AWS Practice Exam 4 Flashcards
Which AWS service monitors AWS accounts continuously for malicious activity and unauthorized behavior?
-Amazon Inspector
-AWS Config
-Amazon GuardDuty
-Amazon Macie
-Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Amazon Macie helps identify PII data within S3 buckets and does not detect threats.
An organization is migrating to AWS Cloud. During the migration, the company needs consulting and guidance on its applications. Upon completion of the migration, the company requires a response within 30 minutes in the event of a business-critical system failure.
Which AWS Support plans meet these requirements? (Select TWO.)
-AWS Business Support
-AWS Developer Support
-AWS Enterprise On-Ramp Support
-AWS Basic Support
-AWS Enterprise Support
-AWS Enterprise On-Ramp Support
-AWS Enterprise Support
AWS Enterprise Support is a support plan that provides a response time of less than 15 minutes for business-critical system failures, and AWS Enterprise On-Ramp provides a response time of less than 30 minutes for business-critical system failures.
A company wants to push VPC flow logs to Amazon S3.
What action is the company responsible for under the Shared Responsibility Model?
-Managing the encryption options on the S3 bucket.
-Managing the operating system updates on the S3 bucket.
-Managing the data in transit.
-Managing the infrastructure that runs the S3 bucket.
The company is responsible for enabling encryption on the bucket because the customer is responsible for the data within the bucket, and the way it is protected using things like Bucket Policies, permissions, and encryption.
“Managing the data in transit” is incorrect. When you push VPC flow logs to S3 this will be done over the AWS backbone, meaning that it will be encrypted by default and the customer has no insight into this.
There is a need to perform queries and to search and analyze logs interactively within an organization.
Which AWS service or feature will meet this requirement?
-Amazon EventBridge (Amazon CloudWatch Events).
-Amazon CloudWatch anomaly detection.
-Amazon CloudWatch Logs Insights.
-Amazon CloudWatch Logs streams.
Amazon CloudWatch Logs Insights.
CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.
“Amazon EventBridge (Amazon CloudWatch Events)” is incorrect. Amazon EventBridge is a serverless event bus that ingests data from your own apps, SaaS apps and AWS services and routes that data to targets.
An IT company requires a private, encrypted channel of communication between its on-premises data center and a VPC in the AWS Cloud.
Which AWS service or feature meets this requirement?
-VPC endpoints
-AWS Site-to-Site VPN
-AWS Global Accelerator
-AWS PrivateLink
AWS PrivateLink
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.
A VPC endpoint enables users to privately connect their VPC to supported AWS services and does not connect AWS to an on-premises network.
AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low. It is not used as a tool to communicate between your VPC and on-premises environments.
“AWS Site-to-Site VPN” is incorrect, because although traffic can be encrypted between a VPC and on-premises environments, it travels over the public internet, and therefore it is not suitable for the needs of the IT company.
How can I deploy AWS Cloud infrastructure to multiple AWS Regions quickly, automatically, and reliably?
-Create and launch an Amazon EC2 Amazon Machine Image (AMI) containing the source code with built-in deployment hooks to launch other AWS services.
-Use AWS Systems Manager to automate management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches.
-Create and use an AWS CloudFormation template.
-Use AWS CodeStar to set up a continuous delivery toolchain for automated deployment.
Create and use an AWS CloudFormation template.
AWS CloudFormation is an Infrastructure as Code (IaC) tool which allows users to provision infrastructure services using either JSON or YAML. With AWS CloudFormation you can easily provision the same resources in a different Region.
Which AWS service should be used to create a billing alarm?
-Amazon QuickSight
-AWS Trusted Advisor
-AWS CloudTrail
-Amazon CloudWatch
-Amazon CloudWatch
You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.
Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
The alarm triggers when your account billing exceeds the threshold you specify. It triggers only when actual billing exceeds the threshold. It doesn’t use projections based on your usage so far in the month.
Which AWS service provides a quick and automated way to create and manage AWS accounts?
-Amazon Connect
-AWS Organizations
-Amazon LightSail
-AWS QuickSight
AWS Organizations
AWS Organizations is a web service that enables you to consolidate your multiple AWS accounts into an organization and centrally manage your accounts and their resources. The AWS Organizations API can be used to create AWS accounts and this can be automated through code.
LightSail offers virtual servers (instances) that are easy to set up and backed by the power and reliability of AWS.
Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?
-Group Advisor
-Permissions Advisor
-Access Advisor
-Role Advisor
Access Advisor
The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.”
That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy.
When an Amazon EC2 instance is stopped, which of the following AWS services can be used to identify the user who stopped it?
-AWS CloudTrail
-Amazon Inspector
-Amazon CloudWatch
-VPC Flow Logs
AWS CloudTrail
AWS CloudTrail tracks API calls that are made within a particular AWS account. It will track the API call made, the IP address it originated from, and which IAM principal initiated the action; in this case it will capture who stopped an EC2 instance.
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
Remote employees need access to managed Windows virtual desktops and applications over secure networks.
Which AWS services can the company use to meet these requirements? (Select TWO.)
-Amazon Connect
-Amazon AppStream 2.0
-Amazon Workspaces
-Amazon Elastic Container Service (Amazon ECS)
-AWS Site-to-Site VPN
-Amazon Workspaces
-AWS Site-to-Site VPN
Amazon Workspaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device.
To secure your network you would use the AWS Site-to-Site VPN. AWS Site-to-Site VPN allows you to encrypt traffic across your networks.
Amazon AppStream is a non-persistent desktop and application service for remotely accessing your work. The non-persistent feature of this service would make the product unsuitable.
It is necessary for a company to have access to scalable, highly reliable, and fully managed file storage that runs on the Server Message Block (SMB) protocol.
Which AWS service will meet these requirements?
-Amazon Elastic Block Store (Amazon EBS).
-Amazon FSx for Windows File Server.
-Amazon Elastic File System (Amazon EFS).
-Amazon S3.
Amazon FSx for Windows File Server.
Amazon FSx for Windows File Server provides fully managed Microsoft Windows file servers, backed by a fully native Windows file system. Amazon FSx supports a broad set of enterprise Windows workloads with fully managed file storage built on Microsoft Windows Server. Amazon FSx has native support for Windows file system features and for the industry-standard Server Message Block (SMB) protocol to access file storage over a network.
“Amazon Elastic File System (Amazon EFS)” is incorrect. Although it is a file system, it is a Linux-based file system which uses the NFS protocol, not SMB like a Windows server.
“Amazon Elastic Block Store (Amazon EBS)” is incorrect. This service is a block-based storage system, not a file-based storage system. SMB is a file-based storage protocol.
Which service can be added to a database to provide improved performance for some requests?
-Amazon ElastiCache
-Amazon RedShift
-Amazon RDS
-Amazon EFS
Amazon ElastiCache
Amazon ElastiCache provides in-memory caching which improves performance for read requests when the data is cached in ElastiCache. ElastiCache can be placed in front of your database.
An organization is migrating its application from on-premises SQL Server to AWS. As part of the migration, the company wants to reduce operational overhead, but lacks the resources to refactor the application.
Which database service would MOST effectively support these requirements?
-Amazon RDS for SQL Server
-Microsoft SQL Server on Amazon EC2
-Amazon Redshift
-Amazon DynamoDB
Amazon RDS for SQL Server
Amazon RDS for SQL Server is a fully managed SQL database service which you can migrate your on-premises database into. You do not need to refactor or change your on-premises database and you can perform homogeneous migrations with ease.
A system administrator discovers that several Amazon EC2 instances have been terminated. It is the responsibility of the system administrator to identify the user or AWS API call that terminated these instances.
Which AWS service should the system administrator use to meet this requirement?
Amazon Detective
AWS Trusted Advisor
AWS CloudTrail
Amazon Inspector
AWS CloudTrail
“Amazon Inspector” is incorrect. Inspector is a fully managed vulnerability assessment tool, which doesn’t track who is performing what actions within an account.
“Amazon Detective” is incorrect. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. It does not however track API calls within an account.
AWS Business Support customers have access to which of the following?
AWS Health API
AWS DDoS Response Team (DRT)
AWS Support concierge
AWS technical account manager (TAM)
AWS Health API
The AWS Health API is available to all Business, Enterprise On-Ramp, or Enterprise Support customers. You can use the API operations to get information about events that might affect your AWS services and resources.
“AWS DDoS Response Team (DRT)” is incorrect. This is not available through a support plan, but through the AWS Shield Advanced service.
“AWS technical account manager (TAM)” is incorrect. You get a dedicated AWS TAM when you have Enterprise Support, and you get access to a pool of TAMs when you are using Enterprise On-Ramp.
“AWS Support concierge” is incorrect. This is only available to Enterprise Support customers.
Which AWS service lets you add user sign up, sign-in and access control to web and mobile apps?
AWS CloudHSM
AWS Artifact
Amazon Cognito
AWS Directory Service
Amazon Cognito
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
As part of its cloud architecture, a company wants its workloads to be resilient, perform correctly, consistently, and recover from errors in a timely manner.
Which pillar of the AWS Well-Architected Framework are these requirements related to?
Security
Performance efficiency
Operational excellence
Reliability
Reliability
The Reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Security simply refers to the ability to ensure your workloads and infrastructure are safe from attack or from exploitation.
The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations, and it does not include initial resilience and recovery of workloads.
The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve.
In AWS IAM, what are the characteristics of users and groups? (Select TWO.)
-Groups can be nested and can contain other groups.
-A user can only be a member of a single group at one time.
-A user can be a member of multiple groups.
-Groups can contain users only and cannot be nested.
-All new users are automatically added to a default group.
A user can be a member of multiple groups.
Groups can contain users only and cannot be nested.
In IAM, a user can be a member of multiple groups. One IAM user can be a part of a maximum of 5 groups. Also, groups are a flat hierarchy of users with similar permissions, and you cannot place a group within another group.
The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept?
Economy of scale
Elasticity
High availability
Agility
Elasticity
Which of the following are advantages of the AWS Cloud? (Select TWO.)
AWS manages capacity planning for physical servers
AWS manages the security of applications built on AWS
AWS manages the development of applications on AWS
AWS manages the maintenance of the cloud infrastructure
AWS manages cost planning for virtual servers
-AWS manages capacity planning for physical servers
-AWS manages the maintenance of the cloud infrastructure
What does an organization need to do to move to another AWS region?
Apply for another AWS account in that region
Submit an application to extend their account to the additional region
Create a separate IAM account for that region
Just start deploying resources in the additional region
Just start deploying resources in the additional region
You don’t need to do anything except start deploying resources in the new region. With the AWS cloud you can use any region around the world at any time. There is no need for a separate account, and IAM is a global service.
A company is considering migrating from on-premises to the AWS Cloud. In order to handle the workload efficiently, the IT team needs to offload this heavy lifting as much as possible.
What should the IT team do to accomplish this goal?
Build hardware refreshes into the operational calendar to ensure availability.
Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 instances.
Use AWS Managed Services to provision, run, and support the company infrastructure.
Overprovision compute capacity for seasonal events and traffic spikes to prevent downtime.
Use AWS Managed Services to provision, run, and support the company infrastructure.
AWS Managed Services (AMS) helps you adopt AWS at scale and operate more efficiently and securely. We leverage standard AWS services and offer guidance and execution of operational best practices with specialized automations, skills, and experience that are contextual to your environment and applications. You can easily leave a lot of the heavy lifting to AWS when you are using managed services.
Which AWS service enables hybrid cloud storage between on-premises and the AWS Cloud?
Amazon CloudFront
AWS Storage Gateway
Amazon Elastic File System (EFS)
Amazon S3 Cross Region Replication (CRR)
AWS Storage Gateway
The AWS Storage Gateway service enables hybrid cloud storage between on-premises environments and the AWS Cloud. It seamlessly integrates on-premises enterprise applications and workflows with Amazon’s block and object cloud storage services through industry standard storage protocols.
What does an organization need to do in Amazon IAM to enable user access to services being launched in a new region?
Nothing, IAM is global
Update the user accounts to allow access from another region
Create new user accounts in the new region
Enable global mode in IAM to provision the required access
Nothing, IAM is global
IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions.
How can consolidated billing within AWS Organizations help lower overall monthly expenses?
By leveraging service control policies (SCP) for centralized service management
By providing a consolidated view of monthly billing across multiple accounts
By pooling usage across multiple accounts to achieve a pricing tier discount
By automating the creation of new accounts through APIs
By pooling usage across multiple accounts to achieve a pricing tier discount
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.