AWS Practice Exam 4 Flashcards

1
Q

Which AWS service monitors AWS accounts continuously for malicious activity and unauthorized behavior?

-Amazon Inspector
-AWS Config
-Amazon GuardDuty
-Amazon Macie

A

-Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Amazon Macie helps identify PII data within S3 Bucket and does not detect threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

An organization is migrating to AWS Cloud. During the migration, the company needs consulting and guidance on its applications. Upon completion of the migration, the company requires a response within 30 minutes in the event of a business-critical system failure.

Which AWS Support plans meet these requirements? (Select TWO.)

  • AWS Business Support
    -AWS Developer Support
    -AWS Enterprise On-Ramp Support
    -AWS Basic Support
    -AWS Enterprise Support
A

-AWS Enterprise On-Ramp Support
-AWS Enterprise Support

AWS Enterprise Support is a support plan which provides a less than 15 minutes response time for business-critical system failure, and AWS Enterprise On-Ramp provides a less than 30 minutes response time for business-critical system failure.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A company wants to push VPC flow logs to Amazon S3.

What action is the company responsible for under the Shared Responsibility Model?

-Managing the encryption options on the S3 bucket.
-Managing the operating system updates on the S3 bucket.
-Managing the data in transit.
-Managing the infrastructure that runs the S3 bucket.

A

The company is responsible for enabling encryption on the bucket because the customer is responsible for the data within the bucket, and the way it is protected using things like Bucket Policies, permissions, and encryption.

“Managing the data in transit” is incorrect. When you push VPC flow logs to S3 this will be done over the AWS backbone, meaning that it will be encrypted by default and the customer has no insight into this.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

There is a need to perform queries and to search and analyze logs interactively within an organization.

Which AWS service or feature will meet this requirement?

-Amazon EventBridge (Amazon CloudWatch Events).
-Amazon CloudWatch anomaly detection.
-Amazon CloudWatch Logs Insights.
-Amazon CloudWatch Logs streams.

A

Amazon CloudWatch Logs Insights.

CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.

“Amazon EventBridge (Amazon CloudWatch Events)” is incorrect. Amazon EventBridge is a serverless event bus that ingests data from your own apps, SaaS apps and AWS services and routes that data to targets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

An IT company requires a private, encrypted channel of communication between its on-premises data center and a VPC in the AWS Cloud.

Which AWS service or feature meets this requirement?

-VPC endpoints
-AWS Site-to-Site VPN
-AWS Global Accelerator
-AWS PrivateLink

A

AWS PrivateLink

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

A VPC endpoint enables users to privately connect their VPC to supported AWS services and does not connect AWS to an on-premises network.

AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low. It is not used as a tool to communicate between your VPC and on-premises environments.

“AWS Site-to-Site VPN” is incorrect, because although traffic can be encrypted between a VPC and on-premises environments, it is over the public interview therefore it is not suitable for the needs of the IT company.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

How can I deploy AWS Cloud infrastructure to multiple AWS Regions quickly, automatically, and reliably?

-Create and launch an Amazon EC2 Amazon Machine Image (AMI) containing the source code with built-in deployment hooks to launch other AWS services.
-Use AWS Systems Manager to automate management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches.
-Create and use an AWS CloudFormation template.
Use AWS CodeStar to set up a continuous delivery toolchain for automated deployment.

A

Create and use an AWS CloudFormation template.

AWS CloudFormation is an Infrastructure as Code (IaC) tool which allows users to provision infrastructure services using either JSON or YAML. With AWS CloudFormation you can easily provision resources in a different Region easily.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which AWS service should be used to create a billing alarm?

-Amazon QuickSight
-AWS Trusted Advisor
-AWS CloudTrail
-Amazon CloudWatch

A

-Amazon CloudWatch

You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.

Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.

The alarm triggers when your account billing exceeds the threshold you specify. It triggers only when actual billing exceeds the threshold. It doesn’t use projections based on your usage so far in the month.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which AWS service provides a quick and automated way to create and manage AWS accounts?

-Amazon Connect
-AWS Organizations
-Amazon LightSail
-AWS QuickSight

A

AWS Organizations

AWS Organizations is a web service that enables you to consolidate your multiple AWS accounts into an organization and centrally manage your accounts and their resources. The AWS Organizations API can be used to create AWS accounts and this can be automated through code.

LightSail offers virtual servers (instances) that are easy to set up and backed by the power and reliability of AWS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?

-Group Advisor
-Permissions Advisor
-Access Advisor
-Role Advisor

A

Access Advisor

The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.”

That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

When an Amazon EC2 instance is stopped, which of the following AWS services can be used to identify the user who stopped it?

-AWS CloudTrail
-Amazon Inspector
-Amazon CloudWatch
-VPC Flow Logs

A

AWS CloudTrail

AWS CloudTrail tracks API calls that are made within a particular AWS account. it will track the API call made, the IP address it originated from and which IAM principal initiated the action and in this case will capture who stopped an EC2 instance.

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Remote employees need access to managed Windows virtual desktops and applications over secure networks.

Which AWS services can the company use to meet these requirements? (Select TWO.)

-Amazon Connect
-Amazon AppStream 2.0
-Amazon Workspaces
-Amazon Elastic Container Service (Amazon ECS)
-AWS Site-to-Site VPN

A

-Amazon Workspaces
-AWS Site-to-Site VPN

Amazon Workspaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device.

To secure your network you would use the AWS Site-to-Site VPN. AWS Site-to-Site VPN allows you to encrypt traffic across your networks.

Amazon AppStream is a non-persistent desktop and application service for remotely accessing your work. The non-persistent feature of this service would make the product unsuitable.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

It is necessary for a company to have access to scalable, highly reliable, and fully managed file storage that runs on the Server Message Block (SMB) protocol.

Which AWS service will meet these requirements?

-Amazon Elastic Block Store (Amazon EBS).
-Amazon FSx for Windows File Server.
-Amazon Elastic File System (Amazon EFS).
-Amazon S3.

A

Amazon FSx for Windows File Server.

Amazon FSx for Windows File Server provides fully managed Microsoft Windows file servers, backed by a fully native Windows file system. Amazon FSx supports a broad set of enterprise Windows workloads with fully managed file storage built on Microsoft Windows Server. Amazon FSx has native support for Windows file system features and for the industry-standard Server Message Block (SMB) protocol to access file storage over a network.

“Amazon Elastic File System (Amazon EFS)” is incorrect. Although it is a file, it is a Linux based file system which uses the NFS protocol, not the SMB like a Windows server.

“Amazon Elastic Block Store (Amazon EBS)” is incorrect. This service is a block-based storage system, not a file-based storage system. SMB is a file-based storage protocol.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which service can be added to a database to provide improved performance for some requests?

-Amazon ElastiCache
-Amazon RedShift
-Amazon RDS
-Amazon EFS

A

Amazon ElastiCache

Amazon ElastiCache provides in-memory caching which improves performance for read requests when the data is cached in ElastiCache. ElastiCache can be placed in front of your database.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

An organization is migrating its application from on-premises SQL Server to AWS. As part of the migration, the company wants to reduce operational overhead, but lacks the resources to refactor the application.

Which database service would MOST effectively support these requirements?

-Amazon RDS for SQL Server
-Microsoft SQL Server on Amazon EC2
-Amazon Redshift
-Amazon DynamoDB

A

Amazon RDS for SQL Server

Amazon RDS for SQL Server is a fully managed SQL database service which you can migrate your on-premises database into. You do not need to refactor or change your on-premises database and you can perform homogeneous migrations with ease.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

A system administrator discovers that several Amazon EC2 instances have been terminated. It is the responsibility of the system administrator to identify the user or AWS API call that terminated these instances.

Which AWS service should the system administrator use to meet this requirement?

Amazon Detective
AWS Trusted Advisor
AWS CloudTrail
Amazon Inspector

A

AWS CloudTrail

“Amazon Inspector” is incorrect. Inspector is a fully managed vulnerability assessment tool, which doesn’t track who is performing what actions within an account.

“Amazon Detective” is incorrect. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. It does not however track API calls within an account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

AWS Business Support customers have access to which of the following?

AWS Health API
AWS DDoS Response Team (DRT)
AWS Support concierge
AWS technical account manager (TAM)

A

AWS Health API

The AWS Health API is available to all Business, Enterprise On-Ramp, or Enterprise Support customers. You can use the API operations to get information about events that might affect your AWS services and resources.

AWS DDoS Response Team (DRT)” is incorrect. This is not available through a support plan, but through the AWS Shield Advanced service.

“AWS technical account manager (TAM)” is incorrect. You get a dedicated AWS TAM when you have Enterprise Support, and you get access to a pool of TAMs when you are using Enterprise On-Ramp.

AWS Support concierge” is incorrect. This is only available to Enterprise Support customers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Which AWS service lets you add user sign up, sign-in and access control to web and mobile apps?

AWS CloudHSM
AWS Artifact
Amazon Cognito
AWS Directory Service

A

Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

As part of its cloud architecture, a company wants its workloads to be resilient, perform correctly, consistently, and recover from errors in a timely manner.

Which pillar of the AWS Well-Architected Framework are these requirements related to?

Security
Performance efficiency
Operational excellence
Reliability

A

Reliability

The Reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.

Security simply refers to the ability to ensure your workloads and infrastructure are safe from attack or from exploitation.

The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations, and it does not include initial resilience and recovery of workloads.

The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

In AWS IAM, what are the characteristics of users and groups? (Select TWO.)

-Groups can be nested and can contain other groups.
-A user can only be a member of a single group at one time.
-A user can be a member of multiple groups.
-Groups can contain users only and cannot be nested.
-All new users are automatically added to a default group.

A

A user can be a member of multiple groups.
Groups can contain users only and cannot be nested.

In IAM, a user can be a member of multiple groups. One IAM user can be a part of a maximum of 5 groups. Also Groups are a flat hierarchy of users with similar permissions, and you cannot place a group within another group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept?

Economy of scale
Elasticity
High availability
Agility

A

Elasticity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Which of the following are advantages of the AWS Cloud? (Select TWO.)

AWS manages capacity planning for physical servers
AWS manages the security of applications built on AWS
AWS manages the development of applications on AWS
AWS manages the maintenance of the cloud infrastructure
AWS manages cost planning for virtual servers

A

-AWS manages capacity planning for physical servers
-AWS manages the maintenance of the cloud infrastructure

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What does an organization need to do to move to another AWS region?

Apply for another AWS account in that region
Submit an application to extend their account to the additional region
Create a separate IAM account for that region
Just start deploying resources in the additional region

A

Just start deploying resources in the additional region

You don’t need to do anything except start deploying resources in the new region. With the AWS cloud you can use any region around the world at any time. There is no need for a separate account, and IAM is a global service.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

A company is considering migrating from on-premises to the AWS Cloud. In order to handle the workload efficiently, the IT team needs to offload this heavy lifting as much as possible.

What should the IT team do to accomplish this goal?

Build hardware refreshes into the operational calendar to ensure availability.
Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 instances.
Use AWS Managed Services to provision, run, and support the company infrastructure.
Overprovision compute capacity for seasonal events and traffic spikes to prevent downtime.

A

Use AWS Managed Services to provision, run, and support the company infrastructure.

AWS Managed Services (AMS) helps you adopt AWS at scale and operate more efficiently and securely. We leverage standard AWS services and offer guidance and execution of operational best practices with specialized automations, skills, and experience that are contextual to your environment and applications. You can easily leave a lot of the heavy lifting to AWS when you are using managed services.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Which AWS service enables hybrid cloud storage between on-premises and the AWS Cloud?

Amazon CloudFront
AWS Storage Gateway
Amazon Elastic File System (EFS)
Amazon S3 Cross Region Replication (CRR)

A

AWS Storage Gateway

The AWS Storage Gateway service enables hybrid cloud storage between on-premises environments and the AWS Cloud. It seamlessly integrates on-premises enterprise applications and workflows with Amazon’s block and object cloud storage services through industry standard storage protocols.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What does an organization need to do in Amazon IAM to enable user access to services being launched in new region?

Nothing, IAM is global
Update the user accounts to allow access from another region
Create new user accounts in the new region
Enable global mode in IAM to provision the required access

A

Nothing, IAM is global

AM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

How can consolidated billing within AWS Organizations help lower overall monthly expenses?

By leveraging service control policies (SCP) for centralized service management
By providing a consolidated view of monthly billing across multiple accounts
By pooling usage across multiple accounts to achieve a pricing tier discount
By automating the creation of new accounts through APls

A

By pooling usage across multiple accounts to achieve a pricing tier discount

You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

An organization has multiple AWS accounts and uses a mixture of on-demand and reserved instances. One account has a considerable amount of unused reserved instances. How can the organization reduce their costs? (Select TWO.)

Redeem their reserved instances
Use Spot instances instead
Create an AWS Organization configuration linking the accounts
Switch to using placement groups
Setup consolidated billing between the accounts

A

-Create an AWS Organization configuration linking the
-Setup consolidated billing between the accounts

AWS organizations allow you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Unused reserved instances (RIs) for EC2 are applied across the group so the organization can utilize their unused reserved instance instead of consuming on-demand instances which will lower their costs.

28
Q

What is the benefit of using fully managed services compared to deploying 3rd party software on EC2?

You don’t need to back-up your data
Improved security
Reduced operational overhead
You have greater control and flexibility

A

Reduced operational overhead

Fully managed services reduce your operational overhead as AWS manage not just the infrastructure layer but the service layers above it. Examples are Amazon Aurora and Amazon ElastiCache where the database is managed for you.

29
Q

The AWS acceptable use policy for penetration testing allows?

Customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for selected services
AWS to perform penetration testing against customer resources without notification
Authorized security assessors to perform penetration tests against any AWS customer without authorization
Customers to carry out security assessments or penetration tests against their AWS infrastructure after obtaining authorization from AWS

A

Customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for selected services

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for the following eight services:

Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.

Amazon RDS.

Amazon CloudFront.

Amazon Aurora.

Amazon API Gateways.

AWS Lambda and Lambda Edge functions.

Amazon LightSail resources.

Amazon Elastic Beanstalk environments.

30
Q

In order to perform analytical tasks, a company needs a data warehouse. Standard SQL queries must be supported by the data warehouse.

Which AWS service meets these requirements?

Amazon RDS
Amazon Redshift
Amazon Athena
Amazon EMR

A

Amazon Redshift

Amazon Redshift uses SQL to analyze structured and semi-structured data across data warehouses, operational databases, and data lakes, using AWS-designed hardware and machine learning to deliver the best price performance at any scale.

Data warehouses are built on databases designed for online analytics processing (OLAP) use cases.

31
Q

An organization has an on-premises cloud and accesses their AWS Cloud over the Internet. How can they create a private hybrid cloud connection that avoids the internet?

AWS Managed VPN
AWS Direct Connect
AWS VPN CloudHub
AWS VPC Endpoint

A

AWS Direct AWS Direct Connect

Connect is a low-latency, high-bandwidth, private connection to AWS. This can be used to create a private hybrid cloud connection between on-premises and the AWS Cloud.

32
Q

Which of the following need to be included in a total cost of ownership (TCO) analysis? (Select TWO.)

Data center security costs
Company wide marketing
IT Manager salary
Facility equipment installation
Application development

A

Data center security costs
Facility equipment installation

To perform a TCO you need to document all of the costs you’re incurring today to run your IT operations. That includes facilities equipment installation and data center security costs. That way you get to compare the full cost of running your IT on-premises today, to running it in the cloud.

33
Q

When performing a total cost of ownership (TCO) analysis between on-premises and the AWS Cloud, which factors are only relevant to on-premises deployments? (Select TWO.)

Application licensing
Hardware procurement teams
Operating system licensing
Facility operations costs
Database administration

A

Hardware procurement teams
Facility operations costs

Facility operations and hardware procurement costs are something you no longer need to pay for in the AWS Cloud. These factors therefore must be included as an on-premise cost so you can understand the cost of staying in your own data centers.

Database administration, operating system licensing and application licensing will still be required in the AWS Cloud.

34
Q

Which statement is correct in relation to the AWS Shared Responsibility Model?

Customers are responsible for security of the cloud
AWS are responsible for encrypting customer data
Customers are responsible for patching storage systems
AWS are responsible for the security of regions and availability zones

A

AWS are responsible for the security of regions and availability zones

AWS are responsible for “Security of the Cloud”. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services, and this includes regions, availability zones and edge locations.

Customers are responsible for “Security in the Cloud”. This includes encrypting customer data, patching operating systems but not patching or maintaining the underlying infrastructure.

35
Q

Which of the following is a benefit of moving to the AWS Cloud?

Long term commitments
Capital purchases
Outsource all IT operations
Pay for what you use

A

Pay for what you use

With the AWS cloud you pay for what you use. This is a significant advantage compared to on-premises infrastructure where you need to purchase more equipment than you need to allow for peak capacity. You also need to pay for that equipment upfront.

36
Q

The AWS shared responsibility model is included in which pillar of the AWS Well-Architected Framework?

Performance efficiency
Operational excellence
Security
Reliability

A

Security

Security and compliance are shared responsibilities between AWS and the customer. Depending on the services deployed, this shared model can help relieve the customer’s operational burden. This is because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

37
Q

A company needs significant cost savings for their non-interruptible workloads on AWS.

Which EC2 instance pricing model should the company select?

Spot Instances
Dedicated Hosts
On-Demand Instances
Reserved Instances

A

Reserved Instances

Reserved instances allow a customer to use on-demand EC2 instances at a discounted price based on a commitment of usage. If you require cost optimization of non-interruptible workloads, you can use Reserved instances to provide discounts on your EC2 spend.

38
Q

Which AWS services are delivered globally rather than regionally? (Select TWO.)

Amazon VPC
Amazon Route 53
Amazon CloudFront
Amazon EC2
Amazon RDS

A

Amazon Route 53
Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) service that helps you distribute your static and dynamic content quickly and reliably with high speed globally.

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service which is also deployed globally.

39
Q

Which team is available to support AWS customers on an Enterprise support plan with account issues?

AWS Technical Account Manager
AWS Concierge
AWS Billing and Accounts
AWS Technical Support

A

AWS Concierge

Included as part of the Enterprise Support plan, the Support Concierge Team are AWS billing and account experts that specialize in working with enterprise accounts.

The Technical Account Manager provides expert monitoring and optimization for your environment and coordinates access to other programs and experts.

40
Q

What is the main benefit of the principle of “loose coupling”?

Automate the deployment of infrastructure using code
Enables applications to scale automatically based on current demand
Reduce operational complexity
Reduce interdependencies so a failure in one component does not cascade to other components

A

Reduce interdependencies so a failure in one component does not cascade to other components

As application complexity increases, a desirable attribute of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies—a change or a failure in one component should not cascade to other components.

41
Q

Which service can be used to improve performance for users around the world?

Amazon Connect
Amazon CloudFront
Amazon ElastiCache
AWS LightSail

A

Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that caches content at Edge Locations around the world. This gets the content closer to users which improves performance.

42
Q

Which Amazon EC2 pricing model should be used to comply with per-core software license requirements?

Dedicated Hosts
Reserved Instances
On-Demand Instances
Spot Instances

A

Dedicated Hosts

Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS. An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements.

43
Q

In which AWS service can a company collect data about the configuration, usage, and behavior of its on-premises data centers to assist in planning a migration to AWS?

AWS Resource Groups
AWS Application Discovery Service
AWS Service Catalog
AWS Systems Manager

A

AWS Application Discovery Service

AWS Application Discovery Service helps you plan your migration to the AWS cloud by collecting usage and configuration data about your on-premises servers.

44
Q

What are two components of Amazon S3? (Select TWO.)

File systems
Directories
Buckets
Block devices
Objects

A

Buckets
Objects

Amazon S3 is an object-based storage system that is accessed using a RESTful API over HTTP(S). It consists of buckets, which are root level folders, and objects, which are the files, images etc. that you upload

The terms directory, file system and block device do not apply to Amazon S3.

45
Q

Which AWS service uses a highly secure hardware storage device to store encryption keys?

AWS WAF
AWS CloudHSM
AWS IAM
Amazon Cloud Directory

A

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications

46
Q

Which service can be used to assign a policy to a group?

AWS IAM
AWS STS
AWS Shield
Amazon Cognito

A

AWS IAM

IAM is used to securely control individual and group access to AWS resources. Groups are collections of users and have policies attached to them. You can use IAM to attach a policy to a group

47
Q

Which type of AWS Storage Gateway can be used to backup data with popular backup software?

Gateway Virtual Tape Library
Backup Gateway
Volume Gateway
File Gateway

A

Gateway Virtual Tape Library

The AWS Storage Gateway service enables hybrid storage between on-premises environments and the AWS Cloud.

The Gateway Virtual Tape Library can be used with popular backup software such as NetBackup, Backup Exec and Veeam. Uses a virtual media changer and tape drives.

48
Q

What can be assigned to an IAM user? (Select TWO.)

A password for access to the management console
A password for logging into Linux
A key pair
An SSL/TLS certificate
An access key ID and secret access key

A

A password for access to the management console
An access key ID and secret access key

An IAM user is an entity that represents a person or service. Users can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools and a password for access to the management console.

49
Q

What is the most cost-effective Amazon S3 storage tier for data that is not often accessed but requires high availability?

Amazon S3 Standard
Amazon S3 Standard-IA
Amazon S3 One Zone-IA
Amazon Glacier

A

Amazon S3 Standard-IA

S3 Standard-IA is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard with 99.9% availability

S3 One Zone-IA is for data that is accessed less frequently, but requires rapid access when needed. Unlike other S3 Storage Classes which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and offers lower availability.

50
Q

Which of the following are architectural best practices for the AWS Cloud? (Select TWO.)

Close coupling
Deploy into a single availability zone
Deploy into multiple Availability Zones
Design for fault tolerance
Create monolithic architectures

A

Deploy into multiple Availability Zones
Design for fault tolerance

It is an architectural best practice to deploy your resources into multiple availability zones and design for fault tolerance. These both ensure that if resources or infrastructure fails, your application continues to run.

51
Q

What fully managed AWS service allows users to bring their own machine learning algorithms?

Amazon SageMaker
AWS Data Pipeline
AWS Artifact
Amazon Forecast

A

Amazon SageMaker

Amazon SageMaker is a managed Machine Learning service. With Amazon SageMaker, you can package your own algorithms that can then be trained and deployed in the SageMaker environment.

52
Q

Which tool can be used to create alerts when the actual or forecasted cost of AWS services exceed a certain threshold?

AWS Cost and Usage report
AWS Budgets
AWS CloudTrail
AWS Cost Explorer

A

AWS Budgets

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.

You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define. Reservation alerts are supported for Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache, and Amazon Elasticsearch reservations.

53
Q

When a company moves an on-premises, internet-facing website to the AWS Cloud, what benefits does it obtain? (Select TWO.)

The company can take advantage of the pay-as-you-go pricing model.
The website shows up with higher priority in internet search engines.
AWS automatically provides the company with the lowest-cost pricing model.
Website capacity can expand or contract as website traffic changes.
Data that is stored in the AWS Cloud is automatically encrypted.

A

The company can take advantage of the pay-as-you-go pricing model.

Website capacity can expand or contract as website traffic changes.

Website capacity expanding and contracting is a sign of elasticity, and this is one of the most popular benefits of moving to the cloud. This is defined as the ability to acquire resources as you need them and release resources when you no longer need them.

Also, when you move to the cloud you do not pay upfront for your resources as standard and move to a OPEX model (operational expenditure.)

54
Q

Which of the following security related activities are AWS customers responsible for? (Select TWO.)

Secure disposal of faulty disk drives
Implementing data center access controls
Installing patches on network devices
Implementing IAM password policies
Installing patches on Windows operating systems

A

Implementing IAM password policies
Installing patches on Windows operating systems

Customers are responsible for configuring their own IAM password policies and installing operating system patches on Amazon EC2 instances

AWS are responsible for installing patches on physical hardware devices, data center access controls and secure disposal of disk drives

55
Q

Which of the below are components that can be configured in the VPC section of the AWS management console? (Select TWO.)

EBS volumes
Endpoints
Subnet
DNS records
Elastic Load Balancer

A

Endpoints
Subnet

You can have configured subnets and endpoints within the VPC section of AWS management console

EBS volumes and ELB must be configured in the EC2 section of the AWS management console

DNS records must be configured in Amazon Route 53

56
Q

Which of the following is an architectural best practice recommended by AWS?

Think servers, not services
Design for success
Use manual operational processes
Design for failure

A

Design for failure

It is recommended that you design for failure. This means always considering what would happen if a component of an application fails and ensuring there is resilience in the architecture.

57
Q
  1. QUESTION
    How does “elasticity” benefit an application design?

By reducing interdependencies between application components
By automatically scaling resources based on demand
By reserving capacity to reduce cost
By selecting the correct storage tier for your workload

A

By automatically scaling resources based on demand

Elasticity refers to the automatic scaling of resources based on demand. The benefit is that you provision only the necessary resources at a given time (optimizing cost) and don’t have to worry about absorbing spikes in demand.

58
Q

Which statement is true in relation to data stored within an AWS Region?

Data is always automatically replicated to at least one other availability zone
Data is not replicated outside of a region unless you configure it
Data is always replicated to another region
Data is automatically archived after 90 days

A

Data is not replicated outside of a region unless you configure it

Data stored within an AWS region is not replicated outside of that region automatically. It is up to customers of AWS to determine whether they want to replicate their data to other regions. You must always consider compliance and network latency when making this decision.

59
Q

Which actions are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)

Securing the virtualization layer
Patching the operating system on Amazon EC2 instances
Configuring security groups and network ACLs
Enforcing a strict password policy for IAM users
Patching the operating system on Amazon RDS instances

A

Securing the virtualization layer

Patching the operating system on Amazon RDS instances

60
Q

Which service can be used to manage configuration versions?

AWS Service Catalog
AWS Config
AWS Artifact
Amazon Inspector

A

AWS Config

AWS Config is a fully-managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

61
Q

Which aspects of security on AWS are customer responsibilities? (Select TWO.)

Availability of AWS regions
Server-side encryption
Physical access controls
Setting up account password policies
Patching of storage systems

A

Server-side encryption
Setting up account password policies

AWS are responsible for the “security of the cloud”. This includes protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

The customer is responsible for “security in the cloud”. Customer responsibility depends on the service consumed but includes aspects such as Identity and Access Management (includes password policies), encryption of data, protection of network traffic, and operating system, network and firewall configuration.

62
Q

A user has an AWS account with a Business-level AWS Support plan and needs assistance with handling a production service disruption.

Which action should the user take?

Open a production system down support case
Open a business-critical system down support case
Contact the dedicated AWS Concierge Support team
Contact the dedicated Technical Account Manager

A

Open a production system down support case

The Business support plan provides a service level agreement (SLA) of < 1 hour for production system down support cases.

The dedicated TAM only comes with the Enterprise support plan.
The concierge support team only comes with the Enterprise support plan.
The business-critical system down support only comes with the Enterprise support plan.

63
Q

What AWS service offers managed DDoS protection?

Amazon GuardDuty
Amazon Inspector
AWS Shield
AWS Firewall Manager

A

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.

64
Q

When storing passwords on AWS, what is the MOST secure method?

Store passwords in AWS Storage Gateway.
Store passwords as AWS CloudFormation parameters.
Store passwords in AWS Secrets Manager.
Store passwords in an Amazon S3 bucket.

A

Store passwords in AWS Secrets Manager.

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.

65
Q

Which storage type can be mounted using the NFS protocol to many EC2 instances simultaneously?

Amazon S3
Amazon Instance Store
Amazon EFS
Amazon EBS

A

Amazon EFS

EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. EFS uses the NFSv4.1 protocol. Can concurrently connect 1 to 1000s of EC2 instances, from multiple AZs.