Neal Davis - Practice Test 6 - Incorrect Flashcards

1
Q

Question 1:
A legacy application is being migrated into AWS. The application has a large amount of data that is rarely accessed. When files are accessed they are retrieved sequentially. The application will be migrated onto an Amazon EC2 instance.
What is the LEAST expensive EBS volume type for this use case?

A. Provisioned IOPS SSD (io1)

B. Throughput Optimized HDD (st1)

C. Cold HDD (sc1)

D. General Purpose SSD (gp2)

A

Explanation
The cold HDD (sc1) EBS volume type is the lowest cost option that is suitable for this use case. The sc1 volume type is suitable for infrequently accessed data and use cases that are oriented towards throughput like sequential data access.

CORRECT: “Cold HDD (sc1)” is the correct answer.

INCORRECT: “Provisioned IOPS SSD (io1)” is incorrect. This is the most expensive option and used for use cases that demand high IOPS.

INCORRECT: “General Purpose SSD (gp2)” is incorrect. This is a more expensive SSD volume type that is used for general use cases.

INCORRECT: “Throughput Optimized HDD (st1)” is incorrect. This is also used for throughput-oriented use cases however it is higher cost than sc1 and better for frequently accessed data.

2
Q

Question 4:
An application uses an Amazon RDS database and Amazon EC2 instances in a web tier. The web tier instances must not be directly accessible from the internet to improve security.
How can a Solutions Architect meet these requirements?

A. Launch the EC2 instances in a public subnet and use AWS WAF to protect the instances from internet-based attacks

B. Launch the EC2 Instances in a private subnet and create an Application Load Balancer in a public subnet

C. Launch the EC2 instances in a public subnet and create an Application Load Balancer in a public subnet

D. Launch the EC2 instances in a private subnet with a NAT gateway and update the route table

A

Explanation
To prevent direct connectivity to the EC2 instances from the internet you can deploy your EC2 instances in a private subnet and have the ELB in a public subnet. To configure this you must enable a public subnet in the ELB that is in the same AZ as the private subnet.

CORRECT: “Launch the EC2 instances in a private subnet and create an Application Load Balancer in a public subnet” is the correct answer.

INCORRECT: “Launch the EC2 instances in a private subnet with a NAT gateway and update the route table” is incorrect. This configuration will not allow the application to be accessible from the internet; the aim is only to prevent direct access to the EC2 instances.

INCORRECT: “Launch the EC2 instances in a public subnet and use AWS WAF to protect the instances from internet-based attacks” is incorrect. With the EC2 instances in a public subnet, direct access from the internet is possible. It only takes a security group misconfiguration or software exploit and the instance becomes vulnerable to attack.

INCORRECT: “Launch the EC2 instances in a public subnet and create an Application Load Balancer in a public subnet” is incorrect. The EC2 instances should be launched in a private subnet.

3
Q

Question 7:
An Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer (ELB) is running in an Amazon VPC. Health checks are configured on the ASG to use EC2 status checks. The ELB has determined that an EC2 instance is unhealthy and has removed it from service. A Solutions Architect noticed that the instance is still running and has not been terminated by EC2 Auto Scaling.
What would be an explanation for this behavior?

A. The health check grace period has not yet expired

B. The ASG is waiting for the cooldown timer to expire before terminating the instance

C. The ELB health check type has not been selected for the ASG and so it is unaware that the instance has been determined to be unhealthy by the ELB and has been removed from service

D. Connection draining is enabled and the ASG is waiting for in-flight requests to complete

A

Explanation
If using an ELB it is best to enable ELB health checks, as otherwise EC2 status checks may show an instance as healthy that the ELB has determined is unhealthy. In this case the instance will be removed from service by the ELB but will not be terminated by Auto Scaling.
More information on ASG health checks:
- By default uses EC2 status checks.
- Can also use ELB health checks and custom health checks.
- ELB health checks are in addition to the EC2 status checks.
- If any health check returns an unhealthy status the instance will be terminated.
- With ELB an instance is marked as unhealthy if ELB reports it as OutOfService.
- A healthy instance enters the InService state.
- If an instance is marked as unhealthy it will be scheduled for replacement.
- If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances.
- The health check grace period allows a period of time for a new instance to warm up before performing a health check (300 seconds by default).

CORRECT: “The ELB health check type has not been selected for the ASG and so it is unaware that the instance has been determined to be unhealthy by the ELB and has been removed from service” is the correct answer.

INCORRECT: “The ASG is waiting for the cooldown timer to expire before terminating the instance” is incorrect as the ASG does not wait for the cooldown time to expire.

INCORRECT: “Connection draining is enabled and the ASG is waiting for in-flight requests to complete” is incorrect. Connection draining is not the correct answer as the ELB has taken the instance out of service so there are no active connections.

INCORRECT: “The health check grace period has not yet expired” is incorrect. The health check grace period allows a period of time for a new instance to warm up before performing a health check.

4
Q

Question 8:
A company has a fleet of Amazon EC2 instances behind an Elastic Load Balancer (ELB) that are a mixture of c4.2xlarge instance types and c5.large instances. The load on the CPUs on the c5.large instances has been very high, often hitting 100% utilization, whereas the c4.2xlarge instances have been performing well.
What should a Solutions Architect recommend to resolve the performance issues?

A. Add all of the instances into a Placement Group

B. Enable the weighted routing policy on the ELB and configure a higher weighting for the c4.2xlarge instances

C. Change the configuration to use only c4.2xlarge instance types

D. Add more c5.large instances to spread the load more evenly

A

Explanation
The 2xlarge instance type provides more CPUs. The best answer is to use this instance type for all instances as the CPU utilization has been lower.

CORRECT: “Change the configuration to use only c4.2xlarge instance types” is the correct answer.

INCORRECT: “Enable the weighted routing policy on the ELB and configure a higher weighting for the c4.2xlarge instances” is incorrect. The weighted routing policy is a Route 53 feature that would not assist in this situation.

INCORRECT: “Add all of the instances into a Placement Group” is incorrect. A placement group helps provide low-latency connectivity between instances and would not help here.

INCORRECT: “Add more c5.large instances to spread the load more evenly” is incorrect. This would not help as this instance type is underperforming with high CPU utilization rates.

5
Q

Question 10:
A Solutions Architect needs to run a PowerShell script on a fleet of Amazon EC2 instances running Microsoft Windows. The instances have already been launched in an Amazon VPC. What tool can be run from the AWS Management Console to execute the script on all target EC2 instances?

A. AWS OpsWorks

B. AWS CodeDeploy

C. AWS Config

D. Run Command

A

Explanation
Run Command is designed to support a wide range of enterprise scenarios including installing software, running ad hoc scripts or Microsoft PowerShell commands, configuring Windows Update settings, and more.
Run Command can be used to implement configuration changes across Windows instances on a consistent yet ad hoc basis and is accessible from the AWS Management Console, the AWS Command Line Interface (CLI), the AWS Tools for Windows PowerShell, and the AWS SDKs.

CORRECT: “Run Command” is the correct answer.

INCORRECT: “AWS CodeDeploy” is incorrect. AWS CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.

INCORRECT: “AWS Config” is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It is not used for ad-hoc script execution.

INCORRECT: “AWS OpsWorks” is incorrect. AWS OpsWorks provides instances of managed Puppet and Chef.

6
Q

Question 14:
Some data has become corrupted in an Amazon RDS database. A Solutions Architect plans to use point-in-time restore to recover the data to the last known good configuration. Which of the following statements is correct about restoring an RDS database to a specific point-in-time? (choose 2)

A. You can restore up to the last 5 minutes

B. The database restore overwrites the existing database

C. You can restore up to the last 1 minute

D. Custom DB security groups are applied to the new DB instance

E. The default DB security group is applied to the new DB instance

A

Explanation
You can restore a DB instance to a specific point in time, creating a new DB instance. When you restore a DB instance to a point in time, the default DB security group is applied to the new DB instance. If you need custom DB security groups applied to your DB instance, you must apply them explicitly using the AWS Management Console, the AWS CLI modify-db-instance command, or the Amazon RDS API ModifyDBInstance operation after the DB instance is available.
Restored DBs will always be a new RDS instance with a new DNS endpoint and you can restore up to the last 5 minutes.

CORRECT: “You can restore up to the last 5 minutes” is a correct answer.

CORRECT: “The default DB security group is applied to the new DB instance” is also a correct answer.

INCORRECT: “Custom DB security groups are applied to the new DB instance” is incorrect. Only default DB parameters and security groups are restored – you must manually associate all other DB parameters and SGs.

INCORRECT: “You can restore up to the last 1 minute” is incorrect. You can restore up to the last 5 minutes.

INCORRECT: “The database restore overwrites the existing database” is incorrect. You cannot restore from a DB snapshot to an existing DB – a new instance is created when you restore.

7
Q

Question 18:
A company has multiple Amazon VPCs that are peered with each other. The company would like to use a single Elastic Load Balancer (ELB) to route traffic to multiple EC2 instances in peered VPCs within the same region. How can this be achieved?

A. This is possible using the Classic Load Balancer (CLB) if using Instance IDs

B. This is not possible with ELB, you would need to use Route 53

C. This is possible using the Network Load Balancer (NLB) and Application Load Balancer (ALB) if using IP addresses as targets

D. This is not possible, the instances an ELB routes traffic to must be in the same VPC

A

Explanation
With ALB and NLB, IP addresses can be used to register:
- Instances in a peered VPC.
- AWS resources that are addressable by IP address and port.
- On-premises resources linked to AWS through Direct Connect or a VPN connection.

CORRECT: “This is possible using the Network Load Balancer (NLB) and Application Load Balancer (ALB) if using IP addresses as targets” is the correct answer.

INCORRECT: “This is not possible, the instances that an ELB routes traffic to must be in the same VPC” is incorrect. Instances can be in peered VPCs.

INCORRECT: “This is possible using the Classic Load Balancer (CLB) if using Instance IDs” is incorrect. This is not possible with the CLB.

INCORRECT: “This is not possible with ELB, you would need to use Route 53” is incorrect. This is not true, as detailed above.

8
Q

Question 20:
A Solutions Architect has logged into an Amazon EC2 Linux instance using SSH and needs to determine a few pieces of information including what IAM role is assigned, the instance ID and the names of the security groups that are assigned to the instance.
From the options below, what would be the best source of this information?

A. Metadata
B. Tags
C. Parameters
D. User data

A

Explanation
Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.
Instance metadata is available at http://169.254.169.254/latest/meta-data.

CORRECT: “Metadata” is the correct answer.

INCORRECT: “Tags” is incorrect. Tags are used to categorize and label resources.

INCORRECT: “User data” is incorrect. User data is used to configure the system at launch time and specify scripts.

INCORRECT: “Parameters” is incorrect. Parameters are used in databases.

9
Q

Question 21:
A Solutions Architect needs to capture information about the traffic that reaches an Amazon Elastic Load Balancer. The information should include the source, destination, and protocol.
What is the most secure and reliable method for gathering this data?

A. Use Amazon CloudWatch Logs to review detailed logging information

B. Create a VPC flow log for each network interface associated with the ELB

C. Enable Amazon CloudTrail logging and configure packet capturing

D. Create a VPC flow log for the subnets in which the ELB is running

A

Explanation
You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Elastic Load Balancer. Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet.

CORRECT: “Create a VPC flow log for each network interface associated with the ELB” is the correct answer.

INCORRECT: “Enable Amazon CloudTrail logging and configure packet capturing” is incorrect. CloudTrail performs auditing of API actions, it does not do packet capturing.

INCORRECT: “Use Amazon CloudWatch Logs to review detailed logging information” is incorrect as this service does not record this information in CloudWatch logs.

INCORRECT: “Create a VPC flow log for the subnets in which the ELB is running” is incorrect as the more secure option is to use the ELB network interfaces.

10
Q

Question 22:
The load on a MySQL database running on Amazon EC2 is increasing and performance has been impacted. Which of the options below would help to increase storage performance? (choose 2)

A. Use EBS optimized instances

B. Use Provisioned IOPS (io1) EBS volumes

C. Create a RAID1 array from multiple EBS volumes

D. Use HDD, Cold (sc1) EBS volumes

E. Use a larger instance size within the instance family

A

Explanation
EBS optimized instances provide dedicated capacity for Amazon EBS I/O. EBS optimized instances are designed for use with all EBS volume types.
Provisioned IOPS EBS volumes allow you to specify the amount of IOPS you require up to 50 IOPS per GB. Within this limitation you can therefore choose to select the IOPS required to improve the performance of your volume.
RAID can be used to increase IOPS, however RAID 1 does not. For example:
- RAID 0 (striping): data is written across multiple disks, which increases performance but provides no redundancy.
- RAID 1 (mirroring): creates 2 copies of the data but does not increase performance, only redundancy.
HDD, Cold (sc1) provides the lowest cost storage and low performance.

CORRECT: “Use Provisioned IOPS (io1) EBS volumes” is a correct answer.

CORRECT: “Use EBS optimized instances” is also a correct answer.

INCORRECT: “Use a larger instance size within the instance family” is incorrect as this may not increase storage performance.

INCORRECT: “Use HDD, Cold (sc1) EBS volumes” is incorrect, as this will likely decrease storage performance.

INCORRECT: “Create a RAID 1 array from multiple EBS volumes” is incorrect. As explained above, mirroring does not increase performance.

11
Q

Question 26:
A Solutions Architect has created a new Network ACL in an Amazon VPC. No rules have been created. Which of the statements below are correct regarding the default state of the Network ACL? (choose 2)

A. There is a default inbound rule denying all traffic

B. There is a default inbound rule allowing traffic from the VPC CIDR block

C. There is a default outbound rule allowing all traffic

D. There is a default outbound rule allowing traffic to the Internet Gateway

E. There is a default outbound rule denying all traffic

A

Explanation
A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic. A custom NACL denies all traffic both inbound and outbound by default.
Network ACLs function at the subnet level and you can have permit and deny rules. Network ACLs have separate inbound and outbound rules and each rule can allow or deny traffic.
Network ACLs are stateless so responses are subject to the rules for the direction of traffic. NACLs only apply to traffic that is ingress or egress to the subnet not to traffic within the subnet.

CORRECT: “There is a default inbound rule denying all traffic” is a correct answer.

CORRECT: “There is a default outbound rule denying all traffic” is also a correct answer.

INCORRECT: “There is a default inbound rule allowing traffic from the VPC CIDR block” is incorrect as inbound traffic is not allowed from anywhere by default.

INCORRECT: “There is a default outbound rule allowing traffic to the Internet Gateway” is incorrect as outbound traffic is not allowed to anywhere by default.

INCORRECT: “There is a default outbound rule allowing all traffic” is incorrect as all traffic is denied.

12
Q

Question 29:
A Solutions Architect is designing the system monitoring and deployment layers of a serverless application. The system monitoring layer will manage system visibility through recording logs and metrics and the deployment layer will deploy the application stack and manage workload changes through a release management process.
The Architect needs to select the most appropriate AWS services for these functions. Which services and frameworks should be used for the system monitoring and deployment layers? (choose 2)

A. Use AWS Lambda to package, test, and deploy the serverless application stack

B. Use AWS SAM to package, test, and deploy the serverless application stack

C. Use Amazon CloudWatch for consolidating system and application logs and monitoring custom metrics

D. Use AWS X-Ray to package, test, and deploy the serverless application stack

E. Use AWS CloudTrail for consolidating system and application logs and monitoring custom metrics

A

Explanation
AWS Serverless Application Model (AWS SAM) is an extension of AWS CloudFormation that is used to package, test, and deploy serverless applications.
With Amazon CloudWatch, you can access system metrics on all the AWS services you use, consolidate system and application level logs, and create business key performance indicators (KPIs) as custom metrics for your specific needs.

CORRECT: “Use AWS SAM to package, test, and deploy the serverless application stack” is a correct answer.

CORRECT: “Use Amazon CloudWatch for consolidating system and application logs and monitoring custom metrics” is also a correct answer.

INCORRECT: “Use AWS CloudTrail for consolidating system and application logs and monitoring custom metrics” is incorrect as CloudTrail is used for auditing not performance monitoring.

INCORRECT: “Use AWS X-Ray to package, test, and deploy the serverless application stack” is incorrect. AWS X-Ray lets you analyze and debug serverless applications by providing distributed tracing and service maps to easily identify performance bottlenecks by visualizing a request end-to-end.

INCORRECT: “Use AWS Lambda to package, test, and deploy the serverless application stack” is incorrect. AWS Lambda is used for executing your code as functions, it is not used for packaging, testing and deployment. AWS Lambda is used with AWS SAM.

13
Q

Question 30:
An Amazon DynamoDB table has a variable load, ranging from sustained heavy usage some days, to only having small spikes on others. The load is 80% read and 20% write. The provisioned throughput capacity has been configured to account for the heavy load to ensure throttling does not occur.
What would be the most efficient solution to optimize cost?

A. Use DynamoDB DAX to increase the performance of the database

B. Create a DynamoDB Auto Scaling scaling policy

C. Create a CloudWatch alarm that notifies you of increased/decreased load, and manually adjust the provisioned throughput

D. Create a CloudWatch alarm that triggers an AWS Lambda function that adjusts the provisioned throughput

A

Explanation
Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This is the most efficient and cost-effective solution to optimizing for cost.

CORRECT: “Create a DynamoDB Auto Scaling scaling policy” is the correct answer.

INCORRECT: “Create a CloudWatch alarm that triggers an AWS Lambda function that adjusts the provisioned throughput” is incorrect. Using AWS Lambda to modify the provisioned throughput is possible but it would be more cost-effective to use DynamoDB Auto Scaling as there is no cost to using it.

INCORRECT: “Create a CloudWatch alarm that notifies you of increased/decreased load, and manually adjust the provisioned throughput” is incorrect. Manually adjusting the provisioned throughput is not efficient.

INCORRECT: “Use DynamoDB DAX to increase the performance of the database” is incorrect. DynamoDB DAX is an in-memory cache that increases the performance of DynamoDB. However, it costs money and there is no requirement to increase performance.

14
Q

Question 37:
A Solutions Architect is designing the disk configuration for an Amazon EC2 instance. The instance needs to support a MapReduce process that requires high throughput for a large dataset with large I/O sizes.
Which Amazon EBS volume is the MOST cost-effective solution for these requirements?

A. EBS General Purpose SSD

B. EBS Throughput Optimized HDD

C. EBS Provisioned IOPS SSD

D. EBS General Purpose SSD in a RAID1 configuration

A

Explanation
EBS Throughput Optimized HDD is good for the following use cases (and is the most cost-effective option):
- Frequently accessed, throughput intensive workloads with large datasets and large I/O sizes, such as MapReduce, Kafka, log processing, data warehouse, and ETL workloads.
Throughput is measured in MB/s, and includes the ability to burst up to 250 MB/s per TB, with a baseline throughput of 40 MB/s per TB and a maximum throughput of 500 MB/s per volume.

CORRECT: “EBS Throughput Optimized HDD” is the correct answer.

INCORRECT: “EBS General Purpose SSD in a RAID 1 configuration” is incorrect. This is not the best solution for the requirements or the most cost-effective.

INCORRECT: “EBS Provisioned IOPS SSD” is incorrect. SSD disks are more expensive.

INCORRECT: “EBS General Purpose SSD” is incorrect. SSD disks are more expensive.

15
Q

Question 38:
Several Amazon EC2 Spot instances are being used to process messages from an Amazon SQS queue and store results in an Amazon DynamoDB table. Shortly after picking up a message from the queue AWS terminated the Spot instance. The Spot instance had not finished processing the message. What will happen to the message?

A. The message will be lost as it would have been deleted from the queue when processed

B. The message will remain in the queue and be immediately picked up by another instance

C. The results may be duplicated in DynamoDB as the message will likely be processed multiple times

D. The message will become available for processing again after the visibility timeout expires

A

Explanation
The visibility timeout is the amount of time a message is invisible in the queue after a reader picks up the message. If a job is processed within the visibility timeout the message will be deleted. If a job is not processed within the visibility timeout the message will become visible again (could be delivered twice). The maximum visibility timeout for an Amazon SQS message is 12 hours.

CORRECT: “The message will become available for processing again after the visibility timeout expires” is the correct answer.

INCORRECT: “The message will be lost as it would have been deleted from the queue when processed” is incorrect. The message will not be lost and will not be immediately picked up by another instance.

INCORRECT: “The message will remain in the queue and be immediately picked up by another instance” is incorrect. As mentioned above it will be available for processing in the queue again after the timeout expires.

INCORRECT: “The results may be duplicated in DynamoDB as the message will likely be processed multiple times” is incorrect. As the instance had not finished processing the message it should only be fully processed once. Depending on your application process however it is possible some data was written to DynamoDB.

16
Q

Question 43:
A Solutions Architect has created an AWS account and selected the Asia Pacific (Sydney) region. Within the default VPC there is a default security group. What settings are configured within this security group by default? (choose 2)

A. There is an inbound rule that allows all traffic from the security group itself

B. There is an outbound rule that allows all traffic to the security group itself

C. There is an outbound rule that allows traffic to the VPC router

D. There is an outbound rule that allows all traffic to all addresses

E. There is an inbound rule that allows all traffic from any address

A

Explanation
Default security groups have inbound allow rules (allowing traffic from within the group) whereas custom security groups do not have inbound allow rules (all inbound traffic is denied by default). All outbound traffic is allowed by default in custom and default security groups.

CORRECT: “There is an inbound rule that allows all traffic from the security group itself” is a correct answer.

CORRECT: “There is an outbound rule that allows all traffic to all addresses” is also a correct answer.

INCORRECT: “There is an inbound rule that allows all traffic from any address” is incorrect as explained above.

INCORRECT: “There is an outbound rule that allows all traffic to the security group itself” is incorrect as explained above.

INCORRECT: “There is an outbound rule that allows traffic to the VPC router” is incorrect as explained above.

17
Q

Question 46:
A company runs a streaming media service and the content is stored on Amazon S3. The media catalog server pulls updated content from S3 and can issue over 1 million read operations per second for short periods. Latency must be kept under 5ms for these updates. Which solution will provide the BEST performance for the media catalog updates?

A. Implement Amazon CloudFront and cache the content at Edge Locations

B. Implement an Instance store volume on the media catalog server

C. Update the application code to use an Amazon DynamoDB Accelerator cluster

D. Update the application code to use an Amazon ElastiCache for Redis cluster

A

Explanation
Some applications, such as media catalog updates, require high frequency reads and consistent throughput. For such applications, customers often complement S3 with an in-memory cache, such as Amazon ElastiCache for Redis, to reduce the S3 retrieval cost and to improve performance.
ElastiCache for Redis is a fully managed, in-memory data store that provides sub-millisecond latency performance with high throughput. ElastiCache for Redis complements S3 in the following ways:
- Redis stores data in-memory, so it provides sub-millisecond latency and supports incredibly high requests per second.
- It supports key/value based operations that map well to S3 operations (for example, GET/SET => GET/PUT), making it easy to write code for both S3 and ElastiCache.
- It can be implemented as an application side cache. This allows you to use S3 as your persistent store and benefit from its durability, availability, and low cost. Your applications decide what objects to cache, when to cache them, and how to cache them.
In this example the media catalog is pulling updates from S3 so the performance between these components is what needs to be improved. Therefore, using ElastiCache to cache the content will dramatically increase the performance.

CORRECT: “Update the application code to use an Amazon ElastiCache for Redis cluster” is the correct answer.

INCORRECT: “Implement Amazon CloudFront and cache the content at Edge Locations” is incorrect. CloudFront is good for getting media closer to users but in this case we’re trying to improve performance within the data center moving data from S3 to the media catalog server.

INCORRECT: “Update the application code to use an Amazon DynamoDB Accelerator cluster” is incorrect. DynamoDB Accelerator (DAX) is used with DynamoDB but is unsuitable for use with Amazon S3.

INCORRECT: “Implement an Instance store volume on the media catalog server” is incorrect. This will improve local disk performance but will not improve reads from Amazon S3.

18
Q

Question 48:
A company is investigating ways to analyze and process large amounts of data in the cloud faster, without needing to load or transform the data in a data warehouse. The data resides in Amazon S3.
Which AWS services would allow the company to query the data in place? (choose 2)

A. Amazon Kinesis Data Streams
B. Amazon SWF
C. Amazon RedShift Spectrum
D. Amazon Elasticsearch
E. Amazon S3 Select

A

Explanation
Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions.
Amazon Redshift Spectrum allows you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required.

CORRECT: “Amazon S3 Select” is a correct answer.

CORRECT: “Amazon RedShift Spectrum” is also a correct answer.

INCORRECT: “Amazon Kinesis Data Streams” is incorrect. Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. It does not allow you to perform query-in-place operations on S3.

INCORRECT: “Amazon Elasticsearch” is incorrect. Amazon Elasticsearch Service, is a fully managed service that makes it easy for you to deploy, secure, operate, and scale Elasticsearch to search, analyze, and visualize data in real-time.

INCORRECT: “Amazon SWF” is incorrect. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps.

19
Q

Question 50:
An on-premise data center will be connected to an Amazon VPC by a hardware VPN that has public and VPN-only subnets. The security team has requested that traffic hitting public subnets on AWS that’s destined to on-premise applications must be directed over the VPN to the corporate firewall.
How can this be achieved?

A. In the public subnet route table, add a route for your remote network and specify the customer gateway as the target

B. In the VPN-only subnet route table, add a route that directs all Internet traffic to the virtual private gateway

C. Configure a NAT Gateway and configure all traffic to be directed via the virtual private gateway

D. In the public subnet route table, add a route for your remote network and specify the virtual private gateway as the target

A

Explanation
Route tables determine where network traffic is directed. In the route table associated with the public subnet, add a route for your remote (on-premises) network and specify the virtual private gateway as the target. VPC routing always uses the most specific matching route, so this entry takes precedence over the public subnet’s 0.0.0.0/0 route to the internet gateway for corporate-bound destinations, and that traffic leaves over one of the VPN tunnels to the corporate firewall instead of over the internet. If the customer gateway advertises its prefixes over BGP, you can enable route propagation on the route table so that the routes learned over the VPN are added automatically.

CORRECT: “In the public subnet route table, add a route for your remote network and specify the virtual private gateway as the target” is the correct answer.

INCORRECT: “In the VPN-only subnet route table, add a route that directs all Internet traffic to the virtual private gateway” is incorrect. The requirement concerns traffic originating in the public subnets, so the route belongs in the route table associated with the public subnet, not the VPN-only subnet. The destination should also be the remote network’s prefix, not all Internet traffic.

INCORRECT: “In the public subnet route table, add a route for your remote network and specify the customer gateway as the target” is incorrect. The target must be the virtual private gateway (the AWS side of the VPN). The customer gateway represents the on-premises side and cannot be used as a target in a VPC route table.

INCORRECT: “Configure a NAT Gateway and configure all traffic to be directed via the virtual private gateway” is incorrect. NAT gateways provide outbound Internet access for instances in private subnets; they do not steer traffic to a virtual private gateway.
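Because the outcome depends on longest-prefix-match routing, the useful check is to ask, for a given route table, which gateway a corporate-bound packet would actually hit. The added example below (not part of the practice test) does that over route tables shaped like the `Routes` list returned by EC2 `DescribeRouteTables`, and flags a public subnet whose on-premises traffic would leave via the internet gateway. The CIDRs, gateway IDs and route tables are constructed for the example, and only routes whose next hop is in `GatewayId` (local, internet gateway or virtual private gateway) are considered.

```python
"""Check where a subnet's route table sends on-premises-bound traffic (added example).

Applies VPC longest-prefix-match route selection to route tables shaped like
the `Routes` list from EC2 DescribeRouteTables and flags a public subnet whose
corporate-bound traffic would exit via an internet gateway rather than the
virtual private gateway. All CIDRs and gateway IDs are constructed.
"""
import ipaddress

ON_PREM_CIDR = "10.50.0.0/16"   # assumed corporate network behind the VPN

# Constructed public-subnet route table BEFORE the fix: only the local VPC
# route and the default route to the internet gateway.
PUBLIC_RT_BEFORE = [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc123", "State": "active"},
]

# Same table AFTER adding the static route for the remote network via the VGW.
PUBLIC_RT_AFTER = PUBLIC_RT_BEFORE + [
    {"DestinationCidrBlock": ON_PREM_CIDR, "GatewayId": "vgw-0def456", "State": "active"},
]


def next_hop(routes, dst_ip):
    """Return the GatewayId of the most specific active route matching dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        # Blackholed routes and routes without an IPv4 destination are skipped;
        # only routes that name a GatewayId are considered in this example.
        if r.get("State") != "active" or "DestinationCidrBlock" not in r or "GatewayId" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r["GatewayId"])
    return best[1] if best else None


def _probe_address(cidr):
    """Pick a representative host address inside the corporate prefix."""
    return str(ipaddress.ip_network(cidr)[1])


def onprem_leaks_to_internet(routes, onprem_cidr=ON_PREM_CIDR):
    """True if traffic to the corporate network would exit via an internet gateway."""
    hop = next_hop(routes, _probe_address(onprem_cidr))
    return hop is not None and hop.startswith("igw-")


def onprem_via_vgw(routes, onprem_cidr=ON_PREM_CIDR):
    """True if traffic to the corporate network is carried by the virtual private gateway."""
    hop = next_hop(routes, _probe_address(onprem_cidr))
    return hop is not None and hop.startswith("vgw-")
```

Run against real data, the same functions work on `rt["Routes"]` for each table in `describe_route_tables()`, with the corporate prefix taken from the customer gateway configuration; a public subnet that returns an `igw-` next hop for that prefix is sending corporate traffic over the internet.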

20
Q

Question 54:
An application uses a MySQL database running on an Amazon EC2 instance. The application generates high I/O and constant writes to a single table on the database. Which Amazon EBS volume type will provide the MOST consistent performance and low latency?

A. Provisioned IOPS SSD (io1)
B. Cold HDD (sc1)
C. Throughput Optimized HDD (st1)
D. General Purpose SSD (gp2)

A

Explanation
The Provisioned IOPS SSD (io1) volume type will offer the most consistent performance and can be configured with the amount of IOPS required by the application. It will also provide the lowest latency of the options presented.

CORRECT: “Provisioned IOPS SSD (io1)” is the correct answer.

INCORRECT: “General Purpose SSD (gp2)” is incorrect. gp2 performance scales with volume size (a baseline of 3 IOPS per GiB, with burst credits for smaller volumes), so it cannot guarantee the consistent, provisioned IOPS and low latency that a write-heavy database table needs.

INCORRECT: “Throughput Optimized HDD (st1)” is incorrect. This is an HDD volume type optimized for large sequential throughput, not for the low-latency random I/O and consistent performance this workload requires.

INCORRECT: “Cold HDD (sc1)” is incorrect. This is the lowest cost option and not suitable for frequently accessed workloads.

21
Q

Question 55:
A large quantity of data that is rarely accessed is being archived onto Amazon Glacier. Your CIO wants to understand the resilience of the service. Which of the statements below is correct about Amazon Glacier storage? (choose 2)

A. Provides 99.9% availability of archives

B. Data is replicated globally

C. Provides 99.999999999% durability of archives

D. Data is resilient in the event of one entire region destruction

E. Data is resilient in the event of one entire Availability Zone destruction

A

Explanation
Glacier is designed for durability of 99.999999999% of objects across multiple Availability Zones. Data is resilient in the event of one entire Availability Zone destruction. Glacier supports SSL for data in transit and encryption of data at rest. Glacier is extremely low cost and is ideal for long-term archival.

CORRECT: “Provides 99.999999999% durability of archives” is the correct answer.

CORRECT: “Data is resilient in the event of one entire Availability Zone destruction” is the correct answer.

INCORRECT: “Data is replicated globally” is incorrect. Data is not replicated globally.

INCORRECT: “Data is resilient in the event of one entire region destruction” is incorrect. Data is not resilient to the failure of an entire region.

INCORRECT: “Provides 99.9% availability of archives” is incorrect. Glacier is “designed for” availability of 99.99%

22
Q

Question 56:
An Amazon EBS-backed EC2 instance has been launched. A requirement has come up for some high-performance ephemeral storage.
How can a Solutions Architect add a new instance store volume?

A. You can use a block device mapping to specify additional instance store volumes when you launch your instance, or you can attach additional instance store volumes after your instance is running

B. You must use an Elastic Network Adapter (ENA) to add instance store volumes. First, attach an ENA, and then attach the instance store volume

C. You must shutdown the instance in order to be able to add the instance store volume

D. You can specify the instance store volumes for your instance only when you launch an instance

A

Explanation
You can specify the instance store volumes for your instance only when you launch an instance. You can’t attach instance store volumes to an instance after you’ve launched it.

CORRECT: “You can specify the instance store volumes for your instance only when you launch an instance” is the correct answer.

INCORRECT: “You must shutdown the instance in order to be able to add the instance store volume” is incorrect. Stopping the instance does not help: the instance store configuration is fixed by the block device mapping at launch, and stopping an EBS-backed instance also discards any data already on its instance store volumes. Adding storage to an instance after launch is something you do with EBS volumes, which can be attached while the instance is running, not with instance store volumes.

INCORRECT: “You must use an Elastic Network Adapter (ENA) to add instance store volumes. First, attach an ENA, and then attach the instance store volume” is incorrect. An Elastic Network Adapter has nothing to do with adding instance store volumes.

INCORRECT: “You can use a block device mapping to specify additional instance store volumes when you launch your instance, or you can attach additional instance store volumes after your instance is running” is incorrect. You can’t attach instance store volumes to an instance after you’ve launched it.

23
Q

Question 64:
A company needs to capture detailed information about all HTTP requests that are processed by their Internet facing Application Load Balancer (ALB). The company requires information on the requester, IP address, and request type for analyzing traffic patterns to better understand their customer base.
Which actions should a Solutions Architect recommend?

A. Configure metrics in CloudWatch for the ALB

B. Enable Access Logs and store the data on S3

C. Use CloudTrail to capture all API calls made to the ALB

D. Enable EC2 detailed monitoring

A

Explanation
You can enable access logs on the ALB. Each entry records the client IP address and port, the request line (method, URL and protocol), the user agent, the TLS cipher and protocol, the ELB and target status codes, byte counts and processing times, which covers the requester, IP address and request type the company needs. Access logging is disabled by default. When you enable it you must specify an S3 bucket: the ALB delivers compressed log files to that bucket at regular intervals, and the bucket policy must allow Elastic Load Balancing to write to the chosen prefix.

CORRECT: “Enable Access Logs and store the data on S3” is the correct answer.

INCORRECT: “Configure metrics in CloudWatch for the ALB” is incorrect. CloudWatch metrics for an ALB are aggregated counters such as RequestCount and HTTPCode_ELB_4XX_Count; they do not record per-request details such as the client IP address or URL.

INCORRECT: “Enable EC2 detailed monitoring” is incorrect. Detailed monitoring only increases the frequency of the instances’ CloudWatch metrics to one-minute intervals; it does not capture HTTP request information.

INCORRECT: “Use CloudTrail to capture all API calls made to the ALB” is incorrect. CloudTrail records AWS API activity (for example, calls to the Elastic Load Balancing API that modify the ALB), not the HTTP requests that clients send through it.
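The access log format is space-separated with double-quoted fields, so a few lines of Python are enough to turn it into the per-client view the question asks for. The added example below (not part of the practice test) parses the first sixteen documented fields of each entry, aggregates requests per client IP, and applies a simple scanner heuristic (a client whose responses are mostly 4xx). The three log lines are constructed for the example: the load balancer name, IPs, hostnames, ARNs and trace IDs are made up, and the second and third entries are shaped like requests blocked by AWS WAF (no target, 403 from the ELB, `waf` in the actions field).

```python
"""Parse ALB access log lines and summarise client behaviour (added example).

ALB access logs are space-separated with double-quoted fields; shlex.split()
handles that quoting. FIELDS follows the documented order of the first sixteen
fields. The sample lines are constructed: every identifier in them is made up.
"""
import shlex
from collections import Counter, defaultdict
from urllib.parse import urlsplit

FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time",
    "response_processing_time", "elb_status_code", "target_status_code",
    "received_bytes", "sent_bytes", "request", "user_agent",
    "ssl_cipher", "ssl_protocol",
]

# Constructed sample entries. Line 1: a normal forwarded request.
# Lines 2-3: requests blocked by WAF (no target, ELB returns 403).
SAMPLE_LOG = """\
https 2024-03-01T10:00:00.123456Z app/web-alb/50dc6c495c0c9188 203.0.113.7:51234 10.0.1.12:8080 0.001 0.012 0.000 200 200 412 1532 "GET https://shop.example.com:443/catalog HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/web/73e2d6bc24d8a067 "Root=1-65e1a2b3-0123456789abcdef01234567" "shop.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555" 1 2024-03-01T10:00:00.110000Z "forward" "-" "-" "10.0.1.12:8080" "200" "-" "-"
https 2024-03-01T10:00:01.000000Z app/web-alb/50dc6c495c0c9188 198.51.100.23:40001 - -1 -1 -1 403 - 380 189 "GET https://shop.example.com:443/admin HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-65e1a2b4-89abcdef0123456789abcdef" "shop.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555" 0 2024-03-01T10:00:00.990000Z "waf" "-" "-" "-" "-" "-" "-"
https 2024-03-01T10:00:02.000000Z app/web-alb/50dc6c495c0c9188 198.51.100.23:40002 - -1 -1 -1 403 - 380 189 "GET https://shop.example.com:443/.env?x=1 HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-65e1a2b5-0011223344556677889900aa" "shop.example.com" "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555" 0 2024-03-01T10:00:01.990000Z "waf" "-" "-" "-" "-" "-" "-"
"""


def parse_line(line):
    """Map one access log entry to a dict of the first sixteen named fields."""
    parts = shlex.split(line)
    if len(parts) < len(FIELDS):
        raise ValueError("short ALB access log line")
    rec = dict(zip(FIELDS, parts))
    # client_port is "ip:port"; rsplit keeps IPv6 addresses intact.
    rec["client_ip"] = rec["client_port"].rsplit(":", 1)[0]
    method, url, _protocol = rec["request"].split(" ", 2)
    rec["method"] = method
    rec["path"] = urlsplit(url).path      # drop the query string
    return rec


def summarise(log_text):
    """Per client IP: request count, ELB status code histogram, distinct paths."""
    per_client = defaultdict(lambda: {"requests": 0, "status": Counter(), "paths": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        c = per_client[rec["client_ip"]]
        c["requests"] += 1
        c["status"][rec["elb_status_code"]] += 1
        c["paths"].add(rec["path"])
    return dict(per_client)


def suspicious_clients(summary, min_requests=2, min_error_ratio=0.5):
    """Clients whose responses were mostly 4xx: a cheap probing/scanning heuristic."""
    flagged = []
    for ip, s in summary.items():
        errors = sum(n for code, n in s["status"].items() if code.startswith("4"))
        if s["requests"] >= min_requests and errors / s["requests"] >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

In practice the same `parse_line()` is run over the gzip-decompressed objects the ALB writes to the S3 bucket; the remaining fields (target group ARN, trace ID, domain name, matched rule, actions executed and so on) follow the sixteen shown and can be appended to `FIELDS` in the documented order when they are needed.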

24
Q

Question 65:
An Amazon Elastic File System (EFS) has been created to store data that will be accessed by a large number of Amazon EC2 instances. The data is sensitive and a Solutions Architect is creating a design for security measures to protect the data. It is required that network traffic is restricted correctly based on firewall rules and access from hosts is restricted by user or group.
How can this be achieved with Amazon EFS? (choose 2)

A. Use IAM groups to control access by user or group

B. Use Network ACLs to control the traffic

C. Use POSIX permissions to control access from hosts by user or group

D. Use EFS Security Groups to control network traffic

E. Use AWS Web Application Firewall (WAF) to protect EFS

A

Explanation
Amazon EFS layers its access controls. Network access to the file system’s mount targets is controlled by the VPC security groups attached to them; a security group acts as a stateful firewall, and the rule to add allows inbound NFS (TCP port 2049) from the client instances’ security group rather than from a broad CIDR range. Access to files and directories from a host that has mounted the file system is enforced with standard POSIX user, group and mode permissions, which is how access from hosts is restricted by user or group. IAM controls who can administer the file system (create and delete it, change its configuration and policies) and, through file system policies, which principals may mount it; it does not express per-file or per-directory permissions.

CORRECT: “Use POSIX permissions to control access from hosts by user or group” is the correct answer.

CORRECT: “Use EFS Security Groups to control network traffic” is the correct answer.

INCORRECT: “Use AWS Web Application Firewall (WAF) to protect EFS” is incorrect. AWS WAF inspects HTTP(S) requests at CloudFront, Application Load Balancers and API Gateway. EFS is accessed over NFS, so WAF cannot be placed in front of it and has no concept of file system users or groups.

INCORRECT: “Use Network ACLs to control the traffic” is incorrect. Network ACLs are stateless, subnet-level filters; although they apply to the subnets that hold the mount targets, the firewall rules that govern access to EFS itself are the security groups attached to the mount targets.

INCORRECT: “Use IAM groups to control access by user or group” is incorrect. IAM identities govern who can administer the file system (and, via file system policies, which principals may mount it); access to individual files and directories from hosts is enforced by POSIX user and group permissions, not by IAM groups.
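The security group check described above is easy to automate. The following added example (not part of the practice test) walks security groups shaped like the EC2 `DescribeSecurityGroups` response and separates inbound rules that allow NFS (TCP 2049) from a CIDR range from those that allow it only from a named client security group, the shape the explanation recommends. The two groups, their IDs and the CIDRs are constructed for the example.

```python
"""Audit EFS mount-target security groups for NFS exposure (added example).

Walks security groups shaped like the EC2 DescribeSecurityGroups response and
reports inbound rules that allow NFS (TCP 2049) from a CIDR range, as opposed
to the recommended pattern of allowing it only from the client instances'
security group. Group IDs and CIDRs below are constructed.
"""
NFS_PORT = 2049

# Constructed mount-target security groups: one following the recommended
# pattern, one that also opens NFS to the whole internet and all of 10/8.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0efs0good",
        "GroupName": "efs-mount-targets",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0webclients"}]},
        ],
    },
    {
        "GroupId": "sg-0efs0bad",
        "GroupName": "efs-mount-targets-legacy",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 2049, "ToPort": 2049,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
            # "-1" means all protocols and ports, which also covers NFS.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
             "UserIdGroupPairs": []},
        ],
    },
]


def rule_covers_nfs(perm):
    """True if an IpPermissions entry allows TCP 2049 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= NFS_PORT <= perm.get("ToPort", 65535)


def nfs_from_cidrs(groups):
    """(group_id, cidr) pairs where NFS is reachable from an IP range."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_nfs(perm):
                continue
            for r in perm.get("IpRanges", []):
                findings.append((sg["GroupId"], r["CidrIp"]))
    return findings


def nfs_from_groups(groups):
    """(group_id, source_group_id) pairs: the recommended, SG-to-SG shape."""
    return [(sg["GroupId"], pair["GroupId"])
            for sg in groups
            for perm in sg.get("IpPermissions", [])
            if rule_covers_nfs(perm)
            for pair in perm.get("UserIdGroupPairs", [])]


def world_open_nfs(groups):
    """Group IDs that allow NFS from 0.0.0.0/0, the case to fix first."""
    return sorted({gid for gid, cidr in nfs_from_cidrs(groups) if cidr == "0.0.0.0/0"})
```

To run this against an account, feed it the `SecurityGroups` list from `describe_security_groups()` filtered to the groups referenced by each mount target in `describe_mount_target_security_groups()`; any entry returned by `world_open_nfs()` exposes the file system to every host that can reach the mount target’s subnet.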