Exam 3 Flashcards

1
Q

Which of the following is correct regarding the AWS Shield Advanced pricing?

AWS Shield Advanced is a free service for AWS Enterprise Support plan

AWS Shield Advanced is a free service for AWS Business Support plan

AWS Shield Advanced offers protection against higher fees that could result from a DDoS attack

AWS Shield Advanced is a free service for all AWS Support plans

A

AWS Shield Advanced offers protection against higher fees that could result from a DDoS attack

AWS Shield Advanced offers some cost protection against spikes in your AWS bill that could result from a DDoS attack. This cost protection is provided for your Elastic Load Balancing load balancers, Amazon CloudFront distributions, Amazon Route 53 hosted zones, Amazon Elastic Compute Cloud instances, and your AWS Global Accelerator accelerators.

AWS Shield Advanced is a paid service for all customers, irrespective of the Support plan.

2
Q

Name 4 best practices for AWS Identity and Access Management (AWS IAM) service

A

Enable multi-factor authentication (MFA) for all users

AWS recommends that you require multi-factor authentication (MFA) for all users in your account. With multi-factor authentication (MFA), users have a device that generates a response to an authentication challenge. Both the user’s credentials and the device-generated response are required to complete the sign-in process.

Rotate credentials regularly

AWS recommends that you change your own passwords and access keys regularly, and make sure that all IAM users in your account do as well. That way, if a password or access key is compromised without your knowledge, you limit how long the credentials can be used to access your resources. You can apply a password policy to your account to require all your IAM users to rotate their passwords.

Require human users to use federation with an identity provider to access AWS using temporary credentials

Human users, also known as human identities, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your AWS environments and applications. Human users that are members of your organization are also known as workforce identities. Human users can also be external users with whom you collaborate, and who interact with your AWS resources. They can do this via a web browser, client application, mobile app, or interactive command-line tools.
Require your human users to use temporary credentials when accessing AWS. You can use an identity provider for your human users to provide federated access to AWS accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use AWS IAM Identity Center (IAM Identity Center) to manage access to your accounts and permissions within those accounts. You can manage your user identities with IAM Identity Center, or manage access permissions for user identities in IAM Identity Center from an external identity provider. For more information, see What is AWS IAM Identity Center in the AWS IAM Identity Center User Guide.

Require workloads to use temporary credentials with IAM roles to access AWS

A workload is a collection of resources and code that delivers business value, such as an application or backend process. Your workload can have applications, operational tools, and components that require an identity to make requests to AWS services, such as requests to read data. These identities include machines running in your AWS environments, such as Amazon EC2 instances or AWS Lambda functions. You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access AWS by relying on temporary security credentials with a role session. Additionally, you might have machines outside of AWS that need access to your AWS environments. For machines that run outside of AWS you can use AWS Identity and Access Management Roles Anywhere.

3
Q

A development team is looking for a forum where the most frequent questions and requests from AWS customers are listed along with AWS provided solutions.

Which AWS forum/service can be used for troubleshooting an issue or checking for a solution?

A

AWS Knowledge Center

AWS Knowledge Center contains the most frequent and common questions and requests from AWS customers, together with AWS-provided solutions for them. It should be the starting point when checking for a solution or troubleshooting an issue with AWS services.

4
Q

Which AWS service will you use if you have to move large volumes of on-premises data to AWS Cloud from a remote location with limited bandwidth?

A

AWS Snowball

AWS Snowball, a part of the AWS Snow Family, is a data migration and edge computing device. If you have large quantities of data you need to migrate into AWS, offline data transfer with AWS Snowball can overcome the challenge of limited bandwidth, and avoid the need to lease additional bandwidth. AWS Snowball moves terabytes of data in about a week. You can use it to move things like databases, backups, archives, healthcare records, analytics datasets, IoT sensor data and media content, especially when network conditions prevent realistic timelines for transferring large amounts of data both into and out of AWS.

5
Q

Which of the following statements are CORRECT regarding security groups and network access control lists (network ACL)? (Select two)

A security group is stateful, that is, it automatically allows the return traffic

A security group contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic

A network access control list (network ACL) is stateful, that is, it automatically allows the return traffic

A security group is stateless, that is, the return traffic must be explicitly allowed

A network access control list (network ACL) contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic

A

A security group is stateful, that is, it automatically allows the return traffic

A network access control list (network ACL) contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not at the subnet level. Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. A security group evaluates all rules before deciding whether to allow traffic.

6
Q

A financial services enterprise plans to enable Multi-Factor Authentication (MFA) for its employees. For ease of travel, they prefer not to use any physical devices to implement Multi-Factor Authentication (MFA). Which of the below options is best suited for this use case?

A

Virtual Multi-Factor Authentication (MFA) device

A software app that runs on a phone or other device and emulates a physical device. The device generates a six-digit numeric code based upon a time-synchronized one-time password algorithm. The user must type a valid code from the device on a second webpage during sign-in. Each virtual Multi-Factor Authentication (MFA) device assigned to a user must be unique. A user cannot type a code from another user’s virtual Multi-Factor Authentication (MFA) device to authenticate.

Microsoft Authenticator is an example of a Virtual Multi-Factor Authentication (MFA) device

7
Q

Which budget types can be created under AWS Budgets?

A

AWS Budgets enable you to plan your service usage, service costs, and instance reservations. AWS Budgets information is updated up to three times a day. Updates typically occur between 8 to 12 hours after the previous update. Budgets track your unblended costs, subscriptions, refunds, and RIs. There are four different budget types you can create under AWS Budgets - Cost budget, Usage budget, Reservation budget and Savings Plans budget.

Cost budget - Helps you plan how much you want to spend on a service.

Usage budget - Helps you plan how much you want to use one or more services.

Reservation budget - This helps you track the usage of your Reserved Instances (RI). Two ways of doing it - Reserved Instance (RI) utilization budgets (This lets you see if your Reserved Instances (RI) are unused or under-utilized), Reserved Instance (RI) coverage budgets (This lets you see how much of your instance usage is covered by a reservation).

8
Q

An AWS user is trying to launch an Amazon Elastic Compute Cloud (Amazon EC2) instance in a given region. What is the region-specific constraint that the Amazon Machine Image (AMI) must meet so that it can be used for this Amazon Elastic Compute Cloud (Amazon EC2) instance?

A

You must use an Amazon Machine Image (AMI) from the same region as that of the Amazon EC2 instance. The region of the Amazon Machine Image (AMI) has no bearing on the performance of the Amazon EC2 instance

An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an Amazon Machine Image (AMI) when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration.

The Amazon Machine Image (AMI) must be in the same region as that of the Amazon EC2 instance to be launched. If the Amazon Machine Image (AMI) exists in a different region, you can copy that Amazon Machine Image (AMI) to the region where you want to launch the EC2 instance. The region of Amazon Machine Image (AMI) has no bearing on the performance of the Amazon EC2 instance.

9
Q

What is the primary benefit of deploying an Amazon Relational Database Service (Amazon RDS) database in a Read Replica configuration?

A

Read Replica improves database scalability

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. Read Replicas allow you to create read-only copies that are synchronized with your master database. Read Replicas are used for improved read performance. You can also place your read replica in a different AWS Region closer to your users for better performance. Read Replicas are an example of horizontal scaling of resources.

10
Q

Which AWS service can be used for online analytical processing?

A

Amazon Redshift

Amazon Redshift is a fast, fully managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against terabytes to petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution.

11
Q

Which of the following AWS services are regional in scope? (Select two)

AWS Lambda

Amazon CloudFront

AWS Identity and Access Management (AWS IAM)

AWS Rekognition

AWS Web Application Firewall (AWS WAF)

A

AWS Lambda

AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. AWS Lambda is a regional service.

Amazon Rekognition

With Amazon Rekognition, you can identify objects, people, text, scenes, and activities in images and videos, as well as detect any inappropriate content. Amazon Rekognition also provides highly accurate facial analysis and facial search capabilities that you can use to detect, analyze, and compare faces for a wide variety of user verification, people counting, and public safety use cases. Amazon Rekognition is a regional service.

12
Q

A company is looking for a guided path to help deploy, configure, and secure its new workloads while ensuring that it is ready for on-going operations in the cloud. Which of the following AWS services/tools can be leveraged for this use case?

A

Cloud Foundations

Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud. Cloud Foundations helps customers navigate through the decisions they need to make through curated AWS Services, AWS Solutions, Partner Solutions, and Guidance.

https://aws.amazon.com/architecture/cloud-foundations/

13
Q

AWS Identity and Access Management (AWS IAM) policies are written as JSON documents. Which of the following are mandatory elements of an IAM policy?

Action, Condition

Effect, Sid

Effect, Action

Sid, Principal

A

Effect, Action

Most policies are stored in AWS as JSON documents. Identity-based policies and policies used to set permissions boundaries are JSON policy documents that you attach to a user or role. Resource-based policies are JSON policy documents that you attach to a resource.

A JSON policy document includes these elements:

Optional policy-wide information at the top of the document
One or more individual statements
Each statement includes information about a single permission. The information in a statement is contained within a series of elements.

Version – Specify the version of the policy language that you want to use. As a best practice, use the latest 2012-10-17 version.

Statement – Use this main policy element as a container for the following elements. You can include more than one statement in a policy.

Sid (Optional) – Include an optional statement ID to differentiate between your statements.

Effect – Use Allow or Deny to indicate whether the policy allows or denies access.

Principal (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.

Action – Include a list of actions that the policy allows or denies.

Resource (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached.

Condition (Optional) – Specify the circumstances under which the policy grants permission.

14
Q

An e-commerce company uses AWS Cloud and would like to receive separate invoices for development and production environments. As a Cloud Practitioner, which of the following solutions would you recommend for this use-case?

Tag all resources in the AWS account as either development or production. Then use the tags to create separate invoices

Create separate AWS accounts for development and production environments to receive separate invoices

Use AWS Organizations to create separate invoices for development and production environments

Use AWS Cost Explorer to create separate invoices for development and production environments

A

Create separate AWS accounts for development and production environments to receive separate invoices

Every AWS account receives its own invoice at the end of the month. You can get separate invoices for development and production environments by setting up a separate AWS account for each environment.

15
Q

A research lab wants to optimize the caching capabilities for its scientific computations application running on Amazon Elastic Compute Cloud (Amazon EC2) instances. Which Amazon Elastic Compute Cloud (Amazon EC2) storage option is best suited for this use-case?

Elastic Block Store

Instance Store

Elastic File System

Simple Storage Service (Amazon S3)

A

Instance Store

An Instance Store provides temporary block-level storage for your Amazon EC2 instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for the temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers. Instance storage is temporary: data is lost if the instance fails or is terminated.

16
Q

Which AWS service protects your AWS account by monitoring malicious activity and detecting threats?

A

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that monitors malicious activity and unauthorized behavior to protect your AWS account. Amazon GuardDuty analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns). Security findings are retained and made available through the Amazon GuardDuty console and APIs for 90 days. After 90 days, the findings are discarded. To retain findings for longer than 90 days, you can enable Amazon CloudWatch Events to automatically push findings to an Amazon S3 bucket in your account or to another data store for long-term retention.

17
Q

An IT company would like to move its IT resources (including any data and applications) from an AWS Region in the US to another AWS Region in Europe. Which is the correct solution for this use-case?

A

The company should just start creating new resources in the destination AWS Region and then migrate the relevant data and applications into this new AWS Region

The company needs to create resources in the new AWS Region and then move the relevant data and applications into the new AWS Region. There is no off-the-shelf solution or service that the company can use to facilitate this transition.

18
Q

Which AWS service can be used as an in-memory database with high-performance and low latency?

A

Amazon ElastiCache

Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open-source compatible in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high-throughput, low-latency in-memory data stores. Amazon ElastiCache is a popular choice for real-time use cases like caching, session stores, gaming, geospatial services, real-time analytics, and queuing. ElastiCache cannot be used for online analytical processing.

https://aws.amazon.com/elasticache/
