AWS Solutions Architect Associate Flashcards

Question 1

Q

What is a proper definition of an IAM Role?

1) IAM Users in multiple User Groups
2) An IAM entity that defines a password policy for IAM users
3) An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS service
4) Permissions assigned to IAM Users to perform actions

Answer

A

3) An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS service

Some AWS services need to perform actions on your behalf. To do so, you assign permissions to AWS services with IAM Roles.

Question 2

Q

Which of the following is an IAM Security Tool?

1) IAM Credentials Report
2) IAM Root Account Manager
3) IAM Services Report
4) IAM Security Advisor

Answer

A

1) IAM Credentials Report

IAM Credentials report lists all your AWS Account’s IAM Users and the status of their various credentials.

Question 3

Q

Which answer is INCORRECT regarding IAM Users?

1) IAM Users can belong to multiple User Groups
2) IAM Users don’t have to belong to a User Group
3) IAM Policies can be attached directly to IAM Users
4) IAM Users access AWS services using root account credentials

Answer

A

4) IAM Users access AWS services using root account credentials

IAM Users access AWS services using their own credentials (username & password or Access Keys).

Question 4

Q

Which of the following is an IAM best practice?

1) Create several IAM Users for one physical person
2) Don’t use the root user account
3) Share your AWS account credentials with your colleague, so they can perform a task for you
4) Do not enable MFA for easier access

Answer

A

2) Don’t use the root user account

Use the root account only to create your first IAM User and a few account/service management tasks. For everyday tasks, use an IAM User.

Question 5

Q

What are IAM Policies?

1) A set of policies that defines how AWS accounts interact with each other
2) JSON documents that define a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles
3) A set of policies that define a password for IAM Users
4) A set of policies defined by AWS that show how customers interact with AWS

Answer

A

2) JSON documents that define a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles

Question 6

Q

What is tenancy in regards to EC2?

Answer

A

Tenancy defines how EC2 instances are distributed across physical hardware and affects pricing. There are three tenancy options available:

1) Shared (default) — Multiple AWS accounts may share the same physical hardware.

2) Dedicated Instance (dedicated) — Your instance runs on single-tenant hardware.

3) Dedicated Host (host) — Your instance runs on a physical server with EC2 instance capacity fully dedicated to your use, an isolated server with configurations that you can control.

Question 7

Q

Which principle should you apply regarding IAM Permissions?
1) Grant most privilege
2) Grant more permissions if your employee asks you to
3) Grant least privilege
4) Restrict root account permissions

Answer

A

3) Grant least privilege

Don’t give more permissions than the user needs.

Question 8

Q

What should you do to increase your root account security?

1) Remove permissions from the root account
2) Only access AWS services through AWS Command Line Interface (CLI)
3) Don’t create IAM Users, only access you AWS account using the root account
4) Enable MFA

Answer

A

4) Enable MFA

When you enable MFA, this adds another layer of security. Even if your password is stolen, lost, or hacked your account is not compromised.

Question 9

Q

IAM User Groups can contain IAM Users and other User Groups.

True
False

Answer

A

False

IAM User Groups can contain only IAM Users.

Question 10

Q

An IAM policy consists of one or more statements. A statement in an IAM Policy consists of the following, EXCEPT:

1) Effect
2) Principal
3) Version
4) Action
5) Resource

Answer

A

3) Version

A statement in an IAM Policy consists of Sid, Effect, Principal, Action, Resource, and Condition. Version is part of the IAM Policy itself, not the statement.

{
“Version”: “2012-10-17”,
“Statement”: [{
“Sid”: “1”,
“Effect”: “Allow”,
“Principal”: {“AWS”: [“arn:aws:iam::account-id:root”]},
“Action”: “s3:”,
“Resource”: [
“arn:aws:s3:::mybucket”,
“arn:aws:s3:::mybucket/”
]
}]
}

Question 11

Q

You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up?

1) Provide the Dev team with a completely independent AWS account
2) Apply a global IAM policy on your Prod account
3) Create an AWS Organization and create 2 Prod and Dev OUs, then apply an SCP on the Prod OU
4) Create an AWS Config Rule

Answer

A

3) Create an AWS Organization and create 2 Prod and Dev OUs, then Apply an SCP on the Prod OU

Question 12

Q

You are managing the AWS account for your company, and you want to give one of the developers access to read files from an S3 bucket. You have updated the bucket policy to this, but he still can’t access the files in the bucket. What is the problem?

{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowsRead",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:user/Dave"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::static-files-bucket-xxx"
     }]
}

1) Everything is okay, he just needs to logout and login again
2) The bucket does not contain any files yet
3) You should change the resource to arn:aws:s3:::static-files-bucket-xxx/*, because this is an object level permission

Answer

A

3) You should change the resource to arn:aws:s3:::static-files-bucket-xxx/*, because this is an object level permission

Question 13

Q

You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?
1) Using IAM Roles
2) Using AWS Organizations SCP
3) Using AWS Config

Answer

A

2) Using AWS Organizations SCP

Question 14

Q

Which of the following IAM condition key you can use only to allow API calls to a specified AWS region?

1) aws:RequiredRegion
2) aws SourceRegion
3) aws:InitialRegion
4) aws:RequestedRegion

Answer

A

4) aws:RequestedRegion

Question 15

Q

When configuring permissions for EventBridge to configure a Lambda function as a target you should use ………………….. but when you want to configure a Kinesis Data Streams as a target you should use …………………..

1) Identity-Based Policy, Resource-Based Policy
2) Resource-Based Policy, Identity-Based Policy
3) Identity-Based Policy, Identity-Based Policy
4) Resource-Based Policy, Resource-Based Policy

Answer

A

2) Resource-Based Policy, Identity-Based Policy

Question 16

Q

Which AWS Directory Service is best suited for an organization looking to extend their existing on-premises Active Directory to the AWS Cloud without replicating their AD data?

1) AWS Managed Microsoft AD
2) AD Connector
3) Simple AD
4) Amazon Cognito

Answer

A

AD Connector

AD Connector acts as a proxy to redirect directory requests to your existing on-premises Active Directory, allowing you to manage AWS resources without replicating your AD data

Question 17

Q

A company requires a fully managed, highly available, and scalable Active Directory service in AWS to support their Windows-based applications. Which AWS Directory Service should they use?

A. Simple AD
B. Amazon Cognito
C. AWS Managed Microsoft AD
D. AD Connector

Answer

A

C. AWS Managed Microsoft AD

AWS Managed Microsoft AD is a full-fledged Active Directory managed by AWS, ideal for Windows-based applications and complex AD tasks.

Question 18

Q

Which AWS Directory Service offers a cost-effective solution for small to medium-sized businesses that need basic AD capabilities such as domain joining and group policies?

A. AWS Managed Microsoft AD
B. Amazon Cognito
C. AD Connector
D. Simple AD

Answer

A

D. Simple AD

Simple AD is a Samba-based, AD-compatible service that provides basic Active Directory features, making it suitable for smaller businesses with basic directory service needs.

Question 19

Q

An organization wants to use its existing server-bound software licenses (such as Windows Server and SQL Server) within AWS. Which AWS Directory Service supports Bring Your Own License (BYOL) compatibility?

A. AWS Managed Microsoft AD
B. AD Connector
C. Amazon Cognito
D. Simple AD

Answer

A

A. AWS Managed Microsoft AD

AWS Managed Microsoft AD allows for Bring Your Own License (BYOL) compatibility, enabling the use of existing server-bound software licenses within AWS

Question 20

Q

An organization wants to ensure that their IAM policies allow access to an S3 bucket only if the requests are coming from IP addresses within their corporate network. Which IAM policy condition key should be used to achieve this?

A. aws:SourceIp
B. aws:SourceArn
C. aws:UserAgent
D. aws:SecureTransport

Answer

A

A. aws:SourceIp

The aws:SourceIp condition key in IAM policies is used to specify the IP address or IP address range from which the requests are allowed or denied.

Question 21

Q

A company wants to restrict access to their AWS resources, ensuring that API calls are only made using HTTPS. Which IAM policy condition key should be utilized to enforce this policy?

A. aws:SecureTransport
B. aws:SourceIp
C. aws:UserAgent
D. aws:RequestTime

Answer

A

A. aws:SecureTransport

The aws:SecureTransport condition key is used in IAM policies to check whether the request was sent using SSL (HTTPS).

Question 22

Q

How can an AWS Solutions Architect restrict IAM user access to resources based on the user’s tagged department, such as only allowing access to resources tagged with “Department”: “Finance”?

A. Use the aws:RequestTag/Department condition key.
B. Use the aws:TagKeys condition key.
C. Use the aws:ResourceTag/Department condition key.
D. Use the aws:User/Department condition key.

Answer

A

C. Use the aws:ResourceTag/Department condition key

The aws:ResourceTag/Department condition key in IAM policies allows for the specification of conditions based on the tags on the AWS resource being accessed.

Question 23

Q

To comply with regulatory requirements, a Solutions Architect needs to ensure that IAM users can only modify AWS resources if they use a specific client application. Which IAM condition key can be used to enforce this policy?

A. aws:SourceIp
B. aws:UserAgent
C. aws:RequestTag/Client
D. aws:CalledVia

Answer

A

B. aws:UserAgent

The aws:UserAgent condition key allows policies to specify conditions based on the client application identified in the user agent string of the request.

Question 24

Q

An organization wants to enhance the security of their AWS environment by ensuring that certain sensitive actions, like terminating EC2 instances, can only be performed by users who have authenticated using Multi-Factor Authentication (MFA). Which IAM policy condition key should be used to enforce this security requirement?

A. aws:MultiFactorAuthPresent
B. aws:SecureTransport
C. aws:TokenIssueTime
D. aws:UserAgent

Answer

A

A. aws:MultiFactorAuthPresent

The aws:MultiFactorAuthPresent condition key in IAM policies is used to verify whether the requester has authenticated with Multi-Factor Authentication (MFA). This condition can be set to true to enforce that the specified action is allowed only when the user is MFA-authenticated, enhancing the security for sensitive operations.

Example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }
  ]
}

Question 25

Q

What is a primary feature of AWS IAM Identity Center?

A. It allows for the creation and management of AWS resources.
B. It is a web service for organizing and federating access to AWS accounts and business applications.
C. It is used for hardware-based key storage for cryptographic operations.
D. It offers a centralized service for billing and cost management of AWS resources.

Answer

A

B. It is a web service for organizing and federating access to AWS accounts and business applications.

AWS IAM Identity Center is designed to help manage access to AWS accounts and business applications, providing a single location to centrally manage access. It allows users to sign in once and access multiple accounts and applications.

Question 26

Q

Which feature does AWS IAM Identity Center (SSO) provide to enhance security and streamline user access management across multiple AWS accounts?

A. Multi-factor authentication for each AWS account separately.
B. Centralized user access to multiple AWS accounts with a single set of credentials.
C. Automated encryption and decryption of AWS secrets.
D. Direct control over the underlying EC2 instances running IAM services.

Answer

A

B. Centralized user access to multiple AWS accounts with a single set of credentials.

AWS IAM Identity Center allows users to access multiple AWS accounts and applications using a single set of credentials, thereby centralizing and streamlining user access management

Question 27

Q

In AWS IAM Identity Center, which of the following best describes the function of permission sets?

A. They are used to assign EC2 instance types to users.
B. They define the IAM roles that users can assume in AWS accounts.
C. They encrypt data stored in S3 buckets.
D. They monitor and log user activity within the AWS Management Console.

Answer

A

B. They define the IAM roles that users can assume in AWS accounts

In AWS IAM Identity Center, permission sets are used to define the IAM roles that can be assumed by users when accessing AWS accounts. This allows for fine-grained access control

Question 28

Q

How does AWS IAM Identity Center integrate with existing corporate directories?

A. It replaces the need for a corporate directory with its own user database.
B. It provides a physical storage solution for corporate directory data.
C. It enables integration with existing directories like Microsoft Active Directory for user authentication.
D. It only integrates with AWS Managed Microsoft AD and not with any on-premises directories.

Answer

A

C. It enables integration with existing directories like Microsoft Active Directory for user authentication.

AWS IAM Identity Center supports integration with existing corporate directories, such as Microsoft Active Directory, to authenticate and manage user access, allowing for a seamless connection between AWS and existing user management systems

Question 29

Q

Which EC2 Purchasing Option can provide you the biggest discount, but it is not suitable for critical jobs or databases?

1) Convertible Reserved Instances
2) Dedicated Hosts
3) Spot Instances

Answer

A

3) Spot Instances

Spot Instances are good for short workloads and this is the cheapest EC2 Purchasing Option. But, they are less reliable because you can lose your EC2 instance.

Question 30

Q

What should you use to control traffic in and out of EC2 instances?

1) Network Access Control List (NACL)
2) Security Groups
3) IAM Policies

Answer

A

2) Security Groups

Security Groups operate at the EC2 instance level and can control traffic.

Question 31

Q

How long can you reserve an EC2 Reserved Instance?

1) 1 or 3 years
2) 2 or 4 years
3) 6 months or 1 year
4) Anytime between 1 and 3 years

Answer

A

1) 1 or 3 years

EC2 Reserved Instances can be reserved for 1 or 3 years only.

Question 32

Q

You would like to deploy a High-Performance Computing (HPC) application on EC2 instances. Which EC2 instance type should you choose?

1) Storage Optimized
2) Compute Optimized
3) Memory Optimized
4) General Purpose

Answer

A

2) Compute Optimized

Compute Optimized EC2 instances are great for compute-intensive workloads requiring high-performance processors (e.g., batch processing, media transcoding, high-performance computing, scientific modeling & machine learning, and dedicated gaming servers).

Question 33

Q

Which EC2 Purchasing Option should you use for an application you plan to run on a server continuously for 1 year?

1) Reserved Instances
2) Spot Instances
3) On-Demand Instances

Answer

A

1) Reserved Instances

Reserved Instances are good for long workloads. You can reserve EC2 instances for 1 or 3 years.

Question 34

Q

You are preparing to launch an application that will be hosted on a set of EC2 instances. This application needs some software installation and some OS packages need to be updated during the first launch. What is the best way to achieve this when you launch the EC2 instances?

1) Connect to each EC2 instance using SSH, then install the required software and update your OS packages manually
2) Write a bash script that installs the required software and updates to your OS, then contact AWS Support and provide them with the script. They will run it on your EC2 instances at launch
3) Write a bash script that installs the required software and updates to your OS, then use this script in the EC2 User Data when you launch your EC2 instances

Answer

A

3) EC2 User Data

EC2 User Data is used to bootstrap your EC2 instances using a bash script. This script can contain commands such as installing software/packages, download files from the Internet, or anything you want.

Question 35

Q

Which EC2 Instance Type should you choose for a critical application that uses an in-memory database?

1) Storage Optimized
2) Compute Optimized
3) Memory Optimized
4) General Purpose

Answer

A

3) Memory Optimized

Memory Optimized EC2 instances are great for workloads requiring large data sets in memory.

Question 36

Q

You have an e-commerce application with an OLTP database hosted on-premises. This application has popularity which results in its database has thousands of requests per second. You want to migrate the database to an EC2 instance. Which EC2 Instance Type should you choose to handle this high-frequency OLTP database?

1) Storage Optimized
2) Compute Optimized
3) Memory Optimized
4) General Purpose

Answer

A

1) Storage Optimized

Storage Optimized EC2 instances are great for workloads requiring high, sequential read/write access to large data sets on local storage.

Question 37

Q

Security Groups can be attached to only one EC2 instance.

True
False

Answer

A

False

Security Groups can be attached to multiple EC2 instances within the same AWS Region/VPC.

Question 38

Q

You’re planning to migrate on-premises applications to AWS. Your company has strict compliance requirements that require your applications to run on dedicated servers. You also need to use your own server-bound software license to reduce costs. Which EC2 Purchasing Option is suitable for you?

1) Convertible Reserved Instances
2) Dedicated Hosts
3) Spot Instances

Answer

A

2) Dedicated Hosts

Dedicated Hosts are good for companies with strong compliance needs or for software that have complicated licensing models. This is the most expensive EC2 Purchasing Option available.

Question 39

Q

You would like to deploy a database technology on an EC2 instance and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 Purchasing Option allows you to get visibility into them?

1) Spot Instances
2) On-Demand
3) Dedicated Hosts
4) Reserved Instances

Answer

A

3) Dedicated Hosts

Question 40

Q

Spot Fleet is a set of Spot Instances and optionally ……………

1) Dedicated Instances
2) On-Demand Instances
3) Dedicated Hosts
4) Reserved Instances

Answer

A

2) On-Demand Instances

Spot Fleet is a set of Spot Instances and optionally On-demand Instances. It allows you to automatically request Spot Instances with the lowest price.

Question 41

Q

You have an e-commerce website and you are preparing for Black Friday which is the biggest sale of the year. You expect that your traffic will increase by 100x. Your website already using an SQS Standard Queue, and you’re running a fleet of EC2 instances in an Auto Scaling Group to consume SQS messages. What should you do to prepare your SQS Queue?

1) Contact AWS Support to pre-warm your SQS Standard Queue
2) Enable Auto Scaling in your SQS queue
3) Increase the capacity of the SQS queue
4) Do nothing, SQS scales automatically

Answer

A

4) Do nothing, SQS scales automatically

Question 42

Q

You have an SQS Queue where each consumer polls 10 messages at a time and finishes processing them in 1 minute. After a while, you noticed that the same SQS messages are received by different consumers resulting in your messages being processed more than once. What should you do to resolve this issue?

1) Enable Long Polling
2) Add DelaySeconds parameter to the messages when being produced
3) Increase the Visibility Timeout
4) Decrease the Visibility Timeout

Answer

A

3) Increase the Visibility Timeout

SQS Visibility Timeout is a period of time during which Amazon SQS prevents other consumers from receiving and processing the message again. In Visibility Timeout, a message is hidden only after it is consumed from the queue. Increasing the Visibility Timeout gives more time to the consumer to process the message and prevent duplicate reading of the message. (default: 30 sec., min.: 0 sec., max.: 12 hours)

Question 43

Q

Which SQS Queue type allows your messages to be processed exactly once and in order?

1) SQS Standard Queue
2) SQS Dead Letter Queue
3) SQS Delay Queue
4) SQS FIFO Queue

Answer

A

4) SQS FIFO Queue

SQS FIFO (First-In-First-Out) Queues have all the capabilities of the SQS Standard Queue, plus the following two features. First, The order in which messages are sent and received are strictly preserved and a message is delivered once and remains available until a consumer process and deletes it. Second, duplicated messages are not introduced into the queue.

Question 44

Q

You have 3 different applications that you’d like to send them the same message. All 3 applications are using SQS. What is the best approach would you choose?

1) Use SQS Replication Feature
2) Use SNS + SQS Fan Out Pattern
3) Send messages Individually to 3 SQS queues

Answer

A

2) Use SNS + SQS Fan Out Pattern

This is a common pattern where only one message is sent to the SNS topic and then “fan-out” to multiple SQS queues. This approach has the following features: it’s fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.

Question 45

Q

You have a Kinesis data stream with 6 shards provisioned. This data stream usually receiving 5 MB/s of data and sending out 8 MB/s. Occasionally, your traffic spikes up to 2x and you get a ProvisionedThroughputExceeded exception. What should you do to resolve the issue?

1) Add more Shards
2) Enable Kinesis Replication
3) Use SQS as a buffer to Kinesis

Answer

A

1) Add more Shards

The capacity limits of a Kinesis data stream are defined by the number of shards within the data stream. The limits can be exceeded by either data throughput or the number of reading data calls. Each shard allows for 1 MB/s incoming data and 2 MB/s outgoing data. You should increase the number of shards within your data stream to provide enough capacity.

Question 46

Q

You have a website where you want to analyze clickstream data such as the sequence of clicks a user makes, the amount of time a user spends, and where the navigation begins and how it ends. You decided to use Amazon Kinesis, so you have configured the website to send these clickstream data all the way to a Kinesis data stream. While you checking the data sent to your Kinesis data stream, you found that the users’ data is not ordered and the data for one individual user is spread across many shards. How would you fix this problem?

1) There are too many shards, you should only use 1 shard
2) You shouldn’t use multiple consumers, only one and it should re-order data
3) For each record sent to Kinesis, use a partition key that represents the identity of the user

Answer

A

3) For each record sent to Kinesis, use a partition key that represents the identity of the user

Kinesis Data Stream uses the partition key associated with each data record to determine which shard a given data record belongs to. When you use the identity of each user as the partition key, this ensures the data for each user is ordered hence sent to the same shard.

Question 47

Q

You are running an application that produces a large amount of real-time data that you want to load into S3 and Redshift. Also, these data need to be transformed before being delivered to their destination. What is the best architecture would you choose?

1) SQS + AWS Lambda
2) SNS + HTTP Endpoint
3) Kinesis Data Streams + Kinesis Data Firehose

Answer

A

3) Kinesis Data Streams + Kinesis Data Firehose

This is a perfect combo of technology for loading data near real-time data into S3 and Redshift. Kinesis Data Firehose supports custom data transformations using AWS Lambda.

Question 48

Q

Which of the following is NOT a supported subscriber for AWS SNS?

1) Amazon Kinesis Data Streams
2) Amazon SQS
3) HTTP(S) Endpoint
4) AWS Lambda

Answer

A

1) Amazon Kinesis Data Streams

Note: Kinesis Data Firehose is now supported, but not Kinesis Data Streams.

Question 49

Q

Which AWS service helps you when you want to send email notifications to your users?

1) Amazon SQS with AWS Lambda
2) Amazon SNS
3) Amazon Kinesis

Answer

A

2) Amazon SNS

Question 50

Q

You’re running many micro-services applications on-premises and they communicate using a message broker that supports MQTT protocol. You’re planning to migrate these applications to AWS without re-engineering the applications and modifying the code. Which AWS service allows you to get a managed message broker that supports the MQTT protocol?

1) Amazon SQS
2) Amazon SNS
3) Amazon Kinesis
4) Amazon MQ

Answer

A

4) Amazon MQ

Amazon MQ supports industry-standard APIs such as JMS and NMS, and protocols for messaging, including AMQP, STOMP, MQTT, and WebSocket.

Question 51

Q

An e-commerce company is preparing for a big marketing promotion that will bring millions of transactions. Their website is hosted on EC2 instances in an Auto Scaling Group and they are using Amazon Aurora as their database. The Aurora database has a bottleneck and a lot of transactions have been failed in the last promotion they have made as they had a lot of transaction and the Aurora database wasn’t prepared to handle these too many transactions. What do you recommend to handle those transactions and prevent any failed transactions?

1) Use SQS as a buffer to write to Aurora
2) Host the website in AWS Fargate instead of EC2 instances
3) Migrate Aurora to RDS for SQL Server

Answer

A

1) Use SQS as a buffer to write to Aurora

Question 52

Q

A company is using Amazon Kinesis Data Streams to ingest clickstream data and then do some analytical processes on it. There is a campaign in the next few days and the traffic is unpredictable which might grow up to 100x. What Kinesis Data Stream capacity mode do you recommend?

1) Provisioned Mode
2) On-demand Mode

Answer

A

2) On-demand Mode

Question 53

Q

What type of firewall can be used in conjunction with API Gateway to help prevent DDoS attacks?

1) Security group
2) Web Application Firewall (WAF)
3) Host firewall
4) NACL

Answer

A

2) Web Application Firewall (WAF)

Question 54

Q

If your application needs to process 5,000 messages per second, which type of SQS queue would you use?

1) SQS Performance
2) SQS Standard
3) SQS FIFO
4) SQS paired with an EC2 Auto Scaling Group

Answer

A

2) SQS Standard

Auto Scaling groups are for EC2 instances only

Question 55

Q

You need to create a new message broker application in AWS. The new application needs to support the JMS messaging protocol. Which service fits your needs?

1) Amazon MQ
2) Amazon SQS
3) Amazon SNS
4) Amazon MSK

Answer

A

1) Amazon MQ

Question 56

Q

Which of the following endpoints can use a custom delivery policy to define how Amazon SNS retries the delivery of messages when server-side errors occur?

1) Email
2) SMS
3) HTTP/S
4) It can’t retry messages

Answer

A

3) HTTP/S

Question 57

Q

Which service allows for bidirectional data flows between AWS and SaaS applications?

1) AWS AppSync
2) Amazon S3 Replication
3) Amazon AppFlow
4) Amazon MSK

Answer

A

3) Amazon AppFlow

Question 58

Q

Which tool can be used to sideline malformed SQS messages?

1) It can’t be done
2) Side-letter queues (SLQ)
3) Alive-letter queues (ALQ)
4) Dead-letter queues (DLQ)

Answer

A

4) Dead-letter queues (DLQ)

Question 59

Q

Which AWS service would you choose for serverless orchestration of long-running (up to 1 year) workflows that can integrate with several other AWS services?

1) AWS Step Functions
2) AWS EC2 Spot Instances
3) AWS Lambda
4) Amazon MQ

Answer

A

1) AWS Step Functions

This is a serverless orchestration service combining different AWS services for business applications.

Question 60

Q

Which layers of our applications need to be loosely coupled?

1) Internal and external
2) Just internal
3) None — it’s bad practice to loosely couple applications
4) Just external

Answer

A

1) Internal and external

All levels of your architecture need to be loosely coupled!

Question 61

Q

What is the largest message size you can store in SQS?

1) 256KB
2) 512KB
3) 128KB
4) 1MB

Question 62

Q

You have launched an EC2 instance that will host a NodeJS application. After installing all the required software and configured your application, you noted down the EC2 instance public IPv4 so you can access it. Then, you stopped and then started your EC2 instance to complete the application configuration. After restart, you can’t access the EC2 instance, and you found that the EC2 instance public IPv4 has been changed. What should you do to assign a fixed public IPv4 to your EC2 instance?

1) Allocate an Elastic IP and assign it to your EC2 instance
2) From inside your EC2 instance OS, change network configuration from DHCP to static and assign it a public IPv4
3) Contact AWS Support and request a fixed public IPv4 to your EC2 instance
4) This can’t be done, you can only assign a fixed private IPv4 to your EC2 instance

Answer

A

1) Allocate an Elastic IP and assign it to your EC2 instance

Elastic IP is a public IPv4 that you own as long as you want and you can attach it to one EC2 instance at a time.

Question 63

Q

You have an application performing big data analysis hosted on a fleet of EC2 instances. You want to ensure your EC2 instances have the highest networking performance while communicating with each other. Which EC2 Placement Group should you choose?

1) Spread Placement Group
2) Cluster Placement Group
3) Partition Placement Group

Answer

A

2) Cluster Placement Group

Cluster Placement Groups place your EC2 instances next to each other which gives you high-performance computing and networking.

Question 64

Q

You have a critical application hosted on a fleet of EC2 instances in which you want to achieve maximum availability when there’s an AZ failure. Which EC2 Placement Group should you choose?

1) Spread Placement Group
2) Cluster Placement Group
3) Partition Placement Group

Answer

A

1) Spread Placement Group

Spread Placement Group places your EC2 instances on different physical hardware across different AZs.

Answer 64

A

False

Elastic Network Interfaces (ENIs) are bounded to a specific AZ. You can not attach an ENI to an EC2 instance in a different AZ.

Answer 65

A

1) EC2 Instance Root Volume must be an Instance Store volume

To enable EC2 Hibernate, the EC2 Instance Root Volume type must be an EBS volume and must be encrypted to ensure the protection of sensitive content.

Answer 66

A

2) When you have an auditing requirement to run your hosts on single-tenant hardware

Answer 67

A

2) When your code needs to learn something about the EC2 instances that it’s running on

EC2 instance metadata can be used to configure or manage a running instance, and can also be used to access user data that was specified when the instance was launched

Answer 68

A

4) Allows you to extend the power of the AWS data center to your own data center

Outposts allows you to extend the AWS data center to your own data center

Answer 69

A

3) While it is possible that your Spot Instance is interrupted before the warnings can be made, AWS makes a best effort to provide two-minute Spot Instance interruption notices to the metadata of your EC2 instance(s).

If your Spot Instance has been marked for termination, a notification will be best-effort posted to the metadata of your EC2 instance two minutes before it is stopped or terminated

Answer 70

A

4) QuickSight

QuickSight allows you to create dashboards and visualize your data

Answer 71

A

1) Exporting Amazon RDS data to Amazon S3
3) Importing and exporting Amazon DynamoDB data
4) Copying CSV files between Amazon S3 buckets

Answer 72

A

2) Amazon Managed Streaming for Apache Kafka (MSK)

Amazon MSK is a fully managed service for running data-streaming applications that leverage Apache Kafka.

Answer 73

A

2) Relational

Redshift is a relational database

Answer 74

A

4) Amazon Redshift Spectrum

Redshift Spectrum allows you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, Parquet, and others. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size

Answer 75

A

2) Amazon OpenSearch Service (successor to Elasticsearch)

Answer 76

A

1) Amazon Redshift

Redshift would be the best solution for analyzing large volumes of data with complex queries, fast query performance, and scalability. Amazon Redshift is specifically designed for data warehousing and analytics workloads. It provides columnar storage, parallel query execution, and automatic scaling capabilities to handle large datasets and complex queries efficiently

Answer 77

A

3) AWS Data Pipeline

AWS Data Pipeline is a managed extract, transform, load (ETL) service for automating movement and transformation of your data

Answer 78

A

1) In AWS Glue, you can specify the number of DPUs (data processing units) you want to allocate to an ETL job.

You can specify the number of DPUs for an ETL job. A Glue ETL job must have a minimum of 2 DPUs. AWS Glue allocates 10 DPUs to each ETL job by default.

Answer 79

A

4) Glue, Athena

Answer 80

A

4) Athena

Answer 81

A

4) Amazon OpenSearch Service

Answer 82

A

3) Kinesis Data Streams

Answer 83

A

3) Amazon Redshift

Answer 84

A

4) Amazon Athena

Answer 85

A

2) Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region

Answer 86

A

1) Enhanced VPC Routing

Answer 87

A

3) Amazon OpenSearch Service

Answer 88

A

1) AWS Glue

Answer 89

A

2) Amazon OpenSearch service

Answer 90

A

2) Amazon EMR

Answer 91

A

3) Amazon QuickSight

Answer 92

A

1) Glue Job Bookmarks

Answer 93

A

4) AWS Glue

Answer 94

A

3) Amazon MSK

Answer 95

A

1) Lake Formation Fine-grained Access Control

Answer 96

A

3) Amazon Kinesis Data Analytics

Answer 97

A

3) AWS Fargate on ECS

AWS Fargate allows you to run your containers on AWS without managing any servers.

Answer 98

A

1) Amazon EC2 Launch Type and Fargate Launch Type

Answer 99

A

2) ECS Task Role

ECS Task Role is the IAM Role used by the ECS task itself. Use when your container wants to call other AWS services like S3, SQS, etc.

Answer 100

A

1) Mount an EFS volume

EFS volume can be shared between different EC2 instances and different ECS Tasks. It can be used as a persistent multi-AZ shared storage for your containers.

Answer 101

A

2) Create an IAM task role for the new application

Answer 102

A

2) ECR

Amazon ECR is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images. ECR is fully integrated with Amazon ECS, allowing easy retrieval of container images from ECR while managing and running containers using ECS.

Answer 103

A

4) AWS Lambda

Answer 104

A

1) AWS App Runner

Answer 105

A

C. To provide a blueprint for running Docker containers, including the container image and resource allocation.

In Amazon ECS, a task definition is a blueprint for your application that describes how a container should run, including details like the Docker image, CPU and memory allocations, environment variables, and more.

Answer 106

A

B. Amazon EKS

Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easier to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes.

Answer 107

A

A. Amazon EBS

Amazon EBS (Elastic Block Store) can be used with Amazon EKS to provide persistent block storage for containerized applications. EBS volumes can be dynamically provisioned as part of the EKS deployment process.

Answer 108

A

A. Amazon ECS with AWS Fargate and Amazon Route 53

Amazon ECS with AWS Fargate allows for serverless container deployments, and when combined with Elastic Load Balancing and Route 53, it offers high availability across multiple Availability Zones and efficient traffic distribution.

Answer 109

A

B. Utilize AWS Batch with Spot Instances for processing jobs.

AWS Batch efficiently runs batch jobs and, when combined with Spot Instances, can provide a cost-effective solution for processing jobs as they arrive without the need for over-provisioning.

Answer 110

A

B. Horizontal Pod Autoscaler in EKS for each microservice deployment.

The Horizontal Pod Autoscaler in Amazon EKS automatically scales the number of pods in a deployment based on observed CPU utilization or other selected metrics, ideal for independently scaling microservices.

Answer 111

A

D. Amazon EKS with dedicated EC2 instances, running within a private subnet and using IAM roles for secure access to AWS services.

Amazon EKS provides a secure and scalable environment for containerized applications. Using dedicated EC2 instances in a private subnet enhances security, and IAM roles ensure secure access to other AWS services, meeting compliance and security needs.

Answer 112

A

4) ECS

ECS manages this process for you

Answer 113

A

1) Scan on Push
3) Lifecycle policies
5) Image tag immutability

Answer 114

A

2) Amazon Aurora Serverless

Amazon Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora. It is perfect for when you are running workloads that have sudden and unpredictable increases in activity, but you need to plan capacity. Since it is serverless, you also only pay for what you consume.

Answer 115

A

3) AWS X-Ray

When you see requests and responses, think AWS X-Ray. AWS X-Ray is a service that collects data about requests that your application serves. It provides tools that you can use to view, filter, and gain insights into that data to identify issues and opportunities for optimization.

Answer 116

A

2) Amazon EKS Anywhere

Amazon EKS Anywhere provides a means of managing Kubernetes clusters using the same operational excellence and best practices that AWS uses for its Amazon Elastic Kubernetes Service (Amazon EKS). It leverages the EKS Distro (EKS-D) for deploying, using, and managing Kubernetes clusters that run in your data centers.

Answer 117

A

1) Aurora capacity units

These are how the clusters scale. They are based on a certain amount of compute and memory. You can set a minimum and maximum for automatically scaling between the units.

Answer 118

A

1) AWS AppSync

AWS AppSync provides a robust, scalable GraphQL interface for application developers to combine data from multiple sources, including Amazon DynamoDB, AWS Lambda, and HTTP APIs.

Answer 119

A

4) Operating System

In a serverless application, you don’t have access to the OS

Answer 120

A

2) 10GB

Lambda supports up to 10GB of RAM

Answer 121

A

1) Fargate

Answer 122

A

2) Role

Roles should be used for Lambda to talk to other AWS APIs. Reference Documentation: AWS Lambda execution role

Answer 123

A

2) Amazon EKS Distro (EKS-D)

Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters.

Answer 124

A

3) Run your code somewhere else (e.g. EC2 instance)

Lambda’s maximum execution time is 15 minutes. You can run your code somewhere else such as an EC2 instance or use Amazon ECS.

Answer 125

A

False

DynamoDB is serverless with no servers to provision, patch, or manage and no software to install, maintain or operate. It automatically scales tables up and down to adjust for capacity and maintain performance. It provides both provisioned (specify RCU & WCU) and on-demand (pay for what you use) capacity modes.

Answer 126

A

1) Increase RCU and keep WCU the same

RCU and WCU are decoupled, so you can increase/decrease each value separately.

Answer 127

A

2) Create a DAX Cluster

DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x performance improvement. It caches the most frequently used data, thus offloading the heavy reads on hot keys off your DynamoDB table, hence preventing the “ProvisionedThroughputExceededException” exception.

Answer 128

A

3) Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails

DynamoDB Streams allows you to capture a time-ordered sequence of item-level modifications in a DynamoDB table. It’s integrated with AWS Lambda so that you create triggers that automatically respond to events in real-time. There is no such SNS and Dynamo DB integration

Answer 129

A

3) AWS Lambda

Answer 130

A

False

An Edge-Optimized API Gateway is best for geographically distributed clients. API requests are routed to the nearest CloudFront Edge Location which improves latency. The API Gateway still lives in one AWS Region.

Answer 131

A

2) Use Provisioned Capacity Mode with AutoScaling enabled for production and On-Demand Capacity Mode for development

Answer 132

A

1) Lambda@Edge

Lambda@Edge is a feature of CloudFront that lets you run code closer to your users, which improves performance and reduces latency.

Answer 133

A

3) 400 KB

Answer 134

A

3) AWS Step Functions

Answer 135

A

4) Use DynamoDB Accelerator (DAX) to cache the most requested data

Answer 136

A

1) Select DynamoDB table then select Export to S3

Answer 137

A

3) Store users’ sessions in a DynamoDB table and enable TTL

Answer 138

A

2) Use Amazon Cognito Identity Federation

Amazon Cognito can be used to federate mobile user accounts and provide them with their own IAM permissions, so they can be able to access their own personal space in the S3 bucket.

Answer 139

A

3) Use Cognito User Pools

Answer 140

A

3) Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

Answer 141

A

1) API Gateway + AWS Lambda

Answer 142

A

2) Lambda

Answer 143

A

2) Amazon CloudFront

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. This is a perfect use case for Amazon CloudFront.

Answer 144

A

1) Dynamo Streams

DynamoDB Streams enable DynamoDB to get a changelog and use that changelog to replicate data across replica tables in other AWS Regions.

Answer 145

A

2) The Lambda Execution IAM Role is missing permissions

Answer 146

A

3) Amazon SQS + Amazon EC2

Amazon SQS allows you to retain messages for days and process them later, while we can take down our EC2 instances.

Answer 147

A

4) Create a CloudFront Distribution

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. Amazon CloudFront can be used in front of an Application Load Balancer.

Answer 148

A

1) Kinesis Data Streams

Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. It can continuously capture gigabytes of data per second from hundreds of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events.

Answer 149

A

4) AWS Global Accelerator Program

Answer 150

A

1) Amazon FSx-created Luster file system may be used to store data.

Customers that utilize Amazon FSx’s Luster file system will only be charged for what they really use.

Answer 151

A

4) Set up CloudFront to distribute the S3 bucket’s content.

CloudFront is able to cache frequently requested material, resulting in improved speed. The speed of other solutions may be improved, but they do not keep cache for S3 items.

Answer 152

A

4) Create a planned activity in the Auto Scaling group and define the frequency, start and end times as well as the capacity of the action.

Answer 153

A

2) In the instance, configure the Elastic Fabric Adapter (EFA).

EFA is the most suited strategy for boosting High-Performance Computing (HPC) and machine learning applications.

Answer 154

A

1) Use the Cluster placement technique to start all of the EC2 instances in a placement group.

The Cluster placement technique may increase EC2 instance network performance. When setting up a placement group, you may choose a strategy. When establishing a placement group, you may choose the approach.

Answer 155

A

1) The size of the SQS queue in terms of messages.

Users may set up a CloudWatch alert depending on the number of messages in the SQS queue and use the alarm to tell the ECS cluster to scale up or down.

Answer 156

A

3) S3 bucket may not be available at the VPC endpoint because of a restrictive policy.

Answer 157

A

1) Use CloudFront Geo Restriction

Answer 158

A

2) Configure your CloudFront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution

Answer 159

A

2) Only allows the S3 bucket content to be accessed from your CloudFront Distribution

Answer 160

A

2) CloudFront Cache Invalidation

Answer 161

A

2) CloudFront Price Classes

Answer 162

A

1) AWS Global Accelerator + Application Load Balancer

Answer 163

A

2) 7 days

Answer 164

A

4) Secrets Manager

Answer 165

A

2) To provide authentication, authorization, and user management for your web and mobile apps without the need for custom code.

Answer 166

A

3) RDS event history

Answer 167

A

4) Layer 7

Answer 168

A

4) Create a presigned URL using S3.

Presigned URLs would allow you to restrict the length of time the content can be viewed

Answer 169

A

1) AWS Artifact

Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

Answer 170

A

2) an HTTPS endpoint with an SSL certificate

In-flight Encryption = HTTPS, and HTTPS can not be enabled without an SSL certificate.

Answer 171

A

False

Server-Side Encryption means the server will encrypt the data for us. We don’t need to encrypt it beforehand.

Answer 172

A

1) Both Encryption and Decryption happen on the server

In Server-Side Encryption, we can’t do encryption/decryption ourselves as we don’t have access to the corresponding encryption key.

Answer 173

A

False

With Client-Side Encryption, the server doesn’t need to know any information about the encryption scheme being used, as the server will not perform any encryption or decryption operations.

Answer 174

A

False

You can use the AWS Managed Service keys in KMS, therefore we don’t need to create our own KMS keys.

You could also create your own keys for AWS to do the encryption, but it’s not mandatory.

Answer 175

A

True

KMS keys can be symmetric or asymmetric. A symmetric KMS key represents a 256-bit key used for encryption and decryption. An asymmetric KMS key represents an RSA key pair used for encryption and decryption or signing and verification, but not both. Or it represents an elliptic curve (ECC) key pair used for signing and verification.

Answer 176

A

2) 1 year

Answer 177

A

2) You need to share the KMS CMK used to encrypt the AMI with the other AWS account

Answer 178

A

3) Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

Answer 179

A

1) KMS Key Policies

Answer 180

A

3) Have it as an encrypted env variable and decrypt it at runtime

Answer 181

A

2) SSM Parameter Store

SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter’s history.

Answer 182

A

2) AWS Shield Advanced

Answer 183

A

4) SSM Parameter Store

Answer 184

A

4) CloudWatch Logs

Answer 185

A

2) AWS WAF

Answer 186

A

3) Amazon Inspector

Answer 187

A

1) AWS Secrets Manager

Answer 188

A

4) AWS Firewall Manager

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.

Answer 189

A

3) Amazon Macie

Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).

Answer 190

A

1) Using Aurora Client-side Encryption and KMS Multi-region Keys

Answer 191

A

3) You have to configure permissions for both Source KMS Key kms:Decrypt and Target KMS Key kms:Encrypt to be used by the S3 Replication Service

Answer 192

A

2) Configure EventBridge for Daily Expiration Events from ACM to invoke SNS notifications to your email

Answer 193

A

1) us-east-1

As the Edge-Optimized API Gateway is using a custom AWS managed CloudFront distribution behind the scene to route requests across the globe through CloudFront Edge locations, the ACM certificate must be created in us-east-1.

Answer 194

A

4) AWS Firewall Manager

Answer 195

A

B. AWS CloudFormation

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment

CloudFormation is an Infrastructure as Code (IaC) service that allows you to model, provision, and manage AWS and third-party resources by writing templates.

Answer 196

A

B. Sending bulk email and transactional email

AWS SES is a cost-effective, flexible, and scalable email service that enables developers to send mail from within any application

Answer 197

A

C. Engaging with customers through email, SMS, push notifications, and campaigns.

AWS Pinpoint is used for customer engagement through various channels like email, SMS, and push notifications, helping to drive user engagement through targeted communication.

Answer 198

A

C. It helps you manage your AWS resources.

AWS Systems Manager gives you visibility and control of your infrastructure on AWS. It provides a unified user interface that allows you to view operational data from multiple AWS services and automate operational tasks across your AWS resources.

Answer 199

A

B. AWS Cost Explorer

AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time.

Answer 200

A

D. Efficiently running hundreds to thousands of batch computing jobs on AWS.

AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds to thousands of batch computing jobs on AWS.

Answer 201

A

C. It securely transfers data between SaaS applications and AWS services.

AWS AppFlow is a fully managed integration service that enables you to securely transfer data between SaaS applications like Salesforce, ServiceNow, and AWS services like Amazon S3 and Redshift.

Answer 202

A

C. Building, deploying, and hosting mobile and web applications.

AWS Amplify is a set of tools and services that can be used together or on their own to help front-end web and mobile developers build scalable full-stack applications, powered by AWS.

Answer 203

A

Elastic Beanstalk: Best for developers who want to deploy applications quickly without managing the underlying infrastructure. It’s like renting an apartment - you control what’s inside, but not the building itself.
CloudFormation: Ideal for infrastructure engineers and DevOps who need to codify and automate the setup of their AWS infrastructure. It’s like building your own house - complete control over the construction.
Amplify: Geared towards frontend and mobile developers who want an integrated environment for both backend services and frontend development. It’s like having a toolkit to both design your house and manage the utilities and services it needs.

Answer 204

A

B) AWS Organizations

AWS Organizations is a service that allows you to centrally manage and govern multiple AWS accounts. It helps you consolidate billing, implement security policies, and manage access control across your AWS resources from a single AWS account.

Answer 205

A

A) AWS Identity and Access Management (IAM)

AWS IAM provides the capability to enable multi-factor authentication (MFA) for AWS accounts. MFA adds an extra layer of security by requiring users to provide an additional authentication factor, such as a one-time password generated by a virtual or hardware MFA device, in addition to their regular username and password.

Answer 206

A

A) Network Access Control Lists (ACLs)

Network Access Control Lists (ACLs) allow you to control inbound and outbound traffic at the subnet level. ACLs act as a stateless firewall, enabling you to create rules that define what type of traffic is allowed or denied between subnets in your VPC. They provide an additional layer of network security alongside security groups.

Answer 207

A

A) AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a managed service that allows you to create and control the encryption keys used to encrypt your data. By integrating KMS with other AWS services such as Amazon S3, Amazon EBS, or Amazon RDS, you can easily encrypt your data at rest. KMS provides a secure and scalable solution for key management.

Answer 208

A

A) AWS Security Token Service (STS)

AWS Security Token Service (STS) enables you to provide temporary, limited-privilege credentials to external users without the need for them to have their own AWS account. STS issues temporary security tokens that can be used to access AWS resources for a specific duration, making it suitable for scenarios where temporary access is required, such as cross-account access or federated access.

Answer 209

A

C) AWS Fargate

AWS Fargate is a serverless compute engine for containers that allows you to run containers without managing the underlying infrastructure. It provides a fully managed platform to deploy and run containerized applications, abstracting away the need to provision and manage servers, making it a secure and scalable option for running workloads.

Answer 210

A

C) AWS Global Accelerator

AWS Global Accelerator is a service that improves the availability and performance of your applications by directing traffic to optimal endpoints across multiple AWS regions. It uses the AWS global network infrastructure to route traffic to your resources, helping achieve high availability and low latency for your applications.

Answer 211

A

A) AWS Cognito

AWS Cognito is a fully managed service that enables you to add user sign-up, sign-in, and access control to your web and mobile applications. It provides secure authentication, authorization, and user management features, allowing you to easily authenticate users through various identity providers, such as social media or corporate directories.

Answer 212

A

A) Enable default encryption for the S3 bucket

By enabling default encryption for an Amazon S3 bucket, you ensure that any new object uploaded to the bucket is automatically encrypted with a unique key. This setting provides an additional layer of security and helps enforce encryption for all objects stored in the bucket, even if the encryption settings are not explicitly specified during the object upload.

Answer 213

A

A) Amazon Inspector

Amazon Inspector is an automated security assessment service that helps you test the security state of your applications and resources. It performs security assessments by scanning for vulnerabilities, security best practices, and common configuration issues. Amazon Inspector provides detailed findings and recommendations to help you improve the security posture of your applications.

Answer 214

A

C) AWS Key Management Service (KMS)

AWS Key Management Service (KMS) is a fully managed service that allows you to create and control the encryption keys used to encrypt your data. It integrates with various AWS services, such as Amazon S3 and Amazon EBS, to provide seamless encryption at rest. KMS provides secure key storage and management, making it an appropriate choice for data security controls.

Answer 215

A

B) AWS Secrets Manager

AWS Secrets Manager is a service that helps you securely store and manage secrets such as database credentials, API keys, and other sensitive information. It provides a central location to store secrets, allows for automatic rotation of secrets, and integrates with AWS services and applications securely.

Answer 216

A

A) Amazon VPC (Virtual Private Cloud)

Amazon VPC (Virtual Private Cloud) allows you to create a logically isolated section of the AWS Cloud, where you can define IP address ranges and configure security groups and network ACLs. By configuring the appropriate network settings within your VPC, you can control access to your Amazon S3 bucket by allowing access only from specific IP addresses or IP ranges.

Answer 217

A

A) AWS Direct Connect

AWS Direct Connect provides a dedicated network connection between your on-premises data center and AWS. It establishes a private, secure, and high-bandwidth connection that bypasses the public internet, ensuring the encryption and privacy of data in transit between the two environments.

Answer 218

A

A) Server-Side Encryption with AWS Key Management Service (SSE-KMS)

AWS provides Server-Side Encryption with AWS Key Management Service (SSE-KMS) as an option for encrypting data at rest for Amazon RDS database instances. With SSE-KMS, the data is encrypted using keys managed by AWS KMS, providing a secure and scalable solution for protecting sensitive data stored in the database.

Answer 219

A

A) Amazon Simple Queue Service (SQS)

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices-based architectures. It allows you to decouple the components of your application by providing a reliable and scalable messaging platform for exchanging messages between different services, helping achieve loose coupling and scalability

Answer 220

A

B) Amazon Kinesis

Amazon Kinesis is a fully managed service for real-time streaming data processing. It can handle large amounts of data and provide low-latency processing, making it suitable for scenarios such as real-time analytics, IoT data ingestion, and log processing.

Answer 221

A

C) Amazon EC2 Auto Scaling

Amazon EC2 Auto Scaling allows you to automatically scale your Amazon EC2 instances based on predefined policies and conditions. It helps your application handle sudden traffic spikes by automatically adding or removing instances to meet demand, ensuring scalability and optimal resource utilization.

Answer 222

A

D) Amazon Route 53

Amazon Route 53 is a scalable domain name system (DNS) web service that can provide automatic failover between regions in the event of a service disruption. By configuring health checks and DNS failover policies, Route 53 can route traffic to an alternate region if the primary region becomes unavailable, ensuring high availability and fault tolerance.

Answer 223

A

D) AWS Step Functions

AWS Step Functions is a fully managed service that helps you orchestrate and manage complex workflows for processing large-scale data. It allows you to coordinate and visualize the different steps and dependencies of your workflow, making it easier to design and manage scalable data processing pipelines.

Answer 224

A

C) AWS Global Accelerator

AWS Global Accelerator is a service that helps improve the availability and performance of your applications by directing traffic to optimal endpoints across multiple AWS regions. In the event of an Availability Zone failure, AWS Global Accelerator can automatically route traffic to the healthy instances in other Availability Zones, ensuring high availability and fault tolerance.

Answer 225

A

3) Lambda Function

The Lambda function’s invocation is “asynchronous”, so the DLQ has to be set on the Lambda function side

Answer 226

A

2) AWS WAF

Answer 227

A

3) Use Multi-Part upload when uploading files larger than 5GB

Multi-Part Upload is recommended as soon as the file is over 100 MB

Answer 228

A

2) S3 bucket names must be globally unique and “dev” is already taken

Answer 229

A

3) The IAM user must have an explicit DENY in the attached IAM policy

Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.

Answer 230

A

4) S3 Replication

S3 Replication allows you to replicate data from an S3 bucket to another in the same/different AWS Region

Answer 231

A

1) Configure replication from bucket A to bucket B, then from bucket A to bucket C

Answer 232

A

1) Expedited (1-5 minute)

Answer 233

A

1) Instant (10 seconds)

Answer 234

A

3) S3 Event Notifications

Answer 235

A

2) S3 Lifecycle Rules - Expiration Actions

Answer 236

A

3) S3 Lifecycle Rules

Answer 237

A

3) Use an S3 Lifecycle Policy to automate old/unfinished parts deletion

Answer 238

A

2) S3 Analytics

Answer 239

A

3) Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes and store that information in RDS

Answer 240

A

3) Use Multi-part Upload & S3 Transfer Acceleration

Answer 241

A

3) S3 Select

Answer 242

A

3) S3 Batch Operations

Answer 243

A

3) SSE-C

With SSE-C, the encryption happens in AWS and you have full control over the encryption keys.

Answer 244

A

2) SSE-KMS

With SSE-KMS, the encryption happens in AWS, and the encryption keys are managed by AWS but you have full control over the rotation policy of the encryption key. Encryption keys stored in AWS.

Answer 245

A

4) Client-Side Encryption

With Client-Side Encryption, you have to do the encryption yourself and you have full control over the encryption keys. You perform the encryption yourself and send the encrypted data to AWS. AWS does not know your encryption keys and cannot decrypt your data.

Answer 246

A

3) CORS is wrong

Cross-Origin Resource Sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. To learn more about CORS, go here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

Answer 247

A

1) Use S3 Object Lambda to change the objects before they are retrieved by the report

Answer 248

A

1) Glacier Vaults with Vault Lock Policies

Answer 249

A

1) Enable S3 Access Logs and analyze them using Athena

S3 Access Logs log all the requests made to S3 buckets and Amazon Athena can then be used to run serverless analytics on top of the log files.

Answer 250

A

2) S3 Pre-Signed URL

S3 Pre-Signed URLs are temporary URLs that you generate to grant time-limited access to some actions in your S3 bucket.

Answer 251

A

2) Do nothing, Amazon S3 automatically encrypt new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)

Answer 252

A

2) Enable MFA Delete

MFA Delete forces users to use MFA codes before deleting S3 objects. It’s an extra level of security to prevent accidental deletions.

Answer 253

A

3) S3 Object Lock - Retention Compliance Mode

Answer 254

A

3) Legal Hold

Answer 255

A

1) MongoDB

Answer 256

A

3) Enable Muti-AZ

Multi-AZ helps when you plan a disaster recovery for an entire AZ going down. If you plan against an entire AWS Region going down, you should use backups and replication across AWS Regions.

Answer 257

A

RDS Multi-AZ

Be very careful with the way you read questions at the exam. Here, the question is asking which solution is NOT adapted to this problem. ElastiCache and RDS Read Replicas do indeed help with scaling reads.

Answer 258

A

2) Read Replicas have Asynchronous Replication, therefore it’s likely your users will only read Eventual Consistency

Answer 259

A

1) Multi-AZ

Multi-AZ keeps the same connection string regardless of which database is up.

Answer 260

A

3) Store session data in ElastiCache

Storing Session Data in ElastiCache is a common pattern to ensuring different EC2 instances can retrieve your user’s state if needed.

Answer 261

A

1) Setup a Read Replica

Answer 262

A

4) Aurora Global Database

Aurora Global Databases allows you to have an Aurora Replica in another AWS Region, with up to 5 secondary regions.

Answer 263

A

2) Using IAM Authentication

Answer 264

A

2) Create a Read Replica in a different AZ and run the analytics workload on the standby database

Answer 265

A

2) Create a Read Replica in a different region and enable Multi-AZ on the Read Replica

Answer 266

A

3) Enable IAM Database Authentication

Answer 267

A

2) Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication

Answer 268

A

3) Create a snapshot of the unencrypted RDS DB instance, copy the snapshot and tick “Enable encryption”, then restore the RDS DB instance from the encrypted snapshot

Answer 269

A

1) Oracle

Answer 270

A

No

You can not create encrypted Read Replicas from an unencrypted RDS DB instance.

Answer 271

A

3) Use Aurora Serverless

Answer 272

A

2) MySQL and PostgreSQL

Answer 273

A

4) Use ElastiCache for Redis - Sorted Sets

Answer 274

A

2) RDS Custom for Oracle

Answer 275

A

2) Perform On Demand Backups

Answer 276

A

4) Use the Aurora Cloning feature

Answer 277

A

4) Use an RDS Proxy

This reduces the failover time by up to 66% and keeps connection actives for your applications

Answer 278

A

False

Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text. Amazon Polly is a service that turns text into lifelike speech.

Answer 279

A

4) Lex

Amazon Lex is a service for building conversational interfaces into any application using voice and text. Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions.

Answer 280

A

4) Forecast

Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate forecasts.

Answer 281

A

1) Rekognition

Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use.

Answer 282

A

1) Personalize

Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications.

Answer 283

A

2) Comprehend

Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find meaning and insights in text.

Answer 284

A

3) Translate

Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation.

Answer 285

A

1) SageMaker

Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process to make it easier to develop high quality models.

Answer 286

A

3) Transcribe

Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text.

Answer 287

A

2) Kendra

Amazon Kendra is a highly accurate and easy to use enterprise search service that’s powered by machine learning.

Answer 288

A

4) Amazon Rekognition

Answer 289

A

2) Amazon Transcribe

Answer 290

A

3) Pronunciation Lexicons, Speech Synthesis Markup Language (SSML)

Answer 291

A

1) Amazon Comprehend Medical

Answer 292

A

1) AWS Trusted Advisor

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. It evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.

Answer 293

A

2) AWS CloudHSM

The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware. You should use AWS CloudHSM when you need to manage the HSMs that generate and store your encryption keys. In AWS CloudHSM, you create and manage HSMs, including creating users and setting their permissions. You also create the symmetric keys and asymmetric key pairs that the HSM stores.

Answer 294

A

4) Use AWS Artifact to download the certificate

AWS Artifact is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements

Answer 295

A

2) AWS Managed Service for Prometheus
3) AWS Managed Grafana

Prometheus offers open-source monitoring. Amazon Managed Service for Prometheus is a serverless, Prometheus-compatible monitoring service for container metrics. It is perfect for monitoring Kubernetes clusters at scale.
Grafana is a well-known open-source analytics and monitoring application. Amazon Managed Grafana offers a fully managed service for infrastructure for data visualizations. You can leverage this service to query, correlate, and visualize operational metrics from multiple sources.

While Prometheus and Grafana is a popular open-source monitoring tool, running it on EC2 instances immediately adds operational overhead and cost to the solution.

Answer 296

A

2) Storing metadata for S3 objects
3) Managing web session data
4) High-performance reads and writes for online transaction workloads

In order to optimize your costs across AWS services, large objects or infrequently accessed data sets should be stored in Amazon S3, while smaller data elements or file pointers (possibly to Amazon S3 objects) are best saved in Amazon DynamoDB.

Amazon DynamoDB’s fast and predictable performance characteristics make it a great match for handling session data. Plus, since it’s a fully-managed NoSQL database service, you avoid all the work of maintaining and operating a separate session store.

High-performance reads and writes are easy to manage with Amazon DynamoDB, and you can expect performance that is effectively constant across widely varying loads

Answer 297

A

4) Cache frequently accessed data in-memory

Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open-source-compatible, in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high throughput and low latency in-memory data stores. Amazon ElastiCache is a popular choice for real-time use cases like caching, session stores, gaming, geospatial services, real-time analytics, and queuing

Answer 298

A

2) Use RDS to host your database. Create a cross-region read replica of your database. In the event of a failure, promote the read replica to be a standalone database. Send new reads and writes to this database.

While 1 is a great option for high availability within a region, it won’t meet cross-region requirements

It’s important to note that while read replicas are often used for load balancing and read-heavy workloads, they are also a valuable component in a disaster recovery strategy, especially in scenarios requiring quick failover to a different region.

Answer 299

A

1) The instance launched from the oldest launch configuration.

When the Auto Scaling Group (ASG) is configured with the Default Termination Policy and a scale-in event occurs (i.e., when the number of instances needs to be reduced), AWS follows a specific sequence to determine which instance to terminate. The “Least Busy Instances” criterion comes into play in this sequence. Here’s how it works:

Balance Across Availability Zones: The policy first ensures that the instances are balanced across Availability Zones. It targets the zone with the most instances for scale-in.

Least Busy Instances: Within the selected Availability Zone, AWS then targets the instances that are considered “least busy.” This is determined based on two factors:

Network Performance: AWS examines the network in and out from/to each instance. Instances with lower network use are considered less busy.
Instance Usage: AWS also looks at the overall instance usage, which could include factors like CPU utilization and disk I/O, to assess which instances are least active or busy.
Oldest Launch Configuration or Template: If multiple instances have similar usage levels, the policy then considers the age of the launch configuration or template used by the instances.

Closest to the Next Billing Hour: Finally, among the remaining instances, AWS selects the one closest to the next billing hour.

Answer 300

A

2) There is a vCPU-based On-Demand Instance limit per Region

While there is a limit of 20 instances per region (no specific limit for AZ), it is not a hard limit. This limit is raised automatically by AWS based on your usage. Larger limit increase requests may require approval from AWS support. Limits are imposed to ensure fair access to resources for all customers and prevent overutilization. But the limits are not fixed and are designed to accommodate growing usage.

Answer 301

A

1) AWS Snowball Edge

Direct Connect is more suited to a long-term solution rather than a one time operation.

The AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS capabilities. Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud.

Answer 302

A

2) Pilot Light

Answer 303

A

4) Multi-Site

Answer 304

A

1) Backup and Restore

Answer 305

A

3) Warm Standby

Answer 306

A

1) Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data

Answer 307

A

2) Amazon EBS

Answer 308

A

3) AWS Backup

AWS Backup enables you to centralize and automate data protection across AWS services. It helps you support your regulatory compliance or business policies for data protection.

Answer 309

A

2) AWS Application Migration Service

Answer 310

A

1) VMware Cloud on AWS

Answer 311

A

4) Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL

Answer 312

A

3) AWS Backup

Answer 313

A

4) Use Snowball Edge

Snowball Edge is the right answer as it comes with computing capabilities and allows you to pre-process the data while it’s being moved into Snowball.

Answer 314

A

2) AWS Storage Gateway - Tape Gateway

Answer 315

A

1) Amazon FSx for Window (File Server)

Answer 316

A

3) AWS Snowball Edge

Answer 317

A

2) AWS Storage Gateway - S3 File Gateway

Answer 318

A

1) Amazon FSx for Windows (File Server

Answer 319

A

2) Amazon FSx for Lustre

Answer 320

A

2) Persistent File System

Answer 321

A

3) Transport Layer Security (TLS)

AWS Transfer Family is a managed service for file transfers into and out of S3 or EFS using the FTP protocol, thus TLS is not supported.

Answer 322

A

3) FSx File Gateway

Answer 323

A

4) AWS DataSync

Answer 324

A

2) AWS DataSync

Answer 325

A

1) Use AWS Transfer Family

Answer 326

A

1) Amazon FSx for OpenZFS

Answer 327

A

3) Use S3 Lifecycle Policy

Answer 328

A

3) AWS DataSync

AWS DataSync is an online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services.

Answer 329

A

3) AWS Application Discovery Service

This service helps users plan migrations to AWS via the collection of usage and configuration data from on-premises servers.

Answer 330

A

1) 10.0.4.0 to 10.0.4.15

/28 means 16 IPs (=2^(32-28) = 2^4), means only the last digit can change.

Answer 331

A

2) 172.16.0.0/16

CIDR not should overlap, and the max CIDR size in AWS is /16.

Answer 332

A

1) EC2 instance, Subnet

Answer 333

A

3) The Security Group does not allow traffic in

Security groups are stateful and if traffic can go out, then it can go back in.

Answer 334

A

3) NAT Gateway

Answer 335

A

2) Check the Route Tables in VPC B

Route tables must be updated in both VPCs that are peered.

Answer 336

A

3) Use a Direct Connect Gateway

This is the main use case of Direct Connect Gateways.

Answer 337

A

3) Amazon S3 & DynamoDB

These two services have a VPC Gateway Endpoint (remember it), all the other ones have an Interface endpoint (powered by Private Link - means a private IP).

Answer 338

A

4) 10.0.0.4

Answer 339

A

2) Establish 3 VPC Peering connections (A-B, A-C, B-C)

Answer 340

A

1) Enable VPC Flow Logs

VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Answer 341

A

2) Hosted

Hosted Direct Connect connection supports 50Mbps, 500Mbps, up to 10Gbps.

Answer 342

A

4) Virtual Private Gateway and Customer Gateway

Answer 343

A

2) AWS VPN CloudHub

AWS VPN CloudHub allows you to securely communicate with multiple sites using AWS VPN. It operates on a simple hub-and-spoke model that you can use with or without a VPC.

Answer 344

A

3) AWS Direct Connect

Answer 345

A

3) Use Transit Gateway

Answer 346

A

3) Add an additional IPv4 VIDR to your VPC

Answer 347

A

2) Allow traffic only on port 22 from the company’s public CIDR

Answer 348

A

3) Setup a Site-to-SiteVPN connection as a backup

Answer 349

A

1) AWS Network Firewall

Answer 350

A

3) Add an Inbound Rule with port 80 and ALB’s Security Group as the source

This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing by security groups in rules is an extremely powerful rule and many questions at the exam rely on it. Make sure you fully master the concepts behind it!

Answer 351

A

3) EBS volumes are locked to AZ

EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZs using EBS Snapshots.

Answer 352

A

False

AMIs are built for a specific AWS Region, they’re unique for each AWS Region. You can’t launch an EC2 instance using an AMI in another AWS Region, but you can copy the AMI to the target AWS Region and then use it to create your EC2 instances.

Answer 353

A

2) The root volume type will be deleted and the EBS volume type will not be deleted

By default, the Root volume type will be deleted as its “Delete On Termination” attribute checked by default. Any other EBS volume types will not be deleted as its “Delete On Termination” attribute disabled by default.

Answer 354

A

2) gp2, gp3, io1, io2

When creating EC2 instances, you can only use the following EBS volume types as boot volumes: gp2, gp3, io1, io2, and Magnetic (Standard).

Answer 355

A

3) Attach the same EBS volume to multiple EC2 instances in the same AZ

Using EBS Multi-Attach, you can attach the same EBS volume to multiple EC2 instances in the same AZ. Each EC2 instance has full read/write permissions.

Answer 356

A

1) Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume

Answer 357

A

2) Use EFS

EFS is a network file system (NFS) that allows you to mount the same file system on EC2 instances that are in different AZs.

Answer 358

A

3) Instance Store

EC2 Instance Store provides the best disk I/O performance.

Answer 359

A

3) Use an EC2 Instance Store

You can run a database on an EC2 instance that uses an Instance Store, but you’ll have a problem that the data will be lost if the EC2 instance is stopped (it can be restarted without problems). One solution is that you can set up a replication mechanism on another EC2 instance with an Instance Store to have a standby copy. Another solution is to set up backup mechanisms for your data. It’s all up to you how you want to set up your architecture to validate your requirements. In this use case, it’s around IOPS, so we have to choose an EC2 Instance Store.

Answer 360

A

2) Vertical Scalability

Answer 361

A

1) Horizontal Scalability

Answer 362

A

2) static DNS name we can use in our application

Only Network Load Balancer provides both static DNS name and static IP. While, Application Load Balancer provides a static DNS name but it does NOT provide a static IP. The reason being that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.

Answer 363

A

3) The Elastic Load Balancer does not have Sticky Sessions enabled

ELB Sticky Session feature ensures traffic for the same client is always redirected to the same target (e.g., EC2 instance). This helps that the client does not lose his session data.

Answer 364

A

2) Modify your website’s backend to get the client IP address from the X-Forwarded-For header

When using an Application Load Balancer to distribute traffic to your EC2 instances, the IP address you’ll receive requests from will be the ALB’s private IP addresses. To get the client’s IP address, ALB adds an additional header called “X-Forwarded-For” contains the client’s IP address.

Answer 365

A

1) Enable ELB Health Checks

When you enable ELB Health Checks, your ELB won’t send traffic to unhealthy (crashed) EC2 instances.

Answer 366

A

3) Network Load Balancer

Network Load Balancer provides the highest performance and lowest latency if your application needs it.

Answer 367

A

3) TCP

Application Load Balancers support HTTP, HTTPS and WebSocket

Answer 368

A

1) Client’s Location (Geography)

ALBs can route traffic to different Target Groups based on URL Path, Hostname, HTTP Headers, and Query Strings.

Answer 369

A

2) Network Load Balancer

Answer 370

A

2) Network Load Balancer

Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.

Answer 371

A

2) APPUSERC

The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG).

Answer 372

A

1) Enable Cross-Zone Load Balancing

Answer 373

A

2) Server Name Indication (SNI)

Answer 374

A

3) Use Server Name Indication (SNI)

Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener.

Answer 375

A

1) Nothing

The Auto Scaling Group can’t go over the maximum capacity (you configured) during scale-out events.

Answer 376

A

3) The ASG will terminate the EC2 instance

You can configure the Auto Scaling Group to determine the EC2 instances’ health based on Application Load Balancer Health Checks instead of EC2 Status Checks (default). When an EC2 instance fails the ALB Health Checks, it is marked unhealthy and will be terminated while the ASG launches a new EC2 instance.

Answer 377

A

1) Create a CloudWatch custom metric then create a CloudWatch Alarm on this metric to scale your ASG

There’s no CloudWatch Metric for “requests per minute” for backend-to-database connections. You need to create a CloudWatch Custom Metric, then create a CloudWatch Alarm.

Answer 378

A

3) Target Tracking Policy

Answer 379

A

2) Migrate the health check to HTTP

The NLB supports HTTP health checks as well as TCP and HTTPS

Answer 380

A

2) Configure the ALB to redirect HTTP to HTTPS

Answer 381

A

2) Weighted

Weighted Routing Policy allows you to redirect part of the traffic based on weight (e.g., percentage). It’s a common use case to send part of traffic to a new version of your application.

Answer 382

A

3) Because of the TTL

Each DNS record has a TTL (Time To Live) which orders clients for how long to cache these values and not overload the DNS Resolver with DNS requests. The TTL value should be set to strike a balance between how long the value should be cached vs. how many requests should go to the DNS Resolver.

Answer 383

A

3) Latency

Latency Routing Policy will evaluate the latency between your users and AWS Regions, and help them get a DNS response that will minimize their latency (e.g. response time)

Answer 384

A

4) Geolocation

Answer 385

A

4) Create a Public Hosted Zone and update the 3rd party Registrar NS records

Public Hosted Zones are meant to be used for people requesting your website through the Internet. Finally, NS records must be updated on the 3rd party Registrar.

Answer 386

A

1) Health Checks that monitor SQS Queue

Answer 387

A

2) Reserve 2 EC2 instances

This is the way to save further costs as we will run 2 EC2 instances no matter what.

Answer 388

A

4) Store session data on EBS volumes

EBS volumes are created in a specific AZ and can only be attached to one EC2 instance at a time.

Answer 389

A

2) Store the software updates on EFS and mount EFS as a network drive at startup

EFS is a network file system (NFS) that allows you to mount the same file system to 100s of EC2 instances. Storing software updates on an EFS allows each EC2 instance to access them.

Answer 390

A

1) Use a Golden AMI

Golden AMI is an image that contains all your software installed and configured so that future EC2 instances can boot up quickly from that AMI.

Answer 391

A

1) Single Instance Mode

The question mentions that you’re still in the development stage and you want to reduce costs. Single Instance Mode will create one EC2 instance and one Elastic IP.

Answer 392

A

3) Create a Golden AMI that contains the dependencies and use that image to launch the EC2 instances

Golden AMI is an image that contains all your software, dependencies, and configurations, so that future EC2 instances can boot up quickly from that AMI.

Answer 393

A

2) Amazon RDS

Answer 394

A

4) Amazon ElastiCache

Amazon ElastiCache is a fully managed in-memory data store, compatible with Redis or Memcached.

Answer 395

A

2) Amazon DynamoDB

Answer 396

A

3) Amazon Aurora

Amazon Aurora is a MySQL and PostgreSQL-compatible relational database. It features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across 3 AZs.

Answer 397

A

3) Amazon Neptune

Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Social media- think graph database

Answer 398

A

2) Amazon S3

Answer 399

A

2) Amazon DocumentDB

Answer 400

A

4) Amazon Keyspace

Answer 401

A

3) Amazon QLDB

Answer 402

A

1) Amazon Timestream

Answer 403

A

2) Create a CloudWatch Logs Metric Filter that filter the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter

Answer 404

A

2) The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 instances in the ASG

The number of EC2 instances in an ASG can not go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.

Answer 405

A

3) Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch

Answer 406

A

1) Amazon CloudWatch

Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications’ performance and metrics.

Answer 407

A

4) AWS CloudTrail

AWS CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. It provides the event history of your AWS account activity, audit API calls made through the AWS Management Console, AWS SDKs, AWS CLI. So, the EC2 instance termination API call will appear here. You can use CloudTrail to detect unusual activity in your AWS accounts.

Answer 408

A

2) CloudTrail Insights

Answer 409

A

2) Analyze CloudTrail logs in S3 bucket using Amazon Athena

You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.

Answer 410

A

3) Setup Config Rules

Answer 411

A

1) AWS Config

Answer 412

A

2) AWS CloudTrail

Answer 413

A

1) AWS Config Remediations

Answer 414

A

3) AWS Config Notifications

Answer 415

A

1) CloudWatch Metric Stream

Answer 416

A

3) CloudWatch Contributor Insights

Answer 417

A

2) Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS

Answer 418

A

1) Use EventBridge Archive and Replay feature

Answer 419

A

D) Amazon Route 53

Amazon Route 53 is a scalable domain name system (DNS) web service that can provide automatic failover between AWS regions in the event of a service disruption. By configuring DNS failover policies, Route 53 can route traffic to an alternate region if the primary region becomes unavailable, ensuring high availability and fault tolerance.

Both AWS Global Accelerator and Amazon Route 53 could be considered viable options. However, if the emphasis is on DNS-level traffic management with advanced routing policies (like geolocation or latency-based routing), Amazon Route 53 would be the more suitable choice. On the other hand, if the focus is on optimizing performance with rapid failover capabilities and a consistent entry point (static IPs) for global users, then AWS Global Accelerator would be the ideal solution.

Answer 420

A

C) Amazon EMR (Elastic MapReduce)

Amazon EMR is a fully managed big data processing service that allows you to process and transform large datasets using popular frameworks such as Apache Spark, Apache Hadoop, and Presto. EMR enables distributed processing across a cluster of EC2 instances, making it suitable for big data processing scenarios.

Answer 421

A

A) Amazon S3 Intelligent-Tiering

Amazon S3 Intelligent-Tiering is a storage class in Amazon S3 that offers a combination of low-cost storage and high retrieval performance. It automatically moves data between two access tiers (frequent access and infrequent access) based on changing access patterns, optimizing costs while maintaining performance.

Answer 422

A

B) Amazon S3 Standard

Amazon S3 Standard storage class offers cost-effective storage with low-latency access for frequently accessed data. It provides high durability, availability, and performance for storing and retrieving objects, making it suitable for frequently accessed data that requires low-latency access.

Brainscape's Knowledge GenomeTM

AWS Solutions Architect Associate Flashcards

Brainscape's Knowledge Genome^TM