AWS Solutions Architect Associate Flashcards

Question

What is a primary feature of AWS IAM Identity Center? A. It allows for the creation and management of AWS resources. B. It is a web service for organizing and federating access to AWS accounts and business applications. C. It is used for hardware-based key storage for cryptographic operations. D. It offers a centralized service for billing and cost management of AWS resources.

Answer 1

B. It is a web service for organizing and federating access to AWS accounts and business applications. AWS IAM Identity Center is designed to help manage access to AWS accounts and business applications, providing a single location to centrally manage access. It allows users to sign in once and access multiple accounts and applications.

Answer 2

B. Centralized user access to multiple AWS accounts with a single set of credentials. AWS IAM Identity Center allows users to access multiple AWS accounts and applications using a single set of credentials, thereby centralizing and streamlining user access management

Answer 3

B. They define the IAM roles that users can assume in AWS accounts In AWS IAM Identity Center, permission sets are used to define the IAM roles that can be assumed by users when accessing AWS accounts. This allows for fine-grained access control

Answer 4

C. It enables integration with existing directories like Microsoft Active Directory for user authentication. AWS IAM Identity Center supports integration with existing corporate directories, such as Microsoft Active Directory, to authenticate and manage user access, allowing for a seamless connection between AWS and existing user management systems

Answer 5

3) Spot Instances Spot Instances are good for short workloads and this is the cheapest EC2 Purchasing Option. But, they are less reliable because you can lose your EC2 instance.

Answer 6

2) Security Groups Security Groups operate at the EC2 instance level and can control traffic.

Answer 7

1) 1 or 3 years EC2 Reserved Instances can be reserved for 1 or 3 years only.

Answer 8

2) Compute Optimized Compute Optimized EC2 instances are great for compute-intensive workloads requiring high-performance processors (e.g., batch processing, media transcoding, high-performance computing, scientific modeling & machine learning, and dedicated gaming servers).

Answer 9

1) Reserved Instances Reserved Instances are good for long workloads. You can reserve EC2 instances for 1 or 3 years.

Answer 10

3) EC2 User Data EC2 User Data is used to bootstrap your EC2 instances using a bash script. This script can contain commands such as installing software/packages, download files from the Internet, or anything you want.

Answer 11

3) Memory Optimized Memory Optimized EC2 instances are great for workloads requiring large data sets in memory.

Answer 12

1) Storage Optimized Storage Optimized EC2 instances are great for workloads requiring high, sequential read/write access to large data sets on local storage.

Answer 13

False Security Groups can be attached to multiple EC2 instances within the same AWS Region/VPC.

Answer 14

2) Dedicated Hosts Dedicated Hosts are good for companies with strong compliance needs or for software that have complicated licensing models. This is the most expensive EC2 Purchasing Option available.

Answer 15

3) Dedicated Hosts

Answer 16

2) On-Demand Instances Spot Fleet is a set of Spot Instances and optionally On-demand Instances. It allows you to automatically request Spot Instances with the lowest price.

Answer 17

4) Do nothing, SQS scales automatically

Answer 18

3) Increase the Visibility Timeout SQS Visibility Timeout is a period of time during which Amazon SQS prevents other consumers from receiving and processing the message again. In Visibility Timeout, a message is hidden only after it is consumed from the queue. Increasing the Visibility Timeout gives more time to the consumer to process the message and prevent duplicate reading of the message. (default: 30 sec., min.: 0 sec., max.: 12 hours)

Answer 19

4) SQS FIFO Queue SQS FIFO (First-In-First-Out) Queues have all the capabilities of the SQS Standard Queue, plus the following two features. First, The order in which messages are sent and received are strictly preserved and a message is delivered once and remains available until a consumer process and deletes it. Second, duplicated messages are not introduced into the queue.

Answer 20

2) Use SNS + SQS Fan Out Pattern This is a common pattern where only one message is sent to the SNS topic and then "fan-out" to multiple SQS queues. This approach has the following features: it's fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.

Answer 21

1) Add more Shards The capacity limits of a Kinesis data stream are defined by the number of shards within the data stream. The limits can be exceeded by either data throughput or the number of reading data calls. Each shard allows for 1 MB/s incoming data and 2 MB/s outgoing data. You should increase the number of shards within your data stream to provide enough capacity.

Answer 22

3) For each record sent to Kinesis, use a partition key that represents the identity of the user Kinesis Data Stream uses the partition key associated with each data record to determine which shard a given data record belongs to. When you use the identity of each user as the partition key, this ensures the data for each user is ordered hence sent to the same shard.

Answer 23

3) Kinesis Data Streams + Kinesis Data Firehose This is a perfect combo of technology for loading data near real-time data into S3 and Redshift. Kinesis Data Firehose supports custom data transformations using AWS Lambda.

Answer 24

1) Amazon Kinesis Data Streams Note: Kinesis Data Firehose is now supported, but not Kinesis Data Streams.

Answer 25

2) Amazon SNS

Answer 26

4) Amazon MQ Amazon MQ supports industry-standard APIs such as JMS and NMS, and protocols for messaging, including AMQP, STOMP, MQTT, and WebSocket.

Answer 27

1) Use SQS as a buffer to write to Aurora

Answer 28

2) On-demand Mode

Answer 29

2) Web Application Firewall (WAF)

Answer 30

2) SQS Standard Auto Scaling groups are for EC2 instances only

Answer 31

1) Amazon MQ

Answer 32

3) Amazon AppFlow

Answer 33

4) Dead-letter queues (DLQ)

Answer 34

1) AWS Step Functions This is a serverless orchestration service combining different AWS services for business applications.

Answer 35

1) Internal and external All levels of your architecture need to be loosely coupled!

Answer 36

1) Allocate an Elastic IP and assign it to your EC2 instance Elastic IP is a public IPv4 that you own as long as you want and you can attach it to one EC2 instance at a time.

Answer 37

2) Cluster Placement Group Cluster Placement Groups place your EC2 instances next to each other which gives you high-performance computing and networking.

Answer 38

1) Spread Placement Group Spread Placement Group places your EC2 instances on different physical hardware across different AZs.

Answer 39

False Elastic Network Interfaces (ENIs) are bounded to a specific AZ. You can not attach an ENI to an EC2 instance in a different AZ.

Answer 40

1) EC2 Instance Root Volume must be an Instance Store volume To enable EC2 Hibernate, the EC2 Instance Root Volume type must be an EBS volume and must be encrypted to ensure the protection of sensitive content.

Answer 41

2) When you have an auditing requirement to run your hosts on single-tenant hardware

Answer 42

2) When your code needs to learn something about the EC2 instances that it's running on EC2 instance metadata can be used to configure or manage a running instance, and can also be used to access user data that was specified when the instance was launched

Answer 43

4) Allows you to extend the power of the AWS data center to your own data center Outposts allows you to extend the AWS data center to your own data center

Answer 44

3) While it is possible that your Spot Instance is interrupted before the warnings can be made, AWS makes a best effort to provide two-minute Spot Instance interruption notices to the metadata of your EC2 instance(s). If your Spot Instance has been marked for termination, a notification will be best-effort posted to the metadata of your EC2 instance two minutes before it is stopped or terminated

Answer 45

4) QuickSight QuickSight allows you to create dashboards and visualize your data

Answer 46

1) Exporting Amazon RDS data to Amazon S3 3) Importing and exporting Amazon DynamoDB data 4) Copying CSV files between Amazon S3 buckets

Answer 47

2) Amazon Managed Streaming for Apache Kafka (MSK) Amazon MSK is a fully managed service for running data-streaming applications that leverage Apache Kafka.

Answer 48

2) Relational Redshift is a relational database

Answer 49

4) Amazon Redshift Spectrum Redshift Spectrum allows you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, Parquet, and others. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size

Answer 50

2) Amazon OpenSearch Service (successor to Elasticsearch)

Answer 51

1) Amazon Redshift Redshift would be the best solution for analyzing large volumes of data with complex queries, fast query performance, and scalability. Amazon Redshift is specifically designed for data warehousing and analytics workloads. It provides columnar storage, parallel query execution, and automatic scaling capabilities to handle large datasets and complex queries efficiently

Answer 52

3) AWS Data Pipeline AWS Data Pipeline is a managed extract, transform, load (ETL) service for automating movement and transformation of your data

Answer 53

1) In AWS Glue, you can specify the number of DPUs (data processing units) you want to allocate to an ETL job. You can specify the number of DPUs for an ETL job. A Glue ETL job must have a minimum of 2 DPUs. AWS Glue allocates 10 DPUs to each ETL job by default.

Answer 54

4) Glue, Athena

Answer 55

4) Amazon OpenSearch Service

Answer 56

3) Kinesis Data Streams

Answer 57

3) Amazon Redshift

Answer 58

4) Amazon Athena

Answer 59

2) Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region

Answer 60

1) Enhanced VPC Routing

Answer 61

3) Amazon OpenSearch Service

Answer 62

1) AWS Glue

Answer 63

2) Amazon OpenSearch service

Answer 64

2) Amazon EMR

Answer 65

3) Amazon QuickSight

Answer 66

1) Glue Job Bookmarks

Answer 67

4) AWS Glue

Answer 68

3) Amazon MSK

Answer 69

1) Lake Formation Fine-grained Access Control

Answer 70

3) Amazon Kinesis Data Analytics

Answer 71

3) AWS Fargate on ECS AWS Fargate allows you to run your containers on AWS without managing any servers.

Answer 72

1) Amazon EC2 Launch Type and Fargate Launch Type

Answer 73

2) ECS Task Role ECS Task Role is the IAM Role used by the ECS task itself. Use when your container wants to call other AWS services like S3, SQS, etc.

Answer 74

1) Mount an EFS volume EFS volume can be shared between different EC2 instances and different ECS Tasks. It can be used as a persistent multi-AZ shared storage for your containers.

Answer 75

2) Create an IAM task role for the new application

Answer 76

2) ECR Amazon ECR is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images. ECR is fully integrated with Amazon ECS, allowing easy retrieval of container images from ECR while managing and running containers using ECS.

Answer 77

4) AWS Lambda

Answer 78

1) AWS App Runner

Answer 79

C. To provide a blueprint for running Docker containers, including the container image and resource allocation. In Amazon ECS, a task definition is a blueprint for your application that describes how a container should run, including details like the Docker image, CPU and memory allocations, environment variables, and more.

Answer 80

B. Amazon EKS Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easier to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Answer 81

A. Amazon EBS Amazon EBS (Elastic Block Store) can be used with Amazon EKS to provide persistent block storage for containerized applications. EBS volumes can be dynamically provisioned as part of the EKS deployment process.

Answer 82

A. Amazon ECS with AWS Fargate and Amazon Route 53 Amazon ECS with AWS Fargate allows for serverless container deployments, and when combined with Elastic Load Balancing and Route 53, it offers high availability across multiple Availability Zones and efficient traffic distribution.

Answer 83

B. Utilize AWS Batch with Spot Instances for processing jobs. AWS Batch efficiently runs batch jobs and, when combined with Spot Instances, can provide a cost-effective solution for processing jobs as they arrive without the need for over-provisioning.

Answer 84

B. Horizontal Pod Autoscaler in EKS for each microservice deployment. The Horizontal Pod Autoscaler in Amazon EKS automatically scales the number of pods in a deployment based on observed CPU utilization or other selected metrics, ideal for independently scaling microservices.

Answer 85

D. Amazon EKS with dedicated EC2 instances, running within a private subnet and using IAM roles for secure access to AWS services. Amazon EKS provides a secure and scalable environment for containerized applications. Using dedicated EC2 instances in a private subnet enhances security, and IAM roles ensure secure access to other AWS services, meeting compliance and security needs.

Answer 86

4) ECS ECS manages this process for you

Answer 87

1) Scan on Push 3) Lifecycle policies 5) Image tag immutability

Answer 88

2) Amazon Aurora Serverless Amazon Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora. It is perfect for when you are running workloads that have sudden and unpredictable increases in activity, but you need to plan capacity. Since it is serverless, you also only pay for what you consume.

Answer 89

3) AWS X-Ray When you see requests and responses, think AWS X-Ray. AWS X-Ray is a service that collects data about requests that your application serves. It provides tools that you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.

Answer 90

2) Amazon EKS Anywhere Amazon EKS Anywhere provides a means of managing Kubernetes clusters using the same operational excellence and best practices that AWS uses for its Amazon Elastic Kubernetes Service (Amazon EKS). It leverages the EKS Distro (EKS-D) for deploying, using, and managing Kubernetes clusters that run in your data centers.

Answer 91

1) Aurora capacity units These are how the clusters scale. They are based on a certain amount of compute and memory. You can set a minimum and maximum for automatically scaling between the units.

Answer 92

1) AWS AppSync AWS AppSync provides a robust, scalable GraphQL interface for application developers to combine data from multiple sources, including Amazon DynamoDB, AWS Lambda, and HTTP APIs.

Answer 93

4) Operating System In a serverless application, you don't have access to the OS

Answer 94

2) 10GB Lambda supports up to 10GB of RAM

Answer 95

1) Fargate

Answer 96

2) Role Roles should be used for Lambda to talk to other AWS APIs. Reference Documentation: AWS Lambda execution role

Answer 97

2) Amazon EKS Distro (EKS-D) Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters.

Answer 98

3) Run your code somewhere else (e.g. EC2 instance) Lambda's maximum execution time is 15 minutes. You can run your code somewhere else such as an EC2 instance or use Amazon ECS.

Answer 99

False DynamoDB is serverless with no servers to provision, patch, or manage and no software to install, maintain or operate. It automatically scales tables up and down to adjust for capacity and maintain performance. It provides both provisioned (specify RCU & WCU) and on-demand (pay for what you use) capacity modes.

Answer 100

1) Increase RCU and keep WCU the same RCU and WCU are decoupled, so you can increase/decrease each value separately.

Answer 101

2) Create a DAX Cluster DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x performance improvement. It caches the most frequently used data, thus offloading the heavy reads on hot keys off your DynamoDB table, hence preventing the "ProvisionedThroughputExceededException" exception.

Answer 102

3) Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails DynamoDB Streams allows you to capture a time-ordered sequence of item-level modifications in a DynamoDB table. It's integrated with AWS Lambda so that you create triggers that automatically respond to events in real-time. There is no such SNS and Dynamo DB integration

Answer 103

3) AWS Lambda

Answer 104

False An Edge-Optimized API Gateway is best for geographically distributed clients. API requests are routed to the nearest CloudFront Edge Location which improves latency. The API Gateway still lives in one AWS Region.

Answer 105

2) Use Provisioned Capacity Mode with AutoScaling enabled for production and On-Demand Capacity Mode for development

Answer 106

1) Lambda@Edge Lambda@Edge is a feature of CloudFront that lets you run code closer to your users, which improves performance and reduces latency.

Answer 107

3) AWS Step Functions

Answer 108

4) Use DynamoDB Accelerator (DAX) to cache the most requested data

Answer 109

1) Select DynamoDB table then select Export to S3

Answer 110

3) Store users' sessions in a DynamoDB table and enable TTL

Answer 111

2) Use Amazon Cognito Identity Federation Amazon Cognito can be used to federate mobile user accounts and provide them with their own IAM permissions, so they can be able to access their own personal space in the S3 bucket.

Answer 112

3) Use Cognito User Pools

Answer 113

3) Amazon Cognito Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

Answer 114

1) API Gateway + AWS Lambda

Answer 115

2) Amazon CloudFront Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. This is a perfect use case for Amazon CloudFront.

Answer 116

1) Dynamo Streams DynamoDB Streams enable DynamoDB to get a changelog and use that changelog to replicate data across replica tables in other AWS Regions.

Answer 117

2) The Lambda Execution IAM Role is missing permissions

Answer 118

3) Amazon SQS + Amazon EC2 Amazon SQS allows you to retain messages for days and process them later, while we can take down our EC2 instances.

Answer 119

4) Create a CloudFront Distribution Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. Amazon CloudFront can be used in front of an Application Load Balancer.

Answer 120

1) Kinesis Data Streams Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. It can continuously capture gigabytes of data per second from hundreds of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events.

Answer 121

4) AWS Global Accelerator Program

Answer 122

1) Amazon FSx-created Luster file system may be used to store data. Customers that utilize Amazon FSx’s Luster file system will only be charged for what they really use.

Answer 123

4) Set up CloudFront to distribute the S3 bucket’s content. CloudFront is able to cache frequently requested material, resulting in improved speed. The speed of other solutions may be improved, but they do not keep cache for S3 items.

Answer 124

4) Create a planned activity in the Auto Scaling group and define the frequency, start and end times as well as the capacity of the action.

Answer 125

2) In the instance, configure the Elastic Fabric Adapter (EFA). EFA is the most suited strategy for boosting High-Performance Computing (HPC) and machine learning applications.

Answer 126

1) Use the Cluster placement technique to start all of the EC2 instances in a placement group. The Cluster placement technique may increase EC2 instance network performance. When setting up a placement group, you may choose a strategy. When establishing a placement group, you may choose the approach.

Answer 127

1) The size of the SQS queue in terms of messages. Users may set up a CloudWatch alert depending on the number of messages in the SQS queue and use the alarm to tell the ECS cluster to scale up or down.

Answer 128

3) S3 bucket may not be available at the VPC endpoint because of a restrictive policy.

Answer 129

1) Use CloudFront Geo Restriction

Answer 130

2) Configure your CloudFront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution

Answer 131

2) Only allows the S3 bucket content to be accessed from your CloudFront Distribution

Answer 132

2) CloudFront Cache Invalidation

Answer 133

2) CloudFront Price Classes

Answer 134

1) AWS Global Accelerator + Application Load Balancer

Answer 135

4) Secrets Manager

Answer 136

2) To provide authentication, authorization, and user management for your web and mobile apps without the need for custom code.

Answer 137

3) RDS event history

Answer 138

4) Layer 7

Answer 139

4) Create a presigned URL using S3. Presigned URLs would allow you to restrict the length of time the content can be viewed

Answer 140

1) AWS Artifact Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

Answer 141

2) an HTTPS endpoint with an SSL certificate In-flight Encryption = HTTPS, and HTTPS can not be enabled without an SSL certificate.

Answer 142

False Server-Side Encryption means the server will encrypt the data for us. We don't need to encrypt it beforehand.

Answer 143

1) Both Encryption and Decryption happen on the server In Server-Side Encryption, we can't do encryption/decryption ourselves as we don't have access to the corresponding encryption key.

Answer 144

False With Client-Side Encryption, the server doesn't need to know any information about the encryption scheme being used, as the server will not perform any encryption or decryption operations.

Answer 145

False You can use the AWS Managed Service keys in KMS, therefore we don't need to create our own KMS keys. You could also create your own keys for AWS to do the encryption, but it's not mandatory.

Answer 146

True KMS keys can be symmetric or asymmetric. A symmetric KMS key represents a 256-bit key used for encryption and decryption. An asymmetric KMS key represents an RSA key pair used for encryption and decryption or signing and verification, but not both. Or it represents an elliptic curve (ECC) key pair used for signing and verification.

Answer 147

2) You need to share the KMS CMK used to encrypt the AMI with the other AWS account

Answer 148

3) Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

Answer 149

1) KMS Key Policies

Answer 150

3) Have it as an encrypted env variable and decrypt it at runtime

Answer 151

2) SSM Parameter Store SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter's history.

Answer 152

2) AWS Shield Advanced

Answer 153

4) SSM Parameter Store

Answer 154

4) CloudWatch Logs

Answer 155

2) AWS WAF

Answer 156

3) Amazon Inspector

Answer 157

1) AWS Secrets Manager

Answer 158

4) AWS Firewall Manager AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.

Answer 159

3) Amazon Macie Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).

Answer 160

1) Using Aurora Client-side Encryption and KMS Multi-region Keys

Answer 161

3) You have to configure permissions for both Source KMS Key kms:Decrypt and Target KMS Key kms:Encrypt to be used by the S3 Replication Service

Answer 162

2) Configure EventBridge for Daily Expiration Events from ACM to invoke SNS notifications to your email

Answer 163

1) us-east-1 As the Edge-Optimized API Gateway is using a custom AWS managed CloudFront distribution behind the scene to route requests across the globe through CloudFront Edge locations, the ACM certificate must be created in us-east-1.

Answer 164

4) AWS Firewall Manager

Answer 165

B. AWS CloudFormation AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment CloudFormation is an Infrastructure as Code (IaC) service that allows you to model, provision, and manage AWS and third-party resources by writing templates.

Answer 166

B. Sending bulk email and transactional email AWS SES is a cost-effective, flexible, and scalable email service that enables developers to send mail from within any application

Answer 167

C. Engaging with customers through email, SMS, push notifications, and campaigns. AWS Pinpoint is used for customer engagement through various channels like email, SMS, and push notifications, helping to drive user engagement through targeted communication.

Answer 168

C. It helps you manage your AWS resources. AWS Systems Manager gives you visibility and control of your infrastructure on AWS. It provides a unified user interface that allows you to view operational data from multiple AWS services and automate operational tasks across your AWS resources.

Answer 169

B. AWS Cost Explorer AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time.

Answer 170

D. Efficiently running hundreds to thousands of batch computing jobs on AWS. AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds to thousands of batch computing jobs on AWS.

Answer 171

C. It securely transfers data between SaaS applications and AWS services. AWS AppFlow is a fully managed integration service that enables you to securely transfer data between SaaS applications like Salesforce, ServiceNow, and AWS services like Amazon S3 and Redshift.

Answer 172

C. Building, deploying, and hosting mobile and web applications. AWS Amplify is a set of tools and services that can be used together or on their own to help front-end web and mobile developers build scalable full-stack applications, powered by AWS.

Answer 173

Elastic Beanstalk: Best for developers who want to deploy applications quickly without managing the underlying infrastructure. It's like renting an apartment - you control what's inside, but not the building itself. CloudFormation: Ideal for infrastructure engineers and DevOps who need to codify and automate the setup of their AWS infrastructure. It's like building your own house - complete control over the construction. Amplify: Geared towards frontend and mobile developers who want an integrated environment for both backend services and frontend development. It's like having a toolkit to both design your house and manage the utilities and services it needs.

Answer 174

B) AWS Organizations AWS Organizations is a service that allows you to centrally manage and govern multiple AWS accounts. It helps you consolidate billing, implement security policies, and manage access control across your AWS resources from a single AWS account.

Answer 175

A) AWS Identity and Access Management (IAM) AWS IAM provides the capability to enable multi-factor authentication (MFA) for AWS accounts. MFA adds an extra layer of security by requiring users to provide an additional authentication factor, such as a one-time password generated by a virtual or hardware MFA device, in addition to their regular username and password.

Answer 176

A) Network Access Control Lists (ACLs) Network Access Control Lists (ACLs) allow you to control inbound and outbound traffic at the subnet level. ACLs act as a stateless firewall, enabling you to create rules that define what type of traffic is allowed or denied between subnets in your VPC. They provide an additional layer of network security alongside security groups.

Answer 177

A) AWS Key Management Service (KMS) AWS Key Management Service (KMS) is a managed service that allows you to create and control the encryption keys used to encrypt your data. By integrating KMS with other AWS services such as Amazon S3, Amazon EBS, or Amazon RDS, you can easily encrypt your data at rest. KMS provides a secure and scalable solution for key management.

Answer 178

A) AWS Security Token Service (STS) AWS Security Token Service (STS) enables you to provide temporary, limited-privilege credentials to external users without the need for them to have their own AWS account. STS issues temporary security tokens that can be used to access AWS resources for a specific duration, making it suitable for scenarios where temporary access is required, such as cross-account access or federated access.

Answer 179

C) AWS Fargate AWS Fargate is a serverless compute engine for containers that allows you to run containers without managing the underlying infrastructure. It provides a fully managed platform to deploy and run containerized applications, abstracting away the need to provision and manage servers, making it a secure and scalable option for running workloads.

Answer 180

C) AWS Global Accelerator AWS Global Accelerator is a service that improves the availability and performance of your applications by directing traffic to optimal endpoints across multiple AWS regions. It uses the AWS global network infrastructure to route traffic to your resources, helping achieve high availability and low latency for your applications.

Answer 181

A) AWS Cognito AWS Cognito is a fully managed service that enables you to add user sign-up, sign-in, and access control to your web and mobile applications. It provides secure authentication, authorization, and user management features, allowing you to easily authenticate users through various identity providers, such as social media or corporate directories.

Answer 182

A) Enable default encryption for the S3 bucket By enabling default encryption for an Amazon S3 bucket, you ensure that any new object uploaded to the bucket is automatically encrypted with a unique key. This setting provides an additional layer of security and helps enforce encryption for all objects stored in the bucket, even if the encryption settings are not explicitly specified during the object upload.

Answer 183

A) Amazon Inspector Amazon Inspector is an automated security assessment service that helps you test the security state of your applications and resources. It performs security assessments by scanning for vulnerabilities, security best practices, and common configuration issues. Amazon Inspector provides detailed findings and recommendations to help you improve the security posture of your applications.

Answer 184

C) AWS Key Management Service (KMS) AWS Key Management Service (KMS) is a fully managed service that allows you to create and control the encryption keys used to encrypt your data. It integrates with various AWS services, such as Amazon S3 and Amazon EBS, to provide seamless encryption at rest. KMS provides secure key storage and management, making it an appropriate choice for data security controls.

Answer 185

B) AWS Secrets Manager AWS Secrets Manager is a service that helps you securely store and manage secrets such as database credentials, API keys, and other sensitive information. It provides a central location to store secrets, allows for automatic rotation of secrets, and integrates with AWS services and applications securely.

Answer 186

A) Amazon VPC (Virtual Private Cloud) Amazon VPC (Virtual Private Cloud) allows you to create a logically isolated section of the AWS Cloud, where you can define IP address ranges and configure security groups and network ACLs. By configuring the appropriate network settings within your VPC, you can control access to your Amazon S3 bucket by allowing access only from specific IP addresses or IP ranges.

Answer 187

A) AWS Direct Connect AWS Direct Connect provides a dedicated network connection between your on-premises data center and AWS. It establishes a private, secure, and high-bandwidth connection that bypasses the public internet, ensuring the encryption and privacy of data in transit between the two environments.

Answer 188

A) Server-Side Encryption with AWS Key Management Service (SSE-KMS) AWS provides Server-Side Encryption with AWS Key Management Service (SSE-KMS) as an option for encrypting data at rest for Amazon RDS database instances. With SSE-KMS, the data is encrypted using keys managed by AWS KMS, providing a secure and scalable solution for protecting sensitive data stored in the database.

Answer 189

A) Amazon Simple Queue Service (SQS) Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices-based architectures. It allows you to decouple the components of your application by providing a reliable and scalable messaging platform for exchanging messages between different services, helping achieve loose coupling and scalability

Answer 190

B) Amazon Kinesis Amazon Kinesis is a fully managed service for real-time streaming data processing. It can handle large amounts of data and provide low-latency processing, making it suitable for scenarios such as real-time analytics, IoT data ingestion, and log processing.

Answer 191

C) Amazon EC2 Auto Scaling Amazon EC2 Auto Scaling allows you to automatically scale your Amazon EC2 instances based on predefined policies and conditions. It helps your application handle sudden traffic spikes by automatically adding or removing instances to meet demand, ensuring scalability and optimal resource utilization.

Answer 192

D) Amazon Route 53 Amazon Route 53 is a scalable domain name system (DNS) web service that can provide automatic failover between regions in the event of a service disruption. By configuring health checks and DNS failover policies, Route 53 can route traffic to an alternate region if the primary region becomes unavailable, ensuring high availability and fault tolerance.

Answer 193

D) AWS Step Functions AWS Step Functions is a fully managed service that helps you orchestrate and manage complex workflows for processing large-scale data. It allows you to coordinate and visualize the different steps and dependencies of your workflow, making it easier to design and manage scalable data processing pipelines.

Answer 194

C) AWS Global Accelerator AWS Global Accelerator is a service that helps improve the availability and performance of your applications by directing traffic to optimal endpoints across multiple AWS regions. In the event of an Availability Zone failure, AWS Global Accelerator can automatically route traffic to the healthy instances in other Availability Zones, ensuring high availability and fault tolerance.

Answer 195

3) Lambda Function The Lambda function's invocation is "asynchronous", so the DLQ has to be set on the Lambda function side

Answer 196

2) AWS WAF

Answer 197

3) Use Multi-Part upload when uploading files larger than 5GB Multi-Part Upload is recommended as soon as the file is over 100 MB

Answer 198

2) S3 bucket names must be globally unique and "dev" is already taken

Answer 199

3) The IAM user must have an explicit DENY in the attached IAM policy Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.

Answer 200

4) S3 Replication S3 Replication allows you to replicate data from an S3 bucket to another in the same/different AWS Region

Answer 201

1) Configure replication from bucket A to bucket B, then from bucket A to bucket C

Answer 202

1) Expedited (1-5 minute)

Answer 203

1) Instant (10 seconds)

Answer 204

3) S3 Event Notifications

Answer 205

2) S3 Lifecycle Rules - Expiration Actions

Answer 206

3) S3 Lifecycle Rules

Answer 207

3) Use an S3 Lifecycle Policy to automate old/unfinished parts deletion

Answer 208

2) S3 Analytics

Answer 209

3) Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes and store that information in RDS

Answer 210

3) Use Multi-part Upload & S3 Transfer Acceleration

Answer 211

3) S3 Select

Answer 212

3) S3 Batch Operations

Answer 213

3) SSE-C With SSE-C, the encryption happens in AWS and you have full control over the encryption keys.

Answer 214

2) SSE-KMS With SSE-KMS, the encryption happens in AWS, and the encryption keys are managed by AWS but you have full control over the rotation policy of the encryption key. Encryption keys stored in AWS.

Answer 215

4) Client-Side Encryption With Client-Side Encryption, you have to do the encryption yourself and you have full control over the encryption keys. You perform the encryption yourself and send the encrypted data to AWS. AWS does not know your encryption keys and cannot decrypt your data.

Answer 216

3) CORS is wrong Cross-Origin Resource Sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. To learn more about CORS, go here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

Answer 217

1) Use S3 Object Lambda to change the objects before they are retrieved by the report

Answer 218

1) Glacier Vaults with Vault Lock Policies

Answer 219

1) Enable S3 Access Logs and analyze them using Athena S3 Access Logs log all the requests made to S3 buckets and Amazon Athena can then be used to run serverless analytics on top of the log files.

Answer 220

2) S3 Pre-Signed URL S3 Pre-Signed URLs are temporary URLs that you generate to grant time-limited access to some actions in your S3 bucket.

Answer 221

2) Do nothing, Amazon S3 automatically encrypt new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)

Answer 222

2) Enable MFA Delete MFA Delete forces users to use MFA codes before deleting S3 objects. It's an extra level of security to prevent accidental deletions.

Answer 223

3) S3 Object Lock - Retention Compliance Mode

Answer 224

3) Legal Hold

Answer 225

1) MongoDB

Answer 226

3) Enable Muti-AZ Multi-AZ helps when you plan a disaster recovery for an entire AZ going down. If you plan against an entire AWS Region going down, you should use backups and replication across AWS Regions.

Answer 227

RDS Multi-AZ Be very careful with the way you read questions at the exam. Here, the question is asking which solution is NOT adapted to this problem. ElastiCache and RDS Read Replicas do indeed help with scaling reads.

Answer 228

2) Read Replicas have Asynchronous Replication, therefore it's likely your users will only read Eventual Consistency

Answer 229

1) Multi-AZ Multi-AZ keeps the same connection string regardless of which database is up.

Answer 230

3) Store session data in ElastiCache Storing Session Data in ElastiCache is a common pattern to ensuring different EC2 instances can retrieve your user's state if needed.

Answer 231

1) Setup a Read Replica

Answer 232

4) Aurora Global Database Aurora Global Databases allows you to have an Aurora Replica in another AWS Region, with up to 5 secondary regions.

Answer 233

2) Using IAM Authentication

Answer 234

2) Create a Read Replica in a different AZ and run the analytics workload on the standby database

Answer 235

2) Create a Read Replica in a different region and enable Multi-AZ on the Read Replica

Answer 236

3) Enable IAM Database Authentication

Answer 237

2) Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication

Answer 238

3) Create a snapshot of the unencrypted RDS DB instance, copy the snapshot and tick "Enable encryption", then restore the RDS DB instance from the encrypted snapshot

Answer 239

No You can not create encrypted Read Replicas from an unencrypted RDS DB instance.

Answer 240

3) Use Aurora Serverless

Answer 241

2) MySQL and PostgreSQL

Answer 242

4) Use ElastiCache for Redis - Sorted Sets

Answer 243

2) RDS Custom for Oracle

Answer 244

2) Perform On Demand Backups

Answer 245

4) Use the Aurora Cloning feature

Answer 246

4) Use an RDS Proxy This reduces the failover time by up to 66% and keeps connection actives for your applications

Answer 247

False Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text. Amazon Polly is a service that turns text into lifelike speech.

Answer 248

4) Lex Amazon Lex is a service for building conversational interfaces into any application using voice and text. Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions.

Answer 249

4) Forecast Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate forecasts.

Answer 250

1) Rekognition Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use.

Answer 251

1) Personalize Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications.

Answer 252

2) Comprehend Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find meaning and insights in text.

Answer 253

3) Translate Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation.

Answer 254

1) SageMaker Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process to make it easier to develop high quality models.

Answer 255

3) Transcribe Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text.

Answer 256

2) Kendra Amazon Kendra is a highly accurate and easy to use enterprise search service that’s powered by machine learning.

Answer 257

4) Amazon Rekognition

Answer 258

2) Amazon Transcribe

Answer 259

3) Pronunciation Lexicons, Speech Synthesis Markup Language (SSML)

Answer 260

1) Amazon Comprehend Medical

Answer 261

1) AWS Trusted Advisor AWS Trusted Advisor provides recommendations that help you follow AWS best practices. It evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.

Answer 262

2) AWS CloudHSM The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware. You should use AWS CloudHSM when you need to manage the HSMs that generate and store your encryption keys. In AWS CloudHSM, you create and manage HSMs, including creating users and setting their permissions. You also create the symmetric keys and asymmetric key pairs that the HSM stores.

Answer 263

4) Use AWS Artifact to download the certificate AWS Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements

Answer 264

2) AWS Managed Service for Prometheus 3) AWS Managed Grafana Prometheus offers open-source monitoring. Amazon Managed Service for Prometheus is a serverless, Prometheus-compatible monitoring service for container metrics. It is perfect for monitoring Kubernetes clusters at scale. Grafana is a well-known open-source analytics and monitoring application. Amazon Managed Grafana offers a fully managed service for infrastructure for data visualizations. You can leverage this service to query, correlate, and visualize operational metrics from multiple sources. While Prometheus and Grafana is a popular open-source monitoring tool, running it on EC2 instances immediately adds operational overhead and cost to the solution.

Answer 265

2) Storing metadata for S3 objects 3) Managing web session data 4) High-performance reads and writes for online transaction workloads In order to optimize your costs across AWS services, large objects or infrequently accessed data sets should be stored in Amazon S3, while smaller data elements or file pointers (possibly to Amazon S3 objects) are best saved in Amazon DynamoDB. Amazon DynamoDB’s fast and predictable performance characteristics make it a great match for handling session data. Plus, since it’s a fully-managed NoSQL database service, you avoid all the work of maintaining and operating a separate session store. High-performance reads and writes are easy to manage with Amazon DynamoDB, and you can expect performance that is effectively constant across widely varying loads

Answer 266

4) Cache frequently accessed data in-memory Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open-source-compatible, in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for real-time use cases like caching, session stores, gaming, geospatial services, real-time analytics, and queuing

Answer 267

2) Use RDS to host your database. Create a cross-region read replica of your database. In the event of a failure, promote the read replica to be a standalone database. Send new reads and writes to this database. While 1 is a great option for high availability within a region, it won't meet cross-region requirements It's important to note that while read replicas are often used for load balancing and read-heavy workloads, they are also a valuable component in a disaster recovery strategy, especially in scenarios requiring quick failover to a different region.

Answer 268

1) The instance launched from the oldest launch configuration. When the Auto Scaling Group (ASG) is configured with the Default Termination Policy and a scale-in event occurs (i.e., when the number of instances needs to be reduced), AWS follows a specific sequence to determine which instance to terminate. The "Least Busy Instances" criterion comes into play in this sequence. Here's how it works: Balance Across Availability Zones: The policy first ensures that the instances are balanced across Availability Zones. It targets the zone with the most instances for scale-in. Least Busy Instances: Within the selected Availability Zone, AWS then targets the instances that are considered "least busy." This is determined based on two factors: Network Performance: AWS examines the network in and out from/to each instance. Instances with lower network use are considered less busy. Instance Usage: AWS also looks at the overall instance usage, which could include factors like CPU utilization and disk I/O, to assess which instances are least active or busy. Oldest Launch Configuration or Template: If multiple instances have similar usage levels, the policy then considers the age of the launch configuration or template used by the instances. Closest to the Next Billing Hour: Finally, among the remaining instances, AWS selects the one closest to the next billing hour.

Answer 269

2) There is a vCPU-based On-Demand Instance limit per Region While there is a limit of 20 instances per region (no specific limit for AZ), it is not a hard limit. This limit is raised automatically by AWS based on your usage. Larger limit increase requests may require approval from AWS support. Limits are imposed to ensure fair access to resources for all customers and prevent overutilization. But the limits are not fixed and are designed to accommodate growing usage.

Answer 270

1) AWS Snowball Edge Direct Connect is more suited to a long-term solution rather than a one time operation. The AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS capabilities. Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud.

Answer 271

2) Pilot Light

Answer 272

4) Multi-Site

Answer 273

1) Backup and Restore

Answer 274

3) Warm Standby

Answer 275

1) Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data

Answer 276

2) Amazon EBS

Answer 277

3) AWS Backup AWS Backup enables you to centralize and automate data protection across AWS services. It helps you support your regulatory compliance or business policies for data protection.

Answer 278

2) AWS Application Migration Service

Answer 279

1) VMware Cloud on AWS

Answer 280

4) Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL

Answer 281

3) AWS Backup

Answer 282

4) Use Snowball Edge Snowball Edge is the right answer as it comes with computing capabilities and allows you to pre-process the data while it's being moved into Snowball.

Answer 283

2) AWS Storage Gateway - Tape Gateway

Answer 284

1) Amazon FSx for Window (File Server)

Answer 285

3) AWS Snowball Edge

Answer 286

2) AWS Storage Gateway - S3 File Gateway

Answer 287

1) Amazon FSx for Windows (File Server

Answer 288

2) Amazon FSx for Lustre

Answer 289

2) Persistent File System

Answer 290

3) Transport Layer Security (TLS) AWS Transfer Family is a managed service for file transfers into and out of S3 or EFS using the FTP protocol, thus TLS is not supported.

Answer 291

3) FSx File Gateway

Answer 292

4) AWS DataSync

Answer 293

2) AWS DataSync

Answer 294

1) Use AWS Transfer Family

Answer 295

1) Amazon FSx for OpenZFS

Answer 296

3) Use S3 Lifecycle Policy

Answer 297

3) AWS DataSync AWS DataSync is an online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services.

Answer 298

3) AWS Application Discovery Service This service helps users plan migrations to AWS via the collection of usage and configuration data from on-premises servers.

Answer 299

1) 10.0.4.0 to 10.0.4.15 /28 means 16 IPs (=2^(32-28) = 2^4), means only the last digit can change.

Answer 300

2) 172.16.0.0/16 CIDR not should overlap, and the max CIDR size in AWS is /16.

Answer 301

1) EC2 instance, Subnet

Answer 302

3) The Security Group does not allow traffic in Security groups are stateful and if traffic can go out, then it can go back in.

Answer 303

3) NAT Gateway

Answer 304

2) Check the Route Tables in VPC B Route tables must be updated in both VPCs that are peered.

Answer 305

3) Use a Direct Connect Gateway This is the main use case of Direct Connect Gateways.

Answer 306

3) Amazon S3 & DynamoDB These two services have a VPC Gateway Endpoint (remember it), all the other ones have an Interface endpoint (powered by Private Link - means a private IP).

Answer 307

4) 10.0.0.4

Answer 308

2) Establish 3 VPC Peering connections (A-B, A-C, B-C)

Answer 309

1) Enable VPC Flow Logs VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Answer 310

2) Hosted Hosted Direct Connect connection supports 50Mbps, 500Mbps, up to 10Gbps.

Answer 311

4) Virtual Private Gateway and Customer Gateway

Answer 312

2) AWS VPN CloudHub AWS VPN CloudHub allows you to securely communicate with multiple sites using AWS VPN. It operates on a simple hub-and-spoke model that you can use with or without a VPC.

Answer 313

3) AWS Direct Connect

Answer 314

3) Use Transit Gateway

Answer 315

3) Add an additional IPv4 VIDR to your VPC

Answer 316

2) Allow traffic only on port 22 from the company's public CIDR

Answer 317

3) Setup a Site-to-SiteVPN connection as a backup

Answer 318

1) AWS Network Firewall

Answer 319

3) Add an Inbound Rule with port 80 and ALB's Security Group as the source This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing by security groups in rules is an extremely powerful rule and many questions at the exam rely on it. Make sure you fully master the concepts behind it!

Answer 320

3) EBS volumes are locked to AZ EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZs using EBS Snapshots.

Answer 321

False AMIs are built for a specific AWS Region, they're unique for each AWS Region. You can't launch an EC2 instance using an AMI in another AWS Region, but you can copy the AMI to the target AWS Region and then use it to create your EC2 instances.

Answer 322

2) The root volume type will be deleted and the EBS volume type will not be deleted By default, the Root volume type will be deleted as its "Delete On Termination" attribute checked by default. Any other EBS volume types will not be deleted as its "Delete On Termination" attribute disabled by default.

Answer 323

2) gp2, gp3, io1, io2 When creating EC2 instances, you can only use the following EBS volume types as boot volumes: gp2, gp3, io1, io2, and Magnetic (Standard).

Answer 324

3) Attach the same EBS volume to multiple EC2 instances in the same AZ Using EBS Multi-Attach, you can attach the same EBS volume to multiple EC2 instances in the same AZ. Each EC2 instance has full read/write permissions.

Answer 325

1) Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume

Answer 326

2) Use EFS EFS is a network file system (NFS) that allows you to mount the same file system on EC2 instances that are in different AZs.

Answer 327

3) Instance Store EC2 Instance Store provides the best disk I/O performance.

Answer 328

3) Use an EC2 Instance Store You can run a database on an EC2 instance that uses an Instance Store, but you'll have a problem that the data will be lost if the EC2 instance is stopped (it can be restarted without problems). One solution is that you can set up a replication mechanism on another EC2 instance with an Instance Store to have a standby copy. Another solution is to set up backup mechanisms for your data. It's all up to you how you want to set up your architecture to validate your requirements. In this use case, it's around IOPS, so we have to choose an EC2 Instance Store.

Answer 329

2) Vertical Scalability

Answer 330

1) Horizontal Scalability

Answer 331

2) static DNS name we can use in our application Only Network Load Balancer provides both static DNS name and static IP. While, Application Load Balancer provides a static DNS name but it does NOT provide a static IP. The reason being that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.

Answer 332

3) The Elastic Load Balancer does not have Sticky Sessions enabled ELB Sticky Session feature ensures traffic for the same client is always redirected to the same target (e.g., EC2 instance). This helps that the client does not lose his session data.

Answer 333

2) Modify your website's backend to get the client IP address from the X-Forwarded-For header When using an Application Load Balancer to distribute traffic to your EC2 instances, the IP address you'll receive requests from will be the ALB's private IP addresses. To get the client's IP address, ALB adds an additional header called "X-Forwarded-For" contains the client's IP address.

Answer 334

1) Enable ELB Health Checks When you enable ELB Health Checks, your ELB won't send traffic to unhealthy (crashed) EC2 instances.

Answer 335

3) Network Load Balancer Network Load Balancer provides the highest performance and lowest latency if your application needs it.

Answer 336

3) TCP Application Load Balancers support HTTP, HTTPS and WebSocket

Answer 337

1) Client's Location (Geography) ALBs can route traffic to different Target Groups based on URL Path, Hostname, HTTP Headers, and Query Strings.

Answer 338

2) Network Load Balancer

Answer 339

2) Network Load Balancer Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.

Answer 340

2) APPUSERC The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG).

Answer 341

1) Enable Cross-Zone Load Balancing

Answer 342

2) Server Name Indication (SNI)

Answer 343

3) Use Server Name Indication (SNI) Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener.

Answer 344

1) Nothing The Auto Scaling Group can't go over the maximum capacity (you configured) during scale-out events.

Answer 345

3) The ASG will terminate the EC2 instance You can configure the Auto Scaling Group to determine the EC2 instances' health based on Application Load Balancer Health Checks instead of EC2 Status Checks (default). When an EC2 instance fails the ALB Health Checks, it is marked unhealthy and will be terminated while the ASG launches a new EC2 instance.

Answer 346

1) Create a CloudWatch custom metric then create a CloudWatch Alarm on this metric to scale your ASG There's no CloudWatch Metric for "requests per minute" for backend-to-database connections. You need to create a CloudWatch Custom Metric, then create a CloudWatch Alarm.

Answer 347

3) Target Tracking Policy

Answer 348

2) Migrate the health check to HTTP The NLB supports HTTP health checks as well as TCP and HTTPS

Answer 349

2) Configure the ALB to redirect HTTP to HTTPS

Answer 350

2) Weighted Weighted Routing Policy allows you to redirect part of the traffic based on weight (e.g., percentage). It's a common use case to send part of traffic to a new version of your application.

Answer 351

3) Because of the TTL Each DNS record has a TTL (Time To Live) which orders clients for how long to cache these values and not overload the DNS Resolver with DNS requests. The TTL value should be set to strike a balance between how long the value should be cached vs. how many requests should go to the DNS Resolver.

Answer 352

3) Latency Latency Routing Policy will evaluate the latency between your users and AWS Regions, and help them get a DNS response that will minimize their latency (e.g. response time)

Answer 353

4) Geolocation

Answer 354

4) Create a Public Hosted Zone and update the 3rd party Registrar NS records Public Hosted Zones are meant to be used for people requesting your website through the Internet. Finally, NS records must be updated on the 3rd party Registrar.

Answer 355

1) Health Checks that monitor SQS Queue

Answer 356

2) Reserve 2 EC2 instances This is the way to save further costs as we will run 2 EC2 instances no matter what.

Answer 357

4) Store session data on EBS volumes EBS volumes are created in a specific AZ and can only be attached to one EC2 instance at a time.

Answer 358

2) Store the software updates on EFS and mount EFS as a network drive at startup EFS is a network file system (NFS) that allows you to mount the same file system to 100s of EC2 instances. Storing software updates on an EFS allows each EC2 instance to access them.

Answer 359

1) Use a Golden AMI Golden AMI is an image that contains all your software installed and configured so that future EC2 instances can boot up quickly from that AMI.

Answer 360

1) Single Instance Mode The question mentions that you're still in the development stage and you want to reduce costs. Single Instance Mode will create one EC2 instance and one Elastic IP.

Answer 361

3) Create a Golden AMI that contains the dependencies and use that image to launch the EC2 instances Golden AMI is an image that contains all your software, dependencies, and configurations, so that future EC2 instances can boot up quickly from that AMI.

Answer 362

2) Amazon RDS

Answer 363

4) Amazon ElastiCache Amazon ElastiCache is a fully managed in-memory data store, compatible with Redis or Memcached.

Answer 364

2) Amazon DynamoDB

Answer 365

3) Amazon Aurora Amazon Aurora is a MySQL and PostgreSQL-compatible relational database. It features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across 3 AZs.

Answer 366

3) Amazon Neptune Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets. Social media- think graph database

Answer 367

2) Amazon S3

Answer 368

2) Amazon DocumentDB

Answer 369

4) Amazon Keyspace

Answer 370

3) Amazon QLDB

Answer 371

1) Amazon Timestream

Answer 372

2) Create a CloudWatch Logs Metric Filter that filter the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter

Answer 373

2) The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 instances in the ASG The number of EC2 instances in an ASG can not go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.

Answer 374

3) Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch

Answer 375

1) Amazon CloudWatch Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications' performance and metrics.

Answer 376

4) AWS CloudTrail AWS CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. It provides the event history of your AWS account activity, audit API calls made through the AWS Management Console, AWS SDKs, AWS CLI. So, the EC2 instance termination API call will appear here. You can use CloudTrail to detect unusual activity in your AWS accounts.

Answer 377

2) CloudTrail Insights

Answer 378

2) Analyze CloudTrail logs in S3 bucket using Amazon Athena You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.

Answer 379

3) Setup Config Rules

Answer 380

1) AWS Config

Answer 381

2) AWS CloudTrail

Answer 382

1) AWS Config Remediations

Answer 383

3) AWS Config Notifications

Answer 384

1) CloudWatch Metric Stream

Answer 385

3) CloudWatch Contributor Insights

Answer 386

2) Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS

Answer 387

1) Use EventBridge Archive and Replay feature

Answer 388

D) Amazon Route 53 Amazon Route 53 is a scalable domain name system (DNS) web service that can provide automatic failover between AWS regions in the event of a service disruption. By configuring DNS failover policies, Route 53 can route traffic to an alternate region if the primary region becomes unavailable, ensuring high availability and fault tolerance. Both AWS Global Accelerator and Amazon Route 53 could be considered viable options. However, if the emphasis is on DNS-level traffic management with advanced routing policies (like geolocation or latency-based routing), Amazon Route 53 would be the more suitable choice. On the other hand, if the focus is on optimizing performance with rapid failover capabilities and a consistent entry point (static IPs) for global users, then AWS Global Accelerator would be the ideal solution.

Answer 389

C) Amazon EMR (Elastic MapReduce) Amazon EMR is a fully managed big data processing service that allows you to process and transform large datasets using popular frameworks such as Apache Spark, Apache Hadoop, and Presto. EMR enables distributed processing across a cluster of EC2 instances, making it suitable for big data processing scenarios.

Answer 390

A) Amazon S3 Intelligent-Tiering Amazon S3 Intelligent-Tiering is a storage class in Amazon S3 that offers a combination of low-cost storage and high retrieval performance. It automatically moves data between two access tiers (frequent access and infrequent access) based on changing access patterns, optimizing costs while maintaining performance.

Answer 391

B) Amazon S3 Standard Amazon S3 Standard storage class offers cost-effective storage with low-latency access for frequently accessed data. It provides high durability, availability, and performance for storing and retrieving objects, making it suitable for frequently accessed data that requires low-latency access.