CSA Flashcards
Which is the best definition of cloud architecture?
A. Applying cloud characteristics to a solution that uses cloud services and features to meet technical and business requirements
B. Combining frontend and backend software and components to create highly available and scalable web services that meet the needs of an organization
C. Relocating traditional on-premises data centers to internet-accessible data centers that a vendor manages
D. Designing applications in cloud-based, shared IT infrastructure by using virtual machines and fault-tolerant data stores in the cloud
A. Applying cloud characteristics to a solution that uses cloud services and features to meet technical and business requirements
The AWS Well-Architected Framework has six pillars. Three of the pillars are security, operational excellence, and sustainability. What are two of the other pillars of the Well-Architected Framework? (Select TWO.)
A. Privacy
B. Reliability
C. Governance
D. Cost Optimization
E. Risk Management
B. Reliability
D. Cost Optimization
Which actions are consistent with the operational excellence pillar of the AWS Well-Architected Framework? (Select TWO.)
A. Apply software engineering principles and methodology to infrastructure as code.
B. Ensure operations personnel document changes to the infrastructure.
C. Plan and manage the full lifecycle of hardware assets.
D. Evaluate organizational structures and roles to identify skill gaps.
E. Review and improve processes and procedures on a continuous cycle.
A. Apply software engineering principles and methodology to infrastructure as code.
E. Review and improve processes and procedures on a continuous cycle.
A specific application requires a frontend web tier of multiple servers that communicate with a backend application tier of multiple servers. Which design most closely follows AWS best practices?
A. Design the web tier to communicate with the application tier through the Elastic Load Balancing (ELB) service.
B. Create multiple instances that each combine a web frontend and application backend in the same instance.
C. Assign a dedicated application server and a dedicated connection to each web server.
D. Create a full mesh network between the web and application tiers, so that each web server can communicate directly with every application server.
A. Design the web tier to communicate with the application tier through the Elastic Load Balancing (ELB) service.
A solutions architect is developing a process for handling server failures. Which process most closely follows AWS best practices?
A. Amazon CloudWatch detects a system failure. It initiates automation to provision a new server.
B. Amazon CloudWatch detects a system failure. It notifies the systems administrator, who provisions a new server by using the AWS Management Console.
C. The operations staff detects a system failure. They initiate automation to provision a new server.
D. The operations staff detects a system failure. They notify the systems administrator, who provisions a new server by using the AWS Management Console.
A. Amazon CloudWatch detects a system failure. It initiates automation to provision a new server.
A company is considering moving their on-premises data center to the cloud. Their primary motivation is to increase their cost efficiency. Which approach most closely follows AWS best practices?
A. Replicate their on-premises data center in the cloud.
B. Maintain the on-premises data center as long as possible.
C. Provision some of the servers in the cloud and ensure the servers run 24/7.
D. Provision the servers that are needed and stop services when they are not being used.
D. Provision the servers that are needed and stop services when they are not being used.
A company stores read-only data in Amazon S3. Most users are in the same country as the company headquarters. Some users are located around the world. Which design decision most closely follows AWS best practices?
A. Replicate objects across buckets in AWS Regions around the world. Users access the bucket in the Region closest that is to them.
B. Use a bucket in the Region closest to the company headquarters.
C. Use a bucket in the AWS Region that is closest to the company headquarters. All users access the data through Amazon CloudFront.
D. Use a bucket in the Region that has the lowest average latency for all users.
C. Use a bucket in the AWS Region that is closest to the company headquarters. All users access the data through Amazon CloudFront.
A consultant must access a large object in an S3 bucket. They need one day to access the file. Which method for granting access most closely follows AWS best practices?
A. Enable public access on the S3 bucket. Give the object URL to the consultant.
B. Create a presigned URL to the object that expires in 24 hours, and give it to the consultant.
C. Create a user account for the consultant. Grant the user account permissions to access the S3 bucket through the AWS Management Console.
D. Copy the object to a new S3 bucket. Enable public access on the new bucket. From the new bucket, get the object URL, and give it to the consultant.
B. Create a presigned URL to the object that expires in 24 hours, and give it to the consultant.
Which are main considerations that influence which AWS Regions to use? (Select TWO.)
A. Security and access control
B. Protection against localized natural disasters
C. Compliance with laws and regulations
D. Application resiliency during system failures
E. Latency reduction for end users
C. Compliance with laws and regulations
E. Latency reduction for end users
Which statement reflects a design principle of the security pillar of the Well-Architected Framework?
A. Ensure that staff are actively monitoring potential risks manually.
B. Decentralize privilege management.
C. Apply security at all layers of an architecture.
D. Do not deploy a solution to production until you’re certain that no security risks exist.
C. Apply security at all layers of an architecture.
Which statements about responsibility are accurate based on the AWS shared responsibility model? (Select TWO.)
A. AWS is responsible for the configuration of security groups.
B. Customers are responsible for managing their user data.
C. AWS is responsible for the physical security of data centers.
D. Customers are responsible for the installation, maintenance, and decommissioning of the hardware that they use in the AWS data center.
E. AWS is responsible for host-based firewall configurations.
B. Customers are responsible for managing their user data.
C. AWS is responsible for the physical security of data centers.
Which options are characteristics of the principle of least privilege? (Select TWO.)
A. Use encryption.
B. Always use groups.
C. Craft security policies that limit access to specific tasks.
D. Monitor actions and changes.
E. Grant access only as needed.
C. Craft security policies that limit access to specific tasks.
E. Grant access only as needed.
Which statement about AWS Identity and Access Management (IAM) is true?
A. With IAM, you can manage encryption for items that require encryption at rest.
B. IAM provides an audit trail of who performed an action, what action they performed, and when they performed it.
C. IAM provides an extra layer of security by offering anomaly detection on resources.
D. With IAM, you can grant principals granular access to resources.
D. With IAM, you can grant principals granular access to resources.
Which statements describe AWS Identity and Access Management (IAM) roles? (Select TWO.)
A. They provide temporary security credentials.
B. They are uniquely associated to an individual.
C. Individuals, applications, and services can assume roles.
D. They provide permanent security credentials.
E. They can only be used by accounts that are associated to the person who creates the role.
A. They provide temporary security credentials.
C. Individuals, applications, and services can assume roles.
Which statement reflects a best practice for the root user on an AWS account?
A. Create an admin user and perform most admin tasks with this user instead of the root user.
B. Remove unneeded permissions from the root user account.
C. To avoid getting locked out of the account, do not enable multi-factor authentication (MFA) on the root account.
D. Create two root users with separate credentials and distribute them to two different individuals.
A. Create an admin user and perform most admin tasks with this user instead of the root user.
How does AWS Identity and Access Management (IAM) evaluate a policy?
A. It checks for explicit allow statements before it checks for explicit deny statements.
B. It checks for explicit deny statements before it checks for explicit allow statements.
C. An explicit deny statement does not override an explicit allow statement.
D. If the policy doesn’t have any explicit deny statements or explicit allow statements, users have access by default.
B. It checks for explicit deny statements before it checks for explicit allow statements.
Which statement about AWS Identity and Access Management (IAM) policies is accurate?
A. Identity-based policies can only be attached to a single entity.
B. Resource-based policies are attached to a user, group, or role.
C. Identity-based policies are attached to a user, group, or role.
D. Resource-based policies allow access by default.
C. Identity-based policies are attached to a user, group, or role.
Which AWS Identity and Access Management (IAM) policy element includes information about whether to allow or deny a request?
A. Action
B. Effect
C. Principal
D. Condition
B. Effect
Which option accurately describes the statement element in an AWS Identity and Access Management (IAM) policy?
A. The statement element contains other elements that together define what is allowed or denied.
B. The statement element is an optional part of an IAM policy.
C. A policy can only have one statement element.
D. The statement element does not apply to identity-based policies.
A. The statement element contains other elements that together define what is allowed or denied.
Which are main considerations that influence which Availability Zones to use? (Select TWO.)
A. Protection against localized natural disasters
B. Application resiliency during system failures
C. Compliance with laws and regulations
D. Latency reduction for end users
E. Security and access control
A. Protection against localized natural disasters
B. Application resiliency during system failures
Due to a company merger, a data engineer needs to increase their object storage capacity. They are not sure how much storage they will need. They want a highly scalable service that can store unstructured, semistructured, and structured data. Which service would be the most cost-effective to accomplish this task?
A. Amazon S3
B. Amazon Elastic Block Store (Amazon EBS)
C. AWS Storage Gateway
D. Amazon RDS
A. Amazon S3
Amazon S3 provides a good solution for which use case?
A. A data warehouse for business intelligence
B. An internet-accessible storage location for video files that an external website can access
C. Hourly storage of frequently accessed temporary files
D. Ledger data that is updated and accessed frequently
B. An internet-accessible storage location for video files that an external website can access
A company is interested in using Amazon S3 to host their website instead of a traditional web server. Which types of content does Amazon S3 support for static web hosting? (Select THREE.)
A. HTML files and image files
B. Database engine
C. Server-side scripts
D. Video and sound files
E. Dynamic HTML files
F. Client-side scripts
A. HTML files and image files
D. Video and sound files
F. Client-side scripts
A company wants to use an S3 bucket to store sensitive data. Which actions can they take to protect their data? (Select TWO.)
A. Uploading unencrypted files to Amazon S3 because Amazon S3 encrypts the files by default
B. Enabling server-side encryption on the S3 bucket before uploading sensitive data
C. Using Secure File Transfer Protocol (SFTP) to connect directly to Amazon S3
D. Using client-side encryption to protect data in transit before it is sent to Amazon S3
E. Enabling server-side encryption on the S3 bucket after uploading sensitive data
B. Enabling server-side encryption on the S3 bucket before uploading sensitive data
D. Using client-side encryption to protect data in transit before it is sent to Amazon S3
A company must create a common place to store shared files. Which requirements does Amazon S3 support? (Select TWO.)
A. Lock a file so that only one person at a time can edit it.
B. Recover deleted files.
C. Compare file contents between files.
D. Maintain different versions of files.
E. Attach comments to files.
B. Recover deleted files.
D. Maintain different versions of files.
A customer service team accesses case data daily for up to 30 days. Cases can be reopened and require immediate access for 1 year after they are closed. Reopened cases require 2 days to process. Which solution meets the requirements and is the most cost-efficient?
A. Store case data in S3 Standard. Use a lifecycle policy to move the data into S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
B. Store case data in S3 Standard. Use a lifecycle policy to move the data into Amazon S3 Glacier Flexible Retrieval after 30 days.
C. Store case data in S3 Intelligent-Tiering to automatically move data between tiers based on access frequency.
D. Store all case data in S3 Standard so that it is available whenever it is needed.
A. Store case data in S3 Standard. Use a lifecycle policy to move the data into S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days.
Which option takes advantage of edge locations in Amazon CloudFront to transfer files over long distances to an S3 bucket?
A. AWS SDKs
B. AWS Transfer Family
C. Amazon S3 Transfer Acceleration
D. Amazon S3 REST API
C. Amazon S3 Transfer Acceleration
A video producer must regularly transfer several video files to Amazon S3. The files range from 100–700 MB. The internet connection has been unreliable, causing some uploads to fail. Which solution provides the fastest, most reliable, and most cost-effective way to transfer these files to Amazon S3?
A. AWS Transfer Family
B. Amazon S3 multipart uploads
C. AWS Management Console
D. Amazon S3 Transfer Acceleration
B. Amazon S3 multipart uploads
Which Amazon S3 storage class is designed for backup copies of on-premises data or easily re-creatable data?
a. S3 One Zone-Infrequent Access (S3 One Zone-IA)
b. S3 Intelligent-Tiering
c. S3 Glacier Instant Retrieval
d. S3 Standard-Infrequent Access (S3 Standard-IA)
a. S3 One Zone-Infrequent Access (S3 One Zone-IA)
A company needs to retain records for regulatory purposes for a 7-year period. These records are rarely accessed (once or twice a year). What is the lowest-cost storage class for Amazon S3?
a. S3 One Zone-Infrequent Access (S3 One Zone-IA)
b. S3 Standard-Infrequent Access (S3 Standard-IA)
c. S3 Glacier Deep Archive
d. S3 Intelligent-Tiering
c. S3 Glacier Deep Archive
Which attributes are reasons to choose Amazon EC2? (Select TWO.)
a. Ability to run serverless applications
b. AWS management of operating system (OS) patches
c. Complete control of computing resources
d. Ability to run any type of workload
e. AWS management of operating system (OS) security
c. Complete control of computing resources
d. Ability to run any type of workload
What are the benefits of using an Amazon Machine Image (AMI)? (Select THREE.)
a. Selling or sharing software solutions packaged as an AMI
b. Launching instances with the same configuration
c. Updating systems by patching their AMI
d. Automating security group settings for instances
e. Using an AMI as a server backup for Amazon EC2 instances
f. Migrating data from on premises to Amazon EC2 instances
a. Selling or sharing software solutions packaged as an AMI
b. Launching instances with the same configuration
e. Using an AMI as a server backup for Amazon EC2 instances
A system administrator must change the instance types of multiple running Amazon EC2 instances. The instances were launched with a mix of Amazon Elastic Block Store (Amazon EBS) backed Amazon Machine Images (AMIs) and instance-store-backed AMIs. Which method is a valid way to change the instance type?
a. Change the instance type of an instance-store-backed instance without stopping it.
b. Stop an instance-store-backed instance, change its instance type, and start the instance.
c. Stop an Amazon EBS backed instance, change its instance type, and start the instance.
d. Change the instance type of an Amazon EBS backed instance without stopping it.
c. Stop an Amazon EBS backed instance, change its instance type, and start the instance.
A workload requires high read/write access to large local datasets. Which instance types would perform best for this workload? (Select TWO.)
A. Compute optimized
B. Accelerated computing
C. Storage optimized
D. Memory optimized
E. General purpose
C. Storage optimized
D. Memory optimized
An application requires the media access control (MAC) address of the host Amazon EC2 instance. The architecture uses an AWS Auto Scaling group to dynamically launch and terminate instances. What is the best way for the application to obtain the MAC address?
A. Include the MAC address in a custom AMI for each instance in the AWS Auto Scaling group.
B. Use the user data of each instance to access the MAC address through the instance metadata.
C. Write the MAC address in the application configuration file of each instance.
D. Include the MAC address in the Amazon Machine Image (AMI) that is used to launch all of the instances in the AWS Auto Scaling group.
B. Use the user data of each instance to access the MAC address through the instance metadata.
Which statements about user data are correct? (Select two.)
A. User data cannot be run while the instance is stopped.
B. The cloud architect must remove the config_user_scripts file to rerun the user data scripts.
C. By default, user data runs only once, when an instance is launched.
D. By default, user data runs after every instance restart.
E. The cloud architect must run the /var/lib/cloud/instance/scripts/part-001 command for the user data script to run again.
C. By default, user data runs only once, when an instance is launched.
E. The cloud architect must run the /var/lib/cloud/instance/scripts/part-001 command for the user data script to run again.
A transactional workload on an Amazon EC2 instance performs high amounts of frequent read and write operations. Which Amazon Elastic Block Store (Amazon EBS) volume type is BEST for this workload?
A. Provisioned IOPS solid state drive (SSD)
B. Throughput Optimized hard disk drive (HDD)
C. General Purpose solid state drive (SSD)
D. Cold hard disk drive (HDD)
A. Provisioned IOPS solid state drive (SSD)
It is possible to create an NFS share on an Amazon Elastic Block Store (Amazon EBS) backed Linux instance by installing and configuring an NFS server on the instance. In this way, multiple Linux systems can share the file system of that instance. Which advantages does Amazon Elastic File System (Amazon EFS) provide compared to this solution? (Select TWO.)
A. File locking
B. Automatic scaling
C. High availability
D. Strong consistency
E. No need for backups
B. Automatic scaling and C. High availability
Which feature does Amazon FSx for Windows File Server provide?
A. Backup solution for on-premises Windows file servers
B. Fully managed Windows file servers
C. Amazon management agent for Windows file servers
D. Microsoft Active Directory server for Windows file servers
B. Fully managed Windows file servers
Which descriptions of Amazon EC2 pricing options are correct? (Select TWO.)
A. Dedicated Hosts are servers that are dedicated to one purpose, such as a firewall.
B. With On-Demand Instances, customers can pay for compute capacity by usage time with no long-term commitments.
C. Savings Plans are budgeting tools that help customers manage Amazon EC2 costs.
D. Reserved Instances are physical servers that are reserved exclusively for customer use.
E. Spot Instances offer spare compute capacity at discounted prices and can be interrupted.
B. With On-Demand Instances, customers can pay for compute capacity by usage time with no long-term commitments.
E. Spot Instances offer spare compute capacity at discounted prices and can be interrupted.
Which statement that compares a database service that AWS manages with a database on an Amazon EC2 instance is true?
A. Configuring backups for a database on an EC2 instance isn’t needed.
B. AWS manages database patches for a database on a managed database service.
C. Configuring backups for a database on a managed database service isn’t needed.
D. AWS manages operating system (OS) patches for a database on an EC2 instance.
B. AWS manages database patches for a database on a managed database service.
A small startup company is deciding which database service to use for an enrollment system for their online training website. Which requirements might lead them to select Amazon RDS rather than Amazon DynamoDB? (Select TWO.)
A. The enrollment system must be highly available.
B. Data and transactions must be encrypted to protect personal information.
C. The data is highly structured.
D. Student, course, and registration data are stored in many different tables.
E. Data must be backed up in case of disasters.
C. The data is highly structured.
D. Student, course, and registration data are stored in many different tables.
A startup company is building an order inventory system with a web frontend and is looking for a real-time transactional database. Which service would best meet their needs?
A. Amazon DocumentDB (with MongoDB compatibility)
B. Amazon Neptune
C. Amazon DynamoDB
D. Amazon Redshift
C. Amazon DynamoDB
A small game company is designing an online game, where thousands of players can create their own in-game objects. The current design uses a MySQL database in Amazon RDS to store data for player-created objects. Which proposed online game object features could make Amazon DynamoDB a better solution? (Select TWO.)
A. Game data items that include binary data and might exceed 700 MB
B. A set of common object attributes for player-created objects
C. Game items that can be modified using data contained in other tables
D. A high amount of read activity on player-created objects and a low amount of writes
E. Unpredictable object attributes for player-created objects
D. A high amount of read activity on player-created objects and a low amount of writes
E. Unpredictable object attributes for player-created objects
An organization is concerned about an increase in fraud. Which service could help with building real-time graph database queries for fraud detection?
A. Amazon RDS
B. Amazon Neptune
C. Amazon Redshift
D. Amazon DynamoDB
B. Amazon Neptune
A data engineer must host a new Microsoft SQL Server database in AWS for a project. Which service could they use to accomplish this task?
A. Amazon Aurora
B. Amazon DocumentDB (with MongoDB compatibility)
C. Amazon Neptune
D. Amazon DynamoDB
A. Amazon Aurora
Which techniques should be used to secure an Amazon RDS database? (Select THREE.)
A. Security groups to control network access to individual RDS instances
B. A virtual private cloud (VPC) to provide instance isolation
C. A virtual private gateway (VGW) to filter traffic from restricted networks
D. Encryption both at rest and in transit to protect sensitive data
E. AWS Identity and Access Management (IAM) policies to define access at the table, row, and column levels
F. An Amazon Virtual Private Cloud (Amazon VPC) gateway endpoint to prevent traffic from traversing the internet
A. Security groups to control network access to individual RDS instances
B. A virtual private cloud (VPC) to provide instance isolation
D. Encryption both at rest and in transit to protect sensitive data
Which techniques should be used to secure Amazon DynamoDB? (Select THREE.)
A. A virtual private gateway (VGW) to filter traffic from restricted networks
B. A virtual private cloud (VPC) to provide instance isolation and firewall protection
C. AWS Identity and Access Management (IAM) policies to define access at the table, item, or attribute level
D. An Amazon Virtual Private Cloud (Amazon VPC) gateway endpoint to prevent traffic from traversing the internet
E. Security groups to control network access to individual instances
F. Encryption to protect sensitive data
C. AWS Identity and Access Management (IAM) policies to define access at the table, item, or attribute level
D. An Amazon Virtual Private Cloud (Amazon VPC) gateway endpoint to prevent traffic from traversing the internet
F. Encryption to protect sensitive data
A company wants to migrate their on-premises Oracle database to Amazon Aurora MySQL. Which process describes the high-level steps most accurately?
A. Use AWS Database Migration Service (AWS DMS) to migrate the data, and then use AWS Schema Conversion Tool (AWS SCT) to convert the schema.
B. Use AWS Database Migration Service (AWS DMS) to directly migrate from the Oracle database to Amazon Aurora MySQL.
C. Use AWS Schema Conversion Tool (AWS SCT) to convert the schema, and then use AWS Database Migration Service (AWS DMS) to migrate the data.
D. Use AWS Schema Conversion Tool (AWS SCT) to synchronously convert the schema and migrate the data.
C. Use AWS Schema Conversion Tool (AWS SCT) to convert the schema, and then use AWS Database Migration Service (AWS DMS) to migrate the data.
A cloud architect is setting up an application to use an Amazon RDS MySQL DB instance. The database must be architected for high availability across Availability Zones and AWS Regions with minimal downtime. How should they meet this requirement?
A. Set up an RDS MySQL Multi-AZ DB instance. Configure a read replica in a different Region.
B. Set up an RDS MySQL Multi-AZ DB instance. Configure an appropriate backup window.
C. Set up an RDS MySQL Single-AZ DB instance. Copy automated snapshots to at least one other Region.
D. Set up an RDS MySQL Single-AZ DB instance. Configure a read replica in a different Region.
A. Set up an RDS MySQL Multi-AZ DB instance. Configure a read replica in a different Region.
Which definition describes a virtual private cloud (VPC)?
A. An extension of an on-premises network into AWS
B. A logically isolated virtual network that you define in the AWS Cloud
C. A virtual private network (VPN) in the AWS Cloud
D. A fully managed service that extends the AWS Cloud to customer premises
B. A logically isolated virtual network that you define in the AWS Cloud
Which component does not have direct access to the internet?
A. Elastic IP address interface
B. EC2 instance inside a private subnet
C. Network address translation (NAT) gateway inside a public subnet
D. EC2 instance inside a public subnet
B. EC2 instance inside a private subnet
A company’s virtual private cloud (VPC) has the Classless Inter-Domain Routing (CIDR) block 172.16.0.0/21 (2048 addresses). It has two subnets (A and B). Each subnet must support 100 usable addresses now, but this number is expected to rise to at most 254 usable addresses soon. Which subnet addressing scheme meets the requirements and follows AWS best practices?
A. Subnet A: 172.16.0.0/24 (256 addresses) Subnet B: 172.16.1.0/24 (256 addresses)
B. Subnet A: 172.16.0.0/25 (128 addresses) Subnet B: 172.16.0.128/25 (128 addresses)
C. Subnet A: 172.16.0.0/22 (1024 addresses) Subnet B: 172.16.4.0/22 (1024 addresses)
D. Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses)
D. Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses)
Several EC2 instances launch in a virtual private cloud (VPC) that has internet access. These instances should not be accessible from the internet, but they must be able to download updates from the internet. How should the instances launch?
A. Without public IP addresses, in a subnet with a default route to an internet gateway
B. With public IP addresses, in a subnet with a default route to an internet gateway
C. Without public IP addresses, in a subnet with a default route to a network address translation (NAT) gateway
D. With Elastic IP addresses, in a subnet with a default route to an internet gateway
C. Without public IP addresses, in a subnet with a default route to a network address translation (NAT) gateway
A group of consultants requires access to an EC2 instance from the internet for 3 consecutive days each week. The instance is shut down the rest of the week. The virtual private cloud (VPC) has internet access. How should you assign one IPv4 address to the instance to give the consultants access?
A. Assign the IP address in the operating system (OS) boot configuration.
B. Enable automatic address assignment for the EC2 instance.
C. Associate an Elastic IP address with the EC2 instance.
D. Enable automatic address assignment for the subnet.
C. Associate an Elastic IP address with the EC2 instance.
An application uses a bastion host to allow access to EC2 instances in a private subnet within a virtual private cloud (VPC). What security group configurations would allow SSH access from the source IP to the EC2 instances? (Select TWO.)
A. Add a rule to the EC2 instance security group to allow traffic from the bastion host security group on port 22.
B. Add a rule to the private subnet EC2 instance security group to allow return traffic to the bastion host security group.
C. Add a rule to the bastion host security group to deny all traffic from the internet.
D. Add a rule to the bastion host security group to allow traffic on port 22 from your source IP address.
E. Add a rule to the bastion host security group to allow return traffic to your source IP address.
A. Add a rule to the EC2 instance security group to allow traffic from the bastion host security group on port 22.
D. Add a rule to the bastion host security group to allow traffic on port 22 from your source IP address.
A solution deployed in a virtual private cloud (VPC) needs a subnet with limited access to specific internet addresses. How can an architect configure the network to limit traffic from and to the EC2 instances in the subnet using a network access control list (ACL)?
A. Add rules to the default network ACL to allow traffic from and to allowed internet addresses.
B. Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
C. Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses.
D. Add rules to the default network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
C. Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses.
Which actions are best practices for designing a virtual private cloud (VPC)? (Select THREE.)
A. Match the size of the VPC Classless Inter-Domain Routing (CIDR) block to the number of hosts that are required for a workload.
B. Divide the VPC network range evenly across all Availability Zones that are available.
C. Create one subnet per Availability Zone for each group of hosts that have unique routing requirements.
D. Use the same Classless Inter-Domain Routing (CIDR) block for subnets in different Availability Zones that are part of the same AWS Auto Scaling group.
E. Reserve some address space for future use.
F. Use the same Classless Inter-Domain Routing (CIDR) block as your on-premises network.
B. Divide the VPC network range evenly across all Availability Zones that are available.
C. Create one subnet per Availability Zone for each group of hosts that have unique routing requirements.
E. Reserve some address space for future use.
Where can you have VPC flow logs delivered? (Select THREE.)
A. Amazon S3 bucket
B. AWS Management Console
C. Amazon OpenSearch Service
D. Amazon CloudWatch
E. Amazon Kinesis Data Firehose
F. Amazon Athena
A. Amazon S3 bucket
D. Amazon CloudWatch
E. Amazon Kinesis Data Firehose
An EC2 instance must connect to an Amazon S3 bucket. What component provides this connectivity with no additional charge and no throughput packet limits?
A. Gateway Load Balancer endpoint
B. Interface VPC endpoint
C. Gateway VPC endpoint
D. Public region access point
C. Gateway VPC endpoint
What is the simplest way to connect 100 virtual private clouds (VPCs) together?
A. Chain VPCs together by using VPC peering.
B. Create a hub-and-spoke network by using AWS VPN CloudHub.
C. Connect the VPCs to AWS Transit Gateway.
D. Connect each VPC to all the other VPCs by using VPC peering.
C. Connect the VPCs to AWS Transit Gateway.
A company needs network traffic to flow between an AWS account in one Region to another account in a different Region. What should they set up between the transit gateways in each region?
A. AWS Direct Connect
B. Transit gateway peering attachment
C. AWS Site-to-Site VPN
D. AWS PrivateLink
B. Transit gateway peering attachment
A company has two virtual private clouds (VPCs). VPC A has a Classless Inter-Domain Routing (CIDR) block of 10.1.0.0/16. VPC B has CIDR block of 10.2.0.0/16. Both VPCs belong to the same AWS account. What is the simplest way to connect the two VPCs so that they can route all traffic between them?
A. AWS Site-to-Site VPN
B. VPC peering
C. AWS Direct Connect
D. VPC endpoints
B. VPC peering
Systems in a secure subnet in a virtual private cloud (VPC) must access a bucket in Amazon S3. Which solutions stop traffic from crossing the internet? (Select TWO.)
A. Create a VPC gateway endpoint for Amazon S3.
B. Use the private IP address of Amazon S3.
C. Use a private IP address for the system.
D. Create a VPC peering connection to Amazon S3.
E. Use VPC interface endpoints.
A. Create a VPC gateway endpoint for Amazon S3.
E. Use VPC interface endpoints.
A company has three virtual private clouds (VPCs). VPCs A, B, and C have Classless Inter-Domain Routing (CIDR) blocks that do not overlap. Both A and C have separate VPC peering connections with B. However, A cannot communicate with C. What is the simplest and most cost-effective way to enable full communication between A and C?
A. Create VPC endpoints in A and C for the individual hosts that need to communicate with each other.
B. Link all three VPCs through a transit VPC, and route all traffic through the transit VPC.
C. Add a peering connection between A and C, and route traffic between A and C through the peering connection.
D. Add routes to B to enable traffic between A and C through B.
C. Add a peering connection between A and C, and route traffic between A and C through the peering connection.
Because of a natural disaster, a company moved a secondary data center to a temporary facility with internet connectivity. It needs a secure connection to the company’s virtual private cloud (VPC) that must be operational as soon as possible. The data center will move again in 2 weeks. Which option meets the requirements?
A. AWS Site-to-Site VPN
B. AWS Direct Connect
C. VPC endpoints
D. VPC peering
A. AWS Site-to-Site VPN
A company is concerned about internet disruptions. It wants to efficiently route traffic from their on-premises network to an AWS edge location close to their customer gateway device. What should they use?
A. AWS Direct Connect
B. AWS Transit Gateway
C. AWS VPN CloudHub
D. AWS Global Accelerator
D. AWS Global Accelerator
A company is implementing a system to back up on-premises systems to AWS. Which network connectivity method provides a solution with the most consistent performance?
A. Virtual private cloud (VPC) peering
B. Virtual private cloud (VPC) endpoints
C. AWS Site-to-Site VPN
D. AWS Direct Connect
D. AWS Direct Connect
A company uses a single AWS Direct Connect connection between their on-premises network and their virtual private cloud (VPC). They want to ensure that the network connectivity is highly available by adding a backup connection. Which network connectivity method provides the most cost-effective solution for the backup connection?
A. Another AWS Direct Connect connection through the same Direct Connect location
B. An on-demand AWS Client VPN connection across the internet
C. Another AWS Direct Connect connection through a different Direct Connect location
D. An on-demand AWS Site-to-Site VPN connection across the internet
D. An on-demand AWS Site-to-Site VPN connection across the internet
A company is connecting a virtual private cloud (VPC) to multiple on-premises data centers using a virtual private network (VPN). Which implementation ensures resiliency and predictable bandwidth requirements?
A. Implement Direct Connect as the primary connection and use the VPN as a secondary failover connection from each data center.
B. Establish multiple Border Gateway Protocol (BGP) sessions for each VPC to create connectivity to multiple VPCs across multiple AWS Regions.
C. Implement AWS Transit Gateway to connect to each on-premises data center.
D. Use a many-to-many mesh topology, such as Amazon VPC peering.
A. Implement Direct Connect as the primary connection and use the VPN as a secondary failover connection from each data center.
Which are characteristics of an AWS Identity and Access Management (IAM) group? (Select TWO.)
A. A group can belong to another group.
B. A user can belong to more than one group.
C. New users added to a group inherit the group’s permissions.
D. Permissions in a group policy always override permissions in a user policy.
E. A group can have security credentials.
B. A user can belong to more than one group.
C. New users added to a group inherit the group’s permissions.
What is an advantage of using attribute-based access control (ABAC) over role-based access control (RBAC)?
A. ABAC permissions are more secure than RBAC permissions.
B. ABAC will likely require fewer policies than RBAC.
C. ABAC permissions explicitly identify the resources that they protect.
D. ABAC requires less testing than RBAC.
B. ABAC will likely require fewer policies than RBAC.
A developer is a member of an AWS Identity and Access Management (IAM) group that has a group policy attached to it. The group policy allows access to Amazon S3 and Amazon EC2 and denies access to Amazon Elastic Container Service (Amazon ECS). The developer also has a user policy attached which allows access to Amazon ECS and Amazon CloudFront. Which option describes the user’s access?
A. Access to Amazon ECS and Amazon CloudFront, but no access to Amazon S3 and Amazon EC2
B. Access to Amazon S3, Amazon EC2, and Amazon CloudFront, but no access to Amazon ECS
C. Access to Amazon S3, Amazon EC2, Amazon ECS, and Amazon CloudFront
D. Access to Amazon S3 and Amazon EC2, but no access to Amazon ECS and Amazon CloudFront
B. Access to Amazon S3, Amazon EC2, and Amazon CloudFront, but no access to Amazon ECS
What is a benefit of identity federation with the AWS Cloud?
A. It assigns roles to authenticated users to control their access to AWS resources.
B. It enables the use of an external identity provider to authenticate workforce users and give them access to AWS resources.
C. It centralizes the storage and management of user identities inside of the AWS Cloud.
D. It eliminates the need for defining permissions in AWS Identity and Access Management (IAM) to secure the access to AWS resources.
B. It enables the use of an external identity provider to authenticate workforce users and give them access to AWS resources.
Which service enables identity federation for accessing a web application running in the AWS Cloud?
A. Amazon Cognito
B. AWS WAF
C. AWS Key Management Service (AWS KMS)
D. AWS CloudHSM
A. Amazon Cognito
Which service helps centrally manage billing, control access, compliance and security, and share resources across multiple AWS accounts?
A. AWS Systems Manager
B. AWS Organizations
C. AWS Identity and Access Management (IAM)
D. Amazon Cognito
B. AWS Organizations
A technology company has multiple production accounts grouped into a production organizational unit (OU) in AWS Organizations. The company wants to prevent all AWS Identity and Access Management (IAM) users in the production accounts from deleting AWS CloudTrail logs. How can a system administrator enforce this restriction?
a) Create an IAM policy and attach it to each IAM user in the production accounts.
b) Create an Amazon S3 bucket policy and associate it with all buckets containing AWS CloudTrail logs.
c) Create a service control policy (SCP), and attach it to the production OU.
d) Create a tag policy and attach it to the production accounts.
c) Create a service control policy (SCP), and attach it to the production OU.
A developer is writing a client application that encrypts sensitive data using a data key before sending it to a server application. The client application sends the data key to the server application so that the server application can decrypt the sensitive information. The developer is concerned that the confidentiality of the sensitive data might be compromised if the data key is stolen. Which type of encryption should the developer use to fully protect the sensitive information?
a) Server-side encryption
b) Asymmetric encryption
c) Envelope encryption
d) Symmetric encryption
c) Envelope encryption
Which functions does the AWS Key Management Service (AWS KMS) provide? (Select TWO.)
a) Store encrypted data
b) Rotate keys
c) Create AWS Identity and Access Management (IAM) access keys
d) Authenticate external users
e) Create symmetric and asymmetric keys
b) Rotate keys
e) Create symmetric and asymmetric keys
Which AWS service discovers and protects sensitive information stored on Amazon S3 in an AWS account?
a) Amazon Detective
b) AWS Resource Access Manager (AWS RAM)
c) Amazon Macie
d) AWS Audit Manager
c) Amazon Macie
Which statement about Amazon EC2 Auto Scaling is accurate?
a) It can launch Amazon EC2 instances, but customers must terminate instances after they are no longer needed.
b) It requires the customer to use Reserved Instances only.
c) It can launch new Amazon EC2 instances based on a schedule.
d) It can launch Amazon EC2 instances in multiple Availability Zones.
d) It can launch Amazon EC2 instances in multiple Availability Zones.
A devops engineer detected that the demand on a fleet of Amazon EC2 instances in an Auto Scaling group increases by a set amount on weekend days. Which type of scaling is the MOST appropriate in this case?
a) Predictive
b) Scheduled
c) Manual
d) Dynamic
b) Scheduled
A devops engineer launches a fleet of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The EC2 instances must maintain 50 percent average CPU utilization. Which type of scaling is appropriate to use based on CPU utilization usage?
a) Manual scaling
b) Target tracking scaling
c) Simple scaling
d) Step scaling
b) Target tracking scaling
How can a user vertically scale an Amazon RDS database?
a) By changing the instance class or size
b) By adding read replicas
c) By sharding the database
d) By creating dedicated read and write nodes
a) By changing the instance class or size
How can an AWS customer horizontally scale an Amazon Aurora database?
a) By creating Amazon CloudWatch alarms
b) By creating a scaling policy
c) By adding Aurora Replica instances by using Aurora Auto Scaling
d) By changing the instance type
c) By adding Aurora Replica instances by using Aurora Auto Scaling
How does Amazon DynamoDB perform automatic scaling?
a) It adjusts the provisioned throughput capacity in response to traffic patterns.
b) It adds read replicas in response to increased read demand.
c) It adds and removes database instances in response to changes in traffic.
d) It changes the instance type in response to changes in processing load.
a) It adjusts the provisioned throughput capacity in response to traffic patterns.
A fleet of Amazon EC2 instances is launched in an Amazon EC2 Auto Scaling group. The instances run an application that uses a custom protocol on TCP port 42000. Connections from client systems on the internet must balance across the instances. Which load balancing solution is the best solution?
a) Gateway Load Balancer
b) Application Load Balancer
c) Network Load Balancer
d) Classic Load Balancer
c) Network Load Balancer
A company must build a highly available website that uses server-side scripts to serve dynamic HTML. Which solution provides the highest availability for the least cost and complexity?
a) Amazon S3 hosts the website. DNS name resolution points to the S3 bucket.
b) An Auto Scaling group launches Amazon EC2 instances, which are served by a Network Load Balancer. Amazon Route 53 uses latency-based routing.
c) An Auto Scaling group launches Amazon EC2 instances, which are served by an Application Load Balancer. DNS name resolution points to the load balancer.
d) The customer deploys a second web server in another Region. Amazon Route 53 uses failover routing for disaster recovery (DR).
c) An Auto Scaling group launches Amazon EC2 instances, which are served by an Application Load Balancer. DNS name resolution points to the load balancer.
Users in location A connect to an application in Region A. Users in location B connect to the same application in Region B. If the application in Region A becomes unhealthy, traffic for location A must be redirected to the application in Region B. Which solution meets this requirement?
a) Use an Application Load Balancer with Amazon CloudWatch alarms.
b) Use geoproximity routing and a Network Load Balancer that is attached to both Regions.
c) Use geolocation routing with failover records in Amazon Route 53.
d) Use latency-based routing in Amazon Route 53 with Amazon CloudWatch alarms.
c) Use geolocation routing with failover records in Amazon Route 53.
As software engineer has created an AWS account for- their own personal development and testing. They want the account to stay within the AWS Free Tier and to not generate
unexpected costs.
Which approach will work and will require the LEAST effort?
a) Create a service control policy (SCP) to restrict services that are not included in the AWS Free Tier.
b) Sign in to the AWS Management Console each month and check the billing dashboard.
c) Create an Amazon CloudWatch alarm to send an email message when the account billing exceeds $0.
d) Create an Amazon CloudWatch metric to monitor account billing and limit it to $0.
c) Create an Amazon CloudWatch alarm to send an email message when the account billing exceeds $0.
Which are reasons to use automation to provision resources? (Select TWO.)
a) Lack of version control with manual processes
b) Alignment with the reliability design principle
c) Automation requirement for creating some resources
d) Greater expense with manual processes
e) Automation requirement for high availability
a) Lack of version control with manual processes
b) Alignment with the reliability design principle
Which are benefits of using infrastructure as code (IaC) over manual processes? (Select TWO.)
a) Automate system-wide security scans.
b) Deploy environments with configuration consistency.
c) Propagate updates from a single environment to all environments.
d) Manage all account users.
e) Protect environments from deletion.
b) Deploy environments with configuration consistency.
c) Propagate updates from a single environment to all environments.
A cloud architect wants to quickly set up a secure implementation of an Amazon FSx for Windows File Server that follows AWS best practices. Which solution should they use?
a) An AWS Quick Start
b) AWS CloudFormation Designer
c) An Amazon Machine Image (AMI) on AWS Marketplace
d) An AWS CloudFormation template that was downloaded from the internet
a) An AWS Quick Start
What is Amazon Q Developer?
a) A set of automated reference architectures
b) An artificial intelligence (AI)-powered coding companion
c) A template for rapid application deployment
d) An integrated development environment (IDE)
b) An artificial intelligence (AI)-powered coding companion
Which are reasons to use Amazon Q Developer? (Select TWO.)
a) Write compliance tests.
b) Enhance application security.
c) Accelerate coding tasks.
d) Share open-source code.
e) Automate for high availability.
b) Enhance application security.
c) Accelerate coding tasks.
What is AWS CloudFormation?
a) An AWS service that you can use to create, model, and manage AWS resources
b) A package of all the information that is needed to launch an Amazon EC2 instance
c) A description of best practices for designing an AWS implementation
d) A template that describes your infrastructure
a) An AWS service that you can use to create, model, and manage AWS resources
What is AWS CloudFormation Designer?
a) A tool for automating deployments
b) A source code repository for AWS CloudFormation templates
c) A graphical design interface for creating AWS CloudFormation templates
d) A collection of reusable templates
c) A graphical design interface for creating AWS CloudFormation templates
Which option can be used to accomplish deployment-specific differences in an AWS CloudFormation template?
a) Use drift detection.
b) Use conditions.
c) Use AWS CloudFormation Designer.
d) Use change sets.
b) Use conditions.
Which option is a good way to preview changes before implementing them in AWS CloudFormation Designer?
a) Visually inspect the template.
b) Run Update Stack.
c) Create a change set.
d) Run Detect Drift.
c) Create a change set.
Which option is a good way to know which resources in an application environment were manually modified if the environment was created by running an AWS CloudFormation stack?
a) Run a change set on the stack.
b) Run a comparison in AWS CloudFormation Designer on the stack.
c) Run conditions on the stack.
d) Run drift detection on the stack.
d) Run drift detection on the stack.
