CSA Flashcards
Which is the best definition of cloud architecture?
A. Applying cloud characteristics to a solution that uses cloud services and features to meet technical and business requirements
B. Combining frontend and backend software and components to create highly available and scalable web services that meet the needs of an organization
C. Relocating traditional on-premises data centers to internet-accessible data centers that a vendor manages
D. Designing applications in cloud-based, shared IT infrastructure by using virtual machines and fault-tolerant data stores in the cloud
A. Applying cloud characteristics to a solution that uses cloud services and features to meet technical and business requirements
The AWS Well-Architected Framework has six pillars. Three of the pillars are security, operational excellence, and sustainability. What are two of the other pillars of the Well-Architected Framework? (Select TWO.)
A. Privacy
B. Reliability
C. Governance
D. Cost Optimization
E. Risk Management
B. Reliability
D. Cost Optimization
Which actions are consistent with the operational excellence pillar of the AWS Well-Architected Framework? (Select TWO.)
A. Apply software engineering principles and methodology to infrastructure as code.
B. Ensure operations personnel document changes to the infrastructure.
C. Plan and manage the full lifecycle of hardware assets.
D. Evaluate organizational structures and roles to identify skill gaps.
E. Review and improve processes and procedures on a continuous cycle.
A. Apply software engineering principles and methodology to infrastructure as code.
E. Review and improve processes and procedures on a continuous cycle.
A specific application requires a frontend web tier of multiple servers that communicate with a backend application tier of multiple servers. Which design most closely follows AWS best practices?
A. Design the web tier to communicate with the application tier through the Elastic Load Balancing (ELB) service.
B. Create multiple instances that each combine a web frontend and application backend in the same instance.
C. Assign a dedicated application server and a dedicated connection to each web server.
D. Create a full mesh network between the web and application tiers, so that each web server can communicate directly with every application server.
A. Design the web tier to communicate with the application tier through the Elastic Load Balancing (ELB) service.
A solutions architect is developing a process for handling server failures. Which process most closely follows AWS best practices?
A. Amazon CloudWatch detects a system failure. It initiates automation to provision a new server.
B. Amazon CloudWatch detects a system failure. It notifies the systems administrator, who provisions a new server by using the AWS Management Console.
C. The operations staff detects a system failure. They initiate automation to provision a new server.
D. The operations staff detects a system failure. They notify the systems administrator, who provisions a new server by using the AWS Management Console.
A. Amazon CloudWatch detects a system failure. It initiates automation to provision a new server.
A company is considering moving their on-premises data center to the cloud. Their primary motivation is to increase their cost efficiency. Which approach most closely follows AWS best practices?
A. Replicate their on-premises data center in the cloud.
B. Maintain the on-premises data center as long as possible.
C. Provision some of the servers in the cloud and ensure the servers run 24/7.
D. Provision the servers that are needed and stop services when they are not being used.
D. Provision the servers that are needed and stop services when they are not being used.
A company stores read-only data in Amazon S3. Most users are in the same country as the company headquarters. Some users are located around the world. Which design decision most closely follows AWS best practices?
A. Replicate objects across buckets in AWS Regions around the world. Users access the bucket in the Region that is closest to them.
B. Use a bucket in the Region closest to the company headquarters.
C. Use a bucket in the AWS Region that is closest to the company headquarters. All users access the data through Amazon CloudFront.
D. Use a bucket in the Region that has the lowest average latency for all users.
C. Use a bucket in the AWS Region that is closest to the company headquarters. All users access the data through Amazon CloudFront.
A consultant must access a large object in an S3 bucket. They need one day to access the file. Which method for granting access most closely follows AWS best practices?
A. Enable public access on the S3 bucket. Give the object URL to the consultant.
B. Create a presigned URL to the object that expires in 24 hours, and give it to the consultant.
C. Create a user account for the consultant. Grant the user account permissions to access the S3 bucket through the AWS Management Console.
D. Copy the object to a new S3 bucket. Enable public access on the new bucket. From the new bucket, get the object URL, and give it to the consultant.
B. Create a presigned URL to the object that expires in 24 hours, and give it to the consultant.
Which are main considerations that influence which AWS Regions to use? (Select TWO.)
A. Security and access control
B. Protection against localized natural disasters
C. Compliance with laws and regulations
D. Application resiliency during system failures
E. Latency reduction for end users
C. Compliance with laws and regulations
E. Latency reduction for end users
Which statement reflects a design principle of the security pillar of the Well-Architected Framework?
A. Ensure that staff are actively monitoring potential risks manually.
B. Decentralize privilege management.
C. Apply security at all layers of an architecture.
D. Do not deploy a solution to production until you’re certain that no security risks exist.
C. Apply security at all layers of an architecture.
Which statements about responsibility are accurate based on the AWS shared responsibility model? (Select TWO.)
A. AWS is responsible for the configuration of security groups.
B. Customers are responsible for managing their user data.
C. AWS is responsible for the physical security of data centers.
D. Customers are responsible for the installation, maintenance, and decommissioning of the hardware that they use in the AWS data center.
E. AWS is responsible for host-based firewall configurations.
B. Customers are responsible for managing their user data.
C. AWS is responsible for the physical security of data centers.
Which options are characteristics of the principle of least privilege? (Select TWO.)
A. Use encryption.
B. Always use groups.
C. Craft security policies that limit access to specific tasks.
D. Monitor actions and changes.
E. Grant access only as needed.
C. Craft security policies that limit access to specific tasks.
E. Grant access only as needed.
Which statement about AWS Identity and Access Management (IAM) is true?
A. With IAM, you can manage encryption for items that require encryption at rest.
B. IAM provides an audit trail of who performed an action, what action they performed, and when they performed it.
C. IAM provides an extra layer of security by offering anomaly detection on resources.
D. With IAM, you can grant principals granular access to resources.
D. With IAM, you can grant principals granular access to resources.
Which statements describe AWS Identity and Access Management (IAM) roles? (Select TWO.)
A. They provide temporary security credentials.
B. They are uniquely associated with an individual.
C. Individuals, applications, and services can assume roles.
D. They provide permanent security credentials.
E. They can only be used by accounts that are associated with the person who creates the role.
A. They provide temporary security credentials.
C. Individuals, applications, and services can assume roles.
Which statement reflects a best practice for the root user on an AWS account?
A. Create an admin user and perform most admin tasks with this user instead of the root user.
B. Remove unneeded permissions from the root user account.
C. To avoid getting locked out of the account, do not enable multi-factor authentication (MFA) on the root account.
D. Create two root users with separate credentials and distribute them to two different individuals.
A. Create an admin user and perform most admin tasks with this user instead of the root user.
How does AWS Identity and Access Management (IAM) evaluate a policy?
A. It checks for explicit allow statements before it checks for explicit deny statements.
B. It checks for explicit deny statements before it checks for explicit allow statements.
C. An explicit deny statement does not override an explicit allow statement.
D. If the policy doesn’t have any explicit deny statements or explicit allow statements, users have access by default.
B. It checks for explicit deny statements before it checks for explicit allow statements.
Which statement about AWS Identity and Access Management (IAM) policies is accurate?
A. Identity-based policies can only be attached to a single entity.
B. Resource-based policies are attached to a user, group, or role.
C. Identity-based policies are attached to a user, group, or role.
D. Resource-based policies allow access by default.
C. Identity-based policies are attached to a user, group, or role.
Which AWS Identity and Access Management (IAM) policy element includes information about whether to allow or deny a request?
A. Action
B. Effect
C. Principal
D. Condition
B. Effect
Which option accurately describes the statement element in an AWS Identity and Access Management (IAM) policy?
A. The statement element contains other elements that together define what is allowed or denied.
B. The statement element is an optional part of an IAM policy.
C. A policy can only have one statement element.
D. The statement element does not apply to identity-based policies.
A. The statement element contains other elements that together define what is allowed or denied.
Which are main considerations that influence which Availability Zones to use? (Select TWO.)
A. Protection against localized natural disasters
B. Application resiliency during system failures
C. Compliance with laws and regulations
D. Latency reduction for end users
E. Security and access control
A. Protection against localized natural disasters
B. Application resiliency during system failures
Due to a company merger, a data engineer needs to increase their object storage capacity. They are not sure how much storage they will need. They want a highly scalable service that can store unstructured, semistructured, and structured data. Which service would be the most cost-effective to accomplish this task?
A. Amazon S3
B. Amazon Elastic Block Store (Amazon EBS)
C. AWS Storage Gateway
D. Amazon RDS
A. Amazon S3
Amazon S3 provides a good solution for which use case?
A. A data warehouse for business intelligence
B. An internet-accessible storage location for video files that an external website can access
C. Hourly storage of frequently accessed temporary files
D. Ledger data that is updated and accessed frequently
B. An internet-accessible storage location for video files that an external website can access
A company is interested in using Amazon S3 to host their website instead of a traditional web server. Which types of content does Amazon S3 support for static web hosting? (Select THREE.)
A. HTML files and image files
B. Database engine
C. Server-side scripts
D. Video and sound files
E. Dynamic HTML files
F. Client-side scripts
A. HTML files and image files
D. Video and sound files
F. Client-side scripts
A company wants to use an S3 bucket to store sensitive data. Which actions can they take to protect their data? (Select TWO.)
A. Uploading unencrypted files to Amazon S3 because Amazon S3 encrypts the files by default
B. Enabling server-side encryption on the S3 bucket before uploading sensitive data
C. Using Secure File Transfer Protocol (SFTP) to connect directly to Amazon S3
D. Using client-side encryption to protect data in transit before it is sent to Amazon S3
E. Enabling server-side encryption on the S3 bucket after uploading sensitive data
B. Enabling server-side encryption on the S3 bucket before uploading sensitive data
D. Using client-side encryption to protect data in transit before it is sent to Amazon S3