Ch11 Additional Key Services Flashcards
What origin servers are supported by Amazon CloudFront? (Choose 3 answers)
A. An Amazon Route 53 Hosted Zone
B. An Amazon Simple Storage Service (Amazon S3) bucket
C. An HTTP server running on Amazon Elastic Compute Cloud (Amazon EC2)
D. An Amazon EC2 Auto Scaling Group
E. An HTTP server running on-premises
B, C, E. Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether
or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource
records, while an Auto Scaling Group launches or terminates Amazon EC2 instances
automatically. Neither can be specified as an origin server for a distribution.
Which of the following are good use cases for Amazon CloudFront? (Choose 2 answers)
A. A popular software download site that supports users around the world, with
dynamic content that changes rapidly
B. A corporate website that serves training videos to employees. Most employees are
located in two corporate campuses in the same city.
C. A heavily used video and music streaming service that requires content to be
delivered only to paid subscribers
D. A corporate HR website that supports a global workforce. Because the site contains
sensitive data, all users must connect through a corporate Virtual Private Network
(VPN).
A, C. The site in A is “popular” and supports “users around the world,” key indicators that
CloudFront is appropriate. Similarly, the site in C is “heavily used,” and requires private
content, which is supported by Amazon CloudFront. Both B and D are corporate use
cases where the requests come from a single geographic location or appear to come from
one (because of the VPN). These use cases will generally not see benefit from Amazon
CloudFront.
Your company data center is completely full, but the sales group has determined a need
to store 200TB of product video. The videos were created over the last several years, with
the most recent being accessed by sales the most often. The data must be accessed
locally, but there is no space in the data center to install local storage devices to store this
data. What AWS cloud service will meet sales’ requirements?
A. AWS Storage Gateway Gateway-Stored volumes
B. Amazon Elastic Compute Cloud (Amazon EC2) instances with attached Amazon EBS
Volumes
C. AWS Storage Gateway Gateway-Cached volumes
D. AWS Import/Export Disk
C. AWS Storage Gateway allows you to access data in Amazon S3 locally, with the
Gateway-Cached volume configuration allowing you to expand a relatively small amount
of local storage into Amazon S3.
Your company wants to extend their existing Microsoft Active Directory capability into
an Amazon Virtual Private Cloud (Amazon VPC) without establishing a trust relationship
with the existing on-premises Active Directory. Which of the following is the best
approach to achieve this goal?
A. Create and connect an AWS Directory Service AD Connector.
B. Create and connect an AWS Directory Service Simple AD.
C. Create and connect an AWS Directory Service for Microsoft Active Directory
(Enterprise Edition).
D. None of the above
B. Simple AD is a Microsoft Active Directory-compatible directory that is powered by
Samba 4. Simple AD supports commonly used Active Directory features such as user
accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon
EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On
(SSO), and group policies.
Which of the following are AWS Key Management Service (AWS KMS) keys that will never exit AWS unencrypted? A. AWS KMS data keys B. Envelope encryption keys C. AWS KMS Customer Master Keys (CMKs) D. A and C
C. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can
never leave AWS KMS unencrypted, but data keys can.
Which cryptographic method is used by AWS Key Management Service (AWS KMS) to encrypt data? A. Password-based encryption B. Asymmetric C. Shared secret D. Envelope encryption
D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key,
encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted
versions of the data key to you. You use the plaintext key to encrypt data and store the
encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if
you have the encrypted data key and you have permission to use the corresponding
master key.
Which AWS service records Application Program Interface (API) calls made on your
account and delivers log files to your Amazon Simple Storage Service (Amazon S3)
bucket?
A. AWS CloudTrail
B. Amazon CloudWatch
C. Amazon Kinesis
D. AWS Data Pipeline
A. AWS CloudTrail records important information about each API call, including the
name of the API, the identity of the caller, the time of the API call, the request
parameters, and the response elements returned by the AWS Cloud service.
You are trying to decrypt ciphertext with AWS KMS and the decryption operation is
failing. Which of the following are possible causes? (Choose 2 answers)
A. The private key does not match the public key in the ciphertext.
B. The plaintext was encrypted along with an encryption context, and you are not
providing the identical encryption context when calling the Decrypt API.
C. The ciphertext you are trying to decrypt is not valid.
D. You are not providing the correct symmetric key to the Decrypt API.
B, C. Encryption context is a set of key/value pairs that you can pass to AWS KMS when
you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included
in the ciphertext, it is cryptographically bound to the ciphertext during encryption and
must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext
for decryption is plaintext that has been encrypted in a different AWS account or
ciphertext that has been altered since it was originally encrypted
Your company has 30 years of financial records that take up 15TB of on-premises
storage. It is regulated that you maintain these records, but in the year you have worked
for the company no one has ever requested any of this data. Given that the company data
center is already filling the bandwidth of its Internet connection, what is an alternative
way to store the data on the most appropriate cloud storage?
A. AWS Import/Export to Amazon Simple Storage Service (Amazon S3)
B. AWS Import/Export to Amazon Glacier
C. Amazon Kinesis
D. Amazon Elastic MapReduce (AWS EMR)
B. Because the Internet connection is full, the best solution will be based on using AWS
Import/Export to ship the data. The most appropriate storage location for data that must
be stored, but is very rarely accessed, is Amazon Glacier.
Your company collects information from the point of sale registers at all of its franchise
locations. Each month these processes collect 200TB of information stored in Amazon
Simple Storage Service (Amazon S3). Analytics jobs taking 24 hours are performed to
gather knowledge from this data. Which of the following will allow you to perform these
analytics in a cost-effective way?
A. Copy the data to a persistent Amazon Elastic MapReduce (Amazon EMR) cluster,
and run the MapReduce jobs.
B. Create an application that reads the information of the Amazon S3 bucket and runs
it through an Amazon Kinesis stream.
C. Run a transient Amazon EMR cluster, and run the MapReduce jobs against the data
directly in Amazon S3.
D. Launch a d2.8xlarge (32 vCPU, 244GB RAM) Amazon Elastic Compute Cloud
(Amazon EC2) instance, and run an application to read and process each object
sequentially.
C. Because the job is run monthly, a persistent cluster will incur unnecessary compute
costs during the rest of the month. Amazon Kinesis is not appropriate because the
company is running analytics as a batch job and not on a stream. A single large instance
does not scale out to accommodate the large compute needs.
Which service allows you to process nearly limitless streams of data in flight?
A. Amazon Kinesis Firehose
B. Amazon Elastic MapReduce (Amazon EMR)
C. Amazon RedshiftD. Amazon Kinesis Streams
D. The Amazon Kinesis services enable you to work with large data streams. Within the
Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS
storage services, while Amazon Kinesis Streams provide the ability to process the data in
the stream.
What combination of services enable you to copy daily 50TB of data to Amazon storage,
process the data in Hadoop, and store the results in a large data warehouse?
A. Amazon Kinesis, Amazon Data Pipeline, Amazon Elastic MapReduce (Amazon
EMR), and Amazon Elastic Compute Cloud (Amazon EC2)
B. Amazon Elastic Block Store (Amazon EBS), Amazon Data Pipeline, Amazon EMR,
and Amazon Redshift
C. Amazon Simple Storage Service (Amazon S3), Amazon Data Pipeline, Amazon EMR,
and Amazon Redshift
D. Amazon S3, Amazon Simple Workflow, Amazon EMR, and Amazon DynamoDB
C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs
on Amazon and on-premises data sources. The best storage for large data is Amazon S3,
and Amazon Redshift is a large-scale data warehouse service.
Your company has 50,000 weather stations around the country that send updates every 2
seconds. What service will enable you to ingest this stream of data and store it to
Amazon Simple Storage Service (Amazon S3) for future processing?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Kinesis Firehose
C. Amazon Elastic Compute Cloud (Amazon EC2)
D. Amazon Data Pipeline
B. Amazon Kinesis Firehose allows you to ingest massive streams of data and store the
data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).
Your organization uses Chef heavily for its deployment automation. What AWS cloud
service provides integration with Chef recipes to start new application server instances,
configure application server software, and deploy applications?
A. AWS Elastic Beanstalk
B. Amazon Kinesis
C. AWS OpsWorks
D. AWS CloudFormation
C. AWS OpsWorks uses Chef recipes to start new app server instances, configure
application server software, and deploy applications. Organizations can leverage Chef
recipes to automate operations like software configurations, package installations,
database setups, server scaling, and code deployment.
A firm is moving its testing platform to AWS to provide developers with instant access to
clean test and development environments. The primary requirement for the firm is to
make environments easily reproducible and fungible. What service will help the firm
meet their requirements?
A. AWS CloudFormation
B. AWS Config
C. Amazon Redshift
D. AWS Trusted Advisor
A. With AWS CloudFormation, you can reuse your template to set up your resources
consistently and repeatedly. Just describe your resources once and then provision the
same resources over and over in multiple stacks.
