AWSExam_2 Flashcards

Question

You are consulted by a multimedia company that needs to deploy web services to an AWS region which they have never used before. The company currently has an IAM role for their Amazon EC2 instance which permits the instance to access Amazon DynamoDB. They want their EC2 instances in the new region to have the exact same privileges. What should you do to accomplish this?

Answer 1

Assign the existing IAM role to instances in the new region In this scenario, the company has an existing IAM role hence you don’t need to create a new one. IAM roles are global service that are available to all regions hence, all you have to do is assign the existing IAM role to the instance in the new region.

Answer 2

upload the data to S3 and set a lifecycle policy to transition to Glacier after 0 days Glacier has a management console which you can use to create and delete vaults. However, you cannot directly upload archives to Glacier by using the management console. To upload data, such as photos, videos, and other documents, you must either use the AWS CLI or write code to make requests, by using either the REST API directly or by using the AWS SDKs.

Answer 3

the AZ is not properly added to the load balancer which is why it is not receiving any traffic In this scenario, one of the Availability Zones is not properly added to the Elastic load balancer. Hence, that Availability Zone is not receiving any traffic. You can set up your load balancer in EC2-Classic to distribute incoming requests across EC2 instances in a single Availability Zone or multiple Availability Zones. First, launch EC2 instances in all the Availability Zones that you plan to use. Next, register these instances with your load balancer. Finally, add the Availability Zones to your load balancer. After you add an Availability Zone, the load balancer starts routing requests to the registered instances in that Availability Zone. Note that you can modify the Availability Zones for your load balancer at any time. By default, the load balancer routes requests evenly across its Availability Zones. To route requests evenly across the registered instances in the Availability Zones, enable cross-zone load balancing.

Answer 4

change the web architecture to access the financial data in your S3 bucket through a Gateway VPC endpoint.. Take note that your VPC lives within a larger AWS network and the services, such as S3, DynamoDB, RDS and many others, are located outside of your VPC, but still within the AWS network. By default, the connection that your VPC uses to connect to your S3 bucket or any other service traverses the public Internet via your Internet Gateway. A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Answer 5

Amazon EBS general purpose SSD (gp2) The EBS volume that you should use has to handle a maximum of 450 GB of data and can also be used as the system boot volume for your EC2 instance. Since HDD volumes cannot be used as a bootable volume, we can narrow down our options by selecting SSD volumes. In addition, SSD volumes are more suitable for transactional database workloads General Purpose: These volumes deliver single-digit millisecond latencies and the ability to burst to 3,000 IOPS for extended periods of time. Between a minimum of 100 IOPS (at 33.33 GiB and below) and a maximum of 10,000 IOPS (at 3,334 GiB and above), baseline performance scales linearly at 3 IOPS per GiB of volume size

Answer 6

Configure the SQS to use long polling by setting the ReceiveMessageWaitTimeSeconds to a number greater than zero The ReceiveMessageWaitTimeSeconds is the queue attribute that determines whether you are using Short or Long polling. By default, its value is zero which means it is using Short polling. If it is set to a value greater than zero, then it is Long polling.

Answer 7

the correct answers are: using your own keys in AWS Key Management Service (KMS) and using Amazon-managed keys in AWS Key Management Service (KMS). Amazon EBS encryption offers seamless encryption of EBS data volumes, boot volumes, and snapshots, eliminating the need to build and maintain a secure key management infrastructure. EBS encryption enables data at rest security by encrypting your data using Amazon-managed keys, or keys you create and manage using the AWS Key Management Service (KMS). (using S3 server-side or client-side encryption relates only to S3)

Answer 8

Amazon FSx for Windows File Server Amazon FSx provides fully managed third-party file systems. Amazon FSx provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). You don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads. (Amazon FSx for Lustre is incorrect because this service doesn't support the Windows-based applications as well as Windows servers.) Amazon FSx for Windows File Server Amazon FSx provides fully managed third-party file systems. Amazon FSx provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). You don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads. (Amazon FSx for Lustre is incorrect because this service doesn't support the Windows-based applications as well as Windows servers.)

Answer 9

enables access logs on the application load balancer Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

Answer 10

enable Enhanced Networking with Elastic Network Adapter (ENA) on the windows EC2 instance.. Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking. Amazon EC2 provides enhanced networking capabilities through the Elastic Network Adapter (ENA). It supports network speeds of up to 100 Gbps for supported instance types. Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking. An Elastic Fabric Adapter (EFA) is simply an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with additional OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality. The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities. Hence, the correct answer is to enable Enhanced Networking with Elastic Network Adapter (ENA) on the Windows EC2 Instances.

Answer 11

Parameter Groups You manage your DB engine configuration through the use of parameters in a DB parameter group. DB parameter groups act as a container for engine configuration values that are applied to one or more DB instances.

Answer 12

All of the options here are correct except for the option that says: The SSH private key that you are using has a file permission of 0777 because if the private key that you are using has a file permission of 0777, then it will throw an "Unprotected Private Key File" error and not a "Server refused our key" error. You might be unable to log into an EC2 instance if: - You're using an SSH private key but the corresponding public key is not in the authorized\_keys file. - You don't have permissions for your authorized\_keys file. - You don't have permissions for the .ssh folder. - Your authorized\_keys file or .ssh folder isn't named correctly. - Your authorized\_keys file or .ssh folder was deleted. - Your instance was launched without a key, or it was launched with an incorrect key.

Answer 13

HTTPS All of the APIs created with Amazon API Gateway expose HTTPS endpoints only (unencrypted, HTTP endpoints are not supported)

Answer 14

Weighted Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes including load balancing and testing new versions of software. You can set a specific percentage of how much traffic will be allocated to the resource by specifying the weights.

Answer 15

Amazon SQS has automatically deleted the messages that have been in a queue for more than the maximum message retention period… Amazon SQS automatically deletes messages that have been in a queue for more than the maximum message retention period. The default message retention period is 4 days. Since the queue is configured to the default settings and the batch job application only processes the messages once a week, the messages that are in the queue for more than 4 days are deleted. This is the root cause of the issue. To fix this, you can increase the message retention period to a maximum of 14 days using the SetQueueAttributes action.

Answer 16

AWS CloudTrail AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Answer 17

Create an A record aliased to the load balancer DNS name Additionally, Route 53 supports the alias resource record set, which lets you map your zone apex (e.g. tutorialsdojo.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route 53 responds to each request for an Alias resource record set with one IP address for the load balancer.

Answer 18

aws ec2 describe-instances…. The describe-instances command shows the status of the EC2 instances including the recently terminated instances. It also returns a StateReason of why the instance was terminated.

Answer 19

the keys are lost permanently if you did not have a copy Attempting to log in as the administrator more than twice with the wrong password zeroizes your HSM appliance. When an HSM is zeroized, all keys, certificates, and other data on the HSM is destroyed. You can use your cluster's security group to prevent an unauthenticated user from zeroizing your HSM. Amazon does not have access to your keys nor to the credentials of your Hardware Security Module (HSM) and therefore has no way to recover your keys if you lose your credentials. Amazon strongly recommends that you use two or more HSMs in separate Availability Zones in any production CloudHSM Cluster to avoid loss of cryptographic keys.

Answer 20

Run Command… You can use Run Command from the console to configure instances without having to login to each instance.

Answer 21

AWS Glue AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog.

Answer 22

* S3 * Redshift Consumers (such as a custom application running on Amazon EC2, or an Amazon Kinesis Data Firehose delivery stream) can store their results using an AWS service such as Amazon DynamoDB, Amazon Redshift, or Amazon S3.

Answer 23

just maintain a single snapshot of the BS volume since the latest snapshot is both incremental and complete

Answer 24

Edge Locations

Answer 25

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: - Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt both the boot and data volumes of an EC2 instance.

Answer 26

encrypt data on the client-side before sending to S3 using their own master key + implement s3 server-side encryption with customer-provided keys (SSE-C) (using SSL to encrypt the data while in transit to S3 is incorrect because the requirement is to only secure the data at rest and not data in transit)

Answer 27

Amazon Aurora….. !=Amazon Redshift is incorrect because this is primarily used for OLAP applications and not for OLTP. Moreover, it doesn't scale automatically to handle the exponential growth of the database. !=Amazon DynamoDB is incorrect because although you can use this to have an ACID-compliant database, it is not capable of handling complex queries and highly transactional (OLTP) workloads. !=Amazon RDS is incorrect because although it is an ACID-compliant relational database that can handle complex queries and transactional (OLTP) workloads, it is not scalable to handle the growth of the database. Amazon Aurora is the better choice as its underlying storage can grow automatically as needed.

Answer 28

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from most widely used commercial and open-source databases.

Answer 29

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Answer 30

Use Storage Gateway - Cached Volumes By using Cached volumes, you store your data in Amazon Simple Storage Service (Amazon S3) and retain a copy of frequently accessed data subsets locally in your on-premises network. Cached volumes offer substantial cost savings on primary storage and minimize the need to scale your storage on-premises. You also retain low-latency access to your frequently accessed data. This is the best solution for this scenario.

Answer 31

The instance that you want to attach must meet the following criteria: - The instance is in the running state. - The AMI used to launch the instance must still exist. - The instance is not a member of another Auto Scaling group. - The instance is launched into one of the Availability Zones defined in your Auto Scaling group. - If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.

Answer 32

Configure a VPC Gateway Endpoint along with a corresponding route entry that directs the data to S3 The important concept that you have to understand in the scenario is that your VPC and your S3 bucket are located within the larger AWS network. However, the traffic coming from your VPC to your S3 bucket is traversing the public Internet by default. To better protect your data in transit, you can set up a VPC endpoint so the incoming traffic from your VPC will not pass through the public Internet, but instead through the private AWS network.

Answer 33

Aurora will first attempt to create a new DB instance in the same AZ as the original instance. If unable to do so, Aurora will attempt to create a new DB instance in a different AZ. = If you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone. (The options that say: Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary and Amazon Aurora flips the A record of your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary are incorrect because this will only happen if you are using an Amazon Aurora Replica. In addition, Amazon Aurora flips the canonical name record (CNAME) and not the A record (IP address) of the instance.)

Answer 34

Use Amazon ElastiCache In this question, the keyword is distributed session data management. In AWS, you can use Amazon ElastiCache which offers fully managed Redis and Memcached service to manage and store session data for your web applications.

Answer 35

Cached Volume Gateway In this scenario, the technology company is looking for a storage service that will enable their analytics application to frequently access the latest data subsets and not the entire data set because it was mentioned that the old data are rarely being used. This requirement can be fulfilled by setting up a Cached Volume Gateway in AWS Storage Gateway.

Answer 36

Use CloudTrail with its default settings… By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

Answer 37

$0.06 Since the Spot instance has been running for more than an hour, which is past the first instance hour, this means that you will be charged from the time it was launched till the time it was terminated by AWS. The computation for your 90 minute usage would be $0.04 (60 minutes) + $0.02 (30 minutes) = $0.06 hence, the correct answer is $0.06.

Answer 38

If your Spot instance is terminated or stopped by Amazon EC2 in the first instance hour, you will not be charged for that usage. However, if you terminate the instance yourself, you will be charged to the nearest second. If the Spot instance is terminated or stopped by Amazon EC2 in any subsequent hour, you will be charged for your usage to the nearest second. If you are running on Windows and you terminate the instance yourself, you will be charged for an entire hour.

Answer 39

AWS OpsWorks AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Answer 40

Amazon S3 IA In this scenario, the requirement is to have a storage option that is cost-effective and has the ability to access or retrieve the archived data immediately. The cost-effective options are Amazon Glacier Deep Archive and Amazon S3 Standard- Infrequent Access (Standard - IA). However, the former option is not designed for rapid retrieval of data which is required for the surprise audit.

Answer 41

The EBS volume can be used while the snapshot is in progress… Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume hence, you can still use the EBS volume normally.

Answer 42

Step Scaling Amazon EC2 Auto Scaling supports the following types of scaling policies: Target tracking scaling - Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest. Step scaling - Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach. Simple scaling - Increase or decrease the current capacity of the group based on a single scaling adjustment. If you are scaling based on a utilization metric that increases or decreases proportionally to the number of instances in an Auto Scaling group, then it is recommended that you use target tracking scaling policies. Otherwise, it is better to use step scaling policies instead.

Answer 43

SQS polling from an EC2 instance using IAM user credentials For decoupled applications, it is best to use SWF and SQS which are both available in all options. Note that this question asks you for the option that you would LEAST likely to recommend. SQS polling from an EC2 instance using IAM user credentials is not the recommended way to do so. It should use an IAM role instead.

Answer 44

In this scenario, enabling IAM cross-account access for all corporate IT administrators in each child account and using AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account are the correct choices. The combined use of IAM and Consolidated Billing will support the autonomy of each corporate division while enabling corporate IT to maintain governance and cost oversight.

Answer 45

CloudWatch Logs agent The CloudWatch Logs agent provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. The agent is comprised of the following components: A plug-in to the AWS CLI that pushes log data to CloudWatch Logs.

Answer 46

in order to use Cross-Region Replication feature in S3, you need to first enable versioning on the bucket To enable the cross-region replication feature in S3, the following items should be met: * The source and destination buckets must have versioning enabled. * The source and destination buckets must be in different AWS Regions. * Amazon S3 must have permissions to replicate objects from that source bucket to the destination bucket on your behalf.

Answer 47

First, create a snapshot of the EBS volume. Afterwards, create a volume using thr snapshot in the other AZ.

Answer 48

EFS In this question, you should take note of this phrase: "allows concurrent connections from multiple EC2 instances". There are various AWS storage options that you can choose but whenever these criteria show up, always consider using EFS instead of using EBS Volumes which is mainly used as a "block" storage and can only have one connection to one EC2 instance at a time.

Answer 49

create a virtual overlay network on the OS level of the instance Creating a virtual overlay network running on the OS level of the instance is correct because overlay multicast is a method of building IP level multicast across a network fabric supporting unicast IP routing, such as Amazon Virtual Private Cloud (Amazon VPC). (Amazon VPC does not support multicast or broadcast networking)

Answer 50

ElastiCache in-memory caching For sub-millisecond latency caching, ElastiCache is the best choice. (Multi-master DynamoDB and Multi-AZ RDS are incorrect because although you can use DynamoDB and RDS for storing session state, these two are not the best choices in terms of cost-effectiveness and performance when compared to ElastiCache. There is a significant difference in terms of latency if you used DynamoDB and RDS when you store the session data.)

Answer 51

create a set of Access Keys for the user and attach the necessary permissions You can choose the credentials that are right for your IAM user. When you use the AWS Management Console to create a user, you must choose to at least include a console password or access keys. By default, a brand new IAM user created using the AWS CLI or AWS API has no credentials of any kind. You must create the type of credentials for an IAM user based on the needs of your user. + Assigning an IAM Policy to the user to allow it to send API calls is incorrect because adding a new IAM policy to the new user will not grant the needed Access Keys needed to make API calls to the AWS resources.

Answer 52

By default, data records in Kinesis are only accessible for 24 hours from the time they are added to a stream

Answer 53

$0.00 If your Spot instance is terminated or stopped by Amazon EC2 in the first instance hour, you will not be charged for that usage. However, if you terminate the instance yourself, you will be charged to the nearest second. If the Spot instance is terminated or stopped by Amazon EC2 in any subsequent hour, you will be charged for your usage to the nearest second. If you are running on Windows and you terminate the instance yourself, you will be charged for an entire hour.

Answer 54

Using MyISAM as the storage engine for MySQL is not recommended. The recommended storage engine for MySQL is InnoDB and not MyISAM.

Answer 55

use Scheduled Reserved instances, which compute capacity that is always on the specified recurring schedule Scheduled Reserved Instances (Scheduled Instances) enable you to purchase capacity reservations that recur on a daily, weekly, or monthly basis, with a specified start time and duration, for a one-year term.

Answer 56

* it makes the database fault-tolerant to an AZ failure * increased database availability in the case of system upgrades like OS patching or DB instance scaling

Answer 57

stop and restart the instances in the Placement Group and then try the launch again The option that says: Stop and restart the instances in the Placement Group and then try the launch again is correct because you can resolve this issue just by launching again. If the instances are stopped and restarted, AWS may move the instances to a hardware that has capacity for all the requested instances.

Answer 58

Sticky sessions By default, a Classic Load Balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.

Answer 59

* consider not using a multi-AZ RDS deployment for the development and test data One thing that you should notice here is that the company is using Multi-AZ databases in all of their environments, including their development and test environment. This is costly and unnecessary as these two environments are not critical. It is better to use Multi-AZ for production environments to reduce costs, which is why the option that says: Consider not using a Multi-AZ RDS deployment for the development and test database is the correct answer.

Answer 60

You can create a snapshot of the instance to save its data and then sell the instance to the Reserved Instance Marketplace.

Answer 61

Create a role in IAM. Afterwards, assign this role to a new EC2 instance. The best option is to create a role in IAM. Afterwards, assign this role to a new EC2 instance. Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. (storing your API credentials in S3 Glacier is incorrect as S3 Glacier is used for data archives and not for managing API credentials)

Answer 62

AWS elastic beanstalk Elastic Beanstalk supports the deployment of web applications from Docker containers. With Docker containers, you can define your own runtime environment. You can choose your own platform, programming language, and any application dependencies (such as package managers or tools), that aren't supported by other platforms. Docker containers are self-contained and include all the configuration information and software your web application requires to run.

Answer 63

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet

Answer 64

CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions. It allows you to rapidly release new features, update Lambda function versions, avoid downtime during application deployment, and handle the complexity of updating your applications, without many of the risks associated with error-prone manual deployments.

Answer 65

Use deployment groups in CodeDeploy to automate code deployments in a consistent manner.

Answer 66

Launch an Auto-scaling group of EC2 instances to host your application services and an SQS queue. Include an Auto Scaling trigger to watch the SQS queue size which will either scale in or out the number of EC2 instances based on the queue There are three main parts in a distributed messaging system: the components of your distributed system which can be hosted on EC2 instance; your queue (distributed on Amazon SQS servers); and the messages in the queue. To improve the scalability of your distributed system, you can add Auto Scaling group to your EC2 instances.

Answer 67

Direct Connect + IPsec VPN Connection You can connect your VPC to remote networks by using a VPN connection which can be Direct Connect, IPsec VPN connection, AWS VPN CloudHub, or a third party software VPN appliance. Hence, IPsec VPN connection and AWS Direct Connect are the correct answers. (Amazon Connect is incorrect because this is not a VPN connectivity option. It is actually a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost. Amazon Connect is based on the same contact center technology used by Amazon customer service associates around the world to power millions of customer conversations.)

Answer 68

It is actually a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost. Amazon Connect is based on the same contact center technology used by Amazon customer service associates around the world to power millions of customer conversations.) (Amazon Connect is NOT a VPN connectivity option unlike Direct Connect.)

Answer 69

use AWS Organizations and Service Control Policies to control services on each account AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. It allows you to create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. (The option that says: Connect all departments by setting up a cross-account access to each of the AWS accounts of the company. Create and attach IAM policies to your resources based on their respective departments to control access is incorrect because although you can set up cross-account access to each department, this entails a lot of configuration compared with using AWS Organizations and Service Control Policies (SCPs). Cross-account access would be a more suitable choice if you only have two accounts to manage, but not for multiple accounts.)

Answer 70

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking. * when you need consistently lower inter-instance latencies * when you need a higher packet-per-second performance

Answer 71

Launch the instances in the AWS VPC In EC2-Classic, your EC2 instance receives a private IPv4 address from the EC2-Classic range each time it's started. In EC2-VPC on the other hand, your EC2 instance receives a static private IPv4 address from the address range of your default VPC. Hence, the correct answer is launching the instances in the Amazon Virtual Private Cloud (VPC) and not launching the instances in EC2-Classic

Answer 72

Amazon Route 53’s DNS services does not support DNSSEC at this time. However, their domain name registration service supports configuration of signed DNSSEC keys for domains when DNS service is configured at another provider. AWS Route 53 currently supports: * -A (address record) * -AAAA (IPv6 address record) * -CNAME (canonical name record) * -CAA (certification authority authorization) * -MX (mail exchange record) * -NAPTR (name authority pointer record) * -NS (name server record) * -PTR (pointer record) * -SOA (start of authority record) * -SPF (sender policy framework) * -SRV (service locator) * -TXT (text record)

Answer 73

Use Multi-AZ deployment! (this is the best you can do) next, Create Amazon Aurora Replicas (For most use cases, including read scaling and high availability, it is recommended using Amazon Aurora Replicas)

Answer 74

AWS hosts a variety of public datasets that anyone can access for free.

Answer 75

Immediately The correct answer is Immediately. Changes made in a security group are immediately implemented. There is no need to wait for some amount of time for propagation nor reboot any instances for your changes to take effect.

Answer 76

Increase the number of shards of the Kinesis stream by using the “UpdateShardCount” command Amazon Kinesis Data Streams supports resharding, which lets you adjust the number of shards in your stream to adapt to changes in the rate of data flow through the stream. There are two types of resharding operations: shard split and shard merge. In a shard split, you divide a single shard into two shards. In a shard merge, you combine two shards into a single shard. Splitting increases the number of shards in your stream and therefore increases the data capacity of the stream. Because you are charged on a per-shard basis, splitting increases the cost of your stream. Similarly, merging reduces the number of shards in your stream and therefore decreases the data capacity—and cost—of the stream.

Answer 77

Inter-Region VPC Peering A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

Answer 78

Use Route 42 latency based routing to distribute the load to the multiple EC2 instances across all AWS regions

Answer 79

simply a service that provides a fast way to move large amounts of data online between on-premises storage and Amazon S3 or Amazon EFS.

Answer 80

Web Identity Federation With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure because you don't have to embed and distribute long-term security credentials with your application.

Answer 81

Remove the stored access keys in the AMI. Create a new IAM role with permissions to access the DynamoDB table and assign it to the EC2 instances... You should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use an IAM role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance.

Answer 82

User Data When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can write and run scripts that install new packages, software, or tools in your instance when it is launched.

Answer 83

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWSresources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Answer 84

Storage Optimized Instances Storage Optimized Instances is the correct answer. Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications.

Answer 85

Memory Optimized Instances are designed to deliver fast performance for workloads that process large data sets in memory, which is quite different from handling high read and write capacity on local storage (as Storage Optimized)

Answer 86

Compute Optimized Instances are ideal for compute-bound applications that benefit from high-performance processors, such as batch processing workloads and media transcoding.

Answer 87

HTTP 200 result code and MD5 checksum If you triggered an S3 API call and got HTTP 200 result code and MD5 checksum, then it is considered as a successful upload. The S3 API will return an error code in case the upload is unsuccessful.

Answer 88

Egress-only Internet gateway An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances. Take note that an egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, use a NAT gateway instead.

Answer 89

NAT Gateway (Egress-Only Internet Gateway is incorrect because this is primarily used for VPCs that use IPv6 to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances, just like what NAT Instance and NAT Gateway do. The scenario explicitly says that the EC2 instances are using IPv4 addresses which is why Egress-only Internet gateway is invalid, even though it can provide the required high availability.)

Answer 90

set up an RDS database and enable the IAM DB Authentication You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Answer 91

there is no cost if the instance is running and it has only one associated EIP An Elastic IP address doesn’t incur charges as long as the following conditions are true: * -The Elastic IP address is associated with an Amazon EC2 instance. * -The instance associated with the Elastic IP address is running. * -The instance has only one Elastic IP address attached to it.

Answer 92

use path conditions to define rules that forward request to different target groups based on the URL in the request You can use path conditions to define rules that forward requests to different target groups based on the URL in the request (also known as path-based routing). This type of routing is the most appropriate solution for this scenario OBS… only Application Load Balancer supports path-based routing

Answer 93

In this scenario, the main culprit is that the Cache-Control max-age directive is set to a low value, which is why the request is always directed to your origin server. Hence the correct answer is the option that says: The Cache-Control max-age directive is set to zero. The Cache-Control and Expires headers control how long objects stay in the cache. The Cache-Control max-age directive lets you specify how long (in seconds) you want an object to remain in the cache before CloudFront gets the object again from the origin server. The minimum expiration time CloudFront supports is 0 seconds for web distributions and 3600 seconds for RTMP distributions.

Answer 94

Amazon FSx for Lustre For compute-intensive and fast processing workloads, like high-performance computing (HPC), machine learning, EDA, and media processing, Amazon FSx for Lustre, provides a file system that’s optimized for performance, with input and output stored on Amazon S3.

Answer 95

Use AWS Lambda and Amazon API Gateway The best possible answer here is to use Lambda and API Gateway because this solution is both scalable and cost-effective. You will only be charged when you use your Lambda function, unlike having an EC2 instance which always runs even though you don’t use it.

Answer 96

Cross-Zone Load Balancing

Answer 97

set up the security group of the database tier to allow database traffic from the security of the application servers. In the scenario, the servers of the application-tier are in an Auto Scaling group which means that the number of EC2 instances could grow or shrink over time. An Auto Scaling group could also cover one or more Availability Zones (AZ) which have their own subnets. Hence, the most suitable solution would be to set up the security group of the database tier to allow database traffic from the security group of the application servers since you can utilize the security group of the application-tier Auto Scaling group as the source for the security group rule in your database tier.

Answer 98

Since you are using a Remote Desktop connection to access your EC2 instance, you have to ensure that the Remote Desktop Protocol is allowed in the security group. By default, the server listens on TCP port 3389 and UDP port 3389. (the option with port 22 is incorrect as port 22 is used for SSH connections and not RDP)

Answer 99

Amazon RDS is a suitable database service for online transaction processing (OLTP) applications. However, the question asks for a list of AWS services for the web tier and not the database tier. Also, when it comes to services providing scalability and elasticity for your web tier, Auto Scaling and Elastic Load Balancer should immediately come into mind. Therefore, Elastic Load Balancing, Amazon EC2, and Auto Scaling is the correct answer.

Answer 100

the Failed Lambda functions have been running for over 15 minutes and reached the maximum execution time =\> You pay for the AWS resources that are used to run your Lambda function. To prevent your Lambda function from running indefinitely, you specify a timeout. When the specified timeout is reached, AWS Lambda terminates execution of your Lambda function. It is recommended that you set this value based on your expected execution time. The default timeout is 3 seconds and the maximum execution duration per request in AWS Lambda is 900 seconds, which is equivalent to 15 minutes. Hence, the correct answer is the option that says: The failed Lambda functions have been running for over 15 minutes and reached the maximum execution time.

Answer 101

Use S3 Multipart upload API The main issue is the slow upload time of the video objects to Amazon S3. To address this issue, you can use Multipart upload in S3 to improve the throughput. It allows you to upload parts of your object in parallel thus, decreasing the time it takes to upload big objects. Each part is a contiguous portion of the object's data.

Answer 102

use versioned objects.. to control the versions of files that are served from your distribution, you can either invalidate files or give them versioned file names. If you want to update your files frequently, AWS recommends that you primarily use file versioning: - Versioning enables you to control which file a request returns even when the user has a version cached either locally or behind a corporate caching proxy. If you invalidate the file, the user might continue to see the old version until it expires from those caches. * - CloudFront access logs include the names of your files, so versioning makes it easier to analyze the results of file changes. * - Versioning provides a way to serve different versions of files to different users. * - Versioning simplifies rolling forward and back between file revisions. * - Versioning is less expensive. You still have to pay for CloudFront to transfer new versions of your files to edge locations, but you don't have to pay for invalidating files (Invalidating the files in your CloudFront web distribution is incorrect because even though using invalidation will solve this issue, this solution is more expensive as compared to using versioned objects.)

Answer 103

The correct answer is the option that says: Application files are stored in S3. The server log files can also optionally be stored in S3 or in CloudWatch Logs. AWS Elastic Beanstalk stores your application files and optionally, server log files in Amazon S3.

Answer 104

Amazon Kinesis

Answer 105

1,3 “Access policies define access to resources and can be associated with resources (buckets and objects) and users You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. Bucket policies can be used to grant permissions to objects”

Answer 106

1 OpenID Connect + 4.Another AWS account “The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users) Federation can come from three sources: - Federation (typically AD) - Federation with Mobile Apps (e.g. Facebook, Amazon, Google or other OpenID providers) - Cross account access (another AWS account) The question has asked for supported sources for users. Cognito user pools contain users, but identity pools do not”

Answer 107

DynamoDB * “Amazon Dynamo DB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability * Push button scaling means that you can scale the DB at any time without incurring downtime * DynamoDB provides low read and write latency”

Answer 108

ALB...1 “An Application Load Balancer is a type of Elastic Load Balancer that can use layer 7 (HTTP/HTTPS) protocol data to make forwarding decisions. An ALB supports both path-based (e.g. /images or /orders) and host-based routing (e.g. example.com)”

Answer 109

3…..NAT Gateway “A NAT Gateway is created in a specific AZ and can have a single Elastic IP address associated with it. NAT Gateways are deployed in public subnets and the route tables of the private subnets where the EC2 instances reside are configured to forward Internet-bound traffic to the NAT Gateway. You do pay for using a NAT Gateway based on hourly usage and data processing, however this is still a cost-effective solution”

Answer 110

“Storing the file in an S3 bucket is cost-efficient, and using S3 event notifications to invoke a Lambda function works well for this unpredictable workload and is cost-efficient” “SQS queues have a maximum message size of 256KB. You can use the extended client library for Java to use pointers to a payload on S3 but the maximum payload size is 2GB”

Answer 111

2… * security group membership can be changed whilst instances are running * any changes to security groups will take effect immediately * you can only assign permit rules in a security group, you cannot assign deny rules

Answer 112

2 Launch a single ALB and bind multiple SSL certificates to the same secure listener. Clients will use the Server Name Indication (SNI) extension “You can use a single ALB and bind multiple SSL certificates to the same listener With Server Name Indication (SNI) a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener”

Answer 113

A key pair consist of a public key that AWS stores and a private key file that you store For Linux AMIs, the private key file allows you to securely SSH into your instance

Answer 114

2… “Either create an encrypted volume and copy data to it or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot”

Answer 115

3.. Kinesis Streams “This is a good use case for Amazon Kinesis streams as it is able to scale to the required load, allow multiple applications to access the records and process them sequentially Amazon Kinesis Data Streams enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications”

Answer 116

2.. Use RDS in a Multi-AZ configuration “Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. With RDS you can configure Multi-AZ which creates a replica in another AZ and synchronously replicates to it (DR only)”

Answer 117

1,4 “Public subnets are subnets that have: “Auto-assign public IPv4 address” set to “Yes” which will assign a public IP The subnet route table has an attached Internet Gateway The instance will also need to a security group with an inbound rule allowing the traffic”

Answer 118

1,4… “For serving both the media player and media files you need two types of distributions: - A web distribution for the media player - An RTMP distribution for the media files RTMP: - Distribute streaming media files using Adobe Flash Media Server’s RTMP protocol - Allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location - Files must be stored in an S3 bucket (not an EBS volume or EC2 instance)”

Answer 119

1,4 * Redis: * “Redis engine stores data persistently * Redis engine supports Multi-AZ using read replicas in another AZ in the same region” * Memached: * Memcached engine does not store data persistently * Memcached does not support multi-aZ failover or replication

Answer 120

2,4 * “Glacier objects are visible through S3 only (not Glacier directly) * The contents of an archive that has been uploaded cannot be modified * Uploading archives is synchronous * Downloading archives is asynchronous * Retrieval can take a few hours”

Answer 121

2. Device Farm “AWS Device Farm is an app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time”

Answer 122

1,4 “This question is really just asking you to identify which of the listed services are stream-based services. DynamoDB and Kinesis are both used for streaming data”

Answer 123

2… “Amazon Kinesis Data Analytics is the easiest way to process and analyze real-time, streaming data. Kinesis Data Analytics can use standard SQL queries to process Kinesis data streams and can ingest data from Kinesis Streams and Kinesis Firehose but Firehose cannot be used for running SQL queries”

Answer 124

3… “Cross-region replication allows you to replicate across regions: - Amazon DynamoDB global tables provides a fully managed solution for deploying a multi-region, multi-master database”

Answer 125

1….ALB “An Application Load Balancer allows dynamic port mapping. You can have multiple tasks from a single service on the same container instance.”

Answer 126

2...Management Console + 5. AWS API “You can authenticate using an MFA device in the following ways: * Through the AWS Management Console – the user is prompted for a user name, password and authentication code” * “Using the AWS API – restrictions are added to IAM policies and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests * Using the AWS CLI by obtaining temporary security credentials from STS (aws sts get-session-token)”

Answer 127

3… Install an additional Microsoft Active Directory Domain Controller for your existing domain on EC2 and configure the application to authenticate to the local DC “The best answer is to Install an additional Microsoft Active Directory Domain Controller for your existing domain on EC2: - When you build your own you can join an existing on-premise Active Directory domain/directory (replication mode)”

Answer 128

AWS Simple AD “AWS Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone, fully managed, directory “on the AWS cloud. Simple AD is generally the least expensive option and the best choice for less than 50000 users and don’t need advanced AD features. It is powered by SAMBA 4 Active Directory compatible server”

Answer 129

2… AWS Budgets “AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Budget alerts can be sent via email and/or Amazon Simple Notification Service (SNS) topic”

Answer 130

1, 3 “Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3. EMR uses Apache Hadoop as its distributed data processing engine which is an open source, Java soft”“ware framework that supports data-intensive distributed applications running on large clusters of commodity hardware EMR launches all nodes for a given cluster in the same Amazon EC2 Availability Zone”

Answer 131

1,4… “Options for storing logs: * - CloudWatch Logs * - Centralized logging system (e.g. Splunk) * - Custom script and store on S3”

Answer 132

3.. you have 24 hours to download data after retrieval (24h is default and can be changed)+ 4..Glacier must complete a job before you can get its output

Answer 133

1,5.. can be sold on RI marketplace can be used in placement groups can also be used in auto scaling groups can also change instance size within same instance type can also switch AZ within same region

Answer 134

“Unlike gp2, which uses a bucket and credit model to calculate performance, an io1 volume allows you to specify a consistent IOPS rate when you create the volume, and Amazon EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year. Therefore you should expect to get 900 IOPS most of the year”

Answer 135

3,4 “Proxy protocol for TCP/SSL carries the source (client) IP/port information X-forwarded-for for HTTP/HTTPS carries the source IP/port information In both cases the protocol carries the source IP/port information right through to the web server. If you were happy to just record the source connections on the load balancer you could use access logs”

Answer 136

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

Answer 137

3, 4.. “You cannot do transitive peering so a hub and spoke architecture would not allow all VPCs to communicate directly with each other. For this you need to establish a mesh topology”

Answer 138

Elastic Transcoder “Amazon Elastic Transcoder is a highly scalable, easy to use and cost-effective way for developers and businesses to convert (or “transcode”) video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs”

Answer 139

1, 3 “Regional Edge Caches are located between origin web servers and global edge locations and have a larger cache than any individual edge location, so your objects remain in cache longer at these locations. Regional Edge caches aim to get content closer to users and are enabled by default for CloudFront Distributions (so you don't need to update your distributions) There are no additional charges for using Regional Edge Caches”

Answer 140

1,4. “There are two parts to this solution. First you need to copy the S3 data to each region (as the instances are stateless), then you need to be able to deploy instances from an ASG using the same AMI in each regions. - CRR is an Amazon S3 feature that automatically replicates data across AWS Regions. With CRR, every object uploaded to an S3 bucket is automatically replicated to a destination bucket in a different AWS Region that you choose, this enables you to copy the existing data across to each region - AMIs of both Amazon EBS-backed AMIs and instance store-backed AMIs can be copied between regions. You can then use the copied AMI to create a new launch configuration (remember that you cannot modify an ASG launch configuration, you must create a new launch configuration)”

Answer 141

2,4 “RAID 0 = 0 striping – data is written across multiple disks and increases performance but no redundancy SSD, Provisioned IOPS – I01 provides higher performance than General Purpose SSD (GP2) and you can specify the IOPS required up to 50 IOPS per GB and a maximum of 32000 IOPS”

Answer 142

* “RAID 0 = 0 striping – data is written across multiple disks and increases performance but no redundancy * RAID 1 = 1 mirroring – creates 2 copies of the data but does not increase performance, only redundancy”

Answer 143

3… “Server access logging provides detailed records for the requests that are made to a bucket. To track requests for access to your bucket, you can enable server access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and an error code, if relevant” (“CloudWatch metrics do not include the bucket operations specified in the question)

Answer 144

1,4 “The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn't launch or terminate additional instances before the previous scaling activity takes effect so this would help. After the Auto Scaling group dynamically scales using a simple scaling policy, it waits for the cooldown period to complete before resuming scaling activities The CloudWatch Alarm Evaluation Period is the number of the most recent data points to evaluate when determining alarm state. This would help as you can increase the number of datapoints required to trigger an alarm”

Answer 145

1,3 “DynamoDB charges: - DynamoDB is more cost effective for read heavy workloads it is priced based on provisioned throughput (read/write) regardless of whether you use it or not NOTE: With the DynamoDB Auto Scaling feature you can now have DynamoDB dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. However, this is relatively new and may not yet feature on the exam. See the link below for more details”

Answer 146

3...Cache content using CloudFront

Answer 147

2.. enable DynamoDB Streams and create an event source mapping between AWS Lambda and the relevant stream

Answer 148

2. REDIS “Redis - Data is persistent - Can be used as a datastore - Not multi-threaded - Scales by adding shards, not nodes”

Answer 149

2… “AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation”. “Before you can use a stack set to create stacks in a target account, you must set up a trust relationship between the administrator and target accounts”

Answer 150

2. Simple AD “Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone, fully managed, directory on the AWS cloud and is generally the least expensive option. It is the best choice for less than 5000 users and when you don’t need advanced AD features”

Answer 151

1,5. “For this solution Kinesis Data Firehose can be used as it can use Kinesis Data Streams as a source and can capture, transform, and load streaming data into a RedShift cluster. Kinesis Data Firehose can invoke a Lambda function to transform data before delivering it to destinations”

Answer 152

DynamoDB “Out of the options in the list, DynamoDB requires the least operational overhead as there are no backups, maintenance periods, software updates etc. to deal with”

Answer 153

2..EFS.. “Amazon EFS is the best solution as it is the only solution that is a file-level storage solution (not block/object-based), stores data redundantly across multiple AZs within a region and you can concurrently connect up to thousands of EC2 instances to a single filesystem”

Answer 154

1,3 “RedShift always keeps three copies of your data and provides continuous/incremental backups

Answer 155

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console.

Answer 156

1. AWS KMS API “The AWS KMS API can be used for encrypting data keys (envelope encryption)”

Answer 157

4. Cluster Subnet Group “A cluster subnet group allows you to specify a set of subnets in your VPC”

Answer 158

Generate a pre-signed URL and distribute it to the consumers.. “S3 pre-signed URLs can be used to provide temporary access to a specific object to those who do not have AWS credentials.”

Answer 159

Athena.. “Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run”

Answer 160

1,2 “When the launch configuration is created from the CLI detailed monitoring of EC2 instances is enabled by default”

Answer 161

4, 5 “There are two possible solutions here. In one you create a new IAM role with multiple policies, in the other you add a new policy to the existing IAM role. Contrary to one of the incorrect answers, you can modify IAM roles after an instance has been launched - this was changed quite ”“some time ago now. However, you cannot add multiple IAM roles to a single EC2 instance. If you need to attach multiple policies you must attach them to a single IAM role. There is no such thing as delegating access using the API Gateway management console” “You are using an Application Load Balancer (ALB) for distributing traffic for a number of application servers running on EC2 instances. The configuration consists of a single ALB with a single target group. The front-end listeners are receiving traffic for digitalcloud.training on port 443 (SSL/TLS) and the back-end listeners are receiving traffic on port 80 (HTTP).

Answer 162

1,3 “The traffic is coming in on standard ports (443/HTTPS, 80/HTTP) to a single front-end listener. You can only have a single listener running on a single port. Therefore to be able to direct traffic for a specific web page you need to use an ALB and path-based routing to direct the traffic to a specific back-end listener. As only one protocol and one port can be defined per target group you also need to create a new target group that uses port 8080 as a target.”

Answer 163

1,4 “The ECS container agent allows container instances to connect to the cluster nd runs on each infrastructure resource on an ECS cluster. The ECS container agent is included in the Amazon ECS optimized AMI and can also be installed on any EC2 instance that supports the ECS specification (only supported on EC2 instances). It is available for Linux and Windows”

Answer 164

“System status checks detect (StatusCheckFailed\_System) problems with your instance that require AWS involvement to repair whereas Instance status checks (StatusCheckFailed\_Instance) detect problems that require your involvement to repair”

Answer 165

4.,.. “The important points here are that you need to utilize the on-premise AD for authentication with AWS services whilst not synchronizing the AD database into the cloud or setting up trust relationships(adding permissions to resources in another AD domain). AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory and eliminates the need for directory synchronization. AD connector is considered the best choice when you want to use an existing AD with AWS services. The small AD connector is for up to 500 users and the large version caters for up to 5000 so in this case we need to use the large AD connector” “Active Directory Service for Microsoft Active Directory is the best choice if you have more than 5000 users and is a standalone AD service in the cloud. You can also setup trust relationships with existing on-premise AD instances (though you can't replicate/synchronize). In this case we want to leverage the on-premise AD and want to avoid trust relationships”

Answer 166

3… “With AWS Direct Connect you can provision a low latency, high performance private connection between the client's data center and AWS. Direct Connect connections connect you to a region and all AZs within that region. In this case the client has a single VPC so we know their resources are container within a single region and therefore a single Direct Connect connection satisfies the requirements.”

Answer 167

1,3 “CloudTrail is used for recording API calls (auditing) whereas CloudWatch is used for recording metrics (performance monitoring). The solution can be deployed with a single trail that is applied to all regions. A single KMS key can be used to encrypt log files for trails applied to all regions. CloudTrail log files are encrypted using S3 Server Side Encryption (SSE) and you can also enable encryption SSE KMS for additional security”

Answer 168

2. Query string parameters “Query string parameters cause CloudFront to forward query strings to the origin and to cache based on the language parameter”

Answer 169

control access to CloudFront distributions

Answer 170

“Amazon API Gateway decouples the client application from the back-end application-layer services by providing a single endpoint for API requetss”

Answer 171

“Amazon Cognito is used for adding sign-up, sign-in and access control to mobile apps”

Answer 172

DynamoDB “Amazon DynamoDB is a fully managed NoSQL database service that provides a durable and persistent data store. You can scale DynamoDB using push button scaling which means that you can scale the DB at any time without incurring downtime. Amazon DynamoDB stores three geographically distributed replicas of each table to enable high availability and data durability” “As a Solutions Architect for Digital Cloud Training you are designing an online shopping application for a new client. The application will be composed of distributed, decoupled components to ensure that the failure of a single component does not affect the availability of the application.

Answer 173

3 = FIFO “FIFO (first-in-first-out) queues preserve the exact order in which messages are sent and received.. If you use a FIFO queue, you don’t have to place sequencing information in your message and they provide exactly-once processing, which means that each message is delivered once and remains available until a consumer processes it and deletes it. A FIFO queue would fit the solution requirements for this question”

Answer 174

“DynamoDB a NoSQL DB which means you can change the schema easily. It's also the only DB in the list that you can scale without any downtime Amazon Aurora, RDS MySQL and RedShift all require changing instance sizes in order to scale which causes an outage. They are also all relational databases (SQL) so changing the schema is difficult”

Answer 175

“Multi-AZ RDS creates a replica in another AZ and synchronously replicates to it. This provides a DR solution as if the AZ in which the primary DB resides fails, multi-AZ will automatically fail over to the replica instance with minimal downtime”

Answer 176

3... “You can only apply one IAM role to a Task Definition so you must create a separate Task Definition.. A Task Definition is required to run Docker containers in Amazon ECS and you can specify the IAM role (Task Role) that the task should use for permissions It is incorrect to say that you cannot implement granular permissions with ECS containers as IAM roles are granular and are applied through Task Definitions/Task Roles You can apply different IAM roles to different EC2 instances, but to grant permissions to ECS application containers you must use Task Definitions and Task Roles”

Answer 177

Cloudfront and ELB “CloudFront and ELB support Perfect Forward Secrecy which creates a new private key for each SSL session Perfect Forward Secrecy (PFS) provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key”

Answer 178

CloudFormation “AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion. AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment”

Answer 179

1=memory usage

Answer 180

“With EMR and EC2 you have access to the underlying operating system which means “you can connect to the operating system using protocols such as SSH and then manage the operating system”

Answer 181

1,3 “An Amazon API Gateway is a collection of resources and methods that are integrated with back-end HTTP endpoints, Lambda function or other AWS services. API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls. Throttling can be configured at multiple levels including Global and Service Call”

Answer 182

“EBS volume data is replicated across multiple servers within an AZ”

Answer 183

EFS “The Amazon Elastic File System (EFS) is a file-based (not block or object-based) system that is accessed using the NFSv4.1 protocol. You can concurrently connect 1 to 1000s of EC2 instances from multiple AZs to a single EFS file system. EFS is elastic and provides high levels of aggregate throughput and IOPS.”

Answer 184

“In this scenario we are not looking to backup the instances but to create identical copies of them in the other region. These are often called golden images. We must assume that any data used by the instances resides in another service and will be accessible to them when they are launched in a DR situation You launch EC2 instances using AMIs not snapshots (you can create AMIs from snapshots). Therefore, you should create AMIs of each instance (rather than snapshots), copy the AMIs between regions and then create new EC2 instances from the AMIs”

Answer 185

1,3 “None of the answer options present the full solution. However, you have been asked which services will help you to achieve the desired outcome. In this case we need high availability for on-demand EC2 instances. A single Auto Scaling Group will enable the on-demand instances to be launched into multiple availability zones with an elastic load balancer distributing incoming connections to the available EC2 instances. This provides high availability and elasticity Amazon S3 and CloudFront could be used to serve static content from an S3 bucket, however the question states that the web application runs on EC2 instances”

Answer 186

“A Recovery Point Objective (RPO) relates to the amount of data loss that can be allowed, in this case a low RPO means that you need to minimize the amount of data lost so synchronous replication is required. Out of the options presented only Amazon RDS in a multi-AZ configuration uses synchronous replication”

Answer 187

“If you do not want to manage EC2 instances you must use the AWS Fargate launch type which is a serverless infrastructure managed by AWS. Fargate only supports container images hosted on Elastic Container Registry (ECR) or Docker Hub”

Answer 188

1,5 = “S3 can be used to host static websites and you can use a custom domain name with S3 using a Route 53 Alias record. When using a custom domain name the bucket name must be the same as the domain name The Alias record is a Route 53 specific record type. Alias records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites”

Answer 189

“This scenario asks that when retrieving data the chosen storage solution should always return the most up-to-date data. Therefore we must use Amazon RDS as it provides read-after-write consistency”

Answer 190

1,4 = “The customer wants to leverage their existing directory but not replicate account credentials into the cloud. Therefore they can use the Active Directory Service for Microsoft Active Directory and create a trust relationship with their existing AD domain. This will allow them to authenticate using local user accounts in their existing directory without creating an AD Domain Controller in the cloud (which would entail replicating account credentials) Active Directory Service for Microsoft Active Directory is the best choice if you have more than 5000 users and/or need a trust relationship set up”

Answer 191

“The Architect requires a solution that removes the need to manage instances. Therefore it must be a serverless service which rules out EC2. The two remaining options use AWS Lambda at the back-end for processing. Though CloudFront can trigger Lambda functions it is more suited to customizing content delivered from an origin. Therefore API Gateway with AWS Lambda is the most workable solution presented”

Answer 192

2,4 “You cannot automatically register EC2 instances with private hosted zones Route 53 can be used to route Internet traffic for domains registered with another domain registrar (any domain) You can transfer domains to Route 53 only if the Top Level Domain (TLD) is supported”

Answer 193

3,5 = “The in-memory caching provided by ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workloads or compute-intensive workloads ElastiCache is best for scenarios where the DB load is based on Online Analytics Processing (OLAP) transactions not Online Transaction Processing (OLTP) Elasticache EC2 nodes cannot be accessed from the Internet, nor can they be accessed by EC2 instances in other VPCs You cannot mix Memcached and Redis in a cluster”

Answer 194

2… “Auto Scaling rebalances by launching new EC2 instances in the AZs that have fewer instances first, only then will it start terminating instances in AZs that had more instances”

Answer 195

1..“IAM roles for ECS tasks enabled you to secure your infrastructure by assigning an IAM role directly to the ECS task rather than to the EC2 container instance. This means you can have one task that uses a specific IAM role for access to S3 and one task that uses an IAM role to access DynamoDB With IAM roles for EC2 instances you assign all of the IAM policies required by tasks in the cluster to the EC2 instances that host the cluster. This does not allow the secure separation requested”

Answer 196

2.. “As the client needs to access the operating system of the database servers, we need to use EC2 instances not RDS (which does not allow operating system access). We can implement EC2 instances with Microsoft SQL in two different AZs which provides the requested location redundancy and AZs are connected by low-latency, high throughput and redundant networking”

Answer 197

“Security Groups can be configured with Inbound (ingress) and Outbound (egress) rules. You can only assign permit rules in a security group,”

Answer 198

1...Kinesis Firehose is the easiest way to load streaming data stores and “analytics tools. It captures, transforms, and loads streaming data and can invoke a Lambda function to transform data before delivering it to destinations. Firehose Destinations include: S3, RedShift, Elasticsearch and Splunk”

Answer 199

“Kinesis Data Streams processes data and then stores it for applications to access. It does not deliver it to destinations such as Splunk”

Answer 200

“Kinesis Data Analytics is used for processing and analyzing real-time streaming data. It can only output data to S3, RedShift, Elasticsearch and Kinesis Data Streams”

Answer 201

1,5… “API Gateway can scale to any level of traffic received by an API. API Gateway scales up to the default throttling limit of 10,000 requests per second, and can burst past that up to 5,000 RPS. Throttling is used to protect back-end instances from traffic spikes Lambda uses continuous scaling – scales out not up. Lambda scales concurrently executing functions up to your default limit (1000)”

Answer 202

2...“A spread placement group is a group of instances that are each placed on distinct underlying hardware”

Answer 203

Hibernate and Stop “You can specify whether Amazon EC2 should hibernate, stop, or terminate Spot Instances when they are interrupted. You can choose the interruption behavior that meets your needs. The default is to terminate Spot Instances when they are interrupted”

Answer 204

4. Configure Amazon DAX “Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. You can enable DAX for a DynamoDB database with a few clicks”

Answer 205

1..“You can enable Instance Protection to protect a specific instance in an ASG from a scale in action”

Answer 206

Answer: 1,4” “You can use server-side encryption with SSE-KMS to protect your data with a master key or you can use an AWS KMS customer master key KMS uses customer master keys (CMKs), not customer provided keys SSE-KMS requires that AWS manage the data key but you manage the master key in AWS KMS Auditable master keys can be created, rotated, and disabled from the IAM console You can use the Amazon S3 encryption client in the AWS SDK from your own application to encrypt objects and upload them to Amazon S3, otherwise data is encrypted on Amazon S3, not on the client side”

Answer 207

3,4 “A custom CMK key must be used for encryption if you want to share the snapshot You must share the CMK key as well as the snapshot with the other AWS account Snapshots of encrypted volumes are encrypted automatically To share an encrypted snapshot you must encrypt it in the source account with a custom CMK key and then share the key with the target account”

Answer 208

2,3 “The relevant facts are there is a soft limit of 20 On-demand or 20 reserved instances per region by default and there are 32 possible hosts in a /27 subnet. AWS reserve the first 4 and last 1 IP address. ELB requires 8 addresses within your subnet which only leaves 19 addresses available for use There are 16 EC2 instances so a capacity increase of 50% would bring the total up to 24 instances which exceeds the address space and the default account limit for On-Demand instances”

Answer 209

3,5 “Network ACLs contain a numbered list of rules that are evaluated in order from the lowest number until the explicit deny. Network ACLs only apply to traffic that is ingress or egress to the subnet not to traffic within the subnet Network ACL’s function at the subnet level, not the instance level With NACLs you can have permit and deny rules All rules are not evaluated before making a decision (security groups do this), they are evaluated in order until a permit or deny is encountered”

Answer 210

“The easiest and recommended option is to create an AMI (image) from the instance and launch an instance from the AMI in the other AZ. AMIs are backed by snapshots which in turn are backed by S3 so the data is available from any AZ within the region You can take a snapshot, launch an instance in the destination AZ. Stop the instance, detach its root volume, create a volume from the snapshot you took and attach it to the instance. However, this is not the best option There’s no way to move an EC2 instance from the management console You cannot perform a copy operation to move the instance”

Answer 211

“Add a rule to the Network ACL to deny traffic from the identified IP addresses. Ensure all subnets are associated with the Network ACL” the best way to handle this situation is to create a deny rule in a network ACL using the identified IP addresses as the source. You would apply the network ACL to the subnet(s) that are seeing suspicious traffic”

Answer 212

1… IAM is global

Answer 213

create a DynamoDB Accelerator (DAX) cluster

Answer 214

“Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs). Public VIFs allow access to public services such as S3, EC2, and DynamoDB. Private VIFs allow access to your VPC. You must use public IP addresses on public VIFs, and private IP addresses on private VIFs Once you have connected to an AWS region using AWS Direct Connect you can connect to all AZs within that region. You can also establish IPSec connections over public VIFs to remote regions.”

Answer 215

S3... is object-based storage + allow concurrent access = can be shared by multiple instances

Answer 216

1,3 “AWS currently supports enhanced networking capabilities using SR-IOV which provides direct access to network adapters, provides higher performance (packets-per-second) and lower latency. You must launch an HVM AMI with the appropriate drivers and it is only available for certain instance types and only supported in VPC”

Answer 217

2… “The key facts here are that whilst minimizing application downtime you need to take a consistent snapshot and are unable to pause writes long enough to do so. Therefore the best option is to unmount the EBS volume and take the snapshot. This will be much faster than shutting down the instance, taking the snapshot, and then starting it back up again Snapshots capture a point-in-time state of an instance and are stored on S3. To take a consistent snapshot writes must be stopped (paused) until the snapshot is complete – if not possible the volume needs to be detached, or if it’s an EBS root volume the instance must be stopped” (if taking snapshot while attached you may not get a fully consistent snapshot which is needed here)

Answer 218

“AWS recommends that you always use the default predefined security policy. When choosing a custom security policy you can select the ciphers and protocols (only for CLB)” (AES is an encryption policy, not a policy)

Answer 219

1...decoupling

Answer 220

3...“Maintenance windows are configured to allow DB instance modifications to take place such as scaling and software patching. Some operations require the DB instance to be taken offline briefly and this includes security patching” (the others do not take place during a maintenance window)

Answer 221

2,4 “Amazon Dynamo DB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability that provides low read and write latency. Because of its performance profile and the fact that it is a NoSQL type of database, DynamoDB is good for rapidly ingesting clickstream data You should use a relational database such as RDS when you need to do complex queries and joins. Microsoft SQL and Oracle DB are both relational databases so DynamoDB is not a good backup target or migration destination for these types of DB”

Answer 222

1,3 both a web application using Amazon RDS and a long running worker process (where it manages an SQS queue) are good examples of when yo use Beanstalk as multiple services are being used which is what Beanstalk is for = orchestration engine

Answer 223

2… Access keys are a combination of an access Key ID and a secret access key and you can assign “two active access keys to a user at a time. These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools” (a password is needed for logging into the console yes, but a password is not needed to make API calls)

Answer 224

1,2.. “When using S3 encryption your data is always encrypted at rest and you can choose to use KMS managed keys or customer-provided keys. If you encrypt the data at the source and transfer it in an encrypted state it will also be encrypted in-transit With client side encryption data is encrypted on the client side and transferred in an encrypted state and with server-side encryption data is encrypted by S3 before it is written to disk (data is decrypted when it is downloaded)”

Answer 225

Cloud HardwareSecurityModule is used to create and manage encryption keys but not actually encrypting the data

Answer 226

3,5...“Placement groups are recommended for applications that benefit from low latency and high bandwidth and it s recommended to use an instance type that supports enhanced networking. Instances within a placement group can communicate with each other ”

Answer 227

“EFS provides a highly-available data store with consistent low latencies and elasticity to scale as required” (DynamoDB is a low latency, highly-available NoSQL Database and you can also store JSON files but only up to 400 kb in size and thus EFS is the only plausible solution here)

Answer 228

CloudFormation

Answer 229

1…why? * CloudFront caches near end users and ensure low latency * API Gateway and API Lambda are present in all options * DynamoDB can be used for storing session state data * (RDS is not a serverless service so can be ruled out)

Answer 230

2,4… “If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances. Auto Scaling will terminate the existing instance before launching a replacement instance” (the process is different for AZ rebalancing where it launches new instances first in the other AZ before it closes instances down).

Answer 231

Redshift = Data warehouse “Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence (BI) tools. RedShift is a SQL based data warehouse that is used for analytics applications. RedShift is 10x faster than a traditional SQL DB”

Answer 232

Expedited Retrieval… typically 1-5 minutes (standard retrieval is 3-5hours, bulk retrieval is more cost-effective but 5-12 hours))

Answer 233

4...Kinesis Firehose with Redshift “Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. Firehose Destinations include: Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence tools.

Answer 234

“Kinesis Data Streams enables you to build custom applications that process or analyze streaming data for specialized needs. It enables real-time processing of streaming big data and can be used for rapidly moving data off data producers and then continuously processing the data. Kinesis Data Streams stores data for later processing by applications (key difference with Firehose which delivers data directly to AWS services) (Kinesis Firehose can allow transformation of data and it then delivers data to supported services”)

Answer 235

“The SSH protocol uses TCP port 22

Answer 236

2...“Using the CloudFront content delivery network (CDN) would offload the processing from the EC2 instance as the videos would be cached and accessed without hitting the EC2 instance” (“Using CloudFront is preferable to using an Auto Scaling group to launch more instances as it is designed for caching content and would provide the best user experience”)

Answer 237

3… “Always use IAM roles when you can It is an AWS best practice not to store API credentials within applications, on file systems or on instances (such as in metadata).”

Answer 238

2… “Throughput Optimized HDD is the most cost-effective storage option and for a small DB with low traffic volumes it may be sufficient. Note that the volume must be at least 500 GB in size (AWS recommend using General Purpose SSD rather than Throughput Optimized HDD for most use cases but it is more expensive”)

Answer 239

4...“Aurora databases can scale up to 64 TB and Aurora replicas features millisecond latency All other RDS engines have a limit of 16 TiB maximum DB size and asynchronous replication typically takes seconds”

Answer 240

CloudFormation “CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts”

Answer 241

a deployment service that “automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions”

Answer 242

2,4… “AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory. AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure and connects your existing on-premise AD to AWS. It is the best choice when you want to use an existing Active Directory with AWS services IAM Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests. With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. user name and password)”. you map the groups in AD to IAM Roles (not IAM users or groups)

Answer 243

“AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory. AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure and connects your existing on-premise AD to AWS. It is the best choice when you want to use an existing Active Directory with AWS services

Answer 244

“AWS Directory Service Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a fully cloud-based solution and does not integrate with an on-premises Active Directory service.

Answer 245

3,5… “The key requirements are that historical data that data is recorded in a low latency, durable data store and then moved into a data warehouse when the data is over 1 year old for historical analytics. This is a good use case for DynamoDB as a data store and RedShift as a data warehouse. Kinesis is used for real-time data, not historical data so is not a good fit”

Answer 246

“Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information.

Answer 247

“You can use MFA with a Cognito user pool (not in IAM) and this satisfies the requirement. A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers”

Answer 248

2,5. “Due to the reverse proxy being a bottleneck to scalability, we need to replace it with a solution that can perform content-based routing. This means we must use an ALB not a CLB as ALBs support path-based and host-based routing Auto Scaling should be added to the architecture so that the back end EC2 instances do not become a bottleneck. With Auto Scaling instances can be added and removed from the back end fleet as demand changes”

Answer 249

3..TTL “Caches are provisioned for a specific stage of your APIs. Caching features include customisable keys and time-to-live (TTL) in seconds for your API data which enhances response times and reduces load on back-end services You can throttle and monitor requests to protect your back-end, but the cache is used to reduce the load on the back-end”

Answer 250

“Using PrivateLink you can connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services”

Answer 251

3… to connect to other AWS accounts privately you need to use PrivateLink.

Answer 252

2.5… “Best practices for securing operating systems and applications include: * Disable root API access keys and secret key * Restrict access to instances from limited IP ranges using Security Groups * Password protect the .pem file on user machines * Delete keys from the authorized\_keys file on your instances when someone leaves your organization or no longer requires access * Rotate credentials (DB, Access Keys) * Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys * Use bastion hosts to enforce control and visibility” *

Answer 253

1… SQS allows us to decouple the application and store messages waiting to be processed. Then we add some EC2 instances to process this queue

Answer 254

1.Redshift “Amazon RedShift uses columnar storage and is used for analyzing data using business intelligence tools (SQL)” (DynamoDB is not columnar as it is NoSQL, RDS is better for OLTP work and not analytics and Elasticache is an in-memory caching service)

Answer 255

2…. “The possible values are ok, impaired, warning, or insufficient-data. If all checks pass, the overall status of the volume is ok. If the check fails, the overall status is impaired. If the status is insufficient-data, then the checks may still be taking place on your volume at the time”

Answer 256

2. stop sending traffic “The ELB will simply stop sending traffic to the instance as it has determined it to be unhealthy ELBs are not responsible for terminating EC2 instances. The ELB does not send instructions to the ASG, the ASG has its own health checks and can also use ELB health checks to determine the status of instances”

Answer 257

4,5 “To use Route 53 for an existing domain the Architect needs to change the NS records to point to the Amazon Route 53 name servers. This will direct name resolution to Route 53 for the domain name. The most cost-effective solution for hosting the website will be to use an Amazon S3 bucket. To do this you create a bucket using the same name as the domain name (e.g. example.com) and use a Route 53 Alias record to map to it Using an EC2 instance instead of an S3 bucket would be more costly so that rules out 2 options that explicitly mention EC3 Elastic Beanstalk provisions EC2 instances so again this would be a more costly option”

Answer 258

EFS.. “EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. EFS is good for big data and analytics, media processing workflows, content management, web serving, home directories etc.. EFS uses the NFSv4.1 protocol which is a protocol for mounting file systems (similar to Microsoft’s SMB)” (DynamoDB is only good with OLTP)

Answer 259

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

Answer 260

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an AWS Identity and Access Management (IAM) entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts.

Answer 261

IAM roles for EC2 instances simplifies management and deployment of AWS access keys to EC2 instances. Using this feature, you associate an IAM role with an instance. Then your EC2 instance provides the temporary security credentials to applications running on the instance, and the applications can use these credentials to make requests securely to the AWS service resources defined in the role. = IAM roles for EC2 instances enables your applications running on EC2 to make requests to AWS services such as Amazon S3, Amazon SQS, and Amazon SNS without you having to copy AWS access keys to every instance

Answer 262

Temporary security credentials consist of the AWS access key ID, secret access key, and security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens. (default 12 hours, min 15 minutes, max 36 hours)

Answer 263

AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).

Answer 264

Federated users (external identities) are users you manage outside of AWS in your corporate directory, but to whom you grant access to your AWS account using temporary security credentials. They differ from IAM users, which are created and maintained in your AWS account.

Answer 265

Web identity federation allows you to create AWS-powered mobile apps that use public identity providers (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider) for authentication. With web identity federation, you have an easy way to integrate sign-in from public identity providers (IdPs) into your apps without having to write any server-side code and without distributing long-term AWS security credentials with the app.

Answer 266

For best results, use Amazon Cognito as your identity broker for almost all web identity federation scenarios.

Answer 267

1,4. AWS recommends that you use the AWS SDKs to make programmatic API calls to IAM. However, you can also use the IAM Query API to make direct calls to the IAM web service. An access key ID and secret access key must be used for authentication when using the Query API.

Answer 268

2...“This is simply about understanding the performance characteristics of the different EBS volume types. The only EBS volume type that supports over 10,000 IOPS is Provisioned IOPS SSD” (Provisioned IOPS for… +10,000 IOPS, up to 32,000 IOPS per volume, up to 50 IOPS per GiB)

Answer 269

* Soft limit of 20 on-demand instances per region * 300 TiB of aggregate PIOPS volumes per region and 300,000 aggregate PIOPS

Answer 270

## Footnote “ELB nodes have public IPs and route traffic to the private IP addresses of the EC2 instances. You need one public subnet in each AZ where the ELB is defined and the private subnets are located”

Answer 271

1,3 policies are documents that define permissions and can be applied to users, groups, and roles. =\> within an IAM policy you can grant either programmatic access or AWS Management Console access to Amazon S3 resources.

Answer 272

to access EC2 instances

Answer 273

1,2 “Athena also allows you to easily query encrypted data stored in Amazon S3 and write encrypted results back to your S3 bucket. Both, server-side encryption and client-side encryption are supported With IAM policies, you can grant IAM users fine-grained control to your S3 buckets, and is preferable to using bucket ACLs”

Answer 274

3... “Single sign-on using federation allows users to login to the AWS console without assigning IAM credentials The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (such as federated users from an on-premise directory) Federation (typically Active Directory) uses SAML 2.0 for authentication and grants temporary access based on the users AD credentials. The user does not need to be a user in IAM”

Answer 275

to authenticate users to web and mobile apps (not for providing single sign-on between on-premises directories and AWS management console… here we use Federation (STS and SAML)

Answer 276

* API Gateway * Lambda * S3 * DynamoDB * SNS * SQS * Kinesis

Answer 277

1..snapshots capture a point-in-time state of an instance and snapshots of EBS volumes are automatically stored in S3

Answer 278

Answer: 2 DynamoDB can throttle requests that exceed the provisioned throughput for a table. When a request is throttled it fails with an HTTP 400 code (Bad Request) and a ProvisionedThroughputExceeded exception (not a 503 or 200 status code) When using the provisioned capacity pricing model DynamoDB does not automatically scale. DynamoDB can automatically scale when using the new on[…]”

Answer 279

2...when you create a new subnet, it is automatically associated with the main route table. Therefore, the EC2 instance will not have a route to the Internet in this example. The architect should associate the new subnet with the custom route table.

Answer 280

Answer: 2 With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Using this feature you can achieve the required outcome by using IAM roles for tasks and splitting the containers according to the permissions required to different task profiles.”

Answer 281

3...“If any health check returns an unhealthy status the instance will be terminated. Unlike AZ rebalancing, termination of unhealthy instances happens first, then Auto Scaling attempts to launch new instances to replace terminated instances AS will not launch a new instance immediately as it always terminates unhealthy instance before launching a replacement”

Answer 282

1,2 “It is not specified what types of documents are being moved into the cloud or what services they will be placed on. Therefore we can assume that options include S3 and EBS. Both of these services provide native encryption functionality to ensure security of the sensitive documents. With EBS you can use KMS-managed or customer-managed encryption keys. With S3 you can use client-side or server-side encryption (IAM access policies are not used for controlling encryption”)

Answer 283

in a private subnet of your VPC

Answer 284

3 tags… a tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define. TAGS enable you to categorize your AWS resources in different ways, for example, by purpose, owner or environment

Answer 285

Answer: 1 By default Eth0 is the only Elastic Network Interface (ENI) created with an EC2 instance when launched. You can add additional interfaces to EC2 instances (number dependent on instances family/type). Default interfaces are terminated with instance termination. Manually added interfaces are not terminated by default”

Answer 286

2,3.. You can suspend and then resume one or more of the scaling processes for your Auto Scaling group. This can be useful when you want to investigate a configuration problem or other issue with your web application and then make changes to your application, without invoking the scaling processes. You can manually move an instance from an ASG and put it in the standby state Instances in standby state are still managed by Auto Scaling, are charged as normal, and do not count towards available EC2 instance for workload/application use. Auto scaling does not perform health checks on instances[…]”

Answer 287

for active/passive configurations..

Answer 288

Answer: 2,3 Performing in-place queries on a data lake allows you to run sophisticated analytics queries directly on the data in S3 without having to load it into a data warehouse You can use both Athena and Redshift Spectrum against the same data assets. You would typically use Athena for ad hoc data discovery and SQL querying, and then use Redshift Spectrum for more complex queries and scenarios where a large number of data lake users want to run concurrent BI and reporting workloads” (Lambda is good for functions but not analytics queries and AWS Glue is an ETL service)

Answer 289

3.. “An Alias record can be used for resolving apex or naked domain names (e.g. example.com). You can create an A record that is an Alias that uses the customer's website zone apex domain name and map it to the ELB DNS name”

Answer 290

1,3.. “The following are a few reasons why an instance might immediately terminate: - You've reached your EBS volume limit - An EBS snapshot is corrupt - The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption” AWS does not have capacity available

Answer 291

1… “SSD, General Purpose (GP2) provides enough IOPS to support this requirement and is the most economical option that does. Using Provisioned IOPS would be more expensive and the other two options do not provide an SLA for IOPS”

Answer 292

* 3 IOPS per GiB * up to 16,000 IOPS * volume size 1GB to 16 GB

Answer 293

* 50 IOPS per GiB * up to 64,000 IOPS * volume size 4GB to 16 GB

Answer 294

1,2 EBS-backed instances, the default is to delete the root EBS volume upon termination. EBS volumes can be detached and attached again without data being lost (instance stores cannot)

Answer 295

Answer: 1,2 Information is sent by the ELB to CloudWatch every 1 minute when requests are active. Can be used to trigger SNS notifications” “Access Logs are disabled by default. Includes information about the clients (not included in CloudWatch metrics) including identifying the requester, IP, request type etc. Access logs can be optionally stored and retained in S3”

Answer 296

2,5 The only application services here are API Gateway and Lambda and these are considered to be serverless services”

Answer 297

“Auto Scaling can perform rebalancing when it finds that the number of instances across AZs is not balanced. Auto Scaling rebalances by launching new EC2 instances in the AZs that have fewer instances first, only then will it start terminating instances in AZs that had more instances”

Answer 298

On-demand… you need it quickly, cost-effectively and without interruptions. (spot = interruptions, reserved = for longer requirements with 1-3 year contracts, flexible does not exist)

Answer 299

Answer: 1,2 * ECS Clusters are a logical grouping of container instances the you can place tasks on * Clusters can contain tasks using BOTH the Fargate and EC2 launch type * Each container instance may only be part of one cluster at a time * Clusters are region specific * For clusters with the EC2 launch type clusters can contain different container instance types”

Answer 300

2,4… “CloudFront distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served ELB automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource ELB, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances ELB also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances”

Answer 301

4… “If you are installing MySQL on an EC2 instance you cannot enable read replicas or multi-AZ. Instead you would need to use Amazon RDS with a MySQL DB engine to use these features Migrating to RDS would entail a major change to the architecture so is not really feasible. In this example it will therefore be easier to use the native HA features of MySQL rather than to migrate to RDS. You would want to place the second MySQL DB instance in another AZ to enable high availability and fault tolerance”

Answer 302

3….You can throttle and monitor requests to protect your backend. Resiliency through throttling rules is based on the number of requests per second for each HTTP method (GET, PUT). Throttling can be configured at multiple levels including Global and Service Call API Gateway is the front-end component of this application therefore that is where you need to implement the controls. You cannot use CloudFront or ElastiCache to cache APIs. You also cannot put APIs in a bucket and publish as a static website

Answer 303

4.. “You backup EBS volumes by taking snapshots. This can be automated via the AWS CLI command "create-snapshot". However the question is asking for a way to automate not just the creation of the snapshot but the retention and deletion too. The EBS Data Lifecycle Manager (DLM) is a new feature that can automate all of these actions for you and this can be performed centrally from within the management console”

Answer 304

Answer: 1,3 The proxy protocol only applies to L4 and the back-end listener must be TCP for proxy protocol When using the proxy protocol the front-end listener can be either TCP or SSL”

Answer 305

1… Amazon Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages. Aurora Global Database uses storage-based replication with typical latency of less than 1 second, using dedicated infrastructure that leaves your database fully available to serve application workloads. In the unlikely event of a regional degradation or outage, one of the secondary regions can be promoted to full read/write capabilities in less than 1 minute. You can create an Amazon Aurora MySQL DB cluster as a Read Replica in a different AWS Region than the source DB cluster. Taking this approach can improve your disaster recovery capabilities, let you scale read operations into an AWS “Region to another. However, this solution would not provide the fast storage replication and fast failover capabilities of the Aurora Global Database and is therefore not the best option Enabling Multi-AZ for the Aurora DB would provide AZ-level resiliency within the region not across regions”

Answer 306

Answer: 2,..... You can throttle and monitor requests to protect your backend. Resiliency through throttling rules based on the number of requests per second for each HTTP method (GET, PUT). Throttling can be configured at multiple levels including Global and Service Call When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client”

Answer 307

1,3.. “When you resize an instance, you must select an instance type that is compatible with the configuration of the instance. You must stop your Amazon EBS–backed instance before you can change its instance type You can suspend and then resume one or more of the scaling processes for your Auto Scaling group. Suspending scaling processes can be useful when you want to investigate a configuration problem or other issue with your web application and then make changes to your application, without invoking the scaling processes You do not need to create a new launch configuration and you cannot edit an existing launch configuration You cannot change an instance type without first stopping the instance”

Answer 308

2.. “With an identity pool, users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB”