CloudAcademy Knowledge Check: Management (SAA-C03) 1 of 2 Flashcards
Where does AWS Config record resource change information and relevant metadata related to the change?
A. In a Configuration Item
B. In an AWS Config rule
C. In a CloudTrail log
D. In a Conformance Pack
A. In a Configuration Item
Explanation:
AWS Config can capture resource changes: any change to a resource type supported by Config is recorded, together with what changed and other useful metadata (the resource's attributes, its relationships to other resources and the time of capture), all held within a record known as a configuration item, or CI.
Config can also act as a resource inventory, because it discovers supported resources running within your environment and lets you see data about each resource type.
Which of the following tasks can AWS Config help you accomplish?
A. Manage and maintain compliance
B. Track resource metrics
C. Automatically delete non-compliant resources
D. Log all API calls to your resources
A. Manage and maintain compliance
Explanation:
AWS Config can:
Enforce rules that check the compliance of your resources against specific controls: predefined (AWS managed) and custom rules can be configured within AWS Config, allowing you to check resource compliance against these rules.
Act as a resource inventory: AWS Config can discover supported resources running within your environment, allowing you to see data about that resource type.
Store configuration history for individual resources: the service records and holds every change that has happened to the resource, providing a useful historical record of changes.
The other choices describe capabilities of Amazon CloudWatch (resource metrics) and AWS CloudTrail (logging API calls). Note that a Config rule can trigger a remediation action (an AWS Systems Manager Automation runbook) when a resource is found non-compliant, but Config itself does not delete resources.
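To show what a custom Config rule actually does with a configuration item, here is an added example (written for this page, not code from AWS or from the original flashcards). The configuration item is constructed by hand to mirror the shape Config records for an AWS::EC2::SecurityGroup; the field names should be checked against a real CI before relying on them, and the rule logic and function names are this example's own. The rule flags any security group that exposes an administrative port (SSH or RDP) to the whole internet.

```python
"""Added example: evaluating a configuration item (CI) in a custom AWS Config rule.
Illustrative code for this page, not AWS code. SAMPLE_CI is constructed."""
import json

# Constructed configuration item: a security group whose inbound rules were just
# changed to allow SSH from anywhere. Field names follow the shape Config records
# for security groups (assumption: verify against a real CI); values are made up.
SAMPLE_CI = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemStatus": "OK",
    "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
    "configuration": {
        "groupName": "web-admin",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []},
        ],
    },
}

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def port_in_rule(rule, port):
    """True if `port` falls inside the rule's range (protocol -1 = all traffic)."""
    if rule.get("ipProtocol") == "-1":
        return True
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:
        return True
    return lo <= port <= hi


def open_to_world(rule):
    """True if the inbound rule accepts traffic from any IPv4 or IPv6 address."""
    cidrs = [r.get("cidrIp") for r in rule.get("ipv4Ranges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    return any(c in PUBLIC_CIDRS for c in cidrs)


def evaluate_compliance(ci, restricted_ports=(22, 3389)):
    """Rule: no inbound rule may expose a restricted admin port to 0.0.0.0/0 or ::/0."""
    if ci.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"  # nothing left to evaluate
    for rule in ci.get("configuration", {}).get("ipPermissions", []):
        if open_to_world(rule) and any(port_in_rule(rule, p) for p in restricted_ports):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def build_evaluation(event):
    """Shape of a custom-rule Lambda handler: Config delivers the CI inside
    event["invokingEvent"] as a JSON string, and the handler reports one evaluation
    per resource. A real Lambda would pass this dict to
    boto3.client("config").put_evaluations(...); here it is simply returned."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": evaluate_compliance(ci),
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


if __name__ == "__main__":
    event = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_CI,
                                         "messageType": "ConfigurationItemChangeNotification"})}
    print(build_evaluation(event))
```

The rule is invoked once per configuration item, so each recorded change is judged on its own; the resulting evaluation is what the Config console shows as the resource's compliance status, and what a remediation action would key off.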
An IAM user belongs to an IAM group that is allowed permission to create Amazon EC2 instances. The user's AWS account is also in an organizational unit (OU) to which a service control policy (SCP) is attached that denies all access to Amazon EC2. If this user tries to create and launch an EC2 instance, what will happen?
A. The user will be denied access to Amazon EC2 because denies in SCPs assigned in AWS Organizations overrule allows in identity-based permissions granted through IAM.
B. The user will be granted access to Amazon EC2 because identity-based permissions allowed through IAM overrule denies in SCPs assigned through AWS Organizations.
C. The user's request will be reviewed for approval by the AWS Organizations management account (formerly called the master account).
D. The user's request will be reviewed for approval by both the owner of the related AWS account and the AWS Organizations management account.
A. The user will be denied access to Amazon EC2 because denies in SCPs assigned in AWS Organizations overrule allows in identity-based permissions granted through IAM.
Explanation:
Here is how AWS Organizations' SCPs and IAM policies work together:
Users and roles must still be granted permissions with appropriate IAM permission policies. A user without any IAM permission policies has no access, even if the applicable SCPs allow all services and all actions.
If a user or role has an IAM permission policy that grants access to an action that is also allowed by the applicable SCPs, the user or role can perform that action.
If a user or role has an IAM permission policy that grants access to an action that is either not allowed or explicitly denied by the applicable SCPs, the user or role can't perform that action.
SCPs apply to every IAM user and role in a member account, including the account's root user, but they never apply to the organization's management account and they never grant permissions on their own: the effective permission is the intersection of what the SCPs allow and what the IAM policies allow, and any explicit deny in either wins.
_____________ in AWS Control Tower help to keep all of your users’ accounts and make sure everything is in compliance with basic security regulations.
A. Guardrails
B. Registries
C. Service control policies
D. Rule groups
A. Guardrails
Explanation:
Guardrails (now called controls in the AWS Control Tower console) are the preconfigured governance rules that Control Tower applies to the accounts in your landing zone to keep them in compliance with basic security regulations. Preventive guardrails are implemented as service control policies, detective guardrails as AWS Config rules, and Control Tower reports the compliance status of each enrolled account in its dashboard.
Which Amazon CloudWatch feature allows CloudWatch to implement machine learning algorithms against your metric data to help detect any activity that sits outside of the normal baseline parameters?
A. alarms
B. anomaly detection
C. EventBridge
D. logs
B. anomaly detection
Explanation:
CloudWatch metrics also allow you to enable a feature known as anomaly detection. This allows CloudWatch to implement machine learning algorithms against your metric data to help detect any activity that sits outside of the normal baseline parameters that are generally expected.
What is the general workflow of AWS Systems Manager?
A. Group your AWS resources, examine your AWS resources’ relevant operational data via dashboards, and take action to mitigate any issues reported.
B. View your resources via dashboards and take action to mitigate any issues reported.
C. Take action to mitigate any issues reported, group your AWS resources, and examine your AWS resources’ relevant operational data via dashboards.
D. Examine your AWS resources’ relevant operational data via dashboards, group your AWS resources, and take action to mitigate any issues reported.
A. Group your AWS resources, examine your AWS resources’ relevant operational data via dashboards, and take action to mitigate any issues reported.
Explanation:
In general, using Systems Manager entails grouping your AWS resources, examining their relevant operational data via dashboards, and, finally, taking action to mitigate any issues reported.
What is a service control policy (SCP) within the AWS Organizations service?
A. A hierarchical, visual representation of your company's entire AWS account structure
B. A method of categorizing a company's multiple AWS accounts
C. A method of controlling which AWS services are accessible for specific AWS accounts within your AWS account structure
D. A container at the top of a company's AWS accounts structure
C. A method of controlling which AWS services are accessible for specific AWS accounts within your AWS account structure
Explanation:
An Organization is an element that serves to form a hierarchical structure of multiple AWS accounts. You could think of an organization as a family tree which provides a graphical view of your entire AWS account structure. At the very top of this Organization, there will be a Root container.
The Root object is simply a container that resides at the top of your Organization. All of your AWS accounts and Organizational units will then sit underneath this Root. Within any Organization, there will only be one single Root object.
Organizational Units (OUs) provide a means of categorizing your AWS accounts. Again, like the Root, these are simply containers that allow you to group together specific AWS accounts. An organizational unit (or OU) can sit directly below the Root or below another OU (OUs can be nested up to five levels deep). This allows you to create a hierarchical structure, as mentioned previously.
Accounts. These are the AWS accounts that you use and create to configure and provision AWS resources. Each AWS account has a 12-digit account number.
Service control policies, or SCPs, allow you to control which services and features are accessible from within an AWS account. An SCP can be attached to the Root, to Organizational Units, or to individual accounts, and its controls are inherited by every child object beneath the attachment point. Think of it as a ceiling on permissions, similar in effect to an IAM permissions boundary but applied to whole accounts: an SCP never grants access by itself, it only limits what the account's IAM policies can grant, and it does not restrict the organization's management account.
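The EC2 question earlier on this page and the SCP definition here describe the same evaluation logic, so one added example serves both (written for this page, not AWS code). The two policy documents are constructed in real IAM JSON syntax: an identity policy on the user's group that allows EC2 actions, and an SCP on the account's OU that keeps the default FullAWSAccess statement but adds a Deny on ec2:*. The evaluator is a deliberately small model of the documented logic (explicit deny wins; the SCPs must allow and an IAM policy must allow). It ignores resource ARNs, conditions, NotAction, resource-based policies and permissions boundaries, and it does not model the management account, which SCPs never restrict.

```python
"""Added example: combining an SCP with an IAM identity policy.
Illustrative code for this page, not AWS code; both policies are constructed."""
from fnmatch import fnmatchcase

# Constructed IAM identity policy attached to the user's group.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}

# Constructed SCP attached to the account's OU: FullAWSAccess plus a deny on EC2.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"},
    ],
}


def _actions(stmt):
    """Action may be a single string or a list; normalise to a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else action


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards;
    # fnmatchcase on lowercased strings reproduces that for these characters.
    return fnmatchcase(action.lower(), pattern.lower())


def policy_decision(policy, action):
    """'deny' if any Deny statement matches, else 'allow' if any Allow statement
    matches, else 'implicit_deny'. The same rule applies to IAM policies and SCPs."""
    decision = "implicit_deny"
    for stmt in policy.get("Statement", []):
        if any(_action_matches(p, action) for p in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny ends evaluation
            decision = "allow"
    return decision


def is_allowed(action, iam_policies, scps):
    """Effective permission inside a member account: every applicable SCP (root,
    each OU on the path, the account itself) must allow the action, and at least
    one identity policy must allow it. An explicit deny anywhere wins."""
    for scp in scps:
        if policy_decision(scp, action) != "allow":
            return False
    return any(policy_decision(p, action) == "allow" for p in iam_policies)


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "ec2:DescribeInstances", "s3:ListAllMyBuckets", "iam:CreateUser"):
        verdict = "ALLOW" if is_allowed(act, [IAM_POLICY], [SCP]) else "DENY"
        print(f"{act:25} -> {verdict}")
```

Running it shows the two ways an action ends up denied: ec2:RunInstances is allowed by IAM but blocked by the SCP's explicit Deny, while iam:CreateUser is permitted by the SCP yet still denied because no IAM policy grants it. Only s3:ListAllMyBuckets, allowed on both sides, goes through.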
Amazon CloudWatch _____ allow you to implement automatic actions based on specific thresholds that you can configure related to each metric.
A. anomaly detections
B. rules
C. alarms
D. events
C. alarms
Explanation:
Amazon CloudWatch alarms tightly integrate with the metrics just discussed and allow you to implement automatic actions based on specific thresholds that you configure for each metric. An alarm watches a single metric (or the result of a metric math expression) and moves between the states OK, ALARM and INSUFFICIENT_DATA when the metric breaches the threshold for the configured number of evaluation periods; its actions, such as notifying an SNS topic or triggering an Auto Scaling or EC2 action, run on that state change.
What is the primary function of AmazonCloudWatch?
A. To notify you regardingconfiguration changes toyour AWS resources
B. To monitor your AWS resources’ performance against specific metrics and thresholds
C. To track and record API requests made in AWS
D. To provide feedback on your AWS cloud environment’s configuration based on best practices
B. To monitor your AWS resources’ performance against specific metrics and thresholds
Explanation:
The primary function of Amazon CloudWatch is to provide a means of monitoring the resources that you're running within AWS via a series of metrics, which are specific to each service that you are using. This allows you to react quickly to events, diagnose problems, and dynamically adjust to any availability or scalability issue that you might be experiencing.
In Amazon EventBridge (formerly Amazon CloudWatch Events), a(n) _____ acts as a filter for incoming streams of event traffic and then routes these events to the appropriate target.
A. log
B. event bus
C. rule
D. alarm
C. rule
Explanation:
A rule acts as a filter for incoming streams of event traffic and then routes these events to the appropriate target defined within the rule. Rules are attached to an event bus; a rule's event pattern lists the fields and values an event must contain, fields the pattern does not mention are ignored, and an event that matches several rules is delivered to each rule's targets.
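To make the filter-then-route behaviour concrete, here is an added example (written for this page, not part of EventBridge or the original text). Two rules are constructed in the event-pattern syntax EventBridge uses, one catching IAM permission changes delivered via CloudTrail and one catching console sign-ins without MFA, and three events are constructed in the envelope EventBridge uses for CloudTrail-delivered events. The matcher implements a subset of the documented pattern semantics (exact values, the "prefix", "anything-but" and "exists" filters, nested objects, and array-valued event fields) and deliberately fails closed on any filter it does not know.

```python
"""Added example: an EventBridge rule as an event filter that routes to targets.
Illustrative code for this page; the rules and events are constructed."""

# Constructed rules: each maps a target name to an event pattern.
RULES = {
    "iam-change-alert": {
        "source": ["aws.iam"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["iam.amazonaws.com"],
            "eventName": [{"prefix": "Attach"}, {"prefix": "Put"}, "CreateAccessKey"],
        },
    },
    "console-login-no-mfa": {
        "detail-type": ["AWS Console Sign In via CloudTrail"],
        "detail": {
            "eventName": ["ConsoleLogin"],
            "additionalEventData": {"MFAUsed": ["No"]},
        },
    },
}


def _value_matches(candidate, value):
    """One pattern element against one event value. An array-valued event field
    matches when any of its elements matches."""
    if isinstance(value, list):
        return any(_value_matches(candidate, v) for v in value)
    if isinstance(candidate, dict):
        if "prefix" in candidate:
            return isinstance(value, str) and value.startswith(candidate["prefix"])
        if "anything-but" in candidate:
            excluded = candidate["anything-but"]
            excluded = excluded if isinstance(excluded, list) else [excluded]
            return value not in excluded
        return False  # unsupported content filter: fail closed
    return candidate == value


def _field_matches(candidates, event, key):
    """A leaf pattern is a list of alternatives; any one of them may match.
    The "exists" filter is about presence, so it is checked before the value."""
    present = key in event
    for cand in candidates:
        if isinstance(cand, dict) and "exists" in cand:
            if cand["exists"] == present:
                return True
            continue
        if present and _value_matches(cand, event[key]):
            return True
    return False


def event_matches(pattern, event):
    """Every key in the pattern must match; event keys the pattern does not
    mention are ignored, which is what makes a pattern a filter."""
    for key, sub in pattern.items():
        if isinstance(sub, dict):
            if not isinstance(event.get(key), dict) or not event_matches(sub, event[key]):
                return False
        elif not _field_matches(sub, event, key):
            return False
    return True


def route(rules, event):
    """Names of the targets whose rule matches the event (zero, one or many)."""
    return [target for target, pattern in rules.items() if event_matches(pattern, event)]


# Constructed events in the envelope EventBridge uses for CloudTrail events.
IAM_EVENT = {
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
               "requestParameters": {"userName": "alice",
                                     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
}
READONLY_EVENT = {
    "source": "aws.iam", "detail-type": "AWS API Call via CloudTrail",
    "detail": {"eventSource": "iam.amazonaws.com", "eventName": "GetUser"},
}
LOGIN_EVENT = {
    "source": "aws.signin", "detail-type": "AWS Console Sign In via CloudTrail",
    "detail": {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"}},
}

if __name__ == "__main__":
    for name, ev in (("IAM_EVENT", IAM_EVENT), ("READONLY_EVENT", READONLY_EVENT), ("LOGIN_EVENT", LOGIN_EVENT)):
        print(name, "->", route(RULES, ev))
```

The read-only GetUser call matches neither rule and is simply dropped, which is the point of filtering at the rule rather than in the target: the Lambda function or SNS topic behind "iam-change-alert" only ever sees the events it should act on.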
In AWS Service Catalog, which type of constraint lets you configure where you want your products to launch?
A. tag update
B. template
C. launch
D. stack set
D. stack set
Explanation:
Stack set constraint: this constraint lets you specify the AWS accounts and Regions in which a product may be launched, using CloudFormation StackSets. By contrast, a launch constraint specifies the IAM role that Service Catalog assumes to provision the product, so end users do not need direct permissions on the underlying resources.
AWS Control Tower is a service that offers a larger and more controlled method of _____.
A. searching, visualizing, and analyzing up to petabytes of text and unstructured data
B. creating, distributing, managing, and auditing multiple accounts
C. provisioning, managing, and deploying SSL/TLS certificates
D. centrally managing firewall rules
B. creating, distributing, managing, and auditing multiple accounts
Explanation:
AWS Control Tower is a service that offers a larger and more controlled method of creating, distributing, managing, and auditing multiple accounts.
Which three AWS Config components use configuration items? (Choose 3 answers)
A. Configuration history
B. Configuration snapshots
C. Configuration streams
D. Config rules
A. Configuration history
B. Configuration snapshots
C. Configuration streams
Explanation:
Configuration items are used by other features and components of AWS Config, such as:
Configuration History: configuration items are used to look up all changes that have been made to a resource.
Configuration Streams: configuration items are sent to an SNS topic to enable analysis of the data.
Configuration Snapshots: configuration items are used to create a point-in-time snapshot of all supported resources.
What is AWS Systems Manager?
A. a service that continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations
B. a service that monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost
C. a set of fully managed AWS services that enable automated configuration and ongoing management of systems at scale in a secure and reliable way across all your Linux and Windows instances running on Amazon EC2, your own data center, or other cloud platforms
D. a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account
C. a set of fully managed AWS services that enable automated configuration and ongoing management of systems at scale in a secure and reliable way across all your Linux and Windows instances running on Amazon EC2, your own data center, or other cloud platforms
Explanation:
Systems Manager is a set of fully managed AWS services that enable automated configuration and ongoing management of systems at scale in a secure and reliable way across all your Linux and Windows instances running on Amazon EC2, your own data center, or other cloud platforms.
The _____ feature of AWS Systems Manager is a fully managed capability that lets you connect to any managed instance using an interactive browser shell login for Linux, Windows, and macOS instances.
A. Session Manager
B. Fleet Manager
C. Patch Manager
D. State Manager
A. Session Manager
Explanation:
The Session Manager feature of Systems Manager is a fully managed capability that lets you connect to any managed instance using an interactive browser-based shell (or the AWS CLI) for Linux, Windows, and macOS instances. Because the connection is brokered through the SSM Agent, it needs no open inbound ports, no bastion host and no SSH keys to manage; access is controlled by IAM policies and session activity can be logged to Amazon S3 or CloudWatch Logs.