MyCloudGuru Practice Tests Flashcards
What is true about Amazon S3 URLs for accessing a bucket?
(Choose 3)
A) Path-Style URLs (such as https://s3.Region.amazonaws.com/bucket-name/key name) are supported to access an S3 bucket
B) Virtual-host-style URLs will be eventually deprecated in favor of Path-Style URLs for S3 bucket access
C) Virtual-host-style URLs (such as: https://bucket-name.s3.Region.amazonaws.com/key name) are supported to access an S3 bucket
D) Path-Style URLs will be eventually deprecated in favor of virtual hosted-style URLs for S3 bucket access
A) Path-Style URLs (such as https://s3.Region.amazonaws.com/bucket-name/key name) are supported to access an S3 bucket
C) Virtual-host-style URLs (such as: https://bucket-name.s3.Region.amazonaws.com/key name) are supported to access an S3 bucket
D) Path-Style URLs will be eventually deprecated in favor of virtual hosted-style URLs for S3 bucket access
You are working in the media industry, and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security?
A) Don’t save your API credentials. Instead, create a role in IAM and assign this role to an EC2 instance when you first create it.
B) Save your API credentials in a public Github repository.
C) Get the API credentials using the EC2 instance's User Data.
D) Save the API credentials locally to each EC2 instance.
A) Don’t save your API credentials. Instead, create a role in IAM and assign this role to an EC2 instance when you first create it.
Which of the following AWS services allow native encryption of data at rest?
(Choose 3)
A) Elasticache for Memcached
B) S3
C) Elastic Block Store (EBS)
D) Elastic File System (EFS)
B) S3
C) Elastic Block Store (EBS)
D) Elastic File System (EFS)
EBS, S3 and EFS all allow the user to configure encryption at rest using either the AWS Key Management Service (KMS) or, in some cases, customer-provided keys. The exception on the list is Elasticache for Memcached, which does not offer a native encryption service, although Elasticache for Redis does.
You have been asked by your employer to create an identical copy of your production environment in another Region for disaster recovery purposes. In the list below, which AWS resources would you NOT need to recreate, because they are available universally across the console?
(Choose 2)
A) Elastic Load Balancers
B) Route 53
C) Identity Access Management Roles
D) Security Groups
E) EC2 Key Pairs
B) Route 53
C) Identity Access Management Roles
The Customer Experience manager comes to see you about some odd behaviors with the ticketing system: messages presented to the support team are not arriving in the order in which they were generated, and occasionally they are receiving a duplicate copy of the message. You know that this is due to the way that the underlying SQS standard queue service is being used to manage messages. Which of the following are correct explanations?
(Choose 2)
A) SQS has been set up to prioritize messages in the queue based on keywords.
B) If an agent abandons a message or takes a break before finishing with a message, it will be offered in the queue again. In order to ensure that no message is lost, a message will persist in the SQS queue until it is processed successfully or until the message retention quota is reached.
C) As the SQS service gets busy, some of the hosts will automatically swap from FIFO to LIFO to provide a better workload balance and clearance rate.
D) SQS uses multiple hosts, and each host holds only a portion of all the messages. When a staff member calls for their next message, the consumer process does not see all the hosts or all the messages. As such, messages are not necessarily delivered in the order in which they were generated.
E) The support staff are probably using the provided admin tools to amend the priority in the SQS queue based on their experience and insights about the issues.
B) If an agent abandons a message or takes a break before finishing with a message, it will be offered in the queue again. In order to ensure that no message is lost, a message will persist in the SQS queue until it is processed successfully or until the message retention quota is reached.
D) SQS uses multiple hosts, and each host holds only a portion of all the messages. When a staff member calls for their next message, the consumer process does not see all the hosts or all the messages. As such, messages are not necessarily delivered in the order in which they were generated.
When a consumer receives and processes a message from a queue, the message remains in the queue. Amazon SQS doesn’t automatically delete the message. To prevent other consumers from processing the message again, Amazon SQS sets a visibility timeout, a period of time during which Amazon SQS prevents other consumers from receiving and processing the message. The visibility timeout begins when Amazon SQS returns a message. During this time, the consumer processes and deletes the message. However, if the consumer fails before deleting the message and your system doesn’t call the DeleteMessage action for that message before the visibility timeout expires, the message becomes visible to other consumers and the message is received again. If a message must be received only once, your consumer should delete it within the duration of the visibility timeout.
Standard queues support at-least-once message delivery. However, occasionally (because of the highly distributed architecture that allows nearly unlimited throughput), more than one copy of a message might be delivered out of order.
You are a consultant planning to deploy DynamoDB across three AZs. Your lead DBA is concerned about data consistency. Which of the following do you advise the lead DBA to do?
A) To ask the development team to code a maintenance task to run on a schedule to check consistency.
B) To ask the development team to code for strongly consistent reads. As the consultant, you will advise the CTO it may have higher latency than eventually consistent reads.
C) To ask the development team to code a Lambda function to check data consistency after each write.
D) To ask the development team to code to check for a successful completion code (200) at the completion of every write.
E) To ask the development team to implement a checksum algorithm to confirm that the data is consistent across all the AZs.
F) To ask the development team to code for Strongly Consistent Reads, as it will impact the read times slightly, but not the throughput capacity.
B) To ask the development team to code for strongly consistent reads. As the consultant, you will advise the CTO it may have higher latency than eventually consistent reads.
When you request a strongly consistent read, DynamoDB returns a response with the most up-to-date data, reflecting the updates from all prior write operations that were successful. However, this consistency comes with some disadvantages: a strongly consistent read might not be available if there is a network delay or outage, it has higher latency than an eventually consistent read, it is not supported on global secondary indexes, and it uses more throughput capacity than an eventually consistent read.
Which options are valid to protect your Amazon S3 data at rest using server-side encryption?
(Choose 3)
A) Server-Side Encryption with AWS Encryption SDK
B) Server-Side Encryption with SSL/TLS
C) Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
D) Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
E) Server-Side Encryption with Customer-Provided Keys (SSE-C)
C) Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)
Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) is similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.
D) Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
When you use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.
E) Server-Side Encryption with Customer-Provided Keys (SSE-C)
With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption, when you access your objects.
Which of the following Amazon S3 Storage Classes offer 99.999999999% (11 x 9s) durability?
A) Standard, Glacier, Reduced Redundancy Storage
B) Standard, Standard-Infrequent Access, One Zone-Infrequent Access
C) Reduced Redundancy Storage, Standard, One Zone-Infrequent Access
D) Standard-Infrequent Access, One Zone-Infrequent Access, Reduced Redundancy Storage
B) Standard, Standard-Infrequent Access, One Zone-Infrequent Access
Currently the S3 Classes are: Standard, Standard-Infrequent Access, One Zone-Infrequent Access, Reduced Redundancy Storage and, for archive, Glacier and Glacier Deep Archive. Reduced Redundancy Storage is the only S3 Class that does not offer 99.999999999% durability, and therefore any of the answers that contain Reduced Redundancy Storage cannot be correct.
You are a solutions architect at a large digital media company. The company has decided that they want to operate within the Japanese region, and they need a bucket called “testbucket” set up immediately for testing purposes. You log in to the AWS console and try to create this bucket in the Japanese region. However, you are told that the bucket name is already taken. What should you do to resolve this?
A) Run a WHOIS request on the bucket name and get the registered owners email address. Contact the owner and ask if you can purchase the rights to the bucket.
B) Raise a ticket with AWS and ask them to release the name “testbucket” to you.
C) Change your region to Korea and then create the bucket “testbucket”.
D) Bucket names are global, not regional. This is a popular bucket name and is already taken. You must choose another bucket name.
D) Bucket names are global, not regional. This is a popular bucket name and is already taken. You must choose another bucket name.
What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?
A) 12 hours
B) 1 hour
C) 14 days
D) 1 day
A) 12 hours
The visibility timeout controls how long a message is invisible in the queue while it is being worked on by a processing instance. This interval should not be confused with how long the message can remain in the queue.
Which of the following strategies does AWS use to deliver the promised levels of DynamoDB performance?
(Choose 2)
A) The Database is partitioned across a number of nodes.
B) AWS deploy caching instances in front of the DynamoDB cluster.
C) Data is stored on Solid State Drives (SSDs).
D) AWS deploys Read Replicas of the database to balance the load.
E) DynamoDB instances can be configured with EBS-Optimised connections.
A) The Database is partitioned across a number of nodes.
DynamoDB makes use of parallel processing to achieve predictable performance. You can visualise each partition as an independent DB server of fixed size, each responsible for a defined block of data. In SQL terminology this is called sharding.
C) Data is stored on Solid State Drives (SSDs).
AWS DynamoDB delivers predictable performance brought on by the use of Solid State Drives, better known as SSDs.
At the monthly product meeting, one of the Product Owners proposes an idea to address an immediate shortcoming of the product system: storing a copy of the customer price schedule in the customer record in the database. You know that you can store large text or binary objects in DynamoDB. You give a tentative OK to do a Minimal Viable Product test, but stipulate that it must comply with the size limitation on the Attribute Name & Value. Which is the correct limitation?
A) The combined Value and Name must not exceed 500 KB.
B) The Name must not exceed 64 KB and the Value must not exceed 255 KB.
C) The Name must not exceed 64 KB and the Value must not exceed 500 KB.
D) The combined Value and Name must not exceed 400 KB.
E) The Name must not exceed 64 KB and the Value must not exceed 400 KB.
F) The combined Value and Name must not exceed 255 KB.
D) The combined Value and Name must not exceed 400 KB.
When it comes to Security Groups within a custom VPC, which of the following statements are correct?
(Choose 2)
A) Updates to security groups are applied immediately.
B) Updates to security groups are not applied immediately, however they are applied within the hour in which they are made.
C) Security Groups are stateful.
D) Security Groups are stateless.
A) Updates to security groups are applied immediately.
C) Security Groups are stateful.
You are a solutions architect working for a construction company. Your company is migrating their production estate to AWS, and you are in the process of setting up access to the AWS console using Identity Access Management (IAM). You have created 15 users for your system administrators. What further steps do you need to take to enable your system administrators to get access to the AWS console in a secure fashion?
(Choose 2)
A) Get the systems administrators to download the CLI and configure this on their laptop, using their user names and passwords.
B) Generate a password for each administrator user and give these passwords to your system administrators.
C) Give the system administrators the secret access key and access key id, and tell them to use these credentials to log in to the AWS console.
D) Have each user set up multi-factor authentication once they have logged in to the console.
B) Generate a password for each administrator user and give these passwords to your system administrators.
You should generate a password for each administrator user and give these passwords to your system administrators. You should then have each user set up multi-factor authentication once they have been able to log in to the console. You cannot use the secret access key and access key id to log in to the AWS console; rather, these credentials are used to call Amazon APIs.
D) Have each user set up multi-factor authentication once they have logged in to the console.
You should generate a password for each administrator user and give these passwords to your system administrators. It is best practice to require the user to change their password after the initial logon. You should then have each user set up multi-factor authentication once they have been able to log in to the console. You cannot use the secret access key and access key id to log in to the AWS console; rather, these credentials are used to call Amazon APIs.
You run a meme creation website that stores the original images in S3 and each meme’s metadata in DynamoDB. You need to decide upon a low-cost storage option for the memes, which won’t be accessed on a regular basis, but require rapid access when needed. If a meme object is unavailable or lost, a Lambda function will automatically recreate it but at a $10 licensing cost per creation. There is a very large number of files. Which storage solution should you use to store the memes in the most cost-effective way?
A) Glacier
B) S3 - OneZone-IA
C) S3 - IA
D) S3 - RRS
E) S3
C) S3 - IA
The storage savings between IA and OneZone-IA are about $0.0025; this is small compared to the $10 for licensing if many files are lost. The durability of S3 - IA and S3 - OneZone-IA is the same, 99.999999999%, but there is far more of a risk of high costs if the data is in one zone. S3 - IA guards against that possibility.
You have been engaged as a consultant by a company that generates utility bills and publishes them online. PDF images are generated, then stored on a high-performance RDS instance. Customers view invoices once per month. Recently, the number of customers has increased threefold, and the wait-time necessary to view invoices has increased unacceptably. The CTO is unwilling to alter the codebase more than necessary this quarter, but needs to return performance to an acceptable level before the end-of-the-month print run. Which of the following solutions would you feel comfortable proposing to the CTO and GM?
(Choose 2)
A) Install an ElastiCache cluster in front of the RDS installation.
B) Move the metadata to a DynamoDB solution, permitting real-time scaling of Read IOPS to match demand.
C) Create RDS Read-Replicas and additional Web/App instances across all the available AZs.
D) Evaluate the risks and benefits associated with an RDS instance type upgrade.
E) Use CloudFront to accelerate presentation of the PDF images.
C) Create RDS Read-Replicas and additional Web/App instances across all the available AZs.
Read Replicas are often a great way to offload read queries from your primary database.
D) Evaluate the risks and benefits associated with an RDS instance type upgrade.
One way of scaling is vertical scaling. The decision must be evaluated to make sure the new instance size is the best solution.
You are a solutions architect working for a large anti-virus company and your job is to secure your company's production AWS environment. A new policy dictates that a particular public-facing subnet needs to allow RDP on port 3389 at the custom network ACL layer. You create an inbound rule allowing traffic to port 3389 on the ACL level. However, users complain that they still cannot connect. Which of the following answers may represent the root cause of the connectivity issues?
(Choose 2)
A) Network Access Control lists are stateful.
B) You need to create an outbound rule allowing RDP response traffic to go back out again.
C) Updates to network access control lists can take time to propagate.
D) Network Access Control lists are stateless.
B) You need to create an outbound rule allowing RDP response traffic to go back out again.
D) Network Access Control lists are stateless.
Network Access Control Lists are stateless, so rules must be created for both inbound and outbound traffic.
You're building out a single-region application in us-west-2. However, disaster recovery is a strong consideration, and you need to build the application so that if us-west-2 becomes unavailable, you can fail over to us-west-1. Your application relies exclusively on pre-built AMIs, and has specific launch permissions, custom tags, and security group rules. In order to run your application leveraging those AMIs in your backup region, which process would you follow?
A) Create a new instance in us-west-1, making certain the instance in the failover region shares a security group with the instance in the default region.
B) Copy the AMI from us-west-2 to us-west-1 and launch as-is.
C) Copy the AMI from us-west-2 to us-west-1. After the copy operation is complete, apply launch permissions, user-defined tags, and security group configurations.
D) Nothing: AMIs are specific to an account, and they can be used anywhere.
C) Copy the AMI from us-west-2 to us-west-1. After the copy operation is complete, apply launch permissions, user-defined tags, and security group configurations.
AWS does not copy launch permissions, user-defined tags, or security group rules from the source AMI to the new AMI. After the copy operation is complete, you can apply launch permissions, user-defined tags, and security group configurations to the new AMI.
A single m4.large NAT instance inside a VPC supports a company of 100 people. This NAT instance allows individual EC2 instances in private subnets to communicate out to the internet without being directly accessible via the internet. As the company has grown over the last year, they are finding that the additional traffic through the NAT instance is causing serious performance degradation. What might you do to solve this problem?
A) Increase the class size of the NAT instance from an m4.large to an m4.xlarge.
B) Use an Elastic Load Balancer and forward traffic out through this ELB. The ELB will automatically scale on-demand as traffic increases.
C) Attach an additional IGW to your VPC.
D) Instead of using a NAT, use Direct Connect to route all traffic through your VPC and back out to the Internet.
A) Increase the class size of the NAT instance from an m4.large to an m4.xlarge.
The network bandwidth of the NAT instance depends on the bandwidth of the instance type. m4.xlarge instances deliver high network performance, whereas m4.large instances have moderate network performance. Hence, increasing the class size of the NAT instance would solve the performance degradation issue.
You have provisioned a custom VPC with a subnet that has a CIDR block of 10.0.3.0/28 address range. Inside this subnet, you have 2 web servers, 2 application servers, 2 database servers, and a NAT. You have configured an Autoscaling group on the two web servers to automatically scale when the CPU utilization goes above 90%. Several days later you notice that autoscaling is no longer deploying new instances into the subnet, despite the CPU utilization of all web servers being at 100%. Which of the following answers may offer an explanation?
(Choose 2)
A) AWS reserves both the first two and the last two IP addresses in each subnet’s CIDR block.
B) AWS reserves both the first four and the last IP address in each subnet’s CIDR block.
C) AWS reserves both the first three and the last two IP addresses in each subnet’s CIDR block.
D) Your internet gateway (IGW) on your VPC has provisioned too many EC2 instances.
E) Your Autoscaling Group (ASG) has provisioned too many EC2 instances and has exhausted the number of internal IP addresses available in the subnet.
B) AWS reserves both the first four and the last IP address in each subnet’s CIDR block.
E) Your Autoscaling Group (ASG) has provisioned too many EC2 instances and has exhausted the number of internal IP addresses available in the subnet.
A /28 subnet will only have 16 addresses available. AWS reserves both the first four and the last IP address in each subnet's CIDR block. It is likely that your autoscaling group has provisioned too many EC2 instances and you have run out of internal private IP addresses.
Your company is looking for an inexpensive solution for offsite backups that you can easily recover to your local data center. You need low-latency access to your entire dataset. Which AWS Storage Gateway configuration would you use to achieve both of these ends?
A) File Gateway
B) Volume Gateway - Stored volumes
C) Volume Gateway - Cached volumes
D) Gateway-Snapshot
E) Tape Gateway
B) Volume Gateway - Stored volumes
A volume gateway provides cloud-backed storage volumes that you can mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises application servers. The gateway supports stored volumes if you need low-latency access to your entire dataset. You can configure your on-premises gateway to store all your data locally, then asynchronously back up point-in-time snapshots of this data to Amazon S3. This configuration provides durable and inexpensive offsite backups that you can recover to your local data center or Amazon Elastic Compute Cloud (Amazon EC2). For example, if you need replacement capacity for disaster recovery, you can recover the backups to Amazon EC2.
When editing Amazon S3 bucket permissions (policies and ACLs), to whom does the concept of the “resource owner” refer?
A) The “resource owner” is the IAM user who created the object via the GUI, CLI, or API.
B) There is no special concept of “resource owner” in Amazon S3 buckets.
C) The "resource owner" is the IAM Role used to create the object via the GUI, CLI, or API.
D) The “resource owner” refers to the AWS account that creates Amazon S3 buckets and objects.
D) The “resource owner” refers to the AWS account that creates Amazon S3 buckets and objects.
The “resource owner” concept comes into play especially when setting or locking down access to various objects.
How does AWS deliver high availability for DynamoDB?
A) AWS maintains a schedule of incremental backups and log shipping.
B) DynamoDB data is automatically replicated across multiple AZs.
C) DynamoDB supports user Snapshots to S3.
B) DynamoDB data is automatically replicated across multiple AZs.
Being automatically replicated across multiple AZs makes DynamoDB highly available.
Route 53, the AWS implementation of DNS, supports a number of Routing policies. Which of the following are valid Policy types?
(Choose 5)
A) Latency Routing Policy
B) Simple Routing Policy
C) Failover Routing Policy
D) Geolocation Routing Policy
E) Geoproximity Routing Policy
F) Load Balanced Routing Policy
G) Default Routing Policy
A) Latency Routing Policy
B) Simple Routing Policy
C) Failover Routing Policy
D) Geolocation Routing Policy
E) Geoproximity Routing Policy
Route 53 provides an advanced level of service and sophistication going beyond the basic service of the normal DNS implementation.
Your company provides an online image recognition service and uses SQS to decouple system components. Your EC2 instances poll the image queue as often as possible to keep end-to-end throughput as high as possible, but you realize that all this polling is resulting in both a large number of CPU cycles and skyrocketing costs. How can you reduce cost without compromising service?
A) Enable long polling by setting the ReceiveMessageWaitTimeMinutes to a number > 0.
B) Enable short polling by setting the ReceiveMessageWaitTimeMinutes to a number > 0.
C) Enable short polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0.
D) Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0.
D) Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0.
SQS long polling doesn’t return a response until a message arrives in the queue, reducing your overall cost over time. Short polling WILL return empty responses.
Your company has hired a young and enthusiastic accountant. After reviewing the AWS documentation and usage graphs, he announces that you are wasting vast amounts of money running your Windows servers for a full hour instead of spinning them up only when they are needed and down again as soon as they are idle for 1 minute. He cites the AWS claim that you only pay for what you use, and that as a senior engineer, you should be more conscious of wasting company money. How do you respond?
A) You thank him for his concern, and acknowledge that Windows instances are billed by second increments, with a minimum of 1 minute. However, you explain that storage charges are incurred even if the instance sits idle. Taking into account productivity losses, stopping and restarting instances may actually result in additional costs. As such, your solution is fine as it now stands.
B) You grudgingly acknowledge his point and change your scheduling and tuning settings.
C) You leap across the meeting table and slap him for insulting you in front of your peers.
D) You acknowledge the problem and propose that you could downsize the instances so that the workload over the hour consumes the full instance capacity for the full hour. You might also propose closer monitoring and automation to allow you to up-size and down-size the instance each hour over the day to match the instance performance to the anticipated workload.
A) You thank him for his concern, and acknowledge that Windows instances are billed by second increments, with a minimum of 1 minute. However, you explain that storage charges are incurred even if the instance sits idle. Taking into account productivity losses, stopping and restarting instances may actually result in additional costs. As such, your solution is fine as it now stands.
The study of AWS Billing is a discipline unto itself. For more information, please see the AWS Cost Control Course on the A Cloud Guru platform.
You are a systems administrator and you need to monitor the health of your production environment. You decide to do this using CloudWatch. However, you notice that you cannot see the health of every important metric in the default dashboard. When monitoring the health of your EC2 instances, for which of the following metrics do you need to design a custom CloudWatch metric?
A) Network in
B) Memory usage
C) Disk read operations
D) CPU Usage
B) Memory usage
Remember, under the shared security model, AWS can see the instance, but not inside the instance to indicate how it is doing. AWS can see that you have memory, but not how much of the memory is being used. In the case of CPU, AWS can see how much CPU you are using, but cannot see what you are using it for.
You are a solutions architect working for a busy media company with offices in Japan and the United States. Your production environment is hosted both in US-EAST-1 and AP-NORTHEAST-1. Your European users have been connecting to the production environment in Japan, and are seeing the site in Japanese rather than in English. You need to ensure that they view the English language version. Which of the routing policies could help you achieve this?
(Choose 2)
A) Weighted routing policy
B) Simple routing policy
C) Geolocation routing policy
D) Latency routing policy
E) Failover routing policy
F) Geoproximity routing policy
C) Geolocation routing policy
F) Geoproximity routing policy
The aim is to direct sessions to the host that will provide the correct language. Geolocation is the best option because it is based on national borders. Geoproximity routing is another option where the decision can be based on distance. While latency-based routing will usually direct the client to the correct host, connectivity issues with the US Regions might direct traffic to AP. In this case, the word “ensure” is operative: users MUST connect to the English-language site. Watch the wording in the exam: a requirement may be presented very casually in the wording of the question. However, understanding that requirement is mandatory if you’re going to arrive at the correct answer.
What is the maximum response time for a Business Level ‘production down’ Support Case?
A) 12 Hours
B) 1 Day
C) 15 Minutes
D) < 1 Hour
D) < 1 Hour
The business support plan has a maximum response time of < 1 hour for “production system down” cases.
You successfully configure VPC Peering between VPC A and VPC B. You then establish an IGW and a Direct Connect connection in VPC B. Can instances in VPC A connect to your corporate office via the Direct Connect service, and connect to the Internet via the IGW?
A) Instances in VPC A will be able to access the Internet, but not the corporate office.
B) Instances in VPC A will be able to access the corporate office, but not the Internet.
C) VPC peering does not support edge to edge routing.
D) Yes: VPC Peering is designed to route traffic between the VPCs.
C) VPC peering does not support edge to edge routing.
VPC peering only routes traffic between source and destination VPCs. VPC peering does not support edge to edge routing.
Which of the following are valid Route 53 routing policies?
(Choose 3)
A) Latency
B) Shortest First
C) Multitarget answer
D) Simple
E) Complex
F) Weighted
A) Latency
D) Simple
F) Weighted
Route 53 has the following routing policies: Simple, Weighted, Latency, Failover, Multivalue answer, Geoproximity and Geolocation.
You work for a large software company in Seattle. They have their production environment provisioned on AWS inside a custom VPC. The VPC contains both a public and private subnet. The company tests their applications on custom EC2 instances inside a private subnet. There are approximately 500 instances, and they communicate to the outside world via a proxy server. At 3am every night, the EC2 instances pull down OS updates, which are usually 150MB or so. They then apply these updates and reboot: if the software has not downloaded within half an hour, then the update will attempt to download the following day. You notice that a number of EC2 instances are continually failing to download the updates in the allotted time. Which of the following answers might explain this failure?
(Choose 2)
A) The proxy server is on an inadequately sized EC2 instance and does not have sufficient network throughput to handle all updates simultaneously. You should increase the instance size or type of the EC2 instance for the proxy server.
B) Your proxy server is blacklisting the address from which the updates are being downloaded, resulting in failed downloads.
C) The proxy server has an inadequately sized EBS volume attached to it. The network buffer is stored on the EBS volume, and it is running out of disk space when trying to buffer the 500 simultaneous connections. You should provision an EBS volume with provisioned IOPS.
D) The proxy server is in a private subnet and uses a NAT instance to connect to the internet. However, this instance is too small to handle the required network traffic. You should re-provision the NAT solution so that it’s able to handle the throughput.
E) The proxy server has only one elastic IP address added to it. To increase network throughput, you should add additional elastic IP addresses.
A) The proxy server is on an inadequately sized EC2 instance and does not have sufficient network throughput to handle all updates simultaneously. You should increase the instance size or type of the EC2 instance for the proxy server.
D) The proxy server is in a private subnet and uses a NAT instance to connect to the internet. However, this instance is too small to handle the required network traffic. You should re-provision the NAT solution so that it’s able to handle the throughput.
Network throughput is the obvious bottleneck. You are not told in this question whether the proxy server is in a public or private subnet. If it is in a public subnet, the proxy server instance size itself may not be large enough to cope with the current network throughput. If the proxy server is in a private subnet, then it must be using a NAT instance or NAT gateway to communicate out to the internet. If it is a NAT instance, this may also be inadequately provisioned in terms of size. You should therefore increase the size of the proxy server and/or the NAT solution.
A client is concerned that someone other than approved administrators is trying to gain access to the Linux web app instances in their VPC. She asks what sort of network access logging can be added. Which of the following might you recommend?
A) Set up a flow log for the group of instances to analyze actual traffic content, detect and stop insider abuse or compromised workloads. Publish the flow log data to Amazon CloudWatch Logs.
B) Set up a Flow Log for the group of instances to capture DHCP traffic, and forward them to S3.
C) Create a flow log for a VPC, subnet, or individual network interface. Publish the flow log data to either Amazon CloudWatch Logs or Amazon S3.
D) Set up a traffic logging rule on the network firewall and direct the log to CloudWatch or S3.
E) Use Event Log filters to trigger alerts that are forwarded to CloudWatch Logs.
C) Create a flow log for a VPC, subnet, or individual network interface. Publish the flow log data to either Amazon CloudWatch Logs or Amazon S3.
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination. You can create a flow log for a VPC, a subnet, or a network interface. If you create a flow log for a subnet or VPC, each network interface in that subnet or VPC is monitored.
A user of your website makes an HTTP request to access a static resource on your server. The request is automatically redirected to the nearest CloudFront server. For some reason, the requested resource does not exist on the CloudFront server. Which of the following is true?
A) The request will be put on hold until the resource has been cached at the edge location
B) Your user will receive a 404 error.
C) The request will be sent to the nearest available edge location that contains that resource
D) CloudFront will query the origin server and then cache the resource on the edge location.
D) CloudFront will query the origin server and then cache the resource on the edge location.
CloudFront checks its cache for the requested files. If the files are in the cache, CloudFront returns them to the user. If the files are not in the cache, it does the following: a) CloudFront compares the request with the specifications in your distribution and forwards the request for the files to your origin server for the corresponding file type—for example, to your Amazon S3 bucket for image files and to your HTTP server for HTML files. b) The origin servers send the files back to the edge location. c) As soon as the first byte arrives from the origin, CloudFront begins to forward the files to the user. CloudFront also adds the files to the cache in the edge location for the next time someone requests those files.