Cert Prep: Certified Cloud Practitioner for AWS Flashcards

1
Q

How is Key Management Service (KMS) priced?

A. KMS is priced per KMS key; you are charged for the number of master keys maintained in KMS.
B. KMS is priced per data encryption keys; you are charged for the number of individual data keys maintained in KMS.
C. KMS is priced per number of encryption/decryption requests received from all services per month.
D. KMS is priced per KMS key and the number of requests received per month.

A

D. KMS is priced per KMS key and the number of requests received per month.

Explanation

KMS is priced per two factors: the number of KMS keys maintained in KMS and the number of requests received within a month.

2
Q

You are migrating your business environment to the AWS Cloud. You have identified the resources that must be created in the AWS environment to support the migration. What tool could you use to help project future costs given this information?

A. Trusted Advisor

B. AWS Pricing Calculator

C. Cost Explorer

D. Detailed Billing Reports

A

B. AWS Pricing Calculator

Explanation:
The AWS Pricing Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. It is not a method for evaluating the future costs of services in an AWS environment.

AWS Cost Explorer allows you to visualize, understand, and manage your AWS costs and usage over time, assuming you have already established AWS services.

Detailed billing reports are available to you once you have established services within AWS.

3
Q

AWS WAF requires which other AWS service to deploy a security solution?

A. Amazon CloudFront
B. Amazon CloudWatch
C. AWS Lambda
D. Amazon SNS

A

A. Amazon CloudFront

Explanation

AWS WAF relies heavily on Amazon CloudFront distributions, to the point that if you don’t have a distribution configured then AWS WAF is essentially redundant. However, it’s worth mentioning that this relationship is only one way, meaning that Amazon CloudFront can operate and exist without AWS WAF being configured.

4
Q

You have been asked to perform some penetration testing on your company’s AWS infrastructure. However, you are not sure who is responsible for this. Which statement describing the AWS policy regarding penetration testing is correct?

A. Permission is required from AWS for all penetration testing.

B. AWS needs to perform the penetration tests.

C. You can always perform penetration testing with no prior AWS approval.

D. Penetration testing is possible without AWS approval depending on the services in use.

A

D. Penetration testing is possible without AWS approval depending on the services in use.

Explanation

There are several important things to note about penetration testing requests:

Permission may be required for penetration testing, depending on which AWS services are in use.
To request permission, you must be logged into the AWS portal using the root credentials associated with the instances you wish to test, otherwise the form will not pre-populate correctly.
5
Q

Which of the following statements best describes a key difference between Elastic Beanstalk and CloudFormation?

A. CloudFormation offers more potential for customization than Elastic Beanstalk, because you can actually design and script yourself.
B. Elastic Beanstalk uses Elastic load balancing and CloudFormation doesn’t.
C. CloudFormation is faster in deploying applications than Elastic Beanstalk.
D. Elastic Beanstalk is faster in deploying applications than CloudFormation.

A

A. CloudFormation offers more potential for customization than Elastic Beanstalk, because you can actually design and script yourself.

Explanation:
These services are designed to complement each other. AWS Elastic Beanstalk provides an environment to easily develop and run applications in the cloud. It is integrated with developer tools and provides a one-stop experience for you to manage the lifecycle of your applications. AWS CloudFormation is a convenient deployment mechanism for a broad range of AWS resources. It supports the infrastructure needs of many different types of applications such as existing enterprise applications, legacy applications, applications built using a variety of AWS resources and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation introduces two new concepts: the template, a JSON-format, text-based file that describes all the AWS resources you need to deploy to run your application, and the stack, the set of AWS resources that are created and managed as a single unit when AWS CloudFormation instantiates a template.

6
Q

An enterprise using AWS has ten departments and wants to track the costs of each department. Which option meets this requirement?

A. Setup IAM groups for each department and track their usage
B. Setup IAM users for each department and track their usage
C. Create separate accounts for each department and track them separately
D. Create separate accounts for each department and use consolidated billing for payment and tracking

A

D. Create separate accounts for each department and use consolidated billing for payment and tracking

Explanation

The cost of an IAM user or group can never be tracked separately for the purpose of billing. The best solution, in this case, is to create a separate account for each department and use consolidated billing.

7
Q

You have a time-sensitive development question involving system issues and you decide that you need some support from AWS. Which is the most appropriate of the following severity levels to assist you in resolving the issue?

A. System impaired
B. Production system impaired
C. Production system down
D. Business-critical system down

A

A. System impaired

Explanation

With regard to AWS support, if you have a problem which meets any of the following, it is considered a system impaired priority.

You can work around the problem
Non-critical functions of your application are behaving abnormally.
You have a time-sensitive development question. (Developer, Business, and Enterprise)
8
Q

Which of the following best describes the relationship between regions and Availability Zones?

A. Each region is completely independent and each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.
B. Each region is completely independent and Availability Zones are never isolated, but the Availability Zones in a region are connected through low-latency links.
C. Each region may be dependent on another region, each Availability Zone is isolated, and the Availability Zones in a region are not connected.
D. Each region may be dependent on another region, and each Availability Zone is completely independent.

A

A. Each region is completely independent and each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

Explanation

Each region is completely independent and each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

9
Q

What is NOT a feature of Amazon Inspector?

A. built-in rules library
B. expandable rules library allowing for custom policy rules
C. ability to publish findings through SNS
D. automate via API

A

B. expandable rules library allowing for custom policy rules

Explanation

Amazon Inspector has a fixed built-in library of best practices and rules. Currently it doesn’t support any custom rules beyond this default set.

10
Q

___________ are predefined, out-of-the-box policies that grant permissions for common use cases to eliminate the need to determine what permissions are needed.

A. Customer managed policies

B. AWS managed policies

C. Inline policies

D. Resource policies

A

B. AWS managed policies

Explanation

AWS managed policies are predefined by AWS, and grant permissions for common use cases so you can avoid having to determine what permissions are needed. For ElastiCache, AWS provides the following managed policies: AmazonElastiCacheReadOnlyAccess and AmazonElastiCacheFullAccess.

11
Q

When deploying a new environment within AWS, what does “think parallel” mean?

A. Test with new deployments and eliminate existing systems to confirm desired outcomes before scaling fully.

B. Test changes and validate the results at all lifecycle stages to confirm new features and minimize failed deployments.

C. Maintain the prior environment until there is confirmation of successful deployment.

D. Automate testing of deployed environments to confirm desired outcomes.

A

C. Maintain the prior environment until there is confirmation of successful deployment.

Explanation

When deploying a new environment within AWS, one aspect of the concept “think parallel” means maintaining the prior environment while testing and deploying a new one in order to reduce various risks associated with architecting the new environment.

12
Q

A user is uploading a backup of data to S3 Glacier as part of a disaster recovery plan. The data stored in S3 Glacier is part of a larger data recovery plan that involves other AWS services. There is a relatively small set of data (100 MB) that needs to be restored immediately when a disaster recovery plan is executed, and the organization is planning a recovery time objective (RTO) of 1 hour. Assuming the data size meets the requirements for any of the given retrieval options below, which S3 Glacier data retrieval option would you plan in the event of a disaster?

A. Use Expedited retrievals without Provisioned Capacity

B. Use Expedited Retrievals with Provisioned Capacity
C. Use Bulk retrievals
D. Use Standard retrievals

A

C. Use Expedited Retrievals with Provisioned Capacity

Explanation

There are three retrieval options with Amazon S3 Glacier:

Expedited — There are two types of Expedited retrievals: On-Demand and Provisioned. On-Demand requests are similar to EC2 On-Demand instances and are available most of the time. Provisioned requests are guaranteed to be available when you need them, which is recommended for a DR plan.
Standard — Standard retrievals allow you to access any of your archives within several hours.
Bulk — Bulk retrievals are Amazon S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.
13
Q

What service is used to store the log files generated by CloudTrail?

A. Amazon EFS

B. Amazon S3

C. Amazon RDS

D. Amazon EBS

A

B. Amazon S3

Explanation

AWS CloudTrail uses Amazon’s Simple Storage Service (S3) to store log files. It also supports the use of S3 lifecycle configuration rules to reduce storage costs.

14
Q

Which service provides durable storage volumes you can attach to a running instance and which persist beyond the life of the instance?

A. Amazon Elastic Block Store (EBS)

B. Amazon EC2 Instance Store

C. Elastic File System (EFS)

D. Amazon FSx

A

A. Amazon Elastic Block Store (EBS)

Explanation

Amazon EBS provides durable, block-level storage volumes that you can attach to a running instance. You can use Amazon EBS as a primary storage device for data that requires frequent and granular updates. For example, Amazon EBS is the recommended storage option when you run a database on an instance. An EBS volume behaves like a raw, unformatted, external block device that you can attach to a single instance. The volume persists independently from the running life of an instance.

15
Q

An organization has launched a large EC2 instance from an EBS-backed AMI. The organization wants to ensure that even when this instance is terminated, all the critical data will be saved. How can they ensure the EBS volume persists after the instance is terminated?

A. Migrate all log files from the ephemeral drive to the EBS volume

B. Set the volume’s DeleteOnTermination flag to ‘False’

C. Take frequent snapshots of the EBS volume

D. Migrate important data to S3 for higher durability

A

B. Set the volume’s DeleteOnTermination flag to ‘False’

Explanation

AWS provides an on demand, scalable infrastructure. Amazon EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. If the organization has launched an instance with the EBS root device and an additional ephemeral drive, it is advised that the organization should keep taking a backup of all critical ephemeral data to EBS. The organization should also keep moving important data to S3 for higher durability. In this way even if the application fails the data can be restored. For the EBS backup, the organization should always take a snapshot at regular intervals.

Since the organization is launching an instance with an EBS based root device, by default the DeleteOnTermination flag is set to True. In the present scenario if the instance gets terminated the EBS will also be deleted.
It is recommended to set the flag to False so that the volume is not deleted when the instance is terminated.

16
Q

Vital functions of your application are unavailable, you can’t work around the problem, and your business is at risk. You decide that you need some support from AWS. Which of the following severity levels do you think would be an appropriate choice for this issue?

A. General guidance
B. Production system impaired
C. Production system down
D. Business-critical system down

A

D. Business-critical system down

Explanation

In the context of AWS support, if you have a problem which meets any of the following, then the severity level is ‘business-critical system down.’

You can't work around the problem, and your business is at risk.
Critical functions of your application are unavailable. (Enterprise)
17
Q

What two options does RDS offer to backup information stored on DB instances? (Choose 2 answers)

A. Automated backup
B. DB snapshots
C. DB versioning
D. DB read replicas

A

A. Automated backup

Explanation

The two methods for backing up information stored on RDS DB instances are automated backups and DB snapshots. Automated backup is a managed process where RDS creates standby instances of any and all instances selected for Multi-Availability Zone (AZ) deployment rather than Single-AZ deployment.

DB snapshots are also copies of the DB instance, but snapshots are manual processes, and snapshots can be stored in availability zones or regions selected by the user.

DB versioning is not a method of backing up RDS DB instances. Versioning is a method for backing up objects stored in S3.

DB read replicas are not a method of backing up RDS DB instances. Read replicas allow databases to manage a level of read requests for a database that extends beyond an individual DB instance’s capability.

18
Q

When using Amazon Glacier’s standard retrieval option, which of the following statements is correct?

A. Amazon Glacier takes 3-5 hours to retrieve data.
B. Amazon Glacier takes 5 minutes to retrieve data.
C. Amazon Glacier takes 5-12 hours to retrieve data.
D. Amazon Glacier takes 1 hour to retrieve data.

A

A. Amazon Glacier takes 3-5 hours to retrieve data.

Explanation

Amazon Glacier is an extremely low-cost storage service that provides secure and durable storage for data archiving and backup. To keep costs low, Amazon Glacier is optimized for data that is infrequently accessed and for which retrieval times of several hours are suitable. The standard retrieval option, which is the default option, takes 3-5 hours to complete. The other options are expedited, which downloads a small amount of data (250 MB maximum) in 5 minutes, and bulk, which downloads large amounts of data (petabytes) in 5-12 hours.

19
Q

Your company wants you to choose an AWS support plan that includes a dedicated support team to review the account and provide recommendations for account optimization. Which of the following support levels should you choose?

A. Developer-level Support

B. Enterprise-level Support

C. Customer-level Support

D. Business-level Support

A

B. Enterprise-level Support

Explanation

Enterprise-level Support customers have access to Concierge Support to assist with AWS account reviews and provide recommendations for optimization.

20
Q

Which of the following statements is true of an Auto Scaling group?

A. An Auto Scaling group cannot span multiple regions.
B. An Auto Scaling group delivers log files within 30 minutes of an API call.
C. Auto Scaling publishes new log files about every 15 minutes.
D. An Auto Scaling group cannot be configured to scale automatically.

A

A. An Auto Scaling group cannot span multiple regions.

Explanation

An Auto Scaling group can contain EC2 instances that come from one or more Availability Zones within the same region. However, an Auto Scaling group cannot span multiple regions.

21
Q

When you launch an instance using Amazon EC2, you must specify a geographic region in which to launch the instance, and a corresponding ____, which is an isolated location in that region where the physical hardware on which the instance will be launched is located.

A. availability zone
B. sub-region
C. subnet
D. sector

A

A. availability zone

Explanation

Amazon EC2 is hosted in multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Each region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

22
Q

Which choice is a stated benefit of using AWS?

A. reduced effort to meet compliance requirements
B. data center servers specifically for your account
C. security configuration is entirely managed by AWS
D. system compliance is entirely managed by AWS

A

A. reduced effort to meet compliance requirements

Explanation
AWS services are designed to comply with common compliance regulations, such as PCI DSS level. You will have to configure services to meet your specific compliance needs, but segments of your IT system on AWS should comply with several standard compliance regulations immediately.

You can request dedicated instances, but you cannot select specific data centers for your account, and with the Shared Responsibility Model, AWS will not assist you in configurations to meet your security or compliance requirements.

23
Q

Important functions of your application are unavailable. You cannot work around the problem, and your business is significantly impacted. You decide that you need support from AWS. Which of the following severity levels do you think would be an appropriate choice for this issue?

A. Guidance
B. System impaired
C. Production system down
D. Business-critical system down

A

C. Production system down

Explanation

In the context of AWS support, if you have a problem that meets any of the following criteria, the severity level will be ‘Production system down’.

You can't work around the problem, and your business is significantly impacted.
Important functions of your application are unavailable. (Business and Enterprise)
24
Q

_______ are objects created within IAM which have policy permissions associated to them. While they can be associated with users as groups are, they can also be assigned to instances at the time of launch.

A. IAM roles
B. IAM groups
C. IAM users
D. IAM organizations

A

A. IAM roles

Explanation:
IAM Roles are objects created within IAM which have Policy permissions associated to them. However, instead of just being associated with users as groups are, roles can be assigned to instances at the time of launch. This allows the instance to adopt the permissions given by the role without the need to have access keys stored locally on the instance.

IAM Users are account objects that allow an individual user to access your AWS environment with a set of credentials. You can issue user accounts to anyone you want to view or administer objects and resources within your AWS environment. Permissions can be applied individually to a user, but the best practice for permission assignments is to add the user to an IAM Group.

IAM Groups are objects that have permissions assigned to them via Policies allowing the members of the Group access to specific resources. Having Users assigned to these groups allows for a uniform approach to access management and control.

25
Q

In which component do users store data in Amazon Glacier, similar to an S3 bucket?

A. a vault
B. an archive
C. a group
D. a container

A

A. a vault

Explanation:
The Amazon Glacier data model core concepts include vaults and archives. The vault is analogous to the S3 buckets as it also stores the archives like a bucket.

26
Q

What choice below accurately describes the ‘pilot light’ disaster recovery method?

A. A scaled-down version of your entire system in another region that can be scaled with minimal recovery time.

B. Backing up data to tape and sending it offsite regularly, from which all data can be restored in the event of a disaster.

C. A very small replica of only your business-critical systems that is always running in another region, in case you need to divert your workloads there in the event of a disaster.

D. A complete duplicate of your entire system in another region, to which all traffic can be directed in the event of a disaster.

A

C. A very small replica of only your business-critical systems that is always running in another region, in case you need to divert your workloads there in the event of a disaster.

Explanation:
The idea of the pilot light is an analogy that comes from gas heating. In that scenario, a small flame that’s always on can quickly ignite the entire furnace to heat up a house. In this DR approach, you simply replicate part of your IT structure for a limited set of core services so that the AWS cloud environment seamlessly takes over in the event of a disaster. A small part of your infrastructure is always running simultaneously syncing mutable data (as databases or documents), while other parts of your infrastructure are switched off and used only during testing. Unlike a backup and recovery approach, you must ensure that your most critical core elements are already configured and running in AWS (the pilot light). When the time comes for recovery, you can rapidly provision a full-scale production environment around the critical core.

27
Q

Which of the following is specifically an AWS security best practice?

A. Applying the principle of least privilege
B. Applying the principle of mechanical sympathy
C. To democratize advanced technologies
D. To design for failure

A

A. Applying the principle of least privilege

Explanation:
Applying the ‘principle of least privilege’ is a security best practice that essentially focuses on only granting the level of access an identity requires to perform its role. This also looks at how to prevent and eliminate identities with long-term credentials.

28
Q

What does Amazon ElastiCache provide?

A. A virtual server with a huge amount of cache memory
B. A managed in-memory cache service
C. An automated in-memory service
D. An Amazon EC2 instance with the Autocached software pre-installed

A

B. A managed in-memory cache service

Explanation:
Amazon ElastiCache allows you to improve the performance of your application by providing an in-memory cache service for the objects of your database, as it allows you to reduce the retrieval time of your data by avoiding the costly secondary-memory access needed by typical disk-based databases.

29
Q

_______ gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

A. Amazon AppStream
B. AWS CloudFormation
C. Amazon Cognito
D. AWS Lambda

A

B. AWS CloudFormation

Explanation:
AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.

30
Q

How does installing the Amazon Inspector Agent on EC2 instances affect instance performance?

A. Inspector agent has minimal effect on the performance of EC2 instances only during assessment run process.
B. Inspector agent affects the performance of EC2 instances all the time as it keeps collecting behavioral and networking data as long as it is running.
C. Inspector agent has a large impact on the performance of EC2 instance and should be started only at off-peak hours.
D. Inspector agent’s impact on performance is determined based on network activity on the EC2 instance; for that reason it is better to reduce utilization of instances while assessment process is running.

A

A. Inspector agent has minimal effect on the performance of EC2 instances only during assessment run process.

Explanation:
Amazon Inspector and the Amazon Inspector agent have been designed for minimal performance impact during the assessment run process.

31
Q

Why is each Amazon region designed to be completely isolated from other Amazon regions?

A. To reduce the operational costs

B. To maximize fault tolerance and stability

C. To provide low latency connections

D. To provide better security

A

B. To maximize fault tolerance and stability

Explanation:
Each Amazon region is designed to be completely isolated from the other Amazon regions. This achieves the greatest possible fault tolerance and stability.

32
Q

Which of the following is true of Reserved-Instance billing within AWS Organizations?

A. The pricing benefits of Reserved Instances are shared when the purchasing account is part of a set of accounts billed under one consolidated billing payer account.

B. The pricing benefits of Reserved Instances can be applied to users within the same organization across Availability Zones.

C. Reserved Instance discounts apply only to the account that purchased the Reserved Instance.

D. Reserved Instance discounts from other accounts in the organization’s consolidated billing family don’t apply.

A

A. The pricing benefits of Reserved Instances are shared when the purchasing account is part of a set of accounts billed under one consolidated billing payer account.

Explanation:
Within AWS Organizations, the pricing benefits of Reserved Instances are shared when the purchasing account is part of a set of accounts billed under one consolidated billing payer account. Users must be within the same Availability Zone to take advantage of shared Reserved Instances for an organization, and AWS organizations make it possible to apply billing discounts to more than one user account.

33
Q

Your company is considering moving its operations to the AWS cloud and is concerned about data resiliency. Which of the following would you recommend as an example of resiliency within AWS?

A. The ability to provision extra capacity

B. The ability to monitor hardware security

C. The ability to use access control mechanisms

D. The ability to use multiple Availability Zones

A

D. The ability to use multiple Availability Zones

Explanation:
One benefit of the AWS cloud is its ability to architect for resilience. In this case, using multiple Availability Zones could improve the resilience of data centers.

34
Q

AWS Lambda monitors Lambda functions and reports metrics through which Amazon service?

A. Amazon Kinesis
B. Amazon CloudWatch
C. Amazon Elastic Compute Cloud
D. Amazon CloudTrail

A

B. Amazon CloudWatch

Explanation:
AWS Lambda automatically monitors Lambda functions on your behalf, reporting metrics through Amazon CloudWatch.

35
Q

A user wants to increase the durability and availability of unencrypted data stored on an EBS volume. Which action could accomplish this?

A. Create a new EBS volume with greater storage capacity and copy the data to it.
B. Create an AMI from the host EC2 instance to backup the data.
C. Take regular snapshots of the data stored on the EBS volume.
D. Create a new EBS volume with data encryption enabled, and copy the data to it.

A

C. Take regular snapshots of the data stored on the EBS volume.

Explanation:
Amazon EBS volumes are designed for an annual failure rate (AFR) of between 0.1% - 0.2%, where failure refers to a complete or partial loss of the volume, depending on the size and performance of the volume. This makes EBS volumes 20 times more reliable than typical commodity disk drives, which fail with an AFR of around 4%. For example, if you have 1,000 EBS volumes running for 1 year, you should expect 1 to 2 will have a failure. EBS also supports a snapshot feature, which is a good way to take point-in-time backups of your data.

36
Q

Which of the following is true of Amazon CloudWatch?

A. Amazon CloudWatch monitors Amazon Web Services (AWS) resources and the applications that run on AWS in real-time.
B. Amazon CloudWatch is a web service that gives businesses an easy and cost-effective way to distribute content with low latency and high data transfer speeds.
C. Amazon CloudWatch runs code without provisioning or managing servers.
D. None of these are true.

A

A. Amazon CloudWatch monitors Amazon Web Services (AWS) resources and the applications that run on AWS in real-time.

Explanation:
Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real-time.

You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. CloudWatch alarms send notifications or automatically make changes to the resources you are monitoring based on rules that you define.

For example, you can monitor the CPU usage and disk reads and writes of your Amazon EC2 instances and then use this data to determine whether you should launch additional instances to handle an increased load. You can also use this data to stop under-used instances to save money. In addition to monitoring the built-in metrics that come with AWS, you can monitor your own custom metrics. With CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.

37
Q

Which choices below are benefits of using AWS-managed services instead of user-managed services? (Choose 2 answers.)

A. Increased user controls

B. additional customization

C. reduced complexity

D. reduced administration

A

C. reduced complexity

D. reduced administration

Explanation:
The AWS managed services reduce the amount of development time required to design and implement a working service, and reduce the operational cost, time and technical knowledge required. As a trade-off, developers have less control over how the operating system and other components operate ‘under the hood,’ and managed services, in general, offer a standard set of options that are not customized for each user.

38
Q

Complete the three definitions:

___________ is the process of defining an identity and the verification of that identity.

___________ determines what resources an identity can access within a system once it has been authenticated.

___________ is the method and process of how access is granted to a secure resource.

A. Authentication; Authorization; Access Control
B. Authorization; Authentication; Access Control
C. Authentication; Access Control; Authorization
D. Authorization; Access Control; Authentication

A

A. Authentication; Authorization; Access Control

Explanation:
Authentication: Process of defining an identity and the verification of that identity

    Example - username and password

Authorization: Determines what an identity can access within a system once it’s been authenticated to it

    Example - An identity’s permissions to access specific AWS services

Access Control: The method and process of how access is granted to a secure resource

    Example: Multi-Factor Authentication
39
Q

What is the meaning of pay-as-you-go, when related to Amazon Web Services?

A. You pay the Cloud provider only when your product is profitable.
B. You pay only when you leave the service.
C. You have no upfront costs, but rather pay on a monthly basis, based on usage.
D. You pay only when your instance is doing very intense computation

A

C. You have no upfront costs, but rather pay on a monthly basis, based on usage.

Explanation:
The concept of pay-as-you-go means that you pay only for the resources you use, for the amount of time you use them in a given month. For instance, you can use an Amazon EC2 Instance only for 30 minutes and you will be charged only for that time, without any upfront costs to launch or terminate the instance.

40
Q

If your AWS data must meet specific regulations such as the EU Data protection laws, what must you do?

A. Be aware that they exist and comply with them when and if you have time to do so
B. Move your data somewhere else so you don’t have to worry about extra security
C. Architect your environment to meet these security requirements
D. Keep that data on-premise and do not move it to the cloud under any circumstance

A

C. Architect your environment to meet these security requirements

Explanation:
Some laws require specific security controls, retention requirements, etc., depending on the data being stored. Other legislation may require certain data to remain within a specific region, so that it cannot be transferred out of those boundaries. You need to architect your environment to meet these security requirements and mitigate the risk of data being stored in a geographic location that’s restricted. Breaches of this legislation could have a legal impact and lead to additional risks against your organization, so it’s fundamental that you are aware of your data privacy and storage location laws and regulations.

41
Q

How does AWS define cloud computing?

A. The on-demand delivery of IT resources through a cloud services platform via the Internet with pay-as-you-go pricing.

B. A pool of servers offering compute resources that are designed to be issued exclusively to individual users and organizations.

C. The term used by cloud architects to describe virtualized technology.

D. A secure pool of compute, storage, and network resources that are accessible only on-premises.

A

A. The on-demand delivery of IT resources through a cloud services platform via the Internet with pay-as-you-go pricing.

Explanation:
AWS cloud computing is described as the on-demand delivery of IT resources through a cloud services platform via the Internet with pay-as-you-go pricing.

42
Q

Which AWS service or tool helps identify idle Amazon RDS DB instances at no additional charge?

A. AWS Budgets

B. AWS Organizations

C. AWS Trusted Advisor

D. Cost Explorer

A

C. AWS Trusted Advisor

Explanation:
AWS Trusted Advisor is the AWS service that scans your environment and makes recommendations by comparing scan results with AWS best practices in 5 categories, including cost optimization. Trusted Advisor checks your Amazon Relational Database Service (Amazon RDS) configuration for any database (DB) instances that appear to be idle. If a DB instance has not had a connection for a prolonged period of time, you can delete the instance to reduce costs. A DB instance is considered idle if the instance hasn’t had a connection in the past 7 days. If persistent storage is needed for data on the instance, you can use lower-cost options such as taking and retaining a DB snapshot. Manually created DB snapshots are retained until you delete them.

AWS Budgets allows you to set a budget that alerts you when you exceed (or are forecasted to exceed) your budgeted cost or usage amount. You can also set alerts based on your RI or Savings Plans Utilization and Coverage using AWS Budgets. However, it is not a service that evaluates your environment in order to identify under-utilized and therefore cost-ineffective instances or resources, such as a DB instance.

AWS Organizations is a service that allows you to consolidate billing costs within your organization by programmatically creating new AWS accounts and allocating resources, grouping accounts to organize your workflows, applying policies to accounts or groups for governance, and simplifying billing by using a single payment method for all of your accounts.

The Cost Explorer tool allows you to visualize, understand, and manage your AWS costs and usage over time. It is not a service that will scan your environment or make recommendations about usage.

43
Q

What is a security benefit of the AWS cloud?

A. AWS maintains all networks

B. AWS monitors facilities and hardware

C. AWS monitors platform security

D. AWS encrypts all data in the cloud

A

B. AWS monitors facilities and hardware

Explanation:
When using the AWS cloud, AWS is responsible for monitoring and maintaining the security of facilities and hardware, so that the customer can focus on security within the cloud. Network, platform, and data security within the cloud are all the responsibility of the customer.

44
Q

Network Access Control Lists (NACLs) are _______.
A. stateless
B. stateful
C. synchronous
D. asynchronous

A

A. stateless

Explanation:
Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

45
Q

Auto Scaling provides which of the following benefits for your application?

A. Your application gains better fault tolerance.
B. Your application and IT staff are held to compliance requirements you have set.
C. Your application reduces its latency in delivering content to a global market.
D. You acquire clarity on prototypes in your application.

A

A. Your application gains better fault tolerance.

Explanation:
When you use Auto Scaling, your applications gain better fault tolerance. Auto Scaling can detect when an instance is unhealthy, terminate it, and launch an instance to replace it. You can also configure Auto Scaling to use multiple Availability Zones. If one Availability Zone becomes unavailable, Auto Scaling can launch instances in another one to compensate.

46
Q

What AWS cloud characteristic makes a resource almost immediately available to allocate when and where you need it?

A. high availability
B. elasticity

C. on-demand resourcing
D. economy of scale

A

C. on-demand resourcing

Explanation:
On-demand resourcing provides you with the ability to provision resources within seconds and minutes, instead of days or weeks that it may take within an on-premise environment, especially if you had to order the additional hardware first. For example, if you had a server in AWS and its CPU utilization was steadily increasing with demand, you would be able to deploy a second server, which would be ready within minutes to take some of the load off of the first.

47
Q

Which feature of AWS Marketplace allows sellers to see how customers are using their products and provides estimates of product revenue?

A. Tax item data feeds

B. Daily business reports

C. Offer data feeds

D. Daily customer subscriber report

A

B. Daily business reports

Explanation:

The Daily business reports feature of AWS Marketplace allows sellers to understand how AWS customers are using your products on a daily basis and the estimated revenue from that usage.

Tax item data feeds are a feature of AWS Marketplace that provides information about tax calculations for a customer invoice.

Offer data feeds provide information about all offers you’ve created as the seller of record.

Daily customer subscriber reports are lists of data for customers who purchased your products. This report doesn’t specify current or past usage, only that a customer is subscribed to your product.

48
Q

In order for Amazon Inspector to access your EC2 instances and collect the assessment data, ________.

A. you have to select the KeyPair associated with your EC2 instance while configuring Amazon Inspector
B. assessment data is pushed to Inspector by AWS agent, no roles needed
C. you have to create an IAM role and associate it with Amazon Inspector
D. Amazon Inspector always runs with admin permissions and has access to EC2 instances by default unless you revoke the permissions

A

you have to create an IAM role and associate it with Amazon Inspector

Explanation:
As a prerequisite to using Amazon Inspector, an IAM role has to be created and associated with Inspector. The role must allow Inspector to call ec2:describeInstances.

49
Q

Amazon CloudFront is a ________.

A. fully managed desktop computing service in the cloud
B. content delivery network service
C. persistent block level storage volume
D. task coordination and state management service for cloud applications

A

B. content delivery network service

Explanation:
Amazon CloudFront is a content delivery network (CDN) service. It integrates with other Amazon Web Services to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments.

50
Q

What additional method of Access Control can be assigned to an AWS user that utilizes a random six-digit number that is only available for a very short time before the number changes?

A. Multi-Factor Authentication

B. Single Sign-On (SSO)
C. Multi-Access Authentication
D. Secure Sign-On (SSO)

A

A. Multi-Factor Authentication

Explanation:
IAM allows for Multi-Factor Authentication (MFA). This means that any user configured with MFA must use an additional level of authentication as well as a password to be authenticated, giving an additional layer of security. This additional authentication utilizes a random six-digit number that is generated by an MFA device and is only available for a very short period before the number changes again. There is no additional charge for this level of authentication. However, you will need your MFA device, which can be a physical token or a virtual device.

51
Q

What changes in overall expenditures can a business expect when it migrates from an on-premises IT environment to a public cloud environment?

A. A change from unpredictable on-premises costs to fixed capital expenditures in the cloud.

B. A change from Immediate Return on Investment (ROI) with on-premises operations to delayed ROI in the cloud.

C. Capital expenses for daily on-premises are replaced with variable operational expenses in the cloud

D. Variable capital expenditures for on-premises are replaced with fixed capital expenditures in the cloud.

A

C. Capital expenses for daily on-premises are replaced with variable operational expenses in the cloud

Explanation:
When migrating operations from on-premises to AWS, an organization will reduce upfront, capital expenditures on computers, servers, and other hardware related to business operations and experience variable costs depending on which AWS services are used within the cloud.

52
Q

Which Amazon EC2 pricing model offers a savings of up to 90%?

A. Reserved Instances

B. On-Demand Instances

C. Spot Instances

D. Dedicated Instances

A

C. Spot Instances

Explanation:
Spot Instances provide up to 90% savings over On-Demand instances, and they offer significant savings opportunities over Reserved Instances, which require a commitment of 1-3 years, and they are significantly cheaper than Dedicated instances, which would not be appropriate in this use case.

53
Q

You are reviewing AWS Elastic Beanstalk and considering how it can support versions of an application. Which statement below is correct?

A. AWS Elastic Beanstalk allows you to run multiple versions of an application at the same time.

B. AWS Elastic Beanstalk allows one version of an application to run at a time.

C. AWS Elastic Beanstalk can store unlimited application versions, but only one application version can run at a time.

D. The number of application versions you can run simultaneously depends on which environment type you select.

A

A. AWS Elastic Beanstalk allows you to run multiple versions of an application at the same time.

Explanation:
AWS Elastic Beanstalk is designed to support multiple running environments such as one for integration testing, one for pre-production, and one for production. Each environment is independently configured and runs on its own separate AWS resources.

54
Q

You are an AWS Solutions Architect helping a client plan a migration to the AWS cloud. The client is very cost-conscious and needs to understand the budget implications of any design decisions prior to signing off. Now that you’ve identified the resources that must be created in the AWS environment to support the migration, what tool could you use to help project future costs given this information?
Trusted Advisor

AWS Pricing Calculator
Cost Explorer
Detailed Billing Reports

A

AWS Pricing Calculator

Explanation:
The AWS Pricing Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

55
Q

Which description of a Recovery Time Objective (RTO) is correct?

It is the maximum acceptable amount of time a system can be offline.

It is the maximum acceptable amount of data loss measured in time.

It is the maximum acceptable amount of income loss measured in transactions.

It is the minimum amount of data loss before a system can fully recover measured in time.

A

It is the maximum acceptable amount of time a system can be offline.

Explanation:
A recovery time objective (RTO) is the maximum acceptable time to restore system service after a disruption, while a recovery point objective (RPO) is the maximum acceptable amount of data loss measured in time. The two concepts are interrelated. The amount of data loss a business can tolerate usually determines the desired recovery time objective. The desired RTO then generally determines the disaster recovery method.

56
Q

Which of the following describes operational excellence, one of the five pillars of the AWS Well-Architected Framework?
Prepare, operate, and evolve
Infrastructure and data protection
Change management and failure management
Review, monitoring, and trade-offs

A

Prepare, operate, and evolve

Explanation:
Prepare, operate, and evolve are interwoven in the following 6 design principles that make up this pillar:

Perform operations as code: This explains how to deploy, respond to events and perform automated operational procedures using code to help prevent human error
Annotate documentation: This defines how it’s possible to automatically create and annotate documentation when provisioning AWS resources
Make frequent, small, reversible changes: The focus of this principle is to implement your changes at small scale and frequently, allowing you to easily roll back a change without affecting a wide customer base if there are issues
Refine operations procedures frequently: This focuses on the importance of consistently refining your operational procedures, evolving them as your business evolves
Anticipate failure: The focus here is to understand and define your potential points of failure and how these can be mitigated
Learn from all operational failures: This principle explains how knowledge sharing is key and how to learn from issues and failures that have occurred.
57
Q

Which of the following costs associated with on-premises labor are significantly reduced when an organization migrates to AWS?

Application development

Server maintenance

Software design

Network encryption

A

Server maintenance

Explanation

When an organization migrates from on-premises to AWS, the responsibility of server maintenance shifts to AWS. Costs associated with application development, software design, and network encryption remain the responsibility of the organization.

58
Q

When scaling ________ you are altering the power of an instance, perhaps using one with greater CPU power to scale.
up and down
in and out
forward
backward

A

up and down

Explanation:
To scale an instance or resource up or down, you are effectively changing the power of that resource, essentially making it more powerful or making it weaker.

59
Q

Which of the following is an IAM best practice?
Assign MFA to users with minimal authorization
Assign permissions to groups and add users to that group
Assign permissions to users where possible

Rotate your access keys once every year

A

Assign permissions to groups and add users to that group

Explanation:
IAM groups contain IAM users, and these groups will have IAM policies associated that will allow or explicitly deny access to AWS resources. These policies are either AWS Managed policies that can be selected from within IAM, or customer-managed policies that are created by you, the customer.

Groups are normally created that relate to a specific requirement or job role. Any users that are a member of that group inherit the permissions applied to the group. By applying permissions to a group instead of individual users, it makes it easy to modify permissions for multiple users at once. All you would need to do is modify the permissions of a group and all users associated with the group would inherit the new access.

60
Q

Which answer accurately describes reliability, one of the five pillars of the Well-Architected Framework?
How to maintain the stability of your environment, recover from failures, and automatically meet resource demands

How to manage and secure your infrastructure by protecting your data by focusing on confidentiality and data integrity

Ensuring you can efficiently meet compliance requirements by monitoring activity and setting effective policy

How to manage the security of what is in AWS environments in the cloud while AWS maintains the security of the AWS environments

A

How to maintain the stability of your environment, recover from failures, and automatically meet resource demands

Explanation:
The pillar looks at how to maintain the stability of your environment and recover from outages and failures, in addition to automatically and dynamically meeting the resourcing demands put upon your infrastructure.

The Reliability best practices are:

Foundations
Change Management
Failure Management
61
Q

You are viewing your AWS resources but can only see the resources tied to the region you’ve specified. What is the reason for this?
Because you only have permissions set to view one region at a time
Because you can only view resources in the region closest to you
Because this is probably an error as you should be able to view resources across all your regions at all times
Because regions are isolated from each other, and AWS does not replicate resources across regions automatically

A

Because regions are isolated from each other, and AWS does not replicate resources across regions automatically

Explanation:
When viewing your resources, you’ll only see the resources tied to the region you’ve specified. The reason for this is because regions are isolated from each other, and AWS does not replicate resources across regions automatically.

62
Q

As it relates to Amazon EC2 instances, what is the function of key pairs?

To encrypt the login information for Linux and Windows EC2 instances and then decrypt the same information, allowing you to authenticate into the instance.
To encrypt data held on EBS volumes using AES-256 cryptography and then decrypt the data to be read again
To encrypt and decrypt passwords for AWS user accounts
To safely make programmatic API calls over an encrypted channel

A

To encrypt the login information for Linux and Windows EC2 instances and then decrypt the same information, allowing you to authenticate into the instance.

Explanation:
A key pair, as the name implies, is made up of two components: a public key and a private key. These keys are 2048-bit SSH-2 RSA keys.

The function of key pairs is to encrypt the login information for Linux and Windows EC2 instances, and then decrypt the same information allowing you to authenticate onto the instance.

The public key uses public-key cryptography to encrypt data such as the username and password. For Windows instances, the private key is used to decrypt this data, allowing you to gain access to the login credentials including the password. For Linux instances, the private key is used to SSH into the instance.

The public key is held and kept by AWS. The private key is your responsibility to keep and ensure that it is not lost.

63
Q

What is a benefit of using identity federation?
It minimizes the amount of administration required within IAM.
You do not need to configure any IAM policies to control access.
You can use the same user to authenticate multiple users externally to your account.
It allows you to authenticate other users from other AWS accounts.

A

It minimizes the amount of administration required within IAM.

Explanation:
Identity federation allows you to access and manage AWS resources even if you don’t have a user account within IAM.

Identity federation allows users from identity providers (IdP) which are external to AWS to access AWS resources securely without having to supply AWS user credentials from a valid IAM user account. An example of an identity provider can be your own corporate Microsoft Active Directory; federated access would then allow the users within it to access AWS. Other forms of identity providers can be any OpenID Connect (OIDC) web provider. Common examples of these are Facebook, Google & Amazon.

As a result, if the users who need access to AWS resources already have identities that could be used with an identity provider, then you could allow access to your environment using these existing accounts instead of setting up a new identity for each of them within AWS IAM. The benefits of this are two-fold:

It minimizes the amount of administration required within IAM.
It allows for a Single Sign-On (SSO) solution.
64
Q

Which choice is correct regarding changing the security groups for instances in a VPC?
You can change an instance’s security groups anytime after the instance is launched.
You cannot change an instance’s security groups after the instance is launched.
You can change an instance’s security groups, but the instances must be stopped.
You can change an instance’s security groups, but you must reboot the instance for the changes to take effect.

A

You can change an instance’s security groups anytime after the instance is launched.

Explanation:
In a VPC, you are allowed to change the security groups an instance belongs to, even after it has been launched.

65
Q

What is AWS Direct Connect?
AWS Direct Connect is a highly available and scalable DNS service designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications.
AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services.
AWS Direct Connect is a web service that makes it easy to schedule regular data movement and data processing activities in the AWS cloud.
AWS Direct Connect is a flexible application management solution with automation tools that enable you to model and control your applications and their supporting infrastructure.

A

AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services.

Explanation:
AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services. AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to the AWS cloud (for example, to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3)) and to Amazon Virtual Private Cloud (Amazon VPC), bypassing Internet service providers in your network path.