing

Question 22

Q

A Cloud Practitioner is re-architecting a monolithic application. Which design principles for cloud architecture do AWS recommend? (Select TWO.)

-Implement loose coupling.
-Implement manual scalability.
-Use self-managed servers.
-Design for scalability.
-Rely on individual components.

Answer

A

Implement loose coupling.
Design for scalability.

Question 23

Q

What should a Cloud Practitioner ensure when designing a highly available architecture on AWS?

A single monolithic application component handles all operations.
There are enough servers to run at peak load available at all times.
Servers have low-latency and high throughput network connectivity.
The failure of a single component should not affect the application.

Answer

A

The failure of a single component should not affect the application.

In a highly available system the failure of a single component should not affect the application. This means that if a single component such as an application server fails, there should be other applications servers available that can seamlessly take over operations and ensure the application continues to operate.

Question 24

Q

In a highly available system the failure of a single component should not affect the application. This means that if a single component such as an application server fails, there should be other applications servers available that can seamlessly take over operations and ensure the application continues to operate.

EC2 security groups
AWS Conﬁg
Amazon Macie
Amazon Inspector

Answer

A

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Security groups are instance-level firewalls used for controlling network traffic reaching and leaving EC2 instances.

. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.

Question 25

Q

A company is interested in moving its on-premises NoSQL database into the AWS Cloud.

Which AWS service should the company use to replace their existing database?

-Amazon DynamoDB
-Amazon Redshift
-Amazon RDS for MySQL
-Amazon Quantum Ledger Database (Amazon QLDB)

Answer

A

Amazon DynamoDB

Question 26

Q

Which AWS service can act as a hybrid storage solution to connect on-premises workloads with the AWS cloud?

-AWS Direct Connect
-Amazon Connect
-AWS Storage Gateway
-AWS Backup

Answer

A

AWS Storage Gateway

AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. You can use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.

These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low-latency access to data in AWS for on-premises applications.

To support these use cases, the service provides four different types of gateways – Tape Gateway, Amazon S3 File Gateway, Amazon FSx File Gateway, and Volume Gateway – that seamlessly connect on-premises applications to cloud storage, caching data locally for low-latency access.

Connect is a cloud-based telecommunications service providing managed cloud-based customer contact centers.

AWS Backup” is incorrect as this is a service which manages backups in a cost-effective, fully managed, policy-based manner.

Although Direct Connect is a service for creating hybrid connections to on-premises data centers, it is a direct physical cable connection and not a storage service.

Question 27

Q

Which AWS service does AWS Snowball Edge natively support?

-AWS Server Migration Service (AWS SMS)
-AWS Database Migration Service (AWS DMS)
-AWS Trusted Advisor
-Amazon EC2

Answer

A

You can run Amazon EC2 compute instances hosted on a Snowball Edge with the sbe1, sbe-c, and sbe-g instance types. The sbe1 instance type works on devices with the Snowball Edge Storage Optimized option. The sbe-c instance type works on devices with the Snowball Edge Compute Optimized option. Both the sbe-c and sbe-g instance types work on devices with the Snowball Edge Compute Optimized with GPU option.

Question 28

Q

A company needs a consistent and dedicated connection between AWS resources and an on-premise system.

Which AWS service can fulﬁl this requirement?

-AWS Direct Connect
-AWS Managed VPN
-AWS DataSync
-Amazon Connect

Answer

A

AWS Direct Connect

An AWS Direct Connect connection is a private, dedicated link to AWS. As it does not use the internet, performance is consistent.

Question 29

Q

According to the AWS shared responsibility model, which task is the customer’s responsibility?

-Maintaining Amazon API Gateway infrastructure.
-Updating the guest operating system on Amazon EC2 instances.
-Updating the operating system of AWS Lambda instances.
-Maintaining the infrastructure needed to run Amazon DynamoDB.

Answer

A

-Updating the guest operating system on Amazon EC2 instances.

Question 30

Q

According to the shared responsibility model, which security-related task is the responsibility of the customer?

-Maintaining physical networking configuration.
-Maintaining server-side encryption.
-Securing servers and racks at AWS data centers.
-Maintaining firewall configurations at a hardware level.

Answer

A

Maintaining server-side encryption.

All client-side and server-side encryption is a responsibility of the customer using the AWS Cloud.

Question 31

Q

According to the AWS Shared responsibility model, which two tasks are the responsibility of AWS? (Select TWO.)

-Provide physical security for Availability Zones.
-Encrypt client-side data and authenticate data integrity.
-Patch the operating system of Amazon S3.
-Manage customer data.
-Perform identity and access management.

Answer

A

-Provide physical security for Availability Zones.
-Patch the operating system of Amazon S3.

Question 32

Q

How can an organization gain access to compliance reports natively through the AWS console?

AWS Certificate Manager (ACM)
AWS Security Hub
AWS Artifact
AWS Identity and Access Management (IAM)

Answer

A

AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. You can access the AWS Artifact console to use AWS Artifact to review, accept, and track the status of AWS agreements

Question 33

Q

How can an organization gain access to compliance reports natively through the AWS console?

AWS Certificate Manager (ACM)
AWS Security Hub
AWS Artifact
AWS Identity and Access Management (IAM)

Answer

A

AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. You can access the AWS Artifact console to use AWS Artifact to review, accept, and track the status of AWS agreements

“AWS Identity and Access Management (IAM)” is incorrect because IAM is related to administering permissions for Users, Groups and Roles within your account, and is not related to compliance.

AWS Security Hub is not a compliance service. AWS Security Hub is a cloud security posture management service that automates best practice checks, aggregates alerts, and supports automated remediation.

“AWS Certificate Manager (ACM)” is incorrect as ACM manages SSL certificates, not compliance.

Question 34

Q

How can an organization take advantage of tiered pricing across multiple business units within an organization?

-Cost Explorer utilization reports.
-AWS Organizations service control policies (SCPs).
-AWS Organizations consolidated billing.
-All Upfront Reserved Instances.

Answer

A

AWS Organizations consolidated billing.

Consolidated billing has the following benefits:

One bill – You get one bill for multiple accounts.

Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.

Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts.

No extra fee – Consolidated billing is offered at no additional cost.

Consolidated billing includes:

Paying Account – independent and cannot access resources of other accounts

Linked Accounts – all linked accounts are independent

Question 35

Q

Which of the following can be used to identify a specific user who terminated an Amazon RDS DB instance?

AWS Trusted Advisor
AWS CloudTrail
Amazon Inspector
Amazon CloudWatch

Answer

A

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.

Question 36

Q

A cloud practitioner needs to migrate a 70 TB of data from an on-premises data center into the AWS Cloud. The company has a slow and unreliable internet connection.

Which AWS service can the cloud practitioner leverage to transfer the data?

Amazon S3 Glacier
-AWS DataSync
-AWS Storage Gateway
-AWS Snowball

Answer

A

AWS Snowball

A Snowball Edge device can hold up to 80 TB so a single device can be used. This transfer method completely avoids the slow and unreliable internet connection.

“AWS DataSync” is incorrect. DataSync uses the internet to transfer data You can utilize Snowcone but that only holds up to 8 TB per device.

Question 37

Q

An application has highly dynamic usage patterns. Which characteristics of the AWS Cloud make it cost-effective for this type of workload? (Select TWO.)

-High availability
-Reliability
-Elasticity
-Strict security
-Pay-as-you-go pricing

Answer

A

-Elasticity
-Pay-as-you-go pricing

Question 38

Q

Which AWS service is used to send both text and email messages from distributed applications?

-Amazon Simple Notiﬁcation Service (Amazon SNS)
-Amazon Simple Email Service (Amazon SES)
-Amazon Simple Queue Service (Amazon SQS)
-Amazon Simple Workflow Service (Amazon SWF)

Answer

A

-Amazon Simple Notiﬁcation Service (Amazon SNS)

Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.

Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints for parallel processing, including Amazon SQS queues, AWS Lambda functions, and HTTP/S webhooks.

Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.Amazon Simple Workflow Service (Amazon SWF)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

Question 39

Q

An eCommerce company plans to use the AWS Cloud to quickly deliver new functionality in an iterative manner, minimizing the time to market.

Which feature of the AWS Cloud provides this functionality?

-Elasticity
-Cost effectiveness
-Agility
-Fault tolerance

Question 40

Q

Which AWS service should a Cloud Practitioner use to establish a secure network connection between an on-premises network and AWS?

-AWS Mobile Hub
-AWS Web Application Firewall (WAF)
-Amazon Virtual Private Cloud (VPC)
-Virtual Private Network

Answer

A

Virtual Private Network

AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

“AWS Mobile Hub” is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services.

“AWS Web Application Firewall (WAF)” is incorrect. This service is used for protecting against common web exploits.

“Amazon Virtual Private Cloud (VPC)” is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.

Question 41

Q

Which cloud architecture design principle is supported by deploying workloads across multiple Availability Zones?

-Design for agility.
-Design for failure.
-Automate infrastructure.
-Enable elasticity.

Answer

A

Design for failure.

Amazon EC2 instances can be deployed in an Amazon VPC across multiple Availability Zones. You would then typically use an Elastic Load Balancer (ELB) to distribute load between the available instances. This architecture enables high availability as if a single instance fails or if something fails that causes an outage in an entire Availability Zone, the application still has available instances to continue to service demand.

Question 42

Q

Which Amazon EC2 tool acts as a virtual firewall to control inbound and outbound traffic to an EC2 instance?

-AWS Shield
-AWS WAF
-Security group
-Network access control list (ACL)

Answer

A

Security group

A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

“Network access control list (ACL)” is incorrect. Although Network ACLs are virtual firewalls which control access within a VPC, Network ACLs exist on the subnet level, not on the instance level.

Question 43

Q

What can a Cloud Practitioner use the AWS Total Cost of Ownership (TCO) Calculator for?

-Enable billing alerts to monitor actual AWS costs compared to estimated costs
-Estimate a monthly bill for the AWS Cloud resources that will be used
-Estimate savings when comparing the AWS Cloud to an on-premises environment
-Generate reports that break down AWS Cloud compute costs by duration, resource, or tags

Answer

A

Estimate savings when comparing the AWS Cloud to an on-premises environment

The TCO calculators allow you to estimate the cost savings when using AWS, compared to on-premises, and provide a detailed set of reports that can be used in executive presentations. The calculators also give you the option to modify assumptions that best meet your business needs.

“Generate reports that break down AWS Cloud compute costs by duration, resource, or tags” is incorrect. This describes the AWS Cost & Usage Report.

“Estimate a monthly bill for the AWS Cloud resources that will be used” is incorrect. This describes the AWS Pricing Calculator (or Simple Monthly Calculator).

“Enable billing alerts to monitor actual AWS costs compared to estimated costs” is incorrect. Billing alerts can be enabled using Amazon CloudWatch.

Question 44

Q

How should an organization deploy an application running on multiple EC2 instances to ensure that a power failure does not cause an application outage?

-Launch the EC2 instances into Edge Locations
-Launch the EC2 instances into different Availability Zones
-Launch the EC2 instances into different VPCs
-Launch the EC2 instances in separate regions

Answer

A

Launch the EC2 instances into different Availability Zones

If you have multiple EC2 instances that are part of an application, you should deploy them into separate availability zones (AZs). Each AZ has redundant power and is also fed from a different grid. AZs also have low-latency network links which is often advantageous for most applications.

If you split your applications across regions you introduce latency which may impact your application. You may also run into data sovereignty issues in some cases.

VPCs within a region use the same underlying infrastructure so deploying into different VPCs may still result in your EC2 instances being deployed into the same AZs.

Question 45

Q

A Cloud practitioner wants to know if there are services which can protect from DDoS (Distributed Denial of Service) attacks directed at AWS services.

Which AWS service or tool will provide this protection?

-Network access control list (ACL)
-AWS Shield
-Security group
-Amazon GuardDuty

Answer

A

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.

There are two tiers of AWS Shield – Standard and Advanced.

Amazon GuardDuty is an intelligent threat detection service which has nothing to do with Distributed Denial of Service (DDoS) protection.

Question 46

Q

What can a Cloud Practitioner do with the AWS Cost Management tools? (Select TWO.)

-Visualize AWS costs by day, service, and linked AWS account.
-Terminate EC2 instances automatically if budget thresholds are exceeded.
-Automatically modify EC2 instances to use Spot pricing to reduce costs.
-Archive data to Amazon Glacier if it is not accessed for a configured period of time.
-Create budgets and receive notifications if current or forecasted usage exceeds the budgets.

Answer

A

-Visualize AWS costs by day, service, and linked
account.
-Create budgets and receive notifications if current or forecasted usage exceeds the budgets.

AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time. It can be used to visualize AWS costs by day, service, and linked AWS account.

AWS Budgets can be used to receive notifications if current or forecasted usage exceeds the budgets.

“Archive data to Amazon Glacier if it is not accessed for a configured period of time” is incorrect. Use lifecycle rules in Amazon S3 to automatically move data between storage classes.

Question 47

Q

A company needs an AWS service that can continuously monitor the company’s AWS account. If there are any changes to the architecture, members of the team must be contacted.

Which service will meet these requirements?

Amazon Macie
Amazon GuardDuty
AWS Config
AWS Trusted Advisor

Answer

A

AWS Config

AWS Config keeps track of all changes to your resources by invoking the Describe or the List API call for each resource in your account. The service uses those same API calls to capture configuration details for all related resources.

AWS Config also tracks the configuration changes that were not initiated by the API. AWS Config examines the resource configurations periodically and generates configuration items for the configurations that have changed.

You can configure alerts to let team members know if resource configurations have changed. AWS Config can send notifications using Amazon SNS topics.

Question 48

Q

A Service Control Policy (SCP) is used to manage the maximum available permissions and is associated with which of the following?

Service control policies (SCPs) manage permissions for which of the following?

-AWS Organizations
-Availability Zones
-AWS Regions
-AWS Global Infrastructure

Answer

A

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs are associated with AWS Organizations and help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled.

Question 49

Q

A Cloud Practitioner wants to configure the AWS CLI for programmatic access to AWS services. Which credential components are required? (Select TWO.)

-An access key ID
-A secret access key
-A public key
-A private key
-An IAM Role

Answer

A

-An access key ID
-A secret access key

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

Question 50

Q

What AWS service, tool, or feature can help companies identify underutilized Amazon EC2 instances and reduce their costs?

-AWS Trusted Advisor
-Consolidated billing
-Cost Explorer
-Amazon Inspector

Answer

A

AWS Trusted Advisor

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. You can then follow the check recommendations to optimize your services and resources.

Question 51

Q

A company is migrating virtual machines (VMs) from their data center to the AWS Cloud. The company plans to deploy these migrated machines on Amazon EC2.

Which cloud computing model will the company use for this operation?

-Software as a Service (SaaS)
-Function as a Service (FaaS)
-Infrastructure as a Service (IaaS)
-Platform as a Service (PaaS)

Answer

A

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) is a type of cloud computing service that offers essential compute, storage, and networking resources on demand, on a pay-as-you-go basis. IaaS is one of the four types of cloud services, along with software as a service (SaaS), platform as a service (PaaS), and Function as a Service (FaaS).

INCORRECT: “Platform as a Service (PaaS)” is incorrect. Platform as a service (PaaS) is a cloud computing model where a third-party provider delivers hardware and software tools to users over the internet. Usually, these tools are needed for application development.

INCORRECT: “Function as a Service (FaaS)” is incorrect, FaaS (Function-as-a-Service) is a type of cloud-computing service that allows you to execute code in response to events i.e. Lambda functions within AWS.

INCORRECT: “Software as a Service (SaaS)” is incorrect. Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted.

Question 52

Q

A company plan to move the application development to AWS. Which benefits can they achieve when developing and running applications in the AWS Cloud compared to on-premises? (Select TWO.)

-AWS can accommodate large changes in application demand.
-AWS will fully manage the entire application.
-AWS automatically replicates all data globally.
-A-WS makes it easy to implement high availability.
-AWS takes care of application security patching.

Answer

A

-AWS can accommodate large changes in application demand.
-A-WS makes it easy to implement high availability.

AWS provides many options for high availability including multiple availability zones within Regions and multiple Regions around the world. There are also many options to leverage durable data storage, message buses, databases.

AWS have a huge global infrastructure with massive amounts of capacity. It is therefore very easy to accommodate large changes in application demand and this can often be seamless to your application.

Question 53

Q

Which of the following is an advantage for a company running workloads in the AWS Cloud vs on-premises? (Select TWO.)

-Less staff time is required to launch new workloads.
-Increased productivity for application development teams.
-Higher acquisition costs to support elastic workloads.
-Lower overall utilization of server and storage systems.
-Increased time to market for new application features.

Answer

A

-Less staff time is required to launch new workloads.
-Increased productivity for application development teams.

Using AWS cloud services can help development teams to be more productive as they spend less time working on the infrastructure layer as it is provided for them. This additionally means launching new workloads requires less time as you can automate the implementation of the application and there is no underlying hardware layer to configure.

Question 54

Q

Which AWS service or feature allows a company to receive a single monthly AWS bill when using multiple AWS accounts?

-AWS Cost Explorer
-Amazon Cloud Directory
-Consolidated billing
-AWS Cost and Usage report

Answer

A

-Consolidated billing

Question 55

Q

A company has a global user base and needs to deploy AWS services that can decrease network latency for their users. Which services may assist? (Select TWO.)

-AWS Global Accelerator
-Amazon CloudFront
-AWS Direct Connect
-Amazon VPC
- Application Auto Scaling

Answer

A

-AWS Global Accelerator
-Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that caches media assets such as files, photos, and videos in Edge locations around the world. This gets your content closer to the user base which decreases latency.

AWS Global Accelerator is a service that can direct users to the nearest AWS Region that contains and endpoint for an application. The service utilizes Edge locations to decrease latency and then forwards all traffic on the AWS global network which also decreases latency.

Question 56

Q

Which of the statements below is correct in relation to Consolidated Billing? (Select TWO.)

-You receive one bill per AWS account
-You can combine usage and share volume pricing discounts
-You pay a fee per linked account
-You are charged a fee per user
-You receive a single bill for multiple accounts

Answer

A

-You can combine usage and share volume pricing discounts
-You receive a single bill for multiple accounts

Question 57

Q

Which AWS service should a Cloud Practitioner use to automate conﬁguration management using Puppet?

-AWS CloudFormation
-AWS Conﬁg
-AWS OpsWorks
-AWS Systems Manager

Answer

A

AWS OpsWorks

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.

OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments,

AWS CloudFormation provides a common language for you to model and provision AWS and third party application resources in your cloud environment.

“AWS Systems Manager” is incorrect. AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.

Question 58

Q

Which of the following statements are security principles within the AWS Well-Architected Framework? (Select TWO.)

-Protect data in transit and at rest.
-Monitor, alert, and audit actions and changes to AWS resources.
-Analyze and attribute expenditures.
-Deploy globally in minutes.
-Perform operations as code.

Answer

A

-Protect data in transit and at rest.
-Monitor, alert, and audit actions and changes to AWS resources.

Ongoing monitoring with alerting and remediation actions is a critical part of a coherent security posture. With ongoing monitoring, you can make sure any potential threats or security concerns can be remediated as soon as possible.

Secondly, protecting data both in transit and at rest is a vital part of a security procedure which ensures that no data is read by anyone who shouldn’t have access to it.

Question 59

Q

Amazon S3 is typically used for which of the following use cases? (Select TWO.)

-In-memory data cache
-Media hosting
-Install an operating system
-Host a static website
-Message queue

Answer

A

-Media hosting
-Host a static website

Amazon S3 is an object storage system. Typical use cases include: Backup and storage, application hosting, media hosting, software delivery and hosting a static website.

Question 60

Q

What is the function of Amazon EC2 Auto Scaling?

-Automatically modifies the network throughput of EC2 instances, based on demand.
-Scales the number of EC2 instances in or out automatically, based on demand.
-Scales the size of EC2 instances up or down automatically, based on demand.
-Automatically updates the EC2 pricing model, based on demand.

Answer

A

-Scales the number of EC2 instances in or out automatically, based on demand.

Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet. You can also use the dynamic and predictive scaling features of EC2 Auto Scaling to add or remove EC2 instances.

Question 61

Q

Which on-premises costs must be included in a Total Cost of Ownership (TCO) calculation when comparing against the AWS Cloud? (Select TWO.)

-Operating system administration
-Project management services
-Network infrastructure in the data center
-Physical compute hardware
-Database schema development

Answer

A

-Network infrastructure in the data center
-Physical compute hardware

When performing a TCO analysis you must include all costs you are currently incurring in the on-premises environment that you will not pay for in the AWS Cloud. This should include labor costs for activities that will be reduced or eliminated. Labor costs that will continue to be incurred in the cloud need not be included.

Question 62

Q

Which service can a Cloud Practitioner use to configure custom cost and usage limits and enable alerts for when defined thresholds are exceeded?

-Consolidated billing
-AWS Trusted Advisor
-Cost Explorer
-AWS Budgets

Answer

A

-AWS Budgets

AWS Budgets allows you to set custom budgets to track your cost and usage. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold, or when your actual RI and Savings Plans’ utilization or coverage drops below your desired threshold.

This service is used for exploring the costs incurred within your account.

Question 63

Q

A Cloud Practitioner noticed that IP addresses that are owned by AWS are being used to attempt to flood ports on some of the company’s systems.

To whom should the issue be reported?

-AWS Technical Account Manager (TAM)
-AWS Trust & Safety team
-AWS Partner Network (APN)
-AWS Professional Services

Answer

A

AWS Trust & Safety team

If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com. Provide all the necessary information, including logs in plaintext, email headers, and so on, when you submit your request.

Question 64

Q

Which of the following should be used to improve the security of access to the AWS Management Console? (Select TWO.)

-AWS Multi-Factor Authentication (AWS MFA)
-Security group rules
-AWS Certiﬁcate Manager
-Strong password policies
-AWS Secrets Manager

Answer

A

-AWS Multi-Factor Authentication (AWS MFA)
-Strong password policies

Answer 64

A

-Amazon ECS
-AWS Lambda

The Amazon Elastic Container Service (ECS) is a compute service that allows you to run Docker containers as tasks on AWS. AWS Lambda is a function as a service offering that provides the ability to run compute functions in response to triggers.

Answer 65

A

AWS Storage Gateway

AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.

These include moving tape backups to the cloud, reducing on-premises storage with cloud-backed file shares, providing low latency access to data in AWS for on-premises applications, as well as various migration, archiving, processing, and disaster recovery use cases.

Answer 66

A

AWS Elastic Beanstalk

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

. LightSail is a good service to use when you don’t have good knowledge of AWS. However, you cannot deploy a scalable node.js application into a VPC.

CloudFormation is used for automating the deployment of infrastructure resources in AWS.

Answer 67

A

-Updating Amazon EC2 host firmware

Answer 68

A

-User control of physical infrastructure
-Capital expenses are replaced with variable expenses

Answer 69

A

-Create individual IAM users.
-Use groups to assign permissions to IAM users.

This is the list of valid IAM best practices:

Lock away your AWS account root user access keys

Create individual IAM users

Use groups to assign permissions to IAM users

Grant least privilege

Get started using permissions with AWS managed policies

Use customer managed policies instead of inline policies

Use access levels to review IAM permissions

Configure a strong password policy for your users

Enable MFA

Use roles for applications that run on Amazon EC2 instances

Use roles to delegate permissions

Do not share access keys

Rotate credentials regularly

Remove unnecessary credentials

Use policy conditions for extra security

Monitor activity in your AWS account

Video presentation about IAM best practices

Answer 70

A

-AWS IAM role

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

Answer 71

A

One or more physical data centers

An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZ’s give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.

Answer 72

A

-AWS Personal Health Dashboard

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.

The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.

Answer 73

A

-Amazon EMR

Amazon Elastic Map Reduce (EMR) is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3.

Answer 74

A

-Implement Auto Scaling groups to add and remove instances based on demand.
-Purchase Amazon EC2 Reserved Instances.

Cost optimization can include using Auto Scaling groups to scale the number of EC2 instances according to actual demand. Also, using Amazon EC2 reserved instances for suitable workloads is a good way of optimizing costs over the longer term.

Brainscape's Knowledge GenomeTM

AWS Practice Exam 2 Flashcards

Brainscape's Knowledge Genome^TM