JFD's AWS Practitioner Certification Flashcards

1
Q

In the S3 Intelligent-Tiering storage class, Amazon S3 moves objects between a frequent access tier and an infrequent access tier. Which storage classes are used for these tiers? (Select TWO.)

  • S3 Glacier Deep Archive
  • S3 Standard-IA
  • S3 Glacier
  • S3 One Zone-IA
  • S3 Standard
A
  • S3 Standard
  • S3 Standard-IA

In the S3 Intelligent-Tiering storage class, Amazon S3 monitors objects’ access patterns. If you haven’t accessed an object for 30 consecutive days, Amazon S3 automatically moves it to the infrequent access tier, S3 Standard-IA. If you access an object in the infrequent access tier, Amazon S3 automatically moves it to the frequent access tier, S3 Standard.

2
Q

Which service is used to quickly deploy and scale applications on AWS?

  • AWS Snowball
  • AWS Elastic Beanstalk
  • Amazon CloudFront
  • AWS Outposts
A
  • AWS Elastic Beanstalk.

You upload your application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring.

The other response options are incorrect because:

  • AWS Outposts is a service that enables you to run infrastructure in a hybrid cloud approach.
  • Amazon CloudFront is a content delivery service.
  • AWS Snowball is a device that enables you to transfer large amounts of data into and out of AWS.
3
Q

You want Amazon S3 to monitor your objects’ access patterns. Which storage class should you use?

  • S3 One Zone-IA
  • S3 Glacier
  • S3 Standard-IA
  • S3 Intelligent-Tiering
A

S3 Intelligent-Tiering.

In the S3 Intelligent-Tiering storage class, Amazon S3 monitors objects’ access patterns. If you haven’t accessed an object for 30 consecutive days, Amazon S3 automatically moves it to the infrequent access tier, S3 Standard-IA. If you access an object in the infrequent access tier, Amazon S3 automatically moves it to the frequent access tier, S3 Standard.

4
Q

Which pillar of the AWS Well-Architected Framework focuses on using computing resources in ways that meet system requirements?

  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
A

Performance Efficiency.

The Performance Efficiency pillar focuses on using computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve.

The other responses are incorrect because:

  • The Operational Excellence pillar includes the ability to run workloads effectively, gain insights into their operations, and continuously improve supporting processes to deliver business value.
  • The Security pillar focuses on protecting data, systems, and assets. It also focuses on using cloud technologies to improve the security of your workloads.
  • The Reliability pillar focuses on the ability of a workload to consistently and correctly perform its intended functions
5
Q

Which service enables you to consolidate and manage multiple AWS accounts from a central location?

  • AWS Identity and Access Management (IAM)
  • AWS Artifact
  • AWS Organizations
  • AWS Key Management Service (AWS KMS)
A

AWS Organizations.

In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). Additionally, you can use the consolidated billing feature in AWS Organizations to combine usage and receive a single bill for multiple AWS accounts.

The other response options are incorrect because:

  • AWS Identity and Access Management (IAM) is a service that you can use to manage access to AWS services and resources.
  • AWS Artifact is a service that enables you to access AWS security and compliance reports and special online agreements.
  • AWS Key Management Service (AWS KMS) enables you to create, manage, and use cryptographic keys.
6
Q

Which migration strategy involves changing how an application is architected and developed, typically by using cloud-native features?

  • Repurchasing
  • Rehosting
  • Replatforming
  • Refactoring
A

Refactoring.

The other response options are incorrect because:

  • Repurchasing involves replacing an existing application with a cloud-based version, such as software found in AWS Marketplace.
  • Rehosting involves moving an application to the cloud with little to no modifications to the application itself. It is also known as “lift and shift.”
  • Replatforming involves selectively optimizing aspects of an application to achieve benefits in the cloud without changing the core architecture of the application. It is also known as “lift, tinker, and shift.”
7
Q

Which AWS Trusted Advisor category includes checks for your service limits and overutilized instances?

  • Cost Optimization
  • Security
  • Fault Tolerance
  • Performance
A

Performance.

In this category, AWS Trusted Advisor also helps improve the performance of your services by providing recommendations for how to take advantage of provisioned throughput.

The other response options are incorrect because:

  • The Security category includes checks that help you to review your permissions and identify which AWS security features to enable.
  • The Cost Optimization category includes checks for unused or idle resources that could be eliminated and provide cost savings.
  • The Fault Tolerance category includes checks to help you improve your applications’ availability and redundancy
8
Q

Which Support plans include access to all AWS Trusted Advisor checks? (Select TWO.)

  • AWS Free Tier
  • Enterprise
  • Developer
  • Business
  • Basic
A
  • Enterprise
  • Business

The other response options are incorrect because:

  • The Basic and Developer Support plans provide access to a limited selection of AWS Trusted Advisor checks.
  • The AWS Free Tier is not a Support plan. It is a program that consists of three types of offers that allow customers to use AWS services without incurring costs: Always free, 12 months free, and Trials.
9
Q

Which service enables you to review details for user activities and API calls that have occurred within your AWS environment?

  • Amazon Inspector
  • Amazon CloudWatch
  • AWS Trusted Advisor
  • AWS CloudTrail
A

AWS CloudTrail.

With CloudTrail, you can view a complete history of user activity and API calls for your applications and resources.

Events are typically updated in CloudTrail within 15 minutes after an API call was made. You can filter events by specifying the time and date that an API call occurred, the user who requested the action, the type of resource that was involved in the API call, and more.

The other response options are incorrect because:

  • Amazon CloudWatch is a service that provides data that you can use to monitor your applications, optimize resource utilization, and respond to system-wide performance changes.
  • Amazon Inspector is a service that checks applications for security vulnerabilities and deviations from security best practices.
  • AWS Trusted Advisor is an online tool that inspects your AWS environment and provides real-time guidance in accordance with AWS best practices.
10
Q

Which service enables you to build the workflows that are required for human review of machine learning predictions?

  • Amazon Augmented AI
  • Amazon Lex
  • Amazon Aurora
  • Amazon Textract
A

Amazon Augmented AI.

Amazon Augmented AI (Amazon A2I) provides built-in human review workflows for common machine learning use cases, such as content moderation and text extraction from documents. With Amazon A2I, you can also create your own workflows for machine learning models built on Amazon SageMaker or any other tools.

The other response options are incorrect because:

  • Amazon Textract is a machine learning service that automatically extracts text and data from scanned documents.
  • Amazon Lex is a service that enables you to build conversational interfaces using voice and text.
  • Amazon Aurora is an enterprise-class relational database.
11
Q

Which Perspective of the AWS Cloud Adoption Framework focuses on recovering IT workloads to meet the requirements of your business stakeholders?

  • Governance Perspective
  • Operations Perspective
  • Business Perspective
  • People Perspective
A

Operations Perspective.

The Operations Perspective of the AWS Cloud Adoption Framework also includes principles for operating in the cloud by using agile best practices.

The other response options are incorrect because:

  • The Business Perspective helps you to move from a model that separates business and IT strategies into a business model that integrates IT strategy.
  • The People Perspective helps Human Resources (HR) employees prepare their teams for cloud adoption by updating organizational processes and staff skills to include cloud-based competencies.
  • The Governance Perspective helps you understand how to update the staff skills and organizational processes that are necessary to ensure business governance in the cloud.
12
Q

Which statement best describes Amazon GuardDuty?

  • A service that lets you monitor network requests that come into your web applications
  • A service that checks applications for security vulnerabilities and deviations from security best practices
  • A service that helps protect your applications against distributed denial-of-service (DDoS) attacks
  • A service that provides intelligent threat detection for your AWS infrastructure and resources
A

A service that provides intelligent threat detection for your AWS infrastructure and resources.

Amazon GuardDuty identifies threats by continually monitoring the network activity and account behavior within your AWS environment (VPC Flow Logs, DNS logs, and CloudTrail events).

The other response options are incorrect because:

  • A service that helps protect your applications against distributed denial-of-service (DDoS) attacks - This response option describes AWS Shield.
  • A service that checks applications for security vulnerabilities and deviations from security best practices - This response option describes Amazon Inspector.
  • A service that lets you monitor network requests that come into your web applications - This response option describes AWS WAF.
13
Q

Which service is used to transfer up to 100 PB of data to AWS?

  • AWS Snowmobile
  • Amazon Neptune
  • AWS DeepRacer
  • Amazon CloudFront
A

AWS Snowmobile.

AWS Snowmobile is a service that is used for transferring up to 100 PB of data to AWS. Each Snowmobile is a 45-foot long shipping container that is pulled by a semi-trailer truck.

The other response options are incorrect because:

  • Amazon Neptune is a graph database service. You can use Amazon Neptune to build and run applications that work with highly connected datasets, such as recommendation engines, fraud detection, and knowledge graphs.
  • Amazon CloudFront is a content delivery service.
  • AWS DeepRacer is an autonomous 1/18 scale race car that you can use to test reinforcement learning models.
14
Q

You are running an Amazon EC2 instance and want to store data in an attached resource. Your data is temporary and will not be kept long term. Which resource should you use?

  • Subnet
  • Amazon S3 bucket
  • Instance store
  • Amazon Elastic Block Store (Amazon EBS) volume
A

Instance store.

Instance stores are ideal for temporary data that does not need to be kept long term.

When an Amazon EC2 instance is stopped or terminated, all the data that has been written to the attached instance store is deleted.

The other response options are incorrect because:

  • Amazon EBS volumes are ideal for data that needs to be retained. When an Amazon EC2 instance is stopped or terminated, all of the data on the attached EBS volume is still available.
  • Amazon S3 buckets cannot be attached to Amazon EC2 instances.
  • A subnet is a section of a virtual private cloud (VPC) in which you can group resources based on security or operational needs.
15
Q

When is the developer support plan valid (24×7, business hours…)

A

The developer support plan only offers support during business hours.

Remember that if production systems are being run and support is needed on a 24/7 basis, you will need to select either the business or enterprise support plans.

16
Q

What EC2 pricing model allows you to bid on availability capacity?

  • Temporary instances
  • Spot instances
  • Reserved instances
  • On-demand instances
A

Spot instances

Spot Instances let you use spare EC2 capacity at a steep discount. Originally you placed a bid for that capacity; today you specify the maximum price you are willing to pay and AWS reclaims the capacity, with a two-minute warning, when it needs it back. Spot therefore suits fault-tolerant or interruptible workloads rather than anything that must stay up.

17
Q

_____ is the ability of AWS to grow as demand increases.

  • Availability
  • Reliability
  • Elasticity
  • Scalability
A

Scalability

It is the ability of your infrastructure to grow on demand

18
Q

What two protocols are commonly permitted in security groups in order to permit remote administration of systems? (Choose two.)

  • RDP
  • ICMP
  • SFTP
  • SSH
A
  • RDP
  • SSH

Both Remote Desktop Protocol and the Secure Shell are often permitted in security groups to enable remote administration of AWS systems

19
Q

Which of the following is not an element of good security design principles?

  • Security in depth
  • Automation
  • Root account usage
  • Traceability
A

Root account usage

The root account should be used as sparingly as possible

20
Q

As part of the Shared Responsibility model, which of these would you, as the customer, be responsible for?

  • Compliance testing against the physical hardware
  • Configuring a software firewall in the operating system
  • Testing Marketplace images
  • Encrypting keying information stored in AWS
A

Configuring a software firewall in the operating system

Securing your operating systems in EC2 is your responsibility

21
Q

What are two security advantages of working with AWS? (Choose two.)

  • You can use MFA.
  • AWS handles security of your compute resources.
  • You retain complete control and ownership of your data resources in a region.
  • AWS performs periodic penetration testing against your operating systems.
A
  • You can use MFA.
  • You retain complete control and ownership of your data resources in a region.

22
Q

What two security measures are recommended for your root user account with AWS? (Choose two.)

  • Delete the access keys.
  • Use MFA.
  • Use the root user account for administration exclusively.
  • Clone the root user account for redundancy.
A
  • Delete the access keys.
  • Use MFA.

It is recommended to delete the root user access keys and to use MFA on the account.

23
Q

Your security team wants information from you on the specifics that are permitted and prohibited against your AWS infrastructure. Where can you find this information?

  • Trusted Advisor
  • CloudWatch
  • AUP
  • IAM
A
  • AUP

The AWS Acceptable Use Policy (along with other agreements governing the use of AWS) can be found on the AWS website. If you have any questions about how your use case aligns with AWS policies, consult a legal advisor. AWS Support cannot provide legal advice regarding your use of Amazon Web Services

24
Q

Which of the following two data flows would be least likely to incur AWS charges? (Choose two.)

  • Flows outbound from your services
  • Flows inbound to your services
  • Outbound flows between services
  • Flows outbound from S3
A
  • Flows inbound to your services
  • Outbound flows between services

Inbound data transfer from the Internet is free, and data transfer between AWS services within the same Region is free or far cheaper than data transferred out to the Internet, which is where the bulk of transfer charges arise.

25
Q

____ is the fully managed configuration management service in AWS.

  • CloudTrail
  • OpsWorks
  • CloudFormation
  • CloudWatch
A
  • OpsWorks

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments

26
Q

What component allows you to connect privately from your Virtual Private Cloud (VPC) to services you need?

  • VPC endpoint
  • Direct Connect
  • VPN
  • CloudFront
A
  • VPC endpoint

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an Internet gateway, a NAT device, a VPN connection, or an AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network

27
Q

____ permits you to use a private connection from your facility to AWS.

  • ClassicLink
  • Direct Connect
  • VPC peering
  • VPC endpoint
A
  • Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections

28
Q

Which is not a typical service or tool associated with HA in AWS?

  • Auto Scaling
  • ELB
  • CloudWatch
  • CloudTrail
A
  • CloudTrail

Of all of these AWS tools and services, CloudTrail is the least directly tied to high availability in AWS. Remember that CloudTrail is a tool that allows you to closely monitor the API calls that permit clients to configure and interact with AWS

29
Q

Where should firewalling be accomplished in a web hosting design in AWS?

  • At the perimeter
  • At the core
  • At all design layers
  • For all access layer functions
A
  • At all design layers

Firewalling in AWS is available at every layer of a web hosting design (security groups on instances and load balancers, network ACLs on subnets, AWS WAF in front of the application), so the security measure should be implemented at all layers rather than only at the perimeter.
30
Q

Why might you create many different accounts for one of your AWS engineers?

  • To follow the concept of least privilege
  • To reduce the resources required by IAM
  • To provide back doors into the system
  • To ensure that you can log activity
A
  • To follow the concept of least privilege

The least privilege concept is desired because you should have users with accounts that provide just the right level of control potential over the infrastructure. This can minimize security risks and the likelihood of costly errors

31
Q

What identity in IAM is very similar to a user account but has no credentials associated with it?

  • Group
  • Role
  • Proxy user
  • Principal
A
  • Role

A role is an IAM identity with permission policies but no long-term credentials of its own (no password and no access keys). When a user, application, or AWS service assumes a role, AWS STS issues short-lived temporary credentials, which is why a role is the preferred way for one service to access another.

32
Q

Why is automation so easily accommodated in AWS?

  • CloudTrail provides automation templates for you.
  • Multiple regions facilitate code deployment.
  • Physical systems host the EC2 instances you work with daily.
  • All actions can be implemented through API calls.
A
  • All actions can be implemented through API calls.

The use of APIs for everything in AWS provides ease of automation, among other benefits

33
Q

How many discrete data centers are located in an AZ in the AWS global infrastructure?

  • At least one
  • At least two
  • At least three
  • At least four
A
  • At least one

There is at least one discrete data center in an Availability Zone (AZ). Some AZs have more than one

34
Q

Which is not a major category of the AWS discussion forums?

  • AWS Security Alerts
  • Amazon Web Services
  • German Forums
  • AWS Startups
A
  • AWS Security Alerts

There is no forum for AWS Security Alerts. There are, however, many different language forums and many forums for development-related topics.

35
Q

Which would not be considered a major benefit of IaaS?

  • Eliminating security concerns
  • Reducing CapEx
  • Increasing speed and agility
  • Leveraging AWS expertise
A
  • Eliminating security concerns

Even when you engage in Infrastructure as a Service (IaaS) with AWS, you are still responsible for aspects of securing the infrastructure, such as the guest operating system, network configuration, and your data.

36
Q

Which of the following are cost calculators available in AWS? (Choose two.)

  • TCO Calculator
  • AWS Fee Estimator
  • AWS Cost Comparison Calculator
  • AWS Simple Monthly Calculator
A
  • TCO Calculator
  • AWS Simple Monthly Calculator

Two popular cost calculators for AWS were the TCO Calculator and the AWS Simple Monthly Calculator. Both have since been retired in favor of the AWS Pricing Calculator, so expect the newer name on current material.

37
Q

Why does AWS guarantee your exchange rate with AWS Billing and Cost Management?

  • To ensure that any refund uses the same exchange rate as the original transaction
  • To save you costs
  • To minimize the number of transactions in the system
  • To optimize your costs for resources
A
  • To ensure that any refund uses the same exchange rate as the original transaction
38
Q

Which of the following is associated with an Elastic Network Interface for providing security?

  • IGW
  • NACL
  • Security group
  • Subnet
A
  • Security group

Security groups can help control security of EC2 instances. These groups consist of rules for access. Security groups are associated with ENIs.

39
Q

What component does the Budgets tool in AWS use for visualization?

  • Cost Explorer
  • Excel
  • Tableau
  • AWS GraphSage
A
  • Cost Explorer
40
Q

Which is not a fundamental cost in AWS?

  • Data transfer in
  • Data transfer out
  • Storage
  • Compute
A
  • Data transfer in
41
Q

Which is not a common cost characteristic for EC2?

  • Clock hours
  • Detailed monitoring
  • AZ location
  • Hardware options
A
  • AZ location

The Availability Zone (AZ) location does not impact the cost of your EC2 resources.

42
Q

Your IT group maintains an application on AWS to provide development and testing platforms for your developers. Currently each environment consists of an m1.small EC2 instance. Your developers report to your group performance degradation as they increase network load in the test environment. How would you mitigate these performance issues in the test environment?

  • Upgrade the m1.small to a larger instance type.
  • Add an additional ENI to the test instance.
  • Use the EBS optimized option to offload EBS traffic.
  • Configure Amazon CloudWatch to provision more network bandwidth when network utilization exceeds 80 percent.
A
  • Upgrade the m1.small to a larger instance type.

An instance's network bandwidth is fixed by its instance type and size. Amazon CloudWatch only collects metrics and fires alarms; it cannot provision network bandwidth, so the CloudWatch option describes a capability that does not exist. Moving to a larger (and preferably current-generation) instance type is how you raise the network throughput available to the test environment.
43
Q

What type of queue is available in all regions with SQS?

  • First-in, first-out delivery
  • High throughput
  • Limited throughput
  • Exactly-once processing
A
  • High throughput

Standard queues, which provide nearly unlimited (high) throughput with at-least-once delivery, are available in all Regions. FIFO queues (first-in, first-out delivery with exactly-once processing) were initially offered in only a small number of Regions.

44
Q

Which of the following is not a storage option for uploading objects to an S3 bucket?

  • Glacier
  • Standard—Infrequent Access
  • Standard
  • Reduced Redundancy
A
  • Glacier

When this question was written, objects could only reach Glacier through a lifecycle transition. Since late 2018 the S3 Glacier storage classes can be chosen directly at upload time through the x-amz-storage-class header, so treat this as a historical answer.
45
Q

What tool does AWS provide that allows you to monitor the activities of AWS involving your infrastructure?

  • CloudWatch
  • CloudAudit
  • CloudSecurityMonitor
  • CloudTrail
A
  • CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
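Cards 9, 19, 22 and 45 make two points that a practitioner would want to wire together: CloudTrail records every API call, and the root user should almost never be the one making them (and every console login should use MFA). The following is an added example, not code from AWS or from these flashcards. It runs over a constructed CloudTrail log in the shape CloudTrail delivers to S3 (`{"Records": [...]}`, normally gzip-compressed, which is left out here); the account ID, user name, IP addresses, and timestamps are invented.

```python
"""Flag root-user activity and non-MFA console logins in CloudTrail records.

Added example for flashcards 9, 19, 22 and 45 (not AWS code). The log below is
constructed to look like a CloudTrail delivery file; all identifiers are invented.
"""
import json
from typing import Dict, List

# Constructed sample log: a root console login without MFA, a root API call,
# and a normal IAM user who logs in with MFA and launches an instance.
SAMPLE_LOG = json.dumps({
    "Records": [
        {
            "eventTime": "2024-01-10T09:15:02Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "Root", "accountId": "111122223333"},
            "additionalEventData": {"MFAUsed": "No"},
            "sourceIPAddress": "198.51.100.7",
        },
        {
            "eventTime": "2024-01-10T09:16:40Z",
            "eventSource": "iam.amazonaws.com",
            "eventName": "CreateAccessKey",
            "userIdentity": {"type": "Root", "accountId": "111122223333"},
            "sourceIPAddress": "198.51.100.7",
        },
        {
            "eventTime": "2024-01-10T10:02:11Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "RunInstances",
            "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
            "sourceIPAddress": "203.0.113.5",
        },
        {
            "eventTime": "2024-01-10T10:05:00Z",
            "eventSource": "signin.amazonaws.com",
            "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "111122223333"},
            "additionalEventData": {"MFAUsed": "Yes"},
            "sourceIPAddress": "203.0.113.5",
        },
    ]
})


def load_records(log_text: str) -> List[Dict]:
    """Parse one CloudTrail delivery file (already decompressed) into its event list."""
    return json.loads(log_text)["Records"]


def root_api_calls(records: List[Dict]) -> List[Dict]:
    """Every event made by the root user; cards 19 and 22 say root should be used sparingly."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def console_logins_without_mfa(records: List[Dict]) -> List[Dict]:
    """ConsoleLogin events where additionalEventData.MFAUsed is anything but 'Yes'."""
    return [
        r for r in records
        if r.get("eventSource") == "signin.amazonaws.com"
        and r.get("eventName") == "ConsoleLogin"
        and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"
    ]


def findings(log_text: str) -> List[str]:
    """One finding line per suspicious event; a root login without MFA is reported twice."""
    records = load_records(log_text)
    out = []
    for r in root_api_calls(records):
        out.append(f"ROOT_ACTIVITY {r['eventTime']} {r['eventName']} from {r['sourceIPAddress']}")
    for r in console_logins_without_mfa(records):
        who = r["userIdentity"].get("userName", r["userIdentity"]["type"])
        out.append(f"CONSOLE_LOGIN_NO_MFA {r['eventTime']} {who} from {r['sourceIPAddress']}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

To run this on a real trail, download a delivery object from the trail's S3 bucket, gunzip it, and pass the text to `findings`. The same two conditions are what you would encode as CloudWatch metric filters or EventBridge rules for real-time alerting instead of batch review.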

46
Q

If you create your VPC using the wizard with the option for private and public subnets, how does your public subnet access the Internet?

  • Using a routing instance in that subnet
  • Using a routing instance in the private subnet
  • Using an EC2 instance on the edge of the subnet
  • Using the NAT gateway with an elastic IP address
A
  • Using the NAT gateway with an elastic IP address (closest of the listed options)

The wizard's "VPC with Public and Private Subnets" option attaches an internet gateway to the VPC and gives the public subnet a route for 0.0.0.0/0 to that gateway; that is what actually makes the public subnet Internet accessible. The NAT gateway with an Elastic IP address is placed in the public subnet so that instances in the private subnet can initiate outbound connections without being reachable from the Internet. None of the four options names the internet gateway, so the NAT gateway option is the one the question expects.

47
Q

How can you move a running EC2 instance to another AZ in AWS?

  • Create an AMI from the running instance.
  • Take a snapshot of the EBS for the EC2 instance and migrate that.
  • Use the ELB Service Migrate feature.
  • Stop the instance and then migrate it; you cannot move running instances.
A
  • Create an AMI from the running instance.

It is possible to move a running instance to another Availability Zone (AZ), but you must first create an Amazon Machine Image (AMI) from the instance. That AMI is then used to launch a new instance in the target AZ.

48
Q

What type of service does AWS Kinesis provide?

  • Compute services
  • Database services
  • Networking services
  • Data stream analysis
A
  • Data stream analysis
49
Q

At which two levels can you configure access control for S3? (Choose two.)

  • Bucket
  • Folder
  • File
  • Object
A
  • Bucket
  • Object

50
Q

AWS uses a Shared Responsibility model with its customers. What is an example of what AWS would be responsible for, according to this model?

  • Least privilege concept surrounding an EC2 instance
  • Encrypting communications between EC2 and ELB
  • Security patching ELB
  • Anti-spoofing
A
  • Anti-spoofing

Customer responsibility is based on the AWS cloud services that a customer selects. The services determine the amount of configuration work the customer must perform as part of security responsibilities. For example, services such as Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all the necessary security configuration and management tasks.

51
Q

Which two items are configured by the AMI? (Choose two.)

  • Memory
  • OS
  • Root volume
  • Storage
  • Region
A
  • OS
  • Root volume

The Amazon Machine Image (AMI) contains the operating system (OS) and the root volume, together with its block device mappings and launch permissions. Memory is determined by the instance type you launch, and the Region is simply where the AMI is registered, so neither is configured by the AMI itself.

52
Q

Which of the following AWS service levels includes the compute, networking, and storage services?

  • Infrastructure
  • Platform
  • Information
  • Foundation
A
  • Foundation

Foundation services—the foundational services that AWS offers—include compute (EC2, Lambda, Auto Scaling), networking (Load-Balancing, Route53, VPC), and storage (S3, Block Storage, Glacier, EFS) services.

53
Q

What is the maximum number of security groups that can be applied to any one EC2 instance?

  • 1
  • 2
  • 5
  • 10
A
  • 5

The default quota is 5 security groups per network interface, so 5 for an instance with a single ENI. It is a soft limit that can be raised through Service Quotas (to a maximum of 16 per interface); the total number of rules across all groups attached to an interface is also capped.

54
Q

Which two of the following features can be used to restrict access to data in S3? (Choose two.)

  • Create a CloudFront distribution for the bucket.
  • Set an S3 bucket policy.
  • Use S3 virtual hosting.
  • Set an S3 ACL on the bucket or the object.
  • Enable IAM identity federation.
A
  • Set an S3 bucket policy.
  • Set an S3 ACL on the bucket or the object.
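The two control points from cards 49 and 54 (bucket policy at the bucket level, ACLs at the bucket or object level) are easiest to understand by checking them for the mistake that matters most: granting access to everyone. The following is an added example, not code from AWS or from these flashcards. It works on constructed documents in the shapes returned by `aws s3api get-bucket-policy` (where `Policy` is a JSON string) and `aws s3api get-object-acl`; the bucket name, VPC endpoint ID, account ID, and canonical user ID are invented.

```python
"""Flag public access in an S3 bucket policy and an object ACL.

Added example for flashcards 49 and 54 (not AWS code). The documents below are
constructed to look like the output of `aws s3api get-bucket-policy` and
`aws s3api get-object-acl`; every identifier in them is invented.
"""
import json
from typing import Any, Dict, List, Tuple

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# Constructed bucket policy: one public statement, one narrowed by a VPC endpoint
# condition, one scoped to a single role. "Policy" is a JSON string, as the API returns it.
SAMPLE_BUCKET_POLICY = {"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/internal/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}}},
        {"Sid": "TeamWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/reports-writer"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})}

# Constructed object ACL: owner has FULL_CONTROL, plus a READ grant to AllUsers.
SAMPLE_OBJECT_ACL = {
    "Owner": {"ID": "a" * 64},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "a" * 64}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    """Policy fields such as Statement, Action and Principal.AWS may be scalar or list."""
    return value if isinstance(value, list) else [value]


def principal_is_anyone(principal: Any) -> bool:
    """'*' or {"AWS": "*"} both mean any principal, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_policy_statements(get_bucket_policy_output: Dict[str, str]) -> List[str]:
    """Sids of Allow statements open to everyone with no Condition narrowing them.

    A statement with a Condition is skipped here; whether it is really non-public
    depends on the condition key (aws:SourceVpce does restrict the caller, while a
    key such as aws:SecureTransport does not), so review those by hand.
    """
    doc = json.loads(get_bucket_policy_output["Policy"])
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(doc["Statement"])
        if stmt.get("Effect") == "Allow"
        and principal_is_anyone(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def public_acl_grants(acl_output: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(group URI, permission) for every grant to the AllUsers or AuthenticatedUsers group."""
    return [
        (grant["Grantee"]["URI"], grant["Permission"])
        for grant in acl_output.get("Grants", [])
        if grant["Grantee"].get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GROUPS
    ]


if __name__ == "__main__":
    print("public bucket-policy statements:", public_policy_statements(SAMPLE_BUCKET_POLICY))
    print("public ACL grants:", public_acl_grants(SAMPLE_OBJECT_ACL))
```

Run against real output by piping `aws s3api get-bucket-policy --bucket NAME` and `aws s3api get-object-acl --bucket NAME --key KEY` into the two functions. In practice the strongest control is to turn on S3 Block Public Access at the account or bucket level, which makes both of these public grants ineffective regardless of what the policy or ACL says.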

55
Q

How can you save the most money with reserved instances?

  • Pay all up front
  • Pay some up front
  • Pay all at the end of the contract
  • Pay monthly
A
  • Pay all up front

AWS provides the largest discount possible when you pay for all your reserved instances up front.

56
Q

What security construct is associated with VPC subnets?

  • Security groups
  • NACLs
  • IDS
  • FirePower
A
  • NACLs

NACLs, which are associated with subnets, give you a powerful security capability to control traffic between your AWS resources.

57
Q

You are interested in performing penetration testing on your EC2 instances hosted in AWS. Which statement is correct, per the AWS Acceptable Use Policy?

  • It may be performed by customers against their own instances if performed from EC2 instances.
  • It is periodically performed by AWS.
  • It is performed by AWS upon customer request.
  • It is expressly prohibited under all circumstances.
  • It may be performed by customers against their own instances with prior authorization from AWS.
A
  • It may be performed by customers against their own instances with prior authorization from AWS.

This is the answer the question was written against. Since 2019 the AWS Customer Support Policy for Penetration Testing allows customers to test their own instances of listed services (Amazon EC2 among them) without prior authorization; DDoS simulation and other stress testing remain governed by separate policies and may still require approval.
58
Q

How many Auto Scaling groups can you have per region?

  • 10
  • 20
  • 50
  • 100
A
  • 20

The question reflects historical defaults: 20 Auto Scaling groups and 100 launch configurations per Region. Both are adjustable quotas, the current defaults are higher, and Service Quotas shows the values that apply to your account.

59
Q

Besides EC2 instances, which two the following AWS products can also take advantage of security groups? (Choose two.)

  • CloudFront
  • Redshift
  • Elastic MapReduce
  • Elastic Load Balancing
  • CloudWatch
A
  • Redshift
  • Elastic MapReduce

A security group acts as a virtual firewall for EC2 instances and for several other AWS products, including Amazon Redshift clusters and EMR clusters. Elastic Load Balancing load balancers in a VPC also carry security groups (see the next card), so that option is equally valid in practice; Redshift and EMR are the pairing the question expects. Keep in mind that security groups are not instance specific: one security group can be shared among many instances.
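Cards 18, 38, 53 and 59 together describe how security groups work: rules permitting SSH and RDP are common, groups attach to network interfaces, several groups may attach to one interface, and the rules of all attached groups apply together (permissive union). The following is an added example, not code from AWS or from these flashcards. It audits constructed data in the shapes returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-interfaces` for the classic mistake of exposing SSH or RDP to the whole Internet; the group and interface IDs and CIDR ranges are invented.

```python
"""Find security groups that open SSH/RDP to the world, and the ENIs they expose.

Added example for flashcards 18, 38, 53 and 59 (not AWS code). The two documents
below are constructed to look like `aws ec2 describe-security-groups` and
`aws ec2 describe-network-interfaces` output; all IDs are invented.
"""
from typing import Dict, List, Set, Tuple

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the two remote-administration protocols from card 18
ANYWHERE = {"0.0.0.0/0", "::/0"}         # IPv4 and IPv6 "any source"

SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {   # SSH open to the world
            "GroupId": "sg-0aaa111bbb222ccc3", "GroupName": "bastion",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {   # RDP correctly restricted, but an all-traffic rule open to any IPv6 source
            "GroupId": "sg-0ddd444eee555fff6", "GroupName": "windows-admin",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
        {   # HTTPS open to the world is expected for a web tier and is not flagged
            "GroupId": "sg-0777888999aaabbbc", "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
    ]
}

SAMPLE_INTERFACES = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0123456789abcdef0",
         "Groups": [{"GroupId": "sg-0aaa111bbb222ccc3"}, {"GroupId": "sg-0777888999aaabbbc"}]},
        {"NetworkInterfaceId": "eni-0fedcba9876543210",
         "Groups": [{"GroupId": "sg-0777888999aaabbbc"}]},
        {"NetworkInterfaceId": "eni-0aaaabbbbccccdddd",
         "Groups": [{"GroupId": "sg-0ddd444eee555fff6"}]},
    ]
}


def rule_covers_port(perm: Dict, port: int) -> bool:
    """True if a TCP (or all-protocol) ingress rule includes the given port."""
    if perm.get("IpProtocol") == "-1":            # all protocols, all ports; no port keys present
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def rule_sources(perm: Dict) -> List[str]:
    """All IPv4 and IPv6 CIDR sources of one rule (security-group sources are ignored here)."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def open_admin_ports(describe_sgs: Dict) -> List[Tuple[str, str, str]]:
    """(group ID, service, source CIDR) for every rule allowing SSH or RDP from anywhere."""
    found = []
    for sg in describe_sgs["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            for cidr in rule_sources(perm):
                if cidr not in ANYWHERE:
                    continue
                for port, name in sorted(ADMIN_PORTS.items()):
                    if rule_covers_port(perm, port):
                        found.append((sg["GroupId"], name, cidr))
    return found


def exposed_interfaces(describe_sgs: Dict, describe_enis: Dict) -> Dict[str, Set[str]]:
    """Map each exposed ENI to the admin services reachable on it.

    Security groups attach to the ENI (card 38) and their rules are additive, so an
    interface is exposed if any one of its attached groups is.
    """
    by_group: Dict[str, Set[str]] = {}
    for group_id, name, _cidr in open_admin_ports(describe_sgs):
        by_group.setdefault(group_id, set()).add(name)
    exposed: Dict[str, Set[str]] = {}
    for eni in describe_enis["NetworkInterfaces"]:
        services: Set[str] = set()
        for group in eni.get("Groups", []):
            services |= by_group.get(group["GroupId"], set())
        if services:
            exposed[eni["NetworkInterfaceId"]] = services
    return exposed


if __name__ == "__main__":
    for finding in open_admin_ports(SAMPLE_SECURITY_GROUPS):
        print("OPEN_ADMIN_PORT", *finding)
    for eni_id, services in exposed_interfaces(SAMPLE_SECURITY_GROUPS, SAMPLE_INTERFACES).items():
        print("EXPOSED_ENI", eni_id, ",".join(sorted(services)))
```

Feed the functions the JSON from the two CLI commands to audit a real account. The fix for each finding is to narrow the source to an administrative CIDR, a bastion's security group, or to drop the inbound rule entirely in favor of AWS Systems Manager Session Manager, which needs no open port at all.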

60
Q

When using Elastic Load Balancing, which statement is true?

  • There is a limit of two ELB instances per AZ.
  • You do not assign security groups to an ELB but only to the EC2 instances it services.
  • You can specify the port for monitoring with the classic load balancer.
A
  • You can specify the port for monitoring with the classic load balancer.
61
Q

Which of the following AWS resources would incur charges against a Free Tier account, if used?

  • AWS ELB
  • An EC2 micro instance
  • AWS S3
  • An AWS provisioned IOPS EBS
A
  • An AWS provisioned IOPS EBS

Provisioned IOPS are a new Elastic Block Store (EBS) volume type designed to deliver predictable high performance for I/O-intensive workloads, such as database applications, that rely on consistent and fast response times. These would not be part of a Free Tier account.

62
Q

What is the default duration of time that CloudFront will keep files at Edge Locations?

  • 6 hours
  • 12 hours
  • 24 hours
  • 48 hours
A
  • 24 hours
63
Q

What is an example of a previous-generation instance?

  • d2.xlarge
  • m3.medium
  • t1.micro
  • f1.16xlarge
A
  • t1.micro
64
Q

What is the minimum size for a provisioned IOPS volume?

  • 1 GB
  • 4 GB
  • 50 GB
  • 500 GB
A
  • 4 GB
65
Q

What is AWS Directory Service built with?

  • NFS
  • NTFS
  • AD
  • SD
A
  • AD

AWS Directory Service for Microsoft Active Directory, also known as AWS Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS cloud. AWS Microsoft AD is built on Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features, such as Group Policy and single sign-on (SSO).

66
Q

You need to move an EBS volume into a new AZ. How is this done?

  • Use the EBS move option in the management console
  • Use a snapshot to create the volume in the new AZ
  • Use the EBS move option at the CLI
  • Create a new volume in the target AZ and map it to the source volume
A
  • Use a snapshot to create the volume in the new AZ

Snapshots allow you to create copies of volumes in other Availability Zones.

67
Q

Which is not a metric that is being monitored by default for your EC2 instances?

  • Network
  • Memory
  • Disk
  • CPU
A
  • Memory

Checking the Monitoring tab for your instance in EC2 reveals CPU, disk, and network metrics. Remember, you can add additional metrics through CloudWatch.

68
Q

As part of the Shared Responsibility model of security, what would be a responsibility of AWS when it comes to data storage?

  • Eliminating all data from an unused SSD
  • Setting encryption on S3 data at rest
  • Setting encryption on EBS data at rest
  • Ensuring the use of HTTPS when transferring data
A
  • Eliminating all data from an unused SSD

AWS is responsible for physical security controls, including wiping data from decommissioned hardware devices.

69
Q

What type of consistency do you get in S3 with an overwrite PUT?

  • Immediate
  • Read after write
  • Eventual
  • Timed
A
  • Eventual

Read after write consistency exists for the PUT of new objects. For a PUT overwrite, you get eventual consistency.

70
Q

Which statement is true regarding dedicated instances versus dedicated hosts?

  • There is a security advantage to dedicated hosts.
  • There is a performance advantage to dedicated hosts.
  • There is a reliability advantage to dedicated hosts.
  • There is a visibility advantage to dedicated hosts.
A
  • There is a visibility advantage to dedicated hosts.

Dedicated hosts and dedicated instances can both be used to launch Amazon EC2 instances onto physical servers that are dedicated for your use. There are no performance, security, or physical differences between dedicated instances and instances on dedicated hosts. However, dedicated hosts give you additional visibility and control over how instances are placed on a physical server.

71
Q

When you are evaluating S3 storage needs for a customer using AWS, which of the following should you consider?

  • Total size of the required bucket
  • Size of individual objects
  • Number of requests per second
  • Number of customers
A
  • Number of requests per second

Due to the scalable and flexible nature of S3, you should consider the number of requests per second anticipated. This is far more important than things like bucket size and object size since these are flexible with S3.

72
Q

You have just created a new default subnet in your VPC. What is the size of this new default subnet?

  • /12
  • /24
  • /28
  • /20
A
  • /20

When you create a default subnet, it is created with a size /20 IPv4 CIDR block in the next available contiguous space in your default VPC.

73
Q

What Route 53 concept is the same as in a traditional DNS zone file?

  • Domain
  • Record set
  • Hosted zone
  • Edge Location
A
  • Hosted zone

Domain is a general DNS concept. Domain names are easily recognizable names for numerically addressed Internet resources. For example, amazon.com is a domain. Hosted zone is an Amazon Route 53 concept. A hosted zone is analogous to a traditional DNS zone file; it represents a collection of records that can be managed together and that belong to a single parent domain name.

74
Q

You need to ensure that data stored in S3 is automatically written to independent data centers that are geographically far apart. What should you do?

  • Create the bucket in multiple regions and configure cross-region replication
  • Create an S3 bucket in the appropriate region
  • Use EFS instead of S3
  • Use Glacier as the storage mechanism for S3 data
A
  • Create an S3 bucket in the appropriate region

Creating an S3 bucket in the appropriate region causes AWS to automatically write data to at least two separate facilities in different Availability Zones.

75
Q

What data transfer option permits the use of external USB drives?

  • Storage Gateway
  • EBS transfer
  • Import/Export
  • Snowball Express
A
  • Import/Export

The legacy Import/Export service permits you to use your own USB drives.

76
Q

Which of these options is not a valid reason to add additional virtual network interfaces to your EC2 instance?

  • To create a management network
  • To use network and security appliances in your VPC
  • To create dual-homed instances with workloads/roles on distinct subnets
  • To create a clustered group of compute resources with the lowest possible latency in AWS
A
  • To create a clustered group of compute resources with the lowest possible latency in AWS

Attaching multiple network interfaces to an instance is useful when you want to create a management network, use network and security appliances in your VPC, create dual-homed instances with workloads/roles on distinct subnets, and create a low-budget, high-availability solution.

77
Q

Which of the following is not an access control you would feature with S3?

  • Encryption
  • Bucket policy
  • IAM policy
  • Query string authentication
  • Network ACL
A
  • Network ACL

All the mechanisms listed here except for the use of a network ACL are common security practices for S3.

78
Q

What is the maximum IOPS per volume when you use a provisioned IOPS EBS volume?

  • 10,000
  • 20,000
  • 500
  • 250
A
  • 20,000

The maximum IOPS per volume is 20,000 with this volume type.

79
Q

You have been asked to design an S3 infrastructure for your AWS implementation. You must ensure that you protect against accidental object deletions due to overwrites. What two mechanisms should you consider implementing? (Choose two.)

  • Object lifecycle
  • Server access logging
  • Versioning
  • Website hosting
  • MFA
A
  • Versioning
  • MFA

Both versioning and multifactor authentication (MFA) can assist with protecting against accidental object deletions due to overwrites. Versioning does this directly, as you can easily retrieve a deleted or overwritten file. Multifactor authentication does this indirectly, as an unauthorized user cannot delete content as easily.

80
Q

What are two components of an AWS VPN connection? (Choose two.)

  • Peering connection
  • Customer gateway
  • Internet gateway
  • Virtual private gateway
A
  • Customer gateway
  • Virtual private gateway

81
Q

What technology is not fully supported by Route 53?

  • IPv4
  • IPv6
  • Load sharing
  • DNSSEC
A
  • DNSSEC

Amazon Route 53 does not support DNSSEC for DNS at this time, but it does allow DNSSEC on domain registration.

82
Q

You delete an AWS S3 bucket and all of the objects inside it. Which statement is true?

  • You can create a new bucket with that name as long as no other S3 customer has now taken the name.
  • You cannot reuse the bucket name.
  • The bucket name is always available with a -01 suffix.
  • The bucket name is now reserved for you.
A
  • You can create a new bucket with that name as long as no other S3 customer has now taken the name.

The bucket name must be globally unique. You can use the name of a bucket that you deleted if it has not been taken by someone else.

83
Q

What does AWS recommend for creating an IPv4 outbound-only network component?

  • NAT gateway
  • Egress-only Internet gateway
  • Private gateway
  • Client gateway
A
  • NAT gateway

An egress-only Internet gateway is for use with IPv6 traffic only. To enable outbound-only Internet communication over IPv4, you use a NAT gateway instead.

84
Q

Which of the following services uses key pairs for access?

  • Kinesis
  • CloudFront
  • ELB
  • SDKs
A
  • CloudFront

A key pair consists of a public key and a private key, where you use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.

85
Q

How many S3 buckets can your AWS root account contain, by default?

  • 20
  • 50
  • 100
  • 200
A
  • 100

By default, customers can provision up to 100 buckets per AWS account. However, you can increase your Amazon S3 bucket limit according to the AWS Service Limits.

86
Q

Which of the following methods is a valid way to encrypt an existing EBS volume?

  • Mark the volume as encrypted in the management console
  • Export the volume with the encryption flag set
  • Create a snapshot of the unencrypted volume, copy the snapshot and encrypt it, and restore the snapshot to a new EBS volume
  • None of the above; EBS volumes do not support encryption
A
  • Create a snapshot of the unencrypted volume, copy the snapshot and encrypt it, and restore the snapshot to a new EBS volume

There is no direct way to encrypt an unencrypted EBS volume. You can use the encryption property of a snapshot, however, in order to encrypt the volume in an indirect way.

87
Q

Your customers are concerned about S3 storage limitations on some key buckets they are creating. Why should they not be concerned about this?

  • There is no limit to the amount of storage for S3.
  • They can always create additional buckets.
  • There is a bucket maximum size, but there is no limit on the number of buckets.
  • AWS can offload additional storage to Dropbox if Dropbox is hosted on AWS.
A
  • There is no limit to the amount of storage for S3.

Remember, there is a limit on the number of buckets you can create, and there is a limit to the size of an object, but when taken as a whole, there is no limit to the amount of data you can store in S3.

88
Q

Your organization is currently doing work in the area of big data. Your research team needs timely, low-latency access to some of the data, but the bulk of the data can remain in an archive-like storage location at rest. What type of solution should you design?

  • Storage Gateway with a stored volume
  • Storage Gateway with a cached volume
  • Storage Gateway with a file gateway
  • Storage Gateway with a tape gateway
A
  • Storage Gateway with a cached volume

In this case, the storage gateway with a cached volume solution is ideal. Storage Gateway is an easy-to-implement tool to assist you in using a hybrid storage solution of local storage combined with cloud-based storage. The cached volume type permits the caching of frequently accessed data on site, with the bulk of data residing in the cloud.

89
Q

At what point can you encrypt an EBS volume in the management console?

  • During its creation
  • After it is stopped
  • After it has been resized
  • After its creation
A
  • During its creation
90
Q

Which RAID type doubles the amount of storage that you require because a mirrored copy of data is recorded as well?

  • RAID 0
  • RAID 1
  • RAID 4
  • RAID 5
A
  • RAID 1

RAID 1, or mirroring, makes a complete mirror of the source volume.

91
Q

Which statement below about S3 is false?

  • S3 buckets can be secured with ACLs or a policy.
  • S3 bucket names must be unique to a region.
  • By default, the creator of a bucket has full access to the bucket.
  • Bucket contents can be made globally available.
A
  • S3 bucket names must be unique to a region.

S3 bucket names must be globally unique because S3 buckets are a global resource.

92
Q

Which statement about EBS snapshots is true?

  • Before taking a snapshot of a root volume, stop the running instance.
  • Snapshots taken of encrypted volumes are not automatically encrypted.
  • You cannot take a snapshot of a mounted volume.
  • The snapshot does not include AWS Marketplace codes.
A
  • Before taking a snapshot of a root volume, stop the running instance.

You can take a snapshot of a volume in use, including the root volume. It is recommended that you stop any running instance on the volume before you do so, however.

93
Q

What is the size of the CIDR block you are permitted in an AWS VPC?

  • /24 to /28
  • /4 to /8
  • /16 to /28
  • /14 to /24
A
  • /16 to /28

When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses). After you’ve created your VPC, you can associate secondary CIDR blocks with the VPC.

94
Q

Which two statements about subnets in VPCs are correct? (Choose two.)

  • By default, all VPCs can route traffic to each other.
  • You cannot create new public subnets, only private ones.
  • A VPC contains only one entry and one exit point.
  • A VPC subnet maps to a single AZ
A
  • By default, all VPCs can route traffic to each other.
  • A VPC subnet maps to a single AZ

95
Q

What is the default limit on the number of subnets you may have per VPC?

  • 10
  • 100
  • 200
  • 30
A
  • 200
96
Q

What two services are options for use with a Web Application Firewall in AWS? (Choose two.)

  • EC2
  • CloudFront
  • Kinesis
  • Application Load Balancer
A
  • CloudFront
  • Application Load Balancer

AWS Web Application Firewall (WAF) can be deployed on Amazon CloudFront and the Application Load Balancer (ALB). As part of Amazon CloudFront, it can be part of your content distribution network (CDN), protecting your resources and content at the Edge Locations, and as part of the Application Load Balancer, it can protect your origin web servers running behind the ALBs.

97
Q

Which of the following AWS services relies on a key/value store approach?

  • S3
  • SNS
  • SQS
  • SWS
A
  • S3

S3 is an example of a key/value storage approach. Objects are the values, and they are referenced by a key. Other examples of key/value stores include ElastiCache and DynamoDB databases.

98
Q

What model of pricing is correct for Route 53?

  • Minimum usage fee
  • Minimum setup fee
  • Pay-as-you-use
  • Overage charging
A
  • Pay-as-you-use

Amazon Route 53 charges are based on actual usage of the service for hosted zones, queries, health checks, and domain names. You pay only for what you use. There are no minimum fees, no minimum usage commitments, and no overage charges.

99
Q

You create a bucket named mytest123-a in the us-west-1 region. What is the URL?

  • http://s3-us-west-1.mytest123-a.amazonaws.com
  • http://mytest123-a.s3-us-west-1.amazonaws.com
  • http://mytest123-a.s3.amazonaws.com
  • http://s3-us-west-1.amazonaws.com/mytest123-a
A
  • http://mytest123-a.s3-us-west-1.amazonaws.com

http://bucket.s3-aws-region.amazonaws.com