From practice tests Flashcards

1
Q

AWS RAM

A

AWS Resource Access Manager (AWS RAM) enables you to share specified AWS resources that you own with other AWS accounts. To enable trusted access with AWS Organizations:

The trusted service can create an IAM role, called a service-linked role, in every account in your organization whenever that role is needed.

2
Q

trusted access

A

From the AWS RAM CLI, use the enable-sharing-with-aws-organizations command.

Name of the IAM service-linked role that can be created in accounts when trusted access is enabled: AWSResourceAccessManagerServiceRolePolicy.

3
Q

SCPs

A

SCPs DO NOT affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.

4
Q

Direct Connect gateway

A

You can attach multiple private virtual interfaces to your Direct Connect gateway.

With Direct Connect Gateway, you no longer need to establish multiple BGP sessions for each VPC; this reduces your administrative workload as well as the load on your network devices.

5
Q

ElastiCache Redis

A

An ElastiCache Redis cluster provides varying levels of data durability, performance, and cost for implementing disaster recovery or fault tolerance of your cached data. You can choose the following options to improve the data durability of your ElastiCache cluster:

  • Daily automatic backups
  • Manual backups using Redis append-only file (AOF)
  • Setting up a Multi-AZ with Automatic Failover

6
Q

What to do if your Lambda function needs Internet access?

A

If your Lambda function requires Internet access (for example, to access AWS services that don’t have VPC endpoints), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway.

You cannot use an Internet gateway attached to your VPC, since that requires the ENI to have public IP addresses.

Do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway. You should also ensure that the associated security group of the Lambda function allows outbound connections.

7
Q

A multinational investment bank has a hybrid cloud architecture which uses a single 1 Gbps AWS Direct Connect connection to integrate their on-premises network to AWS Cloud.

Which of the following is the MOST cost-effective solution that you should implement in order to improve the connection redundancy of your hybrid network?

A

It costs a lot of money to establish a Direct Connect connection which you rarely use. For a more cost-effective solution, you can configure a backup VPN connection for failover with your AWS Direct Connect connection.

If you want a short-term or lower-cost solution, you might consider configuring a hardware VPN as a failover option for a Direct Connect connection. VPN connections are not designed to provide the same level of bandwidth available to most Direct Connect connections. Ensure that your use case or application can tolerate a lower bandwidth if you are configuring a VPN as a backup to a Direct Connect connection.

8
Q

You were just promoted as the IT Manager of a small, yet rapidly developing software consultancy company. Your CTO asked you to prepare the needed items in order to have a hybrid cloud architecture in which you have to connect your on-premises network to AWS Cloud.

Which of the following will enable federated user access to the AWS Management Console?

A
  1. Inside your organization’s network, you configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) like Windows Active Directory Federation Services, Shibboleth, etc.
  2. Create a SAML provider in IAM and create an IAM role that establishes a trust relationship between IAM and your organization’s IdP that identifies your IdP as a principal (trusted entity) for purposes of federation.

Must create a SAML provider in IAM.

9
Q

ELB Elastic IP

A

It is not recommended to use an EIP on top of an ELB. Also, you should use an Alias record instead of an A record.

10
Q

SSM Parameter Store vs Secrets Manager

A

If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager.

11
Q

Global DDB

A

Global DynamoDB Tables will not automatically create new replica tables in all AWS regions. You have to manually specify and create the replica tables in the specific AWS regions where you want to replicate your data. Take note as well that the DynamoDB Stream option must be enabled in order for the Global DynamoDB Table to work.

Multi-region, multi-master. Data automatically replicated into chosen regions.

12
Q

How can you ensure high availability of the online portal even in the event of application and database server failure?

A

In this scenario, the main priority is ensuring the availability of the online portal at all times. The application server as well as the database server should be configured to be highly available through the use of Auto Healing capabilities of OpsWorks stacks and RDS Multi-AZ deployments. If the Auto Healing capability in OpsWorks is enabled, any failed EC2 instances will be automatically replaced to avoid any downtime for the portal.

This applies if there is no ASG.

13
Q

Lambda@Edge

A

Lambda@Edge lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer.

14
Q

Route 53 Record Origins

A

EC2 - type A record, no alias
ELB, CloudFront, S3 - type A record with alias
RDS - CNAME record, no alias

15
Q

169.254.169.253

A

Amazon DNS Server

16
Q

CloudFront field encryption

A

Up to 10 fields, must specify public key

17
Q

With Certificate Manager, you pay

A

Mostly for Private CA and private certificates

18
Q

Max DDB Item size

A

400 KB

19
Q

Redshift EC2 Limits

A

Cannot use Spot instances

20
Q

Amazon Inspector

A

Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.

Uses IAM service-linked role.

21
Q

To activate the AWS generated tags

A

Activate it in the Billing and Cost Management console of the master account

22
Q

CodeDeploy

A

CodeDeploy does not launch the required AWS resources automatically, unlike CloudFormation, OpsWorks, and Elastic Beanstalk. It automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions, but these resources should already exist before CodeDeploy can work.

23
Q

AWS Migration Hub

A

Provides a single location to track the progress of application migrations across multiple AWS and partner solutions. Using Migration Hub allows you to choose the AWS and partner migration tools that best fit your needs while providing visibility into the status of migrations across your portfolio of applications. Although AWS Application Discovery Service can be integrated with AWS Migration Hub, this service alone is not enough to meet the requirement in this scenario.

24
Q

OpsWorks

A

OpsWorks can be integrated with on-premises servers.

25
Q

IBM MQ to Amazon MQ

A

You cannot directly migrate your IBM MQ to Amazon MQ since these are two completely different systems. It is more suitable to host your IBM MQ on an EC2 instance.

26
Q

Provisioned IOPS storage is a storage type

A

For a production application that requires fast and consistent I/O performance, AWS recommends Provisioned IOPS (input/output operations per second) storage; it delivers predictable performance and consistently low latency.

27
Q

AWS Trusted Advisor

A

Primarily used to check if your cloud infrastructure is in compliance with the best practices and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits.

28
Q

AWS Data Pipeline

A

Web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it’s stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR.

29
Q

AWS IoT Greengrass

A

Primarily used to enable connected devices to run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even without an Internet connection. Hence, this is not a suitable option for this scenario.

30
Q

Using the fast invalidate feature provided in CloudFront is incorrect

A

Because invalidation is used to remove the content from the CloudFront edge location caches before it expires. The next time a viewer requests the object, CloudFront fetches the content from the origin; whereas setting the TTL to 0 forces CloudFront to deliver the latest content as soon as the origin updates it.

31
Q

CloudFront origins

A

You cannot set EFS as the origin of your CloudFront web distribution.

32
Q

API Gateway per region limit

A

API Gateway has a default per region limit of 10,000 requests per second. If required for production, this limit can be increased.

33
Q

Lambda and VPCs

A

Lambda functions cannot connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.

34
Q

Lambda sync vs async

A

For asynchronous invocation, if you see an increase in errors without corresponding CloudWatch Logs, invoke the Lambda function synchronously in the console to get the error responses.

35
Q

Elastic Load Balancing sticky

A

Elastic Load Balancing creates a cookie, named AWSELB, that is used to map the session to the instance.

36
Q

EFS

A

Has file locking capabilities.

37
Q

Snowball Edge

A
  1. Local compute with AWS Lambda
  2. Local compute instances
  3. Use with AWS Greengrass (IoT)
  4. Transfer files through NFS with a GUI

38
Q

Migrate VMs from a vCenter environment to AWS

A

It is recommended by AWS to use the Server Migration Service (SMS) to migrate VMs from a vCenter environment to AWS. SMS automates the migration process by replicating on-premises VMs incrementally and converting them to Amazon Machine Images (AMIs). You can continue using your on-premises VMs while migration is in progress. The Server Migration Connector is a FreeBSD VM that you install in your on-premises virtualization environment.

39
Q

EC2Rescue

A

Can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances. You can run the tool manually or you can run the tool automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue.

40
Q

HTTPS between viewers and CloudFront or between CloudFront and your origin

A

HTTPS between viewers and CloudFront

  • You can use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, Symantec or other third-party providers.
  • You can use a certificate provided by AWS Certificate Manager (ACM).

HTTPS between CloudFront and a custom origin

  • If the origin is not an ELB load balancer, such as Amazon EC2, the certificate must be issued by a trusted CA such as Comodo, DigiCert, Symantec or other third-party providers.
  • If your origin is an ELB load balancer, you can also use a certificate provided by ACM.
  • You cannot directly upload a self-signed certificate in your ALB.

41
Q

The 502 internal server errors

A

The 502 internal server errors will be returned intermittently by API Gateway if the Lambda function exceeds concurrency limits.

42
Q

AWS Systems Manager Run Command

A

Administrators use Run Command to perform the following types of tasks on their managed instances: install or bootstrap applications, build a deployment pipeline, capture log files when an instance is terminated from an Auto Scaling group, and join instances to a Windows domain, to name a few.

43
Q

Kinesis Data Stream Shard limit

A

1 MB

44
Q

CW vs CT

A

--is-multi-region-trail and --include-global-service-events
CT has both
CW only has multi region

45
Q

Redis AOF

A

AOF is disabled by default. To enable AOF for a cluster running Redis, you must create a parameter group with the appendonly parameter set to yes, and then assign that parameter group to your cluster. You can also modify the appendfsync parameter to control how often Redis writes to the AOF file.

46
Q

AWS Application Discovery Service

A

Helps you to plan migration projects by gathering information about your on-premises data centers but this service is not a suitable migration service.

47
Q

Benefits of using ELB health checks

A

There are certain benefits of using ELB health checks as opposed to the default EC2 status checks. It can monitor whether your application is running on a certain port (e.g. 3000), which you cannot do with a regular EC2 status check. In addition, you can use many other health check settings that suit your requirements, such as HealthCheckPath, HealthyThresholdCount and many others.

48
Q

With vs Without Cognito

A

If you don’t use Amazon Cognito, then you choose to write custom code or an app that interacts with a web IdP (Login with Amazon, Facebook, Google, or any other OIDC-compatible IdP) and then call the AssumeRoleWithWebIdentity API to trade the authentication token you get from those IdPs for AWS temporary security credentials. If you have already used this approach for existing apps, you can continue to use it. You can also deploy your app in an S3 bucket.

49
Q

Setting up a diversified allocation strategy for your Spot Fleet

A

Using various instance types (c4.2xlarge, m3.2xlarge, r3.2xlarge, etc.) raises the chances that your Spot Instance requests will be approved.

Available for Spot Fleets but NOT ASG

50
Q

CloudHSM is a cluster and, for HA,

A

Must be deployed to multiple AZs

51
Q

If you want to enable cross-region snapshot copy for an AWS KMS-encrypted cluster

A

You must configure a snapshot copy grant for a master key in the destination region so that Amazon Redshift can perform encryption operations in the destination region.

52
Q

Rolling with additional batch

A

Only applicable in Elastic Beanstalk and not for Lambda.

53
Q

Max VPC peering

A

125