AWSExam_2 Flashcards

Question 1

Q

Your IT Director instructed you to ensure that all of the AWS resources in your VPC don’t go beyond their respective service limits. You should prepare a system that provides you real-time guidance in provisioning your resources that adheres to the AWS best practices.

Which of the following is the MOST appropriate service to use to satisfy this task?

Answer

A

AWS Trusted Advisor

AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. It inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps.

Question 2

Q

What is Amazon Inspector?

Answer

A

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

Question 3

Q

You are a Solutions Architect working for a startup which is currently migrating their production environment to AWS. Your manager asked you to set up access to the AWS console using Identity Access Management (IAM). You have created 5 users for your system administrators using the AWS CLI.

What further steps do you need to take to enable your system administrators to get access to the AWS console?

Answer

A

Provide a password for each user created and give these passwords to your system administrators..

The AWS Management Console is the web interface used to manage your AWS resources using your web browser. To access this, your users should have a password that they can use to login to the web console.

Question 4

Q

You have EC2 instances running on your VPC. You have both UAT and production EC2 instances running. You want to ensure that employees who are responsible for the UAT instances don’t have the access to work on the production instances to minimize security risks. Which of the following would be the best way to achieve this?

Answer

A

Define the tags on the UAT and production servers and add a condition to the IAM policy which allows access to specific tags.

Question 5

Q

A leading e-commerce company is in need of a storage solution that can be accessed by 1000 Linux servers in multiple availability zones. The service should be able to handle the rapidly changing data at scale while still maintaining high performance. It should also be highly durable and highly available whenever the servers will pull data from it, with little need for management. As the Solutions Architect, which of the following services is the most cost-effective choice that you should use to meet the above requirement?

Answer

A

EFS

in this scenario, the keywords are rapidly changing data and 1000 Linux servers.

Amazon EFS is a file storage service for use with Amazon EC2. Amazon EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently-accessible storage for up to thousands of Amazon EC2 instances. EFS provides the same level of high availability and high scalability like S3 however, this service is more suitable for scenarios where it is required to have a POSIX-compatible file system or if you are storing rapidly changing data.

Question 6

Q

You are assigned to design a highly available architecture in AWS. You have two target groups with three EC2 instances each, which are added to an Application Load Balancer. In the security group of the EC2 instance, you have verified that the port 80 for HTTP is allowed. However, the instances are still showing out of service from the load balancer. What could be the root cause of this issue?

The wrong instance type was used for the EC2 instance
The instances are using the wrong AMI
The health check configuration is not properly defined
The wrong subnet was used in your VPC

Answer

A

The health check configuration is not properly defined

Question 7

Q

You are working as an IT Consultant for a large media company where you are tasked to design a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this S3 bucket to immediately receive over 2000 PUT requests and 3500 GET requests per second at peak hour. What should you do to ensure optimal performance?

Answer

A

Do nothing. Amazon S3 will automatically manage performance at this scale.

Amazon S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data, which can save significant processing time for no additional charge. Each S3 prefix can support these request rates, making it simple to increase performance significantly.

Question 8

Q

company which has both an on-premises data center as well as an AWS cloud infrastructure. They store their graphics, audios, videos, and other multimedia assets primarily in their on-premises storage server and use an S3 Standard storage class bucket as a backup. Their data are heavily used for only a week (7 days) but after that period, it will be infrequently used by their customers. You are instructed to save storage costs in AWS yet maintain the ability to fetch their media assets in a matter of minutes for a surprise annual data audit, which will be conducted both on-premises and on their cloud storage. Which of the following options should you implement to meet the above requirement? (Choose 2)

set af lifecycle policy in the bucket to transition to S3 - IA after 30 days
set a lifecycle policy in the bucket to transition the data to S3 - OneZone IA after one week (7 days)
set a lifecycle policy in the bucket to transition to S3 Glacier Deep Archive after one week (7 days)
set a lifecycle policy to transition to S3 - IA after one week (7 days)
set a lifecycle policy to transition to Glacier after one week (7 days)

Answer

A

set af lifecycle policy in the bucket to transition to S3 - IA after 30 days
- ⇒ Objects must be stored at least 30 days in S3 standard before you can transition them to S3 IA or S3 OneZone IA
set a lifecycle policy to transition to Glacier after one week (7 days)
- can retrieve data within minutes

Question 9

Q

You are setting up a cost-effective architecture for a log processing application which has frequently accessed, throughput-intensive workloads with large, sequential I/O operations. The application should be hosted in an already existing On-Demand EC2 instance in your VPC. You have to attach a new EBS volume that will be used by the application. Which of the following is the most suitable EBS volume type that you should use in this scenario?

Answer

A

EBS throughput optimized HDD (st1)

Throughput Optimized HDD (st1) volumes provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS. This volume type is a good fit for large, sequential workloads such as Amazon EMR, ETL, data warehouses, and log processing. Bootable st1 volumes are not supported.

Throughput Optimized HDD (st1) volumes, though similar to Cold HDD (sc1) volumes, are designed to support frequently accessed data. (Cold HDD for less frequently accessed workloads)

Question 10

Q

You have an existing On-demand EC2 instance and you are planning to create a new EBS volume that will be attached to this instance. The data that will be stored are confidential medical records so you have to make sure that the data is protected. How can you secure the data at rest of the new EBS volume that you will create?

Answer

A

Create an encrypted EBS volume by ticking the encryption tickbox and attach it to the instance

Question 11

Q

You created a new CloudFormation template that creates 4 EC2 instances and are connected to one Elastic Load Balancer (ELB). Which section of the template should you configure to get the Domain Name Server hostname of the ELB upon the creation of the AWS stack?

Answer

A

Outputs

Outputs is an optional section of the CloudFormation template that describes the values that are returned whenever you view your stack’s properties.

Question 12

Q

An On-Demand EC2 instance is launched into a VPC subnet with the Network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group has an inbound rule to allow SSH from any IP address and does not have any outbound rules. In this scenario, what are the changes needed to allow SSH connection to the instance?

Answer

A

The outbound network ACL needs to be modified to allow outbound traffic

In order for you to establish an SSH connection from your home computer to your EC2 instance, you need to do the following:

On the Security Group, add an Inbound Rule to allow SSH traffic to your EC2 instance.
On the NACL, add both an Inbound and Outbound Rule to allow SSH traffic to your EC2 instance.

Question 13

Q

An investment bank has a distributed batch processing application which is hosted in an Auto Scaling group of Spot EC2 instances with an SQS queue. You configured your components to use client-side buffering so that the calls made from the client will be buffered first and then sent as a batch request to SQS. What is a period of time during which the SQS queue prevents other consuming components from receiving and processing a message?

Answer

A

Visibility Timeout

Immediately after the message is received, it remains in the queue. To prevent other consumers from processing the message again, Amazon SQS sets a visibility timeout, a period of time during which Amazon SQS prevents other consumers from receiving and processing the message. The default visibility timeout for a message is 30 seconds. The maximum is 12 hours.

Question 14

Q

A web application is deployed in an On-Demand EC2 instance in your VPC. There is an issue with the application which requires you to connect to it via an SSH connection. Which of the following is needed in order to access an EC2 instance from the Internet? (Choose 3)

An Internet gateway
A Private IP address attached to the instance
A Public IP address attached to the instance
a Private Elastic IP address attached to the instance
A route entry to the internet gateway in the Route table of the VPC
a VPN peering connection

Answer

A

An Internet gateway
A Public IP address attached to the instance
A route entry to the internet gateway in the Route table of the VPC

Question 15

Q

An e-commerce application is using a fanout messaging pattern for its order management system. For every order, it sends an Amazon SNS message to an SNS topic, and the message is replicated and pushed to multiple Amazon SQS queues for parallel asynchronous processing. A Spot EC2 instance retrieves the message from each SQS queue and processes the message. There was an incident that while an EC2 instance is currently processing a message, the instance was abruptly terminated, and the processing was not completed in time. In this scenario, what happens to the SQS message?

Answer

A

when the message visibility timeout expires, the message becomes available for processing by other EC2 instances..

Because Amazon SQS is a distributed system, there’s no guarantee that the consumer actually receives the message (for example, due to a connectivity issue, or due to an issue in the consumer application). Thus, the consumer must delete the message from the queue after receiving and processing it.

Immediately after the message is received, it remains in the queue. To prevent other consumers from processing the message again, Amazon SQS sets a visibility timeout, a period of time during which Amazon SQS prevents other consumers from receiving and processing the message. The default visibility timeout for a message is 30 seconds. The maximum is 12 hour

Question 16

Q

What are Dead Letter Queues?

Answer

A

Amazon SQS supports dead-letter queues, which other queues (source queues) can target for messages that can’t be processed (consumed) successfully. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn’t succeed.

Question 17

Q

You just joined a large tech company with an existing Amazon VPC. When reviewing the Auto Scaling events, you noticed that their web application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?

Answer

A

Change the cooldown period of the Auto Scaling group and set the CloudWatch metric to a higher threshold….

Since the application is scaling up and down multiple times within the hour, the issue lies on the cooldown period of the Auto Scaling group.

The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect. After the Auto Scaling group dynamically scales using a simple scaling policy, it waits for the cooldown period to complete before resuming scaling activities.

When you manually scale your Auto Scaling group, the default is not to wait for the cooldown period, but you can override the default and honor the cooldown period. If an instance becomes unhealthy, the Auto Scaling group does not wait for the cooldown period to complete before replacing the unhealthy instance.

Question 18

Q

You are a working as a Solutions Architect for a fast-growing startup which just started operations during the past 3 months. They currently have an on-premises Active Directory and 10 computers. To save costs in procuring physical workstations, they decided to deploy virtual desktops for their new employees in a virtual private cloud in AWS. The new cloud infrastructure should leverage on the existing security controls in AWS but can still communicate with their on-premises network. Which set of AWS services will you use to meet these requirements?

AWS Directory Services, VPN connection and AWS IAM
AWS Directory Services, VPN Connection and Amazon workspace
AWS Directory Services, VPN Connection and ClassicLink
AWS Directory Services, VPN connection and S3

Answer

A

AWS Directory Services, VPN Connection and Amazon workspace

First, you need a VPN connection to connect the VPC and your on-premises network. Second, you need AWS Directory Services to integrate with your on-premises Active Directory and lastly, you need to use Amazon Workspace to create the needed virtual desktops in your VPC.

Question 19

Q

You are running an EC2 instance store-based instance. You shut it down and then start the instance. You noticed that the data which you have saved earlier is no longer available. What might be the cause of this?

Answer

A

the EC2 instance was using instance store volumes, which are ephemeral and ony live for the life of the instance

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

Question 20

Q

You are working for a top IT Consultancy that has a VPC with two On-Demand EC2 instances with Elastic IP addresses. You were notified that your EC2 instances are currently under SSH brute force attacks over the Internet. Their IT Security team has identified the IP addresses where these attacks originated. You have to immediately implement a temporary fix to stop these attacks while the team is setting up AWS WAF, GuardDuty, and AWS Shield Advanced to permanently fix the security vulnerability. Which of the following provides the quickest way to stop the attacks to your instances?

Answer

A

Block the IP addresses in the Network Access Control List

(Removing the Internet Gateway from the VPC is incorrect because doing this will also make your EC2 instance inaccessible to you as it will cut down the connection to the Internet.)

Question 21

Q

What is a static Anycast IP address for?

Answer

A

Assigning a static Anycast IP address to each EC2 instance is primarily used by AWS Global Accelerator to enable organizations to seamlessly route traffic to multiple regions and improve availability and performance for their end-users.

Question 22

Q

You have a web application hosted on a fleet of EC2 instances located in two Availability Zones that are all placed behind an Application Load Balancer. As a Solutions Architect, you have to add a health check configuration to ensure your application is highly-available. Which health checks will you implement?

Answer

A

HTTP or HTTPS health check

The type of ELB that is mentioned here is an Application Elastic Load Balancer. This is used if you want a flexible feature set for your web applications with HTTP and HTTPS traffic. Conversely, it only allows 2 types of health check: HTTP and HTTPS.

Question 23

Q

When is TCP health checks offered?

Answer

A

TCP health checks are only offered in Network Load Balancer. it is used if you need ultra-high performance.

Question 24

Q

You are implementing a hybrid architecture for your company where you are connecting their Amazon Virtual Private Cloud (VPC) to their on-premises network. Which of the following can be used to create a private connection between the VPC and your company’s on-premises network?

Answer

A

Direct Connect

Direct Connect creates a direct, private connection from your on-premises data center to AWS, letting you establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable.

Question 25

Q

You are consulted by a multimedia company that needs to deploy web services to an AWS region which they have never used before. The company currently has an IAM role for their Amazon EC2 instance which permits the instance to access Amazon DynamoDB. They want their EC2 instances in the new region to have the exact same privileges. What should you do to accomplish this?

Answer

A

Assign the existing IAM role to instances in the new region

In this scenario, the company has an existing IAM role hence you don’t need to create a new one. IAM roles are global service that are available to all regions hence, all you have to do is assign the existing IAM role to the instance in the new region.

Question 26

Q

A company has 10 TB of infrequently accessed financial data files that would need to be stored in AWS. These data would be accessed infrequently during specific weeks when they are retrieved for auditing purposes. The retrieval time is not strict as long as it does not exceed 24 hours. Which of the following would be a secure, durable, and cost-effective solution for this scenario?

upload the data directly to Amazon Glacier through the AWS Management console

upload the data to S3 and set a lifecycle policy to transition to Glacier after 0 days
upload the data to S3 and transition to S3 OneZone IA
upload the data to S3 and transition to S3 IA

Answer

A

upload the data to S3 and set a lifecycle policy to transition to Glacier after 0 days

Glacier has a management console which you can use to create and delete vaults. However, you cannot directly upload archives to Glacier by using the management console. To upload data, such as photos, videos, and other documents, you must either use the AWS CLI or write code to make requests, by using either the REST API directly or by using the AWS SDKs.

Question 27

Q

You are managing a global news website which has a very high traffic. To improve the performance, you redesigned the application architecture to use a Classic Load Balancer with an Auto Scaling Group in multiple Availability Zones. However, you noticed that one of the Availability Zones is not receiving any traffic. What is the root cause of this issue?

by default, you are not allowed to use a load balancer with multi-AZ. you have to send a request form to AWS in order for this to work
the AZ is not properly added to the load balancer which is why it is not receiving any traffic
auto scaling should be disable for the load balancer to route the traffic to multiple AZs
the classic load balancer is down

Answer

A

the AZ is not properly added to the load balancer which is why it is not receiving any traffic

In this scenario, one of the Availability Zones is not properly added to the Elastic load balancer. Hence, that Availability Zone is not receiving any traffic.

You can set up your load balancer in EC2-Classic to distribute incoming requests across EC2 instances in a single Availability Zone or multiple Availability Zones. First, launch EC2 instances in all the Availability Zones that you plan to use. Next, register these instances with your load balancer. Finally, add the Availability Zones to your load balancer. After you add an Availability Zone, the load balancer starts routing requests to the registered instances in that Availability Zone. Note that you can modify the Availability Zones for your load balancer at any time.

By default, the load balancer routes requests evenly across its Availability Zones. To route requests evenly across the registered instances in the Availability Zones, enable cross-zone load balancing.

Question 28

Q

You have a web application running on EC2 instances which processes sensitive financial information. All of the data are stored on an Amazon S3 bucket. The financial information is accessed by users over the Internet. The security team of the company is concerned that the Internet connectivity to Amazon S3 is a security risk. In this scenario, what will you do to resolve this security concern?

Answer

A

change the web architecture to access the financial data in your S3 bucket through a Gateway VPC endpoint..

Take note that your VPC lives within a larger AWS network and the services, such as S3, DynamoDB, RDS and many others, are located outside of your VPC, but still within the AWS network. By default, the connection that your VPC uses to connect to your S3 bucket or any other service traverses the public Internet via your Internet Gateway.

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

Question 29

Q

You are planning to migrate a MySQL database from your on-premises data center to your AWS Cloud. This database will be used by a legacy batch application which has steady-state workloads in the morning but has its peak load at night for the end-of-day processing. You need to choose an EBS volume which can handle a maximum of 450 GB of data and can also be used as the system boot volume for your EC2 instance. Which of the following is the most cost-effective storage type to use in this scenario?

Answer

A

Amazon EBS general purpose SSD (gp2)

The EBS volume that you should use has to handle a maximum of 450 GB of data and can also be used as the system boot volume for your EC2 instance. Since HDD volumes cannot be used as a bootable volume, we can narrow down our options by selecting SSD volumes. In addition, SSD volumes are more suitable for transactional database workloads

General Purpose: These volumes deliver single-digit millisecond latencies and the ability to burst to 3,000 IOPS for extended periods of time. Between a minimum of 100 IOPS (at 33.33 GiB and below) and a maximum of 10,000 IOPS (at 3,334 GiB and above), baseline performance scales linearly at 3 IOPS per GiB of volume size

Question 30

Q

Your company has a web-based ticketing service that utilizes Amazon SQS and a fleet of EC2 instances. The EC2 instances that consume messages from the SQS queue are configured to poll the queue as often as possible to keep end-to-end throughput as high as possible. You noticed that polling the queue in tight loops is using unnecessary CPU cycles, resulting in increased operational costs due to empty responses. In this scenario, what will you do to make the system more cost-effective?

Answer

A

Configure the SQS to use long polling by setting the ReceiveMessageWaitTimeSeconds to a number greater than zero

The ReceiveMessageWaitTimeSeconds is the queue attribute that determines whether you are using Short or Long polling. By default, its value is zero which means it is using Short polling. If it is set to a value greater than zero, then it is Long polling.

Question 31

Q

A health organization is using a large Dedicated EC2 instance with multiple EBS volumes to host its health records web application. The EBS volumes must be encrypted due to the confidentiality of the data that they are handling and also to comply with the HIPAA (Health Insurance Portability and Accountability Act) standard. In EBS encryption, what service does AWS use to secure the volume’s data at rest? (Choose 2)

by using Amazon-managed keys in AWS KMS
by using a password stored in CloudHSM
by using your own keys in AWS KMS
by using the SSL certificates provided by the AWS Certificate Manager
by using S3 client-side encryption
by using S3 server-side encryption

Answer

A

the correct answers are: using your own keys in AWS Key Management Service (KMS) and using Amazon-managed keys in AWS Key Management Service (KMS).

Amazon EBS encryption offers seamless encryption of EBS data volumes, boot volumes, and snapshots, eliminating the need to build and maintain a secure key management infrastructure. EBS encryption enables data at rest security by encrypting your data using Amazon-managed keys, or keys you create and manage using the AWS Key Management Service (KMS).

(using S3 server-side or client-side encryption relates only to S3)

Question 32

Q

A Solutions Architect is migrating several Windows-based applications to AWS that require a scalable file system storage for high-performance computing (HPC). The storage service must have full support for the SMB protocol and Windows NTFS, Active Directory (AD) integration, and Distributed File System (DFS). Which of the following is the MOST suitable storage service that the Architect should use to fulfill this scenario?

Answer

A

Amazon FSx for Windows File Server

Amazon FSx provides fully managed third-party file systems. Amazon FSx provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). You don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads.

(Amazon FSx for Lustre is incorrect because this service doesn’t support the Windows-based applications as well as Windows servers.)

Amazon FSx for Windows File Server

Amazon FSx provides fully managed third-party file systems. Amazon FSx provides you with the native compatibility of third-party file systems with feature sets for workloads such as Windows-based storage, high-performance computing (HPC), machine learning, and electronic design automation (EDA). You don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. Amazon FSx integrates the file systems with cloud-native AWS services, making them even more useful for a broader set of workloads.

(Amazon FSx for Lustre is incorrect because this service doesn’t support the Windows-based applications as well as Windows servers.)

Question 33

Q

The social media company that you are working for needs to capture the detailed information of all HTTP requests that went through their public-facing application load balancer every five minutes. They want to use this data for analyzing traffic patterns and for troubleshooting their web applications in AWS. Which of the following options meet the customer requirements?

Answer

A

enables access logs on the application load balancer

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

Question 34

Q

A company is planning to launch a High Performance Computing (HPC) cluster in AWS that does Computational Fluid Dynamics (CFD) simulations. The solution should scale-out their simulation jobs to experiment with more tunable parameters for faster and more accurate results. The cluster is composed of Windows servers hosted on t3a.medium EC2 instances. As the Solutions Architect, you should ensure that the architecture provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. Which is the MOST suitable and cost-effective solution that the Architect should implement to achieve the above requirements?

Answer

A

enable Enhanced Networking with Elastic Network Adapter (ENA) on the windows EC2 instance..

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking.

Amazon EC2 provides enhanced networking capabilities through the Elastic Network Adapter (ENA). It supports network speeds of up to 100 Gbps for supported instance types. Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking.

An Elastic Fabric Adapter (EFA) is simply an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with additional OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality.

The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities.

Hence, the correct answer is to enable Enhanced Networking with Elastic Network Adapter (ENA) on the Windows EC2 Instances.

Question 35

Q

You are working for a large financial company. In their enterprise application, they want to apply a group of database-specific settings to their Relational Database Instances.

Which of the following options can be used to easily apply the settings in one go for all of the Relational database instances?

Answer

A

Parameter Groups

You manage your DB engine configuration through the use of parameters in a DB parameter group. DB parameter groups act as a container for engine configuration values that are applied to one or more DB instances.

Question 36

Q

A Junior DevOps Engineer deployed a large EBS-backed EC2 instance to host a NodeJS web app in AWS which was developed by an IT contractor. He properly configured the security group and used a key pair named “tutorialsdojokey” which has a tutorialsdojokey.pem private key file. The EC2 instance works as expected and the junior DevOps engineer can connect to it using an SSH connection. The IT contractor was also given the key pair and he has made various changes in the instance as well to the files located in .ssh folder to make the NodeJS app work. After a few weeks, the IT contractor and the junior DevOps engineer cannot connect the EC2 instance anymore, even with a valid private key file. They are constantly getting a “Server refused our key” error even though their private key is valid.

In this scenario, which one of the following options is not a possible reason for this issue?

the SSH private key that you are using has a file permission of 0777
you don’t have permissions for the .ssh file
you’re using an SSH private key but the corresponding public is not the authorized_keys file
you don’t have permissions for your authorized_keys file

Answer

A

All of the options here are correct except for the option that says: The SSH private key that you are using has a file permission of 0777 because if the private key that you are using has a file permission of 0777, then it will throw an “Unprotected Private Key File” error and not a “Server refused our key” error.

You might be unable to log into an EC2 instance if:

You’re using an SSH private key but the corresponding public key is not in the authorized_keys file.
You don’t have permissions for your authorized_keys file.
You don’t have permissions for the .ssh folder.
Your authorized_keys file or .ssh folder isn’t named correctly.
Your authorized_keys file or .ssh folder was deleted.
Your instance was launched without a key, or it was launched with an incorrect key.

Question 37

Q

You have just launched a new API Gateway service which uses AWS Lambda as a serverless computing service. In what type of protocol will your API endpoint be exposed?

Answer

A

HTTPS

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only (unencrypted, HTTP endpoints are not supported)

Question 38

Q

In a startup company you are working for, you are asked to design a web application that requires a NoSQL database that has no limit on the storage size for a given table. The startup is still new in the market and it has very limited human resources who can take care of the database infrastructure.

Which is the most suitable service that you can implement that provides a fully managed, scalable and highly available NoSQL service?

Question 39

Q

Your manager instructed you to use Route 53 instead of an ELB to load balance the incoming request to your web application. The system is deployed to two EC2 instances to which the traffic needs to be distributed to. You want to set a specific percentage of traffic to go to each instance. Which routing policy would you use?

Answer

A

Weighted

Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes including load balancing and testing new versions of software. You can set a specific percentage of how much traffic will be allocated to the resource by specifying the weights.

Question 40

Q

The start-up company that you are working for has a batch job application that is currently hosted on an EC2 instance. It is set to process messages from a queue created in SQS with default settings. You configured the application to process the messages once a week. After 2 weeks, you noticed that not all messages are being processed by the application. What is the root cause of this issue?

Answer

A

Amazon SQS has automatically deleted the messages that have been in a queue for more than the maximum message retention period…

Amazon SQS automatically deletes messages that have been in a queue for more than the maximum message retention period. The default message retention period is 4 days. Since the queue is configured to the default settings and the batch job application only processes the messages once a week, the messages that are in the queue for more than 4 days are deleted. This is the root cause of the issue.

To fix this, you can increase the message retention period to a maximum of 14 days using the SetQueueAttributes action.

Question 41

Q

An application is hosted in an On-Demand EC2 instance and is using Amazon SDK to communicate to other AWS services such as S3, DynamoDB, and many others. As part of the upcoming IT audit, you need to ensure that all API calls to your AWS resources are logged and durably stored. Which is the most suitable service that you should use to meet this requirement?

Answer

A

AWS CloudTrail

AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.

Question 42

Q

A client is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The client also uses Amazon Route 53 to manage their public DNS. How should the client configure the DNS zone apex record to point to the load balancer?

Create an alias for CNAME record to the load balancer DNS name
create a CNAME record pointing to the load balancer DNS name
Create an A record pointing to the IP address of the load balancer
Create an A record aliased to the load balancer DNS name

Answer

A

Create an A record aliased to the load balancer DNS name

Additionally, Route 53 supports the alias resource record set, which lets you map your zone apex (e.g. tutorialsdojo.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route 53 responds to each request for an Alias resource record set with one IP address for the load balancer.

Question 43

Q

A website is running on an Auto Scaling group of On-Demand EC2 instances which are abruptly getting terminated from time to time. To automate the monitoring process, you started to create a simple script which uses the AWS CLI to find the root cause of this issue. Which of the following is the most suitable command to use?

aws ec2 describe-images
aws ec2 get-console-screenshot
aws ec2 describe-volume-status
aws ec2 describe-instances

Answer

A

aws ec2 describe-instances….

The describe-instances command shows the status of the EC2 instances including the recently terminated instances. It also returns a StateReason of why the instance was terminated.

Question 44

Q

A news company is planning to use a Hardware Security Module (CloudHSM) in AWS for secure key storage of their web applications. You have launched the CloudHSM cluster but after just a few hours, a support staff mistakenly attempted to log in as the administrator three times using an invalid password in the Hardware Security Module. This has caused the HSM to be zeroized, which means that the encryption keys on it have been wiped. Unfortunately, you did not have a copy of the keys stored anywhere else.

How can you obtain a new copy of the keys that you have stored on Hardware Security Module?

Answer

A

the keys are lost permanently if you did not have a copy

Attempting to log in as the administrator more than twice with the wrong password zeroizes your HSM appliance. When an HSM is zeroized, all keys, certificates, and other data on the HSM is destroyed. You can use your cluster’s security group to prevent an unauthenticated user from zeroizing your HSM.

Amazon does not have access to your keys nor to the credentials of your Hardware Security Module (HSM) and therefore has no way to recover your keys if you lose your credentials. Amazon strongly recommends that you use two or more HSMs in separate Availability Zones in any production CloudHSM Cluster to avoid loss of cryptographic keys.

Question 45

Q

You recently launched a fleet of on-demand EC2 instances to host a massively multiplayer online role-playing game (MMORPG) server in your VPC. The EC2 instances are configured with Auto Scaling and AWS Systems Manager. What can you use to configure your EC2 instances without having to establish a RDP or SSH connection to each instance?

Answer

A

Run Command…

You can use Run Command from the console to configure instances without having to login to each instance.

Question 46

Q

You are working for a data analytics startup that collects clickstream data and stores them in an S3 bucket. You need to launch an AWS Lambda function to trigger your ETL jobs to run as soon as new data becomes available in Amazon S3. Which of the following services can you use as an extract, transform, and load (ETL) service in this scenario?

Answer

A

AWS Glue

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog.

Question 47

Q

A financial analytics application that collects, processes and analyzes stock data in real-time is using Kinesis Data Streams. The producers continually push data to Kinesis Data Streams while the consumers process the data in real time. In Amazon Kinesis, where can the consumers store their results? (Choose 2)

Answer

A

S3
Redshift

Consumers (such as a custom application running on Amazon EC2, or an Amazon Kinesis Data Firehose delivery stream) can store their results using an AWS service such as Amazon DynamoDB, Amazon Redshift, or Amazon S3.

Question 48

Q

A leading bank has an application that is hosted on an Auto Scaling group of EBS-backed EC2 instances. As the Solutions Architect, you need to provide the ability to fully restore the data stored in their EBS volumes by using EBS snapshots. Which of the following approaches provide the lowest cost for Amazon Elastic Block Store snapshots?

just maintain a single snapshot of the BS volume since the latest snapshot is both incremental and complete
maintain a volume snapshot, subsequent snapshots will overwrite one another
maintain two snapshots, the original snapshot and the latest incremental snapshot
maintain the most current snapshot and then archive the original and incremental snapshots to Glacier
*

Answer

A

just maintain a single snapshot of the BS volume since the latest snapshot is both incremental and complete

Question 49

Q

You recently launched a news website which is expected to be visited by millions of people around the world. You chose to deploy the website in AWS to take advantage of its extensive range of cloud services and global infrastructure. Aside from AWS Region and Availability Zones, which of the following is part of the AWS Global Infrastructure that is used for content distribution?

Answer

A

Edge Locations

Question 50

Q

An application is hosted on an EC2 instance with multiple EBS Volumes attached and uses Amazon Neptune as its database. To improve data security, you encrypted all of the EBS volumes attached to the instance to protect the confidential data stored in the volumes. Which of the following statements are true about encrypted Amazon Elastic Block Store volumes? (Choose 2)

all data moving between the volume and the instance are encrypted
snapshots are not automatically encrypted
snapshots are automatically encrypted
only the data in the volume is encrypted and not all the data moving between the volume and the instance
the volumes created from the encrypted snapshots are not encrypted

Answer

A

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
All volumes created from those snapshots

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt both the boot and data volumes of an EC2 instance.

Question 51

Q

You are working as a Solutions Architect for a multinational IT consultancy company where you are managing an application hosted in an Auto Scaling group of EC2 instances which stores data in an S3 bucket. You must ensure that the data are encrypted at rest using an encryption key that is both provided and managed by the company. This change should also provide AES-256 encryption to their data to comply with the strict security policy of the company. Which of the following actions should you implement to achieve this? (Choose 2)

implement S3 server-side encryption with AWS KMS
encrypt the data on the client-side before sending to S3 using their own master key
implement S3 server-side encryption with customer-provided keys (SSE-C)
use SSL to encrypt the data while in transit to S3
implement s3 server-side encryption with Amazon managed encryption keys

Answer

A

encrypt data on the client-side before sending to S3 using their own master key + implement s3 server-side encryption with customer-provided keys (SSE-C)

(using SSL to encrypt the data while in transit to S3 is incorrect because the requirement is to only secure the data at rest and not data in transit)

Question 52

Q

A company has recently adopted a hybrid cloud architecture and is planning to migrate a database hosted on-premises to AWS. The database currently has over 12 TB of consumer data, handles highly transactional (OLTP) workloads, and is expected to grow exponentially. The Solutions Architect should ensure that the database is ACID-compliant and can handle complex queries of the application. Which type of database service should the Architect use?

Answer

A

Amazon Aurora…..

!=Amazon Redshift is incorrect because this is primarily used for OLAP applications and not for OLTP. Moreover, it doesn’t scale automatically to handle the exponential growth of the database.

!=Amazon DynamoDB is incorrect because although you can use this to have an ACID-compliant database, it is not capable of handling complex queries and highly transactional (OLTP) workloads.

!=Amazon RDS is incorrect because although it is an ACID-compliant relational database that can handle complex queries and transactional (OLTP) workloads, it is not scalable to handle the growth of the database. Amazon Aurora is the better choice as its underlying storage can grow automatically as needed.

Question 53

Q

What is AWS Database Migration Service for?

Answer

A

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from most widely used commercial and open-source databases.

Question 54

Q

What is Amazon Neptune?

Answer

A

Amazon Neptune is a fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Question 55

Q

A financial company wants to store their data in Amazon S3 but at the same time, they want to store their frequently accessed data locally on their on-premises server. This is due to the fact that they do not have the option to extend their on-premises storage, which is why they are looking for a durable and scalable storage service to use in AWS. What is the best solution for this scenario?

Answer

A

Use Storage Gateway - Cached Volumes

By using Cached volumes, you store your data in Amazon Simple Storage Service (Amazon S3) and retain a copy of frequently accessed data subsets locally in your on-premises network. Cached volumes offer substantial cost savings on primary storage and minimize the need to scale your storage on-premises. You also retain low-latency access to your frequently accessed data. This is the best solution for this scenario.

Question 56

Q

A loan processing application is hosted in a single On-Demand EC2 instance in your VPC. To improve the scalability of your application, you have to use Auto Scaling to automatically add new EC2 instances to handle a surge of incoming requests. Which of the following items should be done in order to add an existing EC2 instance to an Auto Scaling group? (Choose 2)

the instance is launched into one of the AZs defined in your Auto Scaling Group
you must stop the instance first
you have to ensure that the AMI used to launch the instance no longer exists
you have to ensure that the AMI used to launch the instance still exists
you have to ensure that the instance is in a different AZ as the Auto Scaling group

Answer

A

The instance that you want to attach must meet the following criteria:

The instance is in the running state.
The AMI used to launch the instance must still exist.
The instance is not a member of another Auto Scaling group.
The instance is launched into one of the Availability Zones defined in your Auto Scaling group.
If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.

Question 57

Q

A local bank has an in-house application which handles sensitive financial data in a private subnet. After the data is processed by the EC2 worker instances, they will be delivered to S3 for ingestion by other services. How should you design this solution so that the data does not pass through the public Internet?

Answer

A

Configure a VPC Gateway Endpoint along with a corresponding route entry that directs the data to S3

The important concept that you have to understand in the scenario is that your VPC and your S3 bucket are located within the larger AWS network. However, the traffic coming from your VPC to your S3 bucket is traversing the public Internet by default. To better protect your data in transit, you can set up a VPC endpoint so the incoming traffic from your VPC will not pass through the public Internet, but instead through the private AWS network.

Question 58

Q

You are an IT Consultant for a top investment bank which is in the process of building its new Forex trading platform. To ensure high availability and scalability, you designed the trading platform to use an Elastic Load Balancer in front of an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones. For its database tier, you chose to use a single Amazon Aurora instance to take advantage of its distributed, fault-tolerant and self-healing storage system. In the event of system failure on the primary database instance, what happens to Amazon Aurora during the failover?

Answer

A

Aurora will first attempt to create a new DB instance in the same AZ as the original instance. If unable to do so, Aurora will attempt to create a new DB instance in a different AZ.

= If you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

(The options that say: Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary and Amazon Aurora flips the A record of your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary are incorrect because this will only happen if you are using an Amazon Aurora Replica. In addition, Amazon Aurora flips the canonical name record (CNAME) and not the A record (IP address) of the instance.)

Question 59

Q

You are designing an online banking application which needs to have a distributed session data management. Currently, the application is hosted on an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones with a Classic Load Balancer that distributes the load. Which of the following options should you do to satisfy the given requirement?

Answer

A

Use Amazon ElastiCache

In this question, the keyword is distributed session data management. In AWS, you can use Amazon ElastiCache which offers fully managed Redis and Memcached service to manage and store session data for your web applications.

Question 60

Q

A data analytics company keeps a massive volume of data which they store in their on-premises data center. To scale their storage systems, they are looking for cloud-backed storage volumes that they can mount using Internet Small Computer System Interface (iSCSI) devices from their on-premises application servers. They have an on-site data analytics application which frequently access the latest data subsets locally while the older data are rarely accessed. You are required to minimize the need to scale the on-premises storage infrastructure while still providing their web application with low-latency access to the data. Which type of AWS Storage Gateway service will you use to meet the above requirements?

Answer

A

Cached Volume Gateway

In this scenario, the technology company is looking for a storage service that will enable their analytics application to frequently access the latest data subsets and not the entire data set because it was mentioned that the old data are rarely being used. This requirement can be fulfilled by setting up a Cached Volume Gateway in AWS Storage Gateway.

Question 61

Q

You are working as a Solutions Architect for a leading technology company where you are instructed to troubleshoot the operational issues of your cloud architecture by logging the AWS API call history of your AWS resources. You need to quickly identify the most recent changes made to resources in your environment, including creation, modification, and deletion of AWS resources. One of the requirements is that the generated log files should be encrypted to avoid any security issues. Which of the following is the most suitable approach to implement the encryption?

Answer

A

Use CloudTrail with its default settings…

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

Question 62

Q

You are building a prototype for a cryptocurrency news website of a small startup. The website will be deployed to a Spot EC2 Linux instance and will use Amazon Aurora as its database. You requested a spot instance at a maximum price of $0.04/hr which has been fulfilled immediately and after 90 minutes, the spot price increases to $0.06/hr and then your instance was terminated by AWS. In this scenario, what would be the total cost of running your spot instance?

Answer

A

$0.06

Since the Spot instance has been running for more than an hour, which is past the first instance hour, this means that you will be charged from the time it was launched till the time it was terminated by AWS. The computation for your 90 minute usage would be $0.04 (60 minutes) + $0.02 (30 minutes) = $0.06 hence, the correct answer is $0.06.

Question 63

Q

How will I be charged if my Spot instance is interrupted?

Answer

A

If your Spot instance is terminated or stopped by Amazon EC2 in the first instance hour, you will not be charged for that usage. However, if you terminate the instance yourself, you will be charged to the nearest second. If the Spot instance is terminated or stopped by Amazon EC2 in any subsequent hour, you will be charged for your usage to the nearest second. If you are running on Windows and you terminate the instance yourself, you will be charged for an entire hour.

Question 64

Q

You are setting up a configuration management in your existing cloud architecture where you have to deploy and manage your EC2 instances including the other AWS resources using Chef and Puppet. Which of the following is the most suitable service to use in this scenario?

Answer

A

AWS OpsWorks

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

Answer 64

A

Amazon S3 IA

In this scenario, the requirement is to have a storage option that is cost-effective and has the ability to access or retrieve the archived data immediately. The cost-effective options are Amazon Glacier Deep Archive and Amazon S3 Standard- Infrequent Access (Standard - IA). However, the former option is not designed for rapid retrieval of data which is required for the surprise audit.

Answer 65

A

The EBS volume can be used while the snapshot is in progress…

Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed.

While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume hence, you can still use the EBS volume normally.

Answer 66

A

Step Scaling

Amazon EC2 Auto Scaling supports the following types of scaling policies:

Target tracking scaling - Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest.

Step scaling - Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.

Simple scaling - Increase or decrease the current capacity of the group based on a single scaling adjustment.

If you are scaling based on a utilization metric that increases or decreases proportionally to the number of instances in an Auto Scaling group, then it is recommended that you use target tracking scaling policies. Otherwise, it is better to use step scaling policies instead.

Answer 67

A

SQS polling from an EC2 instance using IAM user credentials

For decoupled applications, it is best to use SWF and SQS which are both available in all options. Note that this question asks you for the option that you would LEAST likely to recommend.

SQS polling from an EC2 instance using IAM user credentials is not the recommended way to do so. It should use an IAM role instead.

Answer 68

A

In this scenario, enabling IAM cross-account access for all corporate IT administrators in each child account and using AWS Consolidated Billing by creating AWS Organizations to link the divisions’ accounts to a parent corporate account are the correct choices. The combined use of IAM and Consolidated Billing will support the autonomy of each corporate division while enabling corporate IT to maintain governance and cost oversight.

Answer 69

A

CloudWatch Logs agent

The CloudWatch Logs agent provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. The agent is comprised of the following components: A plug-in to the AWS CLI that pushes log data to CloudWatch Logs.

Answer 70

A

in order to use Cross-Region Replication feature in S3, you need to first enable versioning on the bucket

To enable the cross-region replication feature in S3, the following items should be met:

The source and destination buckets must have versioning enabled.
The source and destination buckets must be in different AWS Regions.
Amazon S3 must have permissions to replicate objects from that source bucket to the destination bucket on your behalf.

Answer 71

A

First, create a snapshot of the EBS volume. Afterwards, create a volume using thr snapshot in the other AZ.

Answer 72

A

EFS

In this question, you should take note of this phrase: “allows concurrent connections from multiple EC2 instances”. There are various AWS storage options that you can choose but whenever these criteria show up, always consider using EFS instead of using EBS Volumes which is mainly used as a “block” storage and can only have one connection to one EC2 instance at a time.

Answer 73

A

create a virtual overlay network on the OS level of the instance

Creating a virtual overlay network running on the OS level of the instance is correct because overlay multicast is a method of building IP level multicast across a network fabric supporting unicast IP routing, such as Amazon Virtual Private Cloud (Amazon VPC).

(Amazon VPC does not support multicast or broadcast networking)

Answer 74

A

ElastiCache in-memory caching

For sub-millisecond latency caching, ElastiCache is the best choice.

(Multi-master DynamoDB and Multi-AZ RDS are incorrect because although you can use DynamoDB and RDS for storing session state, these two are not the best choices in terms of cost-effectiveness and performance when compared to ElastiCache. There is a significant difference in terms of latency if you used DynamoDB and RDS when you store the session data.)

Answer 75

A

create a set of Access Keys for the user and attach the necessary permissions

You can choose the credentials that are right for your IAM user. When you use the AWS Management Console to create a user, you must choose to at least include a console password or access keys. By default, a brand new IAM user created using the AWS CLI or AWS API has no credentials of any kind. You must create the type of credentials for an IAM user based on the needs of your user. + Assigning an IAM Policy to the user to allow it to send API calls is incorrect because adding a new IAM policy to the new user will not grant the needed Access Keys needed to make API calls to the AWS resources.

Answer 76

A

By default, data records in Kinesis are only accessible for 24 hours from the time they are added to a stream

Answer 77

A

$0.00

If your Spot instance is terminated or stopped by Amazon EC2 in the first instance hour, you will not be charged for that usage. However, if you terminate the instance yourself, you will be charged to the nearest second.

If the Spot instance is terminated or stopped by Amazon EC2 in any subsequent hour, you will be charged for your usage to the nearest second. If you are running on Windows and you terminate the instance yourself, you will be charged for an entire hour.

Answer 78

A

Using MyISAM as the storage engine for MySQL is not recommended. The recommended storage engine for MySQL is InnoDB and not MyISAM.

Answer 79

A

use Scheduled Reserved instances, which compute capacity that is always on the specified recurring schedule

Scheduled Reserved Instances (Scheduled Instances) enable you to purchase capacity reservations that recur on a daily, weekly, or monthly basis, with a specified start time and duration, for a one-year term.

Answer 80

A

it makes the database fault-tolerant to an AZ failure
increased database availability in the case of system upgrades like OS patching or DB instance scaling

Answer 81

A

stop and restart the instances in the Placement Group and then try the launch again

The option that says: Stop and restart the instances in the Placement Group and then try the launch again is correct because you can resolve this issue just by launching again. If the instances are stopped and restarted, AWS may move the instances to a hardware that has capacity for all the requested instances.

Answer 82

A

Sticky sessions

By default, a Classic Load Balancer routes each request independently to the registered instance with the smallest load. However, you can use the sticky session feature (also known as session affinity), which enables the load balancer to bind a user’s session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.

Answer 83

A

consider not using a multi-AZ RDS deployment for the development and test data

One thing that you should notice here is that the company is using Multi-AZ databases in all of their environments, including their development and test environment. This is costly and unnecessary as these two environments are not critical. It is better to use Multi-AZ for production environments to reduce costs, which is why the option that says: Consider not using a Multi-AZ RDS deployment for the development and test database is the correct answer.

Answer 84

A

You can create a snapshot of the instance to save its data and then sell the instance to the Reserved Instance Marketplace.

Answer 85

A

Create a role in IAM. Afterwards, assign this role to a new EC2 instance.

The best option is to create a role in IAM. Afterwards, assign this role to a new EC2 instance. Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances.

(storing your API credentials in S3 Glacier is incorrect as S3 Glacier is used for data archives and not for managing API credentials)

Answer 86

A

AWS elastic beanstalk

Elastic Beanstalk supports the deployment of web applications from Docker containers. With Docker containers, you can define your own runtime environment. You can choose your own platform, programming language, and any application dependencies (such as package managers or tools), that aren’t supported by other platforms. Docker containers are self-contained and include all the configuration information and software your web application requires to run.

Answer 87

A

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet

Answer 88

A

CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions. It allows you to rapidly release new features, update Lambda function versions, avoid downtime during application deployment, and handle the complexity of updating your applications, without many of the risks associated with error-prone manual deployments.

Answer 89

A

Use deployment groups in CodeDeploy to automate code deployments in a consistent manner.

Answer 90

A

Launch an Auto-scaling group of EC2 instances to host your application services and an SQS queue. Include an Auto Scaling trigger to watch the SQS queue size which will either scale in or out the number of EC2 instances based on the queue

There are three main parts in a distributed messaging system: the components of your distributed system which can be hosted on EC2 instance; your queue (distributed on Amazon SQS servers); and the messages in the queue.

To improve the scalability of your distributed system, you can add Auto Scaling group to your EC2 instances.

Answer 91

A

Direct Connect + IPsec VPN Connection

You can connect your VPC to remote networks by using a VPN connection which can be Direct Connect, IPsec VPN connection, AWS VPN CloudHub, or a third party software VPN appliance. Hence, IPsec VPN connection and AWS Direct Connect are the correct answers.

(Amazon Connect is incorrect because this is not a VPN connectivity option. It is actually a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost. Amazon Connect is based on the same contact center technology used by Amazon customer service associates around the world to power millions of customer conversations.)

Answer 92

A

It is actually a self-service, cloud-based contact center service in AWS that makes it easy for any business to deliver better customer service at a lower cost. Amazon Connect is based on the same contact center technology used by Amazon customer service associates around the world to power millions of customer conversations.)

(Amazon Connect is NOT a VPN connectivity option unlike Direct Connect.)

Answer 93

A

use AWS Organizations and Service Control Policies to control services on each account

AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. It allows you to create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts.

(The option that says: Connect all departments by setting up a cross-account access to each of the AWS accounts of the company. Create and attach IAM policies to your resources based on their respective departments to control access is incorrect because although you can set up cross-account access to each department, this entails a lot of configuration compared with using AWS Organizations and Service Control Policies (SCPs). Cross-account access would be a more suitable choice if you only have two accounts to manage, but not for multiple accounts.)

Answer 94

A

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. There is no additional charge for using enhanced networking.

when you need consistently lower inter-instance latencies
when you need a higher packet-per-second performance

Answer 95

A

Launch the instances in the AWS VPC

In EC2-Classic, your EC2 instance receives a private IPv4 address from the EC2-Classic range each time it’s started. In EC2-VPC on the other hand, your EC2 instance receives a static private IPv4 address from the address range of your default VPC. Hence, the correct answer is launching the instances in the Amazon Virtual Private Cloud (VPC) and not launching the instances in EC2-Classic

Answer 96

A

Amazon Route 53’s DNS services does not support DNSSEC at this time. However, their domain name registration service supports configuration of signed DNSSEC keys for domains when DNS service is configured at another provider.

AWS Route 53 currently supports:

-A (address record)
-AAAA (IPv6 address record)
-CNAME (canonical name record)
-CAA (certification authority authorization)
-MX (mail exchange record)
-NAPTR (name authority pointer record)
-NS (name server record)
-PTR (pointer record)
-SOA (start of authority record)
-SPF (sender policy framework)
-SRV (service locator)
-TXT (text record)

Answer 97

A

Use Multi-AZ deployment! (this is the best you can do)

next, Create Amazon Aurora Replicas (For most use cases, including read scaling and high availability, it is recommended using Amazon Aurora Replicas)

Answer 98

A

AWS hosts a variety of public datasets that anyone can access for free.

Answer 99

A

Immediately

The correct answer is Immediately. Changes made in a security group are immediately implemented. There is no need to wait for some amount of time for propagation nor reboot any instances for your changes to take effect.

Answer 100

A

Increase the number of shards of the Kinesis stream by using the “UpdateShardCount” command

Amazon Kinesis Data Streams supports resharding, which lets you adjust the number of shards in your stream to adapt to changes in the rate of data flow through the stream.

There are two types of resharding operations: shard split and shard merge. In a shard split, you divide a single shard into two shards. In a shard merge, you combine two shards into a single shard. Splitting increases the number of shards in your stream and therefore increases the data capacity of the stream. Because you are charged on a per-shard basis, splitting increases the cost of your stream. Similarly, merging reduces the number of shards in your stream and therefore decreases the data capacity—and cost—of the stream.

Answer 101

A

Inter-Region VPC Peering

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

Answer 102

A

Use Route 42 latency based routing to distribute the load to the multiple EC2 instances across all AWS regions

Answer 103

A

simply a service that provides a fast way to move large amounts of data online between on-premises storage and Amazon S3 or Amazon EFS.

Answer 104

A

Web Identity Federation

With web identity federation, you don’t need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure because you don’t have to embed and distribute long-term security credentials with your application.

Answer 105

A

Remove the stored access keys in the AMI. Create a new IAM role with permissions to access the DynamoDB table and assign it to the EC2 instances…

You should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use an IAM role, you don’t have to distribute long-term credentials (such as a user name and password or access keys) to an EC2 instance.

Answer 106

A

User Data

When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can write and run scripts that install new packages, software, or tools in your instance when it is launched.

Answer 107

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWSresources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Answer 108

A

Storage Optimized Instances

Storage Optimized Instances is the correct answer. Storage optimized instances are designed for workloads that require high, sequential read and write access to very large data sets on local storage. They are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications.

Answer 109

A

Memory Optimized Instances are designed to deliver fast performance for workloads that process large data sets in memory, which is quite different from handling high read and write capacity on local storage (as Storage Optimized)

Answer 110

A

Compute Optimized Instances are ideal for compute-bound applications that benefit from high-performance processors, such as batch processing workloads and media transcoding.

Answer 111

A

HTTP 200 result code and MD5 checksum

If you triggered an S3 API call and got HTTP 200 result code and MD5 checksum, then it is considered as a successful upload. The S3 API will return an error code in case the upload is unsuccessful.

Answer 112

A

Egress-only Internet gateway

An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.

Take note that an egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, use a NAT gateway instead.

Answer 113

A

NAT Gateway

(Egress-Only Internet Gateway is incorrect because this is primarily used for VPCs that use IPv6 to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances, just like what NAT Instance and NAT Gateway do. The scenario explicitly says that the EC2 instances are using IPv4 addresses which is why Egress-only Internet gateway is invalid, even though it can provide the required high availability.)

Answer 114

A

set up an RDS database and enable the IAM DB Authentication

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don’t need to use a password when you connect to a DB instance. Instead, you use an authentication token.

Answer 115

A

there is no cost if the instance is running and it has only one associated EIP

An Elastic IP address doesn’t incur charges as long as the following conditions are true:

-The Elastic IP address is associated with an Amazon EC2 instance.
-The instance associated with the Elastic IP address is running.
-The instance has only one Elastic IP address attached to it.

Answer 116

A

use path conditions to define rules that forward request to different target groups based on the URL in the request

You can use path conditions to define rules that forward requests to different target groups based on the URL in the request (also known as path-based routing). This type of routing is the most appropriate solution for this scenario

OBS… only Application Load Balancer supports path-based routing

Answer 117

A

In this scenario, the main culprit is that the Cache-Control max-age directive is set to a low value, which is why the request is always directed to your origin server. Hence the correct answer is the option that says: The Cache-Control max-age directive is set to zero.

The Cache-Control and Expires headers control how long objects stay in the cache. The Cache-Control max-age directive lets you specify how long (in seconds) you want an object to remain in the cache before CloudFront gets the object again from the origin server. The minimum expiration time CloudFront supports is 0 seconds for web distributions and 3600 seconds for RTMP distributions.

Answer 118

A

Amazon FSx for Lustre

For compute-intensive and fast processing workloads, like high-performance computing (HPC), machine learning, EDA, and media processing, Amazon FSx for Lustre, provides a file system that’s optimized for performance, with input and output stored on Amazon S3.

Answer 119

A

Use AWS Lambda and Amazon API Gateway

The best possible answer here is to use Lambda and API Gateway because this solution is both scalable and cost-effective. You will only be charged when you use your Lambda function, unlike having an EC2 instance which always runs even though you don’t use it.

Answer 120

A

Cross-Zone Load Balancing

Answer 121

A

set up the security group of the database tier to allow database traffic from the security of the application servers.

In the scenario, the servers of the application-tier are in an Auto Scaling group which means that the number of EC2 instances could grow or shrink over time. An Auto Scaling group could also cover one or more Availability Zones (AZ) which have their own subnets. Hence, the most suitable solution would be to set up the security group of the database tier to allow database traffic from the security group of the application servers since you can utilize the security group of the application-tier Auto Scaling group as the source for the security group rule in your database tier.

Answer 122

A

Since you are using a Remote Desktop connection to access your EC2 instance, you have to ensure that the Remote Desktop Protocol is allowed in the security group. By default, the server listens on TCP port 3389 and UDP port 3389.

(the option with port 22 is incorrect as port 22 is used for SSH connections and not RDP)

Answer 123

A

Amazon RDS is a suitable database service for online transaction processing (OLTP) applications. However, the question asks for a list of AWS services for the web tier and not the database tier. Also, when it comes to services providing scalability and elasticity for your web tier, Auto Scaling and Elastic Load Balancer should immediately come into mind. Therefore, Elastic Load Balancing, Amazon EC2, and Auto Scaling is the correct answer.

Answer 124

A

the Failed Lambda functions have been running for over 15 minutes and reached the maximum execution time

=> You pay for the AWS resources that are used to run your Lambda function. To prevent your Lambda function from running indefinitely, you specify a timeout. When the specified timeout is reached, AWS Lambda terminates execution of your Lambda function. It is recommended that you set this value based on your expected execution time. The default timeout is 3 seconds and the maximum execution duration per request in AWS Lambda is 900 seconds, which is equivalent to 15 minutes.

Hence, the correct answer is the option that says: The failed Lambda functions have been running for over 15 minutes and reached the maximum execution time.

Answer 125

A

Use S3 Multipart upload API

The main issue is the slow upload time of the video objects to Amazon S3. To address this issue, you can use Multipart upload in S3 to improve the throughput. It allows you to upload parts of your object in parallel thus, decreasing the time it takes to upload big objects. Each part is a contiguous portion of the object’s data.

Answer 126

A

use versioned objects..

to control the versions of files that are served from your distribution, you can either invalidate files or give them versioned file names. If you want to update your files frequently, AWS recommends that you primarily use file versioning:

Versioning enables you to control which file a request returns even when the user has a version cached either locally or behind a corporate caching proxy. If you invalidate the file, the user might continue to see the old version until it expires from those caches.
- CloudFront access logs include the names of your files, so versioning makes it easier to analyze the results of file changes.
- Versioning provides a way to serve different versions of files to different users.
- Versioning simplifies rolling forward and back between file revisions.
- Versioning is less expensive. You still have to pay for CloudFront to transfer new versions of your files to edge locations, but you don’t have to pay for invalidating files

(Invalidating the files in your CloudFront web distribution is incorrect because even though using invalidation will solve this issue, this solution is more expensive as compared to using versioned objects.)

Answer 127

A

The correct answer is the option that says: Application files are stored in S3. The server log files can also optionally be stored in S3 or in CloudWatch Logs. AWS Elastic Beanstalk stores your application files and optionally, server log files in Amazon S3.

Answer 128

A

Amazon Kinesis

Answer 129

A

1,3

“Access policies define access to resources and can be associated with resources (buckets and objects) and users

You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. Bucket policies can be used to grant permissions to objects”

Answer 130

A

1 OpenID Connect + 4.Another AWS account

“The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users)

Federation can come from three sources:

Federation (typically AD)
Federation with Mobile Apps (e.g. Facebook, Amazon, Google or other OpenID providers)
Cross account access (another AWS account)

The question has asked for supported sources for users. Cognito user pools contain users, but identity pools do not”

Answer 131

A

DynamoDB

“Amazon Dynamo DB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability
Push button scaling means that you can scale the DB at any time without incurring downtime
DynamoDB provides low read and write latency”

Answer 132

A

ALB…1

“An Application Load Balancer is a type of Elastic Load Balancer that can use layer 7 (HTTP/HTTPS) protocol data to make forwarding decisions. An ALB supports both path-based (e.g. /images or /orders) and host-based routing (e.g. example.com)”

Answer 133

A

3…..NAT Gateway

“A NAT Gateway is created in a specific AZ and can have a single Elastic IP address associated with it. NAT Gateways are deployed in public subnets and the route tables of the private subnets where the EC2 instances reside are configured to forward Internet-bound traffic to the NAT Gateway. You do pay for using a NAT Gateway based on hourly usage and data processing, however this is still a cost-effective solution”

Answer 134

A

“Storing the file in an S3 bucket is cost-efficient, and using S3 event notifications to invoke a Lambda function works well for this unpredictable workload and is cost-efficient”

“SQS queues have a maximum message size of 256KB. You can use the extended client library for Java to use pointers to a payload on S3 but the maximum payload size is 2GB”

Answer 135

A

2…

security group membership can be changed whilst instances are running
any changes to security groups will take effect immediately
you can only assign permit rules in a security group, you cannot assign deny rules

Answer 136

A

2 Launch a single ALB and bind multiple SSL certificates to the same secure listener. Clients will use the Server Name Indication (SNI) extension

“You can use a single ALB and bind multiple SSL certificates to the same listener

With Server Name Indication (SNI) a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener”

Answer 137

A

A key pair consist of a public key that AWS stores and a private key file that you store

For Linux AMIs, the private key file allows you to securely SSH into your instance

Answer 138

A

2…

“Either create an encrypted volume and copy data to it or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot”

Answer 139

A

3.. Kinesis Streams

“This is a good use case for Amazon Kinesis streams as it is able to scale to the required load, allow multiple applications to access the records and process them sequentially

Amazon Kinesis Data Streams enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications”

Answer 140

A

2.. Use RDS in a Multi-AZ configuration

“Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. With RDS you can configure Multi-AZ which creates a replica in another AZ and synchronously replicates to it (DR only)”

Answer 141

A

1,4

“Public subnets are subnets that have:

“Auto-assign public IPv4 address” set to “Yes” which will assign a public IP

The subnet route table has an attached Internet Gateway

The instance will also need to a security group with an inbound rule allowing the traffic”

Answer 142

A

1,4…

“For serving both the media player and media files you need two types of distributions:

A web distribution for the media player
An RTMP distribution for the media files

RTMP:

Distribute streaming media files using Adobe Flash Media Server’s RTMP protocol
Allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location
Files must be stored in an S3 bucket (not an EBS volume or EC2 instance)”

Answer 143

A

1,4

Redis:
- “Redis engine stores data persistently
- Redis engine supports Multi-AZ using read replicas in another AZ in the same region”
Memached:
- Memcached engine does not store data persistently
- Memcached does not support multi-aZ failover or replication

Answer 144

A

2,4

“Glacier objects are visible through S3 only (not Glacier directly)
The contents of an archive that has been uploaded cannot be modified
Uploading archives is synchronous
Downloading archives is asynchronous
Retrieval can take a few hours”

Answer 145

A

Device Farm

“AWS Device Farm is an app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time”

Answer 146

A

1,4

“This question is really just asking you to identify which of the listed services are stream-based services. DynamoDB and Kinesis are both used for streaming data”

Answer 147

A

2…

“Amazon Kinesis Data Analytics is the easiest way to process and analyze real-time, streaming data. Kinesis Data Analytics can use standard SQL queries to process Kinesis data streams and can ingest data from Kinesis Streams and Kinesis Firehose but Firehose cannot be used for running SQL queries”

Answer 148

A

3…

“Cross-region replication allows you to replicate across regions:

Amazon DynamoDB global tables provides a fully managed solution for deploying a multi-region, multi-master database”

Answer 149

A

1….ALB

“An Application Load Balancer allows dynamic port mapping. You can have multiple tasks from a single service on the same container instance.”

Answer 150

A

2…Management Console + 5. AWS API

“You can authenticate using an MFA device in the following ways:

Through the AWS Management Console – the user is prompted for a user name, password and authentication code”
“Using the AWS API – restrictions are added to IAM policies and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests
Using the AWS CLI by obtaining temporary security credentials from STS (aws sts get-session-token)”

Answer 151

A

3… Install an additional Microsoft Active Directory Domain Controller for your existing domain on EC2 and configure the application to authenticate to the local DC

“The best answer is to Install an additional Microsoft Active Directory Domain Controller for your existing domain on EC2:

When you build your own you can join an existing on-premise Active Directory domain/directory (replication mode)”

Answer 152

A

AWS Simple AD

“AWS Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone, fully managed, directory “on the AWS cloud. Simple AD is generally the least expensive option and the best choice for less than 50000 users and don’t need advanced AD features. It is powered by SAMBA 4 Active Directory compatible server”

Answer 153

A

2… AWS Budgets

“AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Budget alerts can be sent via email and/or Amazon Simple Notification Service (SNS) topic”

Answer 154

A

1, 3

“Amazon EMR is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3. EMR uses Apache Hadoop as its distributed data processing engine which is an open source, Java soft”“ware framework that supports data-intensive distributed applications running on large clusters of commodity hardware

EMR launches all nodes for a given cluster in the same Amazon EC2 Availability Zone”

Answer 155

A

1,4…

“Options for storing logs:

- CloudWatch Logs
- Centralized logging system (e.g. Splunk)
- Custom script and store on S3”

Answer 156

A

3.. you have 24 hours to download data after retrieval (24h is default and can be changed)+ 4..Glacier must complete a job before you can get its output

Answer 157

A

1,5..

can be sold on RI marketplace

can be used in placement groups

can also be used in auto scaling groups

can also change instance size within same instance type

can also switch AZ within same region

Answer 158

A

“Unlike gp2, which uses a bucket and credit model to calculate performance, an io1 volume allows you to specify a consistent IOPS rate when you create the volume, and Amazon EBS delivers within 10 percent of the provisioned IOPS performance 99.9 percent of the time over a given year. Therefore you should expect to get 900 IOPS most of the year”

Answer 159

A

3,4

“Proxy protocol for TCP/SSL carries the source (client) IP/port information

X-forwarded-for for HTTP/HTTPS carries the source IP/port information

In both cases the protocol carries the source IP/port information right through to the web server. If you were happy to just record the source connections on the load balancer you could use access logs”

Answer 160

A

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer.

Answer 161

A

3, 4..

“You cannot do transitive peering so a hub and spoke architecture would not allow all VPCs to communicate directly with each other. For this you need to establish a mesh topology”

Answer 162

A

Elastic Transcoder

“Amazon Elastic Transcoder is a highly scalable, easy to use and cost-effective way for developers and businesses to convert (or “transcode”) video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs”

Answer 163

A

1, 3

“Regional Edge Caches are located between origin web servers and global edge locations and have a larger cache than any individual edge location, so your objects remain in cache longer at these locations.

Regional Edge caches aim to get content closer to users and are enabled by default for CloudFront Distributions (so you don’t need to update your distributions)

There are no additional charges for using Regional Edge Caches”

Answer 164

A

1,4.

“There are two parts to this solution. First you need to copy the S3 data to each region (as the instances are stateless), then you need to be able to deploy instances from an ASG using the same AMI in each regions.

CRR is an Amazon S3 feature that automatically replicates data across AWS Regions. With CRR, every object uploaded to an S3 bucket is automatically replicated to a destination bucket in a different AWS Region that you choose, this enables you to copy the existing data across to each region
AMIs of both Amazon EBS-backed AMIs and instance store-backed AMIs can be copied between regions. You can then use the copied AMI to create a new launch configuration (remember that you cannot modify an ASG launch configuration, you must create a new launch configuration)”

Answer 165

A

2,4

“RAID 0 = 0 striping – data is written across multiple disks and increases performance but no redundancy

SSD, Provisioned IOPS – I01 provides higher performance than General Purpose SSD (GP2) and you can specify the IOPS required up to 50 IOPS per GB and a maximum of 32000 IOPS”

Answer 166

A

“RAID 0 = 0 striping – data is written across multiple disks and increases performance but no redundancy
RAID 1 = 1 mirroring – creates 2 copies of the data but does not increase performance, only redundancy”

Answer 167

A

3…

“Server access logging provides detailed records for the requests that are made to a bucket. To track requests for access to your bucket, you can enable server access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and an error code, if relevant”

(“CloudWatch metrics do not include the bucket operations specified in the question)

Answer 168

A

1,4

“The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect so this would help. After the Auto Scaling group dynamically scales using a simple scaling policy, it waits for the cooldown period to complete before resuming scaling activities

The CloudWatch Alarm Evaluation Period is the number of the most recent data points to evaluate when determining alarm state. This would help as you can increase the number of datapoints required to trigger an alarm”

Answer 169

A

1,3

“DynamoDB charges:

DynamoDB is more cost effective for read heavy workloads

it is priced based on provisioned throughput (read/write) regardless of whether you use it or not

NOTE: With the DynamoDB Auto Scaling feature you can now have DynamoDB dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. However, this is relatively new and may not yet feature on the exam. See the link below for more details”

Answer 170

A

3…Cache content using CloudFront

Answer 171

A

2.. enable DynamoDB Streams and create an event source mapping between AWS Lambda and the relevant stream

Answer 172

A

REDIS

“Redis

Data is persistent
Can be used as a datastore
Not multi-threaded
Scales by adding shards, not nodes”

Answer 173

A

2… “AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation”. “Before you can use a stack set to create stacks in a target account, you must set up a trust relationship between the administrator and target accounts”

Answer 174

A

Simple AD

“Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a standalone, fully managed, directory on the AWS cloud and is generally the least expensive option. It is the best choice for less than 5000 users and when you don’t need advanced AD features”

Answer 175

A

1,5. “For this solution Kinesis Data Firehose can be used as it can use Kinesis Data Streams as a source and can capture, transform, and load streaming data into a RedShift cluster. Kinesis Data Firehose can invoke a Lambda function to transform data before delivering it to destinations”

Answer 176

A

DynamoDB

“Out of the options in the list, DynamoDB requires the least operational overhead as there are no backups, maintenance periods, software updates etc. to deal with”

Answer 177

A

2..EFS.. “Amazon EFS is the best solution as it is the only solution that is a file-level storage solution (not block/object-based), stores data redundantly across multiple AZs within a region and you can concurrently connect up to thousands of EC2 instances to a single filesystem”

Answer 178

A

1,3

“RedShift always keeps three copies of your data and provides continuous/incremental backups

Answer 179

A

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console.

Answer 180

A

AWS KMS API

“The AWS KMS API can be used for encrypting data keys (envelope encryption)”

Answer 181

A

Cluster Subnet Group

“A cluster subnet group allows you to specify a set of subnets in your VPC”

Answer 182

A

Generate a pre-signed URL and distribute it to the consumers..

“S3 pre-signed URLs can be used to provide temporary access to a specific object to those who do not have AWS credentials.”

Answer 183

A

Athena.. “Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run”

Answer 184

A

1,2

“When the launch configuration is created from the CLI detailed monitoring of EC2 instances is enabled by default”

Answer 185

A

4, 5

“There are two possible solutions here. In one you create a new IAM role with multiple policies, in the other you add a new policy to the existing IAM role.

Contrary to one of the incorrect answers, you can modify IAM roles after an instance has been launched - this was changed quite ”“some time ago now. However, you cannot add multiple IAM roles to a single EC2 instance. If you need to attach multiple policies you must attach them to a single IAM role. There is no such thing as delegating access using the API Gateway management console”

“You are using an Application Load Balancer (ALB) for distributing traffic for a number of application servers running on EC2 instances. The configuration consists of a single ALB with a single target group. The front-end listeners are receiving traffic for digitalcloud.training on port 443 (SSL/TLS) and the back-end listeners are receiving traffic on port 80 (HTTP).

Answer 186

A

1,3

“The traffic is coming in on standard ports (443/HTTPS, 80/HTTP) to a single front-end listener. You can only have a single listener running on a single port. Therefore to be able to direct traffic for a specific web page you need to use an ALB and path-based routing to direct the traffic to a specific back-end listener. As only one protocol and one port can be defined per target group you also need to create a new target group that uses port 8080 as a target.”

Answer 187

A

1,4

“The ECS container agent allows container instances to connect to the cluster nd runs on each infrastructure resource on an ECS cluster. The ECS container agent is included in the Amazon ECS optimized AMI and can also be installed on any EC2 instance that supports the ECS specification (only supported on EC2 instances). It is available for Linux and Windows”

Answer 188

A

“System status checks detect (StatusCheckFailed_System) problems with your instance that require AWS involvement to repair whereas Instance status checks (StatusCheckFailed_Instance) detect problems that require your involvement to repair”

Answer 189

A

4.,.. “The important points here are that you need to utilize the on-premise AD for authentication with AWS services whilst not synchronizing the AD database into the cloud or setting up trust relationships(adding permissions to resources in another AD domain). AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory and eliminates the need for directory synchronization. AD connector is considered the best choice when you want to use an existing AD with AWS services. The small AD connector is for up to 500 users and the large version caters for up to 5000 so in this case we need to use the large AD connector”

“Active Directory Service for Microsoft Active Directory is the best choice if you have more than 5000 users and is a standalone AD service in the cloud. You can also setup trust relationships with existing on-premise AD instances (though you can’t replicate/synchronize). In this case we want to leverage the on-premise AD and want to avoid trust relationships”

Answer 190

A

3… “With AWS Direct Connect you can provision a low latency, high performance private connection between the client’s data center and AWS. Direct Connect connections connect you to a region and all AZs within that region. In this case the client has a single VPC so we know their resources are container within a single region and therefore a single Direct Connect connection satisfies the requirements.”

Answer 191

A

1,3

“CloudTrail is used for recording API calls (auditing) whereas CloudWatch is used for recording metrics (performance monitoring). The solution can be deployed with a single trail that is applied to all regions. A single KMS key can be used to encrypt log files for trails applied to all regions. CloudTrail log files are encrypted using S3 Server Side Encryption (SSE) and you can also enable encryption SSE KMS for additional security”

Answer 192

A

Query string parameters

“Query string parameters cause CloudFront to forward query strings to the origin and to cache based on the language parameter”

Answer 193

A

control access to CloudFront distributions

Answer 194

A

“Amazon API Gateway decouples the client application from the back-end application-layer services by providing a single endpoint for API requetss”

Answer 195

A

“Amazon Cognito is used for adding sign-up, sign-in and access control to mobile apps”

Answer 196

A

DynamoDB

“Amazon DynamoDB is a fully managed NoSQL database service that provides a durable and persistent data store. You can scale DynamoDB using push button scaling which means that you can scale the DB at any time without incurring downtime. Amazon DynamoDB stores three geographically distributed replicas of each table to enable high availability and data durability”

“As a Solutions Architect for Digital Cloud Training you are designing an online shopping application for a new client. The application will be composed of distributed, decoupled components to ensure that the failure of a single component does not affect the availability of the application.

Answer 197

A

3 = FIFO

“FIFO (first-in-first-out) queues preserve the exact order in which messages are sent and received.. If you use a FIFO queue, you don’t have to place sequencing information in your message and they provide exactly-once processing, which means that each message is delivered once and remains available until a consumer processes it and deletes it. A FIFO queue would fit the solution requirements for this question”

Answer 198

A

“DynamoDB a NoSQL DB which means you can change the schema easily. It’s also the only DB in the list that you can scale without any downtime

Amazon Aurora, RDS MySQL and RedShift all require changing instance sizes in order to scale which causes an outage. They are also all relational databases (SQL) so changing the schema is difficult”

Answer 199

A

“Multi-AZ RDS creates a replica in another AZ and synchronously replicates to it. This provides a DR solution as if the AZ in which the primary DB resides fails, multi-AZ will automatically fail over to the replica instance with minimal downtime”

Answer 200

A

3…

“You can only apply one IAM role to a Task Definition so you must create a separate Task Definition.. A Task Definition is required to run Docker containers in Amazon ECS and you can specify the IAM role (Task Role) that the task should use for permissions

It is incorrect to say that you cannot implement granular permissions with ECS containers as IAM roles are granular and are applied through Task Definitions/Task Roles

You can apply different IAM roles to different EC2 instances, but to grant permissions to ECS application containers you must use Task Definitions and Task Roles”

Answer 201

A

Cloudfront and ELB

“CloudFront and ELB support Perfect Forward Secrecy which creates a new private key for each SSL session

Perfect Forward Secrecy (PFS) provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key”

Answer 202

A

CloudFormation

“AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion. AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment”

Answer 203

A

1=memory usage

Answer 204

A

“With EMR and EC2 you have access to the underlying operating system which means “you can connect to the operating system using protocols such as SSH and then manage the operating system”

Answer 205

A

1,3

“An Amazon API Gateway is a collection of resources and methods that are integrated with back-end HTTP endpoints, Lambda function or other AWS services. API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls. Throttling can be configured at multiple levels including Global and Service Call”

Answer 206

A

“EBS volume data is replicated across multiple servers within an AZ”

Answer 207

A

EFS

“The Amazon Elastic File System (EFS) is a file-based (not block or object-based) system that is accessed using the NFSv4.1 protocol. You can concurrently connect 1 to 1000s of EC2 instances from multiple AZs to a single EFS file system. EFS is elastic and provides high levels of aggregate throughput and IOPS.”

Answer 208

A

“In this scenario we are not looking to backup the instances but to create identical copies of them in the other region. These are often called golden images. We must assume that any data used by the instances resides in another service and will be accessible to them when they are launched in a DR situation

You launch EC2 instances using AMIs not snapshots (you can create AMIs from snapshots). Therefore, you should create AMIs of each instance (rather than snapshots), copy the AMIs between regions and then create new EC2 instances from the AMIs”

Answer 209

A

1,3

“None of the answer options present the full solution. However, you have been asked which services will help you to achieve the desired outcome. In this case we need high availability for on-demand EC2 instances.

A single Auto Scaling Group will enable the on-demand instances to be launched into multiple availability zones with an elastic load balancer distributing incoming connections to the available EC2 instances. This provides high availability and elasticity

Amazon S3 and CloudFront could be used to serve static content from an S3 bucket, however the question states that the web application runs on EC2 instances”

Answer 210

A

“A Recovery Point Objective (RPO) relates to the amount of data loss that can be allowed, in this case a low RPO means that you need to minimize the amount of data lost so synchronous replication is required. Out of the options presented only Amazon RDS in a multi-AZ configuration uses synchronous replication”

Answer 211

A

“If you do not want to manage EC2 instances you must use the AWS Fargate launch type which is a serverless infrastructure managed by AWS. Fargate only supports container images hosted on Elastic Container Registry (ECR) or Docker Hub”

Answer 212

A

1,5 = “S3 can be used to host static websites and you can use a custom domain name with S3 using a Route 53 Alias record. When using a custom domain name the bucket name must be the same as the domain name

The Alias record is a Route 53 specific record type. Alias records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites”

Answer 213

A

“This scenario asks that when retrieving data the chosen storage solution should always return the most up-to-date data. Therefore we must use Amazon RDS as it provides read-after-write consistency”

Answer 214

A

1,4 = “The customer wants to leverage their existing directory but not replicate account credentials into the cloud. Therefore they can use the Active Directory Service for Microsoft Active Directory and create a trust relationship with their existing AD domain. This will allow them to authenticate using local user accounts in their existing directory without creating an AD Domain Controller in the cloud (which would entail replicating account credentials)

Active Directory Service for Microsoft Active Directory is the best choice if you have more than 5000 users and/or need a trust relationship set up”

Answer 215

A

“The Architect requires a solution that removes the need to manage instances. Therefore it must be a serverless service which rules out EC2. The two remaining options use AWS Lambda at the back-end for processing. Though CloudFront can trigger Lambda functions it is more suited to customizing content delivered from an origin. Therefore API Gateway with AWS Lambda is the most workable solution presented”

Answer 216

A

2,4

“You cannot automatically register EC2 instances with private hosted zones

Route 53 can be used to route Internet traffic for domains registered with another domain registrar (any domain)

You can transfer domains to Route 53 only if the Top Level Domain (TLD) is supported”

Answer 217

A

3,5 =

“The in-memory caching provided by ElastiCache can be used to significantly improve latency and throughput for many read-heavy application workloads or compute-intensive workloads

ElastiCache is best for scenarios where the DB load is based on Online Analytics Processing (OLAP) transactions not Online Transaction Processing (OLTP)

Elasticache EC2 nodes cannot be accessed from the Internet, nor can they be accessed by EC2 instances in other VPCs

You cannot mix Memcached and Redis in a cluster”

Answer 218

A

2… “Auto Scaling rebalances by launching new EC2 instances in the AZs that have fewer instances first, only then will it start terminating instances in AZs that had more instances”

Answer 219

A

1..“IAM roles for ECS tasks enabled you to secure your infrastructure by assigning an IAM role directly to the ECS task rather than to the EC2 container instance. This means you can have one task that uses a specific IAM role for access to S3 and one task that uses an IAM role to access DynamoDB

With IAM roles for EC2 instances you assign all of the IAM policies required by tasks in the cluster to the EC2 instances that host the cluster. This does not allow the secure separation requested”

Answer 220

A

2.. “As the client needs to access the operating system of the database servers, we need to use EC2 instances not RDS (which does not allow operating system access). We can implement EC2 instances with Microsoft SQL in two different AZs which provides the requested location redundancy and AZs are connected by low-latency, high throughput and redundant networking”

Answer 221

A

“Security Groups can be configured with Inbound (ingress) and Outbound (egress) rules. You can only assign permit rules in a security group,”

Answer 222

A

1…Kinesis Firehose is the easiest way to load streaming data stores and “analytics tools. It captures, transforms, and loads streaming data and can invoke a Lambda function to transform data before delivering it to destinations. Firehose Destinations include: S3, RedShift, Elasticsearch and Splunk”

Answer 223

A

“Kinesis Data Streams processes data and then stores it for applications to access. It does not deliver it to destinations such as Splunk”

Answer 224

A

“Kinesis Data Analytics is used for processing and analyzing real-time streaming data. It can only output data to S3, RedShift, Elasticsearch and Kinesis Data Streams”

Answer 225

A

1,5… “API Gateway can scale to any level of traffic received by an API. API Gateway scales up to the default throttling limit of 10,000 requests per second, and can burst past that up to 5,000 RPS. Throttling is used to protect back-end instances from traffic spikes

Lambda uses continuous scaling – scales out not up. Lambda scales concurrently executing functions up to your default limit (1000)”

Answer 226

A

2…“A spread placement group is a group of instances that are each placed on distinct underlying hardware”

Answer 227

A

Hibernate and Stop

“You can specify whether Amazon EC2 should hibernate, stop, or terminate Spot Instances when they are interrupted. You can choose the interruption behavior that meets your needs. The default is to terminate Spot Instances when they are interrupted”

Answer 228

A

Configure Amazon DAX

“Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. You can enable DAX for a DynamoDB database with a few clicks”

Answer 229

A

1..“You can enable Instance Protection to protect a specific instance in an ASG from a scale in action”

Answer 230

A

Answer: 1,4”

“You can use server-side encryption with SSE-KMS to protect your data with a master key or you can use an AWS KMS customer master key

KMS uses customer master keys (CMKs), not customer provided keys

SSE-KMS requires that AWS manage the data key but you manage the master key in AWS KMS

Auditable master keys can be created, rotated, and disabled from the IAM console

You can use the Amazon S3 encryption client in the AWS SDK from your own application to encrypt objects and upload them to Amazon S3, otherwise data is encrypted on Amazon S3, not on the client side”

Answer 231

A

3,4

“A custom CMK key must be used for encryption if you want to share the snapshot

You must share the CMK key as well as the snapshot with the other AWS account

Snapshots of encrypted volumes are encrypted automatically

To share an encrypted snapshot you must encrypt it in the source account with a custom CMK key and then share the key with the target account”

Answer 232

A

2,3

“The relevant facts are there is a soft limit of 20 On-demand or 20 reserved instances per region by default and there are 32 possible hosts in a /27 subnet. AWS reserve the first 4 and last 1 IP address. ELB requires 8 addresses within your subnet which only leaves 19 addresses available for use

There are 16 EC2 instances so a capacity increase of 50% would bring the total up to 24 instances which exceeds the address space and the default account limit for On-Demand instances”

Answer 233

A

3,5

“Network ACLs contain a numbered list of rules that are evaluated in order from the lowest number until the explicit deny. Network ACLs only apply to traffic that is ingress or egress to the subnet not to traffic within the subnet

Network ACL’s function at the subnet level, not the instance level

With NACLs you can have permit and deny rules

All rules are not evaluated before making a decision (security groups do this), they are evaluated in order until a permit or deny is encountered”

Answer 234

A

“The easiest and recommended option is to create an AMI (image) from the instance and launch an instance from the AMI in the other AZ. AMIs are backed by snapshots which in turn are backed by S3 so the data is available from any AZ within the region

You can take a snapshot, launch an instance in the destination AZ. Stop the instance, detach its root volume, create a volume from the snapshot you took and attach it to the instance. However, this is not the best option

There’s no way to move an EC2 instance from the management console

You cannot perform a copy operation to move the instance”

Answer 235

A

“Add a rule to the Network ACL to deny traffic from the identified IP addresses. Ensure all subnets are associated with the Network ACL”

the best way to handle this situation is to create a deny rule in a network ACL using the identified IP addresses as the source. You would apply the network ACL to the subnet(s) that are seeing suspicious traffic”

Answer 236

A

1… IAM is global

Answer 237

A

create a DynamoDB Accelerator (DAX) cluster

Answer 238

A

“Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs). Public VIFs allow access to public services such as S3, EC2, and DynamoDB. Private VIFs allow access to your VPC. You must use public IP addresses on public VIFs, and private IP addresses on private VIFs

Once you have connected to an AWS region using AWS Direct Connect you can connect to all AZs within that region. You can also establish IPSec connections over public VIFs to remote regions.”

Answer 239

A

S3…

is object-based storage + allow concurrent access = can be shared by multiple instances

Answer 240

A

1,3

“AWS currently supports enhanced networking capabilities using SR-IOV which provides direct access to network adapters, provides higher performance (packets-per-second) and lower latency. You must launch an HVM AMI with the appropriate drivers and it is only available for certain instance types and only supported in VPC”

Answer 241

A

2… “The key facts here are that whilst minimizing application downtime you need to take a consistent snapshot and are unable to pause writes long enough to do so. Therefore the best option is to unmount the EBS volume and take the snapshot. This will be much faster than shutting down the instance, taking the snapshot, and then starting it back up again

Snapshots capture a point-in-time state of an instance and are stored on S3. To take a consistent snapshot writes must be stopped (paused) until the snapshot is complete – if not possible the volume needs to be detached, or if it’s an EBS root volume the instance must be stopped”

(if taking snapshot while attached you may not get a fully consistent snapshot which is needed here)

Answer 242

A

“AWS recommends that you always use the default predefined security policy. When choosing a custom security policy you can select the ciphers and protocols (only for CLB)”

(AES is an encryption policy, not a policy)

Answer 243

A

1…decoupling

Answer 244

A

3…“Maintenance windows are configured to allow DB instance modifications to take place such as scaling and software patching. Some operations require the DB instance to be taken offline briefly and this includes security patching”

(the others do not take place during a maintenance window)

Answer 245

A

2,4

“Amazon Dynamo DB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability that provides low read and write latency. Because of its performance profile and the fact that it is a NoSQL type of database, DynamoDB is good for rapidly ingesting clickstream data

You should use a relational database such as RDS when you need to do complex queries and joins. Microsoft SQL and Oracle DB are both relational databases so DynamoDB is not a good backup target or migration destination for these types of DB”

Answer 246

A

1,3

both a web application using Amazon RDS and a long running worker process (where it manages an SQS queue) are good examples of when yo use Beanstalk as multiple services are being used which is what Beanstalk is for = orchestration engine

Answer 247

A

2… Access keys are a combination of an access Key ID and a secret access key and you can assign “two active access keys to a user at a time. These can be used to make programmatic calls to AWS when using the API in program code or at a command prompt when using the AWS CLI or the AWS PowerShell tools”

(a password is needed for logging into the console yes, but a password is not needed to make API calls)

Answer 248

A

1,2..

“When using S3 encryption your data is always encrypted at rest and you can choose to use KMS managed keys or customer-provided keys. If you encrypt the data at the source and transfer it in an encrypted state it will also be encrypted in-transit

With client side encryption data is encrypted on the client side and transferred in an encrypted state and with server-side encryption data is encrypted by S3 before it is written to disk (data is decrypted when it is downloaded)”

Answer 249

A

Cloud HardwareSecurityModule is used to create and manage encryption keys but not actually encrypting the data

Answer 250

A

3,5…“Placement groups are recommended for applications that benefit from low latency and high bandwidth and it s recommended to use an instance type that supports enhanced networking. Instances within a placement group can communicate with each other ”

Answer 251

A

“EFS provides a highly-available data store with consistent low latencies and elasticity to scale as required”

(DynamoDB is a low latency, highly-available NoSQL Database and you can also store JSON files but only up to 400 kb in size and thus EFS is the only plausible solution here)

Answer 252

A

CloudFormation

Answer 253

A

1…why?

CloudFront caches near end users and ensure low latency
API Gateway and API Lambda are present in all options
DynamoDB can be used for storing session state data
- (RDS is not a serverless service so can be ruled out)

Answer 254

A

2,4… “If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances. Auto Scaling will terminate the existing instance before launching a replacement instance”

(the process is different for AZ rebalancing where it launches new instances first in the other AZ before it closes instances down).

Answer 255

A

Redshift = Data warehouse

“Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence (BI) tools. RedShift is a SQL based data warehouse that is used for analytics applications. RedShift is 10x faster than a traditional SQL DB”

Answer 256

A

Expedited Retrieval… typically 1-5 minutes (standard retrieval is 3-5hours, bulk retrieval is more cost-effective but 5-12 hours))

Answer 257

A

4…Kinesis Firehose with Redshift

“Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. Firehose Destinations include: Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and existing Business Intelligence tools.

Answer 258

A

“Kinesis Data Streams enables you to build custom applications that process or analyze streaming data for specialized needs. It enables real-time processing of streaming big data and can be used for rapidly moving data off data producers and then continuously processing the data. Kinesis Data Streams stores data for later processing by applications (key difference with Firehose which delivers data directly to AWS services)

(Kinesis Firehose can allow transformation of data and it then delivers data to supported services”)

Answer 259

A

“The SSH protocol uses TCP port 22

Answer 260

A

2…“Using the CloudFront content delivery network (CDN) would offload the processing from the EC2 instance as the videos would be cached and accessed without hitting the EC2 instance”

(“Using CloudFront is preferable to using an Auto Scaling group to launch more instances as it is designed for caching content and would provide the best user experience”)

Answer 261

A

3… “Always use IAM roles when you can

It is an AWS best practice not to store API credentials within applications, on file systems or on instances (such as in metadata).”

Answer 262

A

2… “Throughput Optimized HDD is the most cost-effective storage option and for a small DB with low traffic volumes it may be sufficient. Note that the volume must be at least 500 GB in size

(AWS recommend using General Purpose SSD rather than Throughput Optimized HDD for most use cases but it is more expensive”)

Answer 263

A

4…“Aurora databases can scale up to 64 TB and Aurora replicas features millisecond latency

All other RDS engines have a limit of 16 TiB maximum DB size and asynchronous replication typically takes seconds”

Answer 264

A

CloudFormation

“CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts”

Answer 265

A

a deployment service that “automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions”

Answer 266

A

2,4…

“AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory. AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure and connects your existing on-premise AD to AWS. It is the best choice when you want to use an existing Active Directory with AWS services

IAM Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests. With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. user name and password)”.

you map the groups in AD to IAM Roles (not IAM users or groups)

Answer 267

A

“AD Connector is a directory gateway for redirecting directory requests to your on-premise Active Directory. AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure and connects your existing on-premise AD to AWS. It is the best choice when you want to use an existing Active Directory with AWS services

Answer 268

A

“AWS Directory Service Simple AD is an inexpensive Active Directory-compatible service with common directory features. It is a fully cloud-based solution and does not integrate with an on-premises Active Directory service.

Answer 269

A

3,5…

“The key requirements are that historical data that data is recorded in a low latency, durable data store and then moved into a data warehouse when the data is over 1 year old for historical analytics. This is a good use case for DynamoDB as a data store and RedShift as a data warehouse. Kinesis is used for real-time data, not historical data so is not a good fit”

Answer 270

A

“Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information.

Answer 271

A

“You can use MFA with a Cognito user pool (not in IAM) and this satisfies the requirement.

A user pool is a user directory in Amazon Cognito. With a user pool, your users can sign in to your web or mobile app through Amazon Cognito. Your users can also sign in through social identity providers like Facebook or Amazon, and through SAML identity providers”

Answer 272

A

2,5.

“Due to the reverse proxy being a bottleneck to scalability, we need to replace it with a solution that can perform content-based routing. This means we must use an ALB not a CLB as ALBs support path-based and host-based routing

Auto Scaling should be added to the architecture so that the back end EC2 instances do not become a bottleneck. With Auto Scaling instances can be added and removed from the back end fleet as demand changes”

Answer 273

A

3..TTL

“Caches are provisioned for a specific stage of your APIs. Caching features include customisable keys and time-to-live (TTL) in seconds for your API data which enhances response times and reduces load on back-end services

You can throttle and monitor requests to protect your back-end, but the cache is used to reduce the load on the back-end”

Answer 274

A

“Using PrivateLink you can connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services”

Answer 275

A

3… to connect to other AWS accounts privately you need to use PrivateLink.

Answer 276

A

2.5…

“Best practices for securing operating systems and applications include:

Disable root API access keys and secret key
Restrict access to instances from limited IP ranges using Security Groups
Password protect the .pem file on user machines
Delete keys from the authorized_keys file on your instances when someone leaves your organization or no longer requires access
Rotate credentials (DB, Access Keys)
Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
Use bastion hosts to enforce control and visibility”
*

Answer 277

A

1… SQS allows us to decouple the application and store messages waiting to be processed. Then we add some EC2 instances to process this queue

Answer 278

A

1.Redshift

“Amazon RedShift uses columnar storage and is used for analyzing data using business intelligence tools (SQL)”

(DynamoDB is not columnar as it is NoSQL, RDS is better for OLTP work and not analytics and Elasticache is an in-memory caching service)

Answer 279

A

2…. “The possible values are ok, impaired, warning, or insufficient-data. If all checks pass, the overall status of the volume is ok. If the check fails, the overall status is impaired. If the status is insufficient-data, then the checks may still be taking place on your volume at the time”

Answer 280

A

stop sending traffic

“The ELB will simply stop sending traffic to the instance as it has determined it to be unhealthy

ELBs are not responsible for terminating EC2 instances.

The ELB does not send instructions to the ASG, the ASG has its own health checks and can also use ELB health checks to determine the status of instances”

Answer 281

A

4,5

“To use Route 53 for an existing domain the Architect needs to change the NS records to point to the Amazon Route 53 name servers. This will direct name resolution to Route 53 for the domain name. The most cost-effective solution for hosting the website will be to use an Amazon S3 bucket. To do this you create a bucket using the same name as the domain name (e.g. example.com) and use a Route 53 Alias record to map to it

Using an EC2 instance instead of an S3 bucket would be more costly so that rules out 2 options that explicitly mention EC3

Elastic Beanstalk provisions EC2 instances so again this would be a more costly option”

Answer 282

A

EFS.. “EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. EFS is good for big data and analytics, media processing workflows, content management, web serving, home directories etc.. EFS uses the NFSv4.1 protocol which is a protocol for mounting file systems (similar to Microsoft’s SMB)”

(DynamoDB is only good with OLTP)

Answer 283

A

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

Answer 284

A

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an AWS Identity and Access Management (IAM) entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts.

Answer 285

A

IAM roles for EC2 instances simplifies management and deployment of AWS access keys to EC2 instances. Using this feature, you associate an IAM role with an instance. Then your EC2 instance provides the temporary security credentials to applications running on the instance, and the applications can use these credentials to make requests securely to the AWS service resources defined in the role.

= IAM roles for EC2 instances enables your applications running on EC2 to make requests to AWS services such as Amazon S3, Amazon SQS, and Amazon SNS without you having to copy AWS access keys to every instance

Answer 286

A

Temporary security credentials consist of the AWS access key ID, secret access key, and security token. Temporary security credentials are valid for a specified duration and for a specific set of permissions. Temporary security credentials are sometimes simply referred to as tokens.

(default 12 hours, min 15 minutes, max 36 hours)

Answer 287

A

AWS Identity and Access Management (IAM) supports identity federation for delegated access to the AWS Management Console or AWS APIs. With identity federation, external identities are granted secure access to resources in your AWS account without having to create IAM users. These external identities can come from your corporate identity provider (such as Microsoft Active Directory or from the AWS Directory Service) or from a web identity provider (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider).

Answer 288

A

Federated users (external identities) are users you manage outside of AWS in your corporate directory, but to whom you grant access to your AWS account using temporary security credentials. They differ from IAM users, which are created and maintained in your AWS account.

Answer 289

A

Web identity federation allows you to create AWS-powered mobile apps that use public identity providers (such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible provider) for authentication. With web identity federation, you have an easy way to integrate sign-in from public identity providers (IdPs) into your apps without having to write any server-side code and without distributing long-term AWS security credentials with the app.

Answer 290

A

For best results, use Amazon Cognito as your identity broker for almost all web identity federation scenarios.

Answer 291

A

1,4.

AWS recommends that you use the AWS SDKs to make programmatic API calls to IAM. However, you can also use the IAM Query API to make direct calls to the IAM web service.

An access key ID and secret access key must be used for authentication when using the Query API.

Answer 292

A

2…“This is simply about understanding the performance characteristics of the different EBS volume types. The only EBS volume type that supports over 10,000 IOPS is Provisioned IOPS SSD”

(Provisioned IOPS for… +10,000 IOPS, up to 32,000 IOPS per volume, up to 50 IOPS per GiB)

Answer 293

A

Soft limit of 20 on-demand instances per region
300 TiB of aggregate PIOPS volumes per region and 300,000 aggregate PIOPS

Answer 294

A

“ELB nodes have public IPs and route traffic to the private IP addresses of the EC2 instances. You need one public subnet in each AZ where the ELB is defined and the private subnets are located”

Answer 295

A

1,3

policies are documents that define permissions and can be applied to users, groups, and roles.

=> within an IAM policy you can grant either programmatic access or AWS Management Console access to Amazon S3 resources.

Answer 296

A

to access EC2 instances

Answer 297

A

1,2

“Athena also allows you to easily query encrypted data stored in Amazon S3 and write encrypted results back to your S3 bucket. Both, server-side encryption and client-side encryption are supported

With IAM policies, you can grant IAM users fine-grained control to your S3 buckets, and is preferable to using bucket ACLs”

Answer 298

A

3…

“Single sign-on using federation allows users to login to the AWS console without assigning IAM credentials

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (such as federated users from an on-premise directory)

Federation (typically Active Directory) uses SAML 2.0 for authentication and grants temporary access based on the users AD credentials. The user does not need to be a user in IAM”

Answer 299

A

to authenticate users to web and mobile apps

(not for providing single sign-on between on-premises directories and AWS management console… here we use Federation (STS and SAML)

Answer 300

A

API Gateway
Lambda
S3
DynamoDB
SNS
SQS
Kinesis

Answer 301

A

1..snapshots capture a point-in-time state of an instance and snapshots of EBS volumes are automatically stored in S3

Answer 302

A

Answer: 2

DynamoDB can throttle requests that exceed the provisioned throughput for a table. When a request is throttled it fails with an HTTP 400 code (Bad Request) and a ProvisionedThroughputExceeded exception (not a 503 or 200 status code)

When using the provisioned capacity pricing model DynamoDB does not automatically scale. DynamoDB can automatically scale when using the new on[…]”

Answer 303

A

2…when you create a new subnet, it is automatically associated with the main route table. Therefore, the EC2 instance will not have a route to the Internet in this example. The architect should associate the new subnet with the custom route table.

Answer 304

A

Answer: 2

With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Using this feature you can achieve the required outcome by using IAM roles for tasks and splitting the containers according to the permissions required to different task profiles.”

Answer 305

A

3…“If any health check returns an unhealthy status the instance will be terminated. Unlike AZ rebalancing, termination of unhealthy instances happens first, then Auto Scaling attempts to launch new instances to replace terminated instances

AS will not launch a new instance immediately as it always terminates unhealthy instance before launching a replacement”

Answer 306

A

1,2

“It is not specified what types of documents are being moved into the cloud or what services they will be placed on. Therefore we can assume that options include S3 and EBS. Both of these services provide native encryption functionality to ensure security of the sensitive documents. With EBS you can use KMS-managed or customer-managed encryption keys. With S3 you can use client-side or server-side encryption

(IAM access policies are not used for controlling encryption”)

Answer 307

A

in a private subnet of your VPC

Answer 308

A

3 tags… a tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define. TAGS enable you to categorize your AWS resources in different ways, for example, by purpose, owner or environment

Answer 309

A

Answer: 1

By default Eth0 is the only Elastic Network Interface (ENI) created with an EC2 instance when launched. You can add additional interfaces to EC2 instances (number dependent on instances family/type). Default interfaces are terminated with instance termination. Manually added interfaces are not terminated by default”

Answer 310

A

2,3..

You can suspend and then resume one or more of the scaling processes for your Auto Scaling group. This can be useful when you want to investigate a configuration problem or other issue with your web application and then make changes to your application, without invoking the scaling processes. You can manually move an instance from an ASG and put it in the standby state

Instances in standby state are still managed by Auto Scaling, are charged as normal, and do not count towards available EC2 instance for workload/application use. Auto scaling does not perform health checks on instances[…]”

Answer 311

A

for active/passive configurations..

Answer 312

A

Answer: 2,3

Performing in-place queries on a data lake allows you to run sophisticated analytics queries directly on the data in S3 without having to load it into a data warehouse

You can use both Athena and Redshift Spectrum against the same data assets. You would typically use Athena for ad hoc data discovery and SQL querying, and then use Redshift Spectrum for more complex queries and scenarios where a large number of data lake users want to run concurrent BI and reporting workloads”

(Lambda is good for functions but not analytics queries and AWS Glue is an ETL service)

Answer 313

A

3.. “An Alias record can be used for resolving apex or naked domain names (e.g. example.com). You can create an A record that is an Alias that uses the customer’s website zone apex domain name and map it to the ELB DNS name”

Answer 314

A

1,3..

“The following are a few reasons why an instance might immediately terminate:

You’ve reached your EBS volume limit
An EBS snapshot is corrupt
The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption”

AWS does not have capacity available

Answer 315

A

1… “SSD, General Purpose (GP2) provides enough IOPS to support this requirement and is the most economical option that does. Using Provisioned IOPS would be more expensive and the other two options do not provide an SLA for IOPS”

Answer 316

A

3 IOPS per GiB
up to 16,000 IOPS
volume size 1GB to 16 GB

Answer 317

A

50 IOPS per GiB
up to 64,000 IOPS
volume size 4GB to 16 GB

Answer 318

A

1,2 EBS-backed instances, the default is to delete the root EBS volume upon termination.

EBS volumes can be detached and attached again without data being lost (instance stores cannot)

Answer 319

A

Answer: 1,2

Information is sent by the ELB to CloudWatch every 1 minute when requests are active. Can be used to trigger SNS notifications”

“Access Logs are disabled by default. Includes information about the clients (not included in CloudWatch metrics) including identifying the requester, IP, request type etc. Access logs can be optionally stored and retained in S3”

Answer 320

A

2,5 The only application services here are API Gateway and Lambda and these are considered to be serverless services”

Answer 321

A

“Auto Scaling can perform rebalancing when it finds that the number of instances across AZs is not balanced. Auto Scaling rebalances by launching new EC2 instances in the AZs that have fewer instances first, only then will it start terminating instances in AZs that had more instances”

Answer 322

A

On-demand… you need it quickly, cost-effectively and without interruptions.

(spot = interruptions, reserved = for longer requirements with 1-3 year contracts, flexible does not exist)

Answer 323

A

Answer: 1,2

ECS Clusters are a logical grouping of container instances the you can place tasks on
Clusters can contain tasks using BOTH the Fargate and EC2 launch type
Each container instance may only be part of one cluster at a time
Clusters are region specific
For clusters with the EC2 launch type clusters can contain different container instance types”

Answer 324

A

2,4…

“CloudFront distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts. CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served

ELB automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource

ELB, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances

ELB also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances”

Answer 325

A

4… “If you are installing MySQL on an EC2 instance you cannot enable read replicas or multi-AZ. Instead you would need to use Amazon RDS with a MySQL DB engine to use these features

Migrating to RDS would entail a major change to the architecture so is not really feasible. In this example it will therefore be easier to use the native HA features of MySQL rather than to migrate to RDS. You would want to place the second MySQL DB instance in another AZ to enable high availability and fault tolerance”

Answer 326

A

3….You can throttle and monitor requests to protect your backend. Resiliency through throttling rules is based on the number of requests per second for each HTTP method (GET, PUT). Throttling can be configured at multiple levels including Global and Service Call

API Gateway is the front-end component of this application therefore that is where you need to implement the controls. You cannot use CloudFront or ElastiCache to cache APIs. You also cannot put APIs in a bucket and publish as a static website

Answer 327

A

4.. “You backup EBS volumes by taking snapshots. This can be automated via the AWS CLI command “create-snapshot”. However the question is asking for a way to automate not just the creation of the snapshot but the retention and deletion too. The EBS Data Lifecycle Manager (DLM) is a new feature that can automate all of these actions for you and this can be performed centrally from within the management console”

Answer 328

A

Answer: 1,3

The proxy protocol only applies to L4 and the back-end listener must be TCP for proxy protocol

When using the proxy protocol the front-end listener can be either TCP or SSL”

Answer 329

A

1… Amazon Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each region, and provides disaster recovery from region-wide outages. Aurora Global Database uses storage-based replication with typical latency of less than 1 second, using dedicated infrastructure that leaves your database fully available to serve application workloads. In the unlikely event of a regional degradation or outage, one of the secondary regions can be promoted to full read/write capabilities in less than 1 minute.

You can create an Amazon Aurora MySQL DB cluster as a Read Replica in a different AWS Region than the source DB cluster. Taking this approach can improve your disaster recovery capabilities, let you scale read operations into an AWS “Region to another. However, this solution would not provide the fast storage replication and fast failover capabilities of the Aurora Global Database and is therefore not the best option

Enabling Multi-AZ for the Aurora DB would provide AZ-level resiliency within the region not across regions”

Answer 330

A

Answer: 2,….. You can throttle and monitor requests to protect your backend. Resiliency through throttling rules based on the number of requests per second for each HTTP method (GET, PUT). Throttling can be configured at multiple levels including Global and Service Call

When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client”

Answer 331

A

1,3..

“When you resize an instance, you must select an instance type that is compatible with the configuration of the instance. You must stop your Amazon EBS–backed instance before you can change its instance type

You can suspend and then resume one or more of the scaling processes for your Auto Scaling group. Suspending scaling processes can be useful when you want to investigate a configuration problem or other issue with your web application and then make changes to your application, without invoking the scaling processes

You do not need to create a new launch configuration and you cannot edit an existing launch configuration

You cannot change an instance type without first stopping the instance”

Answer 332

A

2.. “With an identity pool, users can obtain temporary AWS credentials to access AWS services, such as Amazon S3 and DynamoDB”

Brainscape's Knowledge GenomeTM

AWSExam_2 Flashcards

Brainscape's Knowledge Genome^TM