Practice Test 3 Study Flashcards
Which of the following are components of an AWS Site-to-Site VPN (select two):
1. Customer gateway
2. AWS storage gateway
3. Virtual private gateway (VGW)
4. Internet gateway
5. Network Address Translation gateway
1 - Customer gateway
3 - Virtual private gateway (VGW)
AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC).
A virtual private gateway (VGW) is the VPN concentrator on the Amazon side of the AWS Site-to-Site VPN connection. A customer gateway is a resource in AWS that provides information to AWS about your customer gateway device.
A customer is running a comparative study of pricing models of Amazon EFS and Amazon Elastic Block Store (Amazon EBS) that are used with the Amazon EC2 instances that host the application. Which of the following statements are correct regarding this use-case? (Select two)
- Amazon EBS Snapshot storage pricing is based on the amount of space your data consumes in Amazon EBS
- You will pay a fee each time you read from or write data stored on the Amazon EFS - Infrequent Access storage class
- Amazon EC2 data transfer charges will apply for all Amazon EBS direct APIs for Snapshots
- With AWS Backup, you pay only for the amount of Amazon EFS backup storage you use in a month; you need not pay for restoring this data
- Amazon EBS Snapshots are stored incrementally, which means you are billed only for the changed blocks stored
2 - You will pay a fee each time you read from or write data stored on the Amazon EFS - Infrequent Access storage class
5 - Amazon EBS Snapshots are stored incrementally, which means you are billed only for the changed blocks stored
Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class is cost-optimized for files accessed less frequently. Data stored on the Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class costs less than Standard and you will pay a fee each time you read from or write to a file.
Amazon EBS Snapshots are a point-in-time copy of your block data. For the first snapshot of a volume, Amazon EBS saves a full copy of your data to Amazon S3. Amazon EBS Snapshots are stored incrementally, which means you are billed only for the changed blocks stored.
Which of the following statements are CORRECT regarding security groups and network access control lists (network ACL)? (Select two)
- A security group is stateful, that is, it automatically allows the return traffic
- A security group is stateless, that is, the return traffic must be explicitly allowed
- A network ACL is stateful, that is, it automatically allows the return traffic
- A network ACL contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic
- A security group contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic
1 - A security group is stateful, that is, it automatically allows the return traffic
4 - A network ACL contains a numbered list of rules and evaluates these rules in the increasing order while deciding whether to allow the traffic
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not at the subnet level. Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. A security group evaluates all rules before deciding whether to allow traffic.
A network access control list (network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (i.e. it works at subnet level). A network access control list (network ACL) contains a numbered list of rules. A network access control list (network ACL) evaluates the rules in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766. AWS recommends that you start by creating rules in increments (for example, increments of 10 or 100) so that you can insert new rules where you need to later on.
An organization maintains separate Amazon Virtual Private Clouds (Amazon VPC) for each of its departments. With expanding business, the organization now wants to connect all Amazon Virtual Private Clouds (Amazon VPC) for better departmental collaboration. Which AWS service will help the organization tackle the issue effectively?
- AWS Site-to-Site VPN
- AWS Direct Connect
- VPC peering connection
- AWS Transit Gateway
4 - AWS Transit Gateway
AWS Transit Gateway connects Amazon Virtual Private Clouds (Amazon VPC) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once. As you expand globally, inter-Region peering connects AWS Transit Gateways using the AWS global network. Your data is automatically encrypted and never travels over the public internet.
Compared to the on-demand instance prices, what is the highest possible discount offered for reserved instances (RI)?
- 50%
- 90%
- 72%
- 40%
3 - 72%
Reserved instances (RI) provide you with significant savings (up to 72%) on your Amazon Elastic Compute Cloud (Amazon EC2) costs compared to on-demand instance pricing. Reserved Instances (RI) are not physical instances, but rather a billing discount applied to the use of on-demand instances in your account. You can purchase a reserved instance (RI) for a one-year or three-year commitment, with the three-year commitment offering a bigger discount.
AWS Identity and Access Management (AWS IAM) policies are written as JSON documents. Which of the following are mandatory elements of an IAM policy?
- Effect, Action
- Effect, Sid
- Sid, Principal
- Action, Condition
1 - Effect, Action
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
A research lab wants to optimize the caching capabilities for its scientific computations application running on Amazon Elastic Compute Cloud (Amazon EC2) instances. Which Amazon Elastic Compute Cloud (Amazon EC2) storage option is best suited for this use-case?
- Amazon S3
- Amazon EFS
- Amazon EBS
- Instance Store
4 - Instance Store
An Instance Store provides temporary block-level storage for your Amazon EC2 instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for the temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers. Instance storage is temporary: data is lost if the instance experiences a failure or is terminated.
An IT company would like to move its IT resources (including any data and applications) from an AWS Region in the US to another AWS Region in Europe. Which of the following represents the correct solution for this use-case?
- The company should raise a ticket with AWS Support for this resource migration
- The company should just start creating new resources in the destination AWS Region and then migrate the relevant data and applications into this new AWS Region
- The company should use AWS Database Migration Service (AWS DMS) to move the resources (including any data and applications) from the source AWS Region to the destination AWS Region
- The company should use AWS CloudFormation to move the resources (including any data and applications) from the source AWS Region to the destination AWS Region
2 - The company should just start creating new resources in the destination AWS Region and then migrate the relevant data and applications into this new AWS Region
There is no off-the-shelf solution or service that the company can use to facilitate this transition.
A company is looking for a guided path to help deploy, configure, and secure its new workloads while ensuring that it is ready for on-going operations in the cloud. Which of the following AWS services/tools can be leveraged for this use case?
- AWS Shared Responsibility Model
- AWS Config
- AWS Trusted Advisor
- Cloud Foundations
4 - Cloud Foundations
Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud. Cloud Foundations helps customers navigate through the decisions they need to make through curated AWS Services, AWS Solutions, Partner Solutions, and Guidance.
Which of the following statements are true about Cost Allocation Tags in AWS Billing? (Select two)
- For each resource, each tag key must be unique, and each tag key can have only one value
- For each resource, each tag key must be unique, but can have multiple values
- Tags help in organizing resources and are a mandatory configuration item to run reports
- You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report
- Only user-defined tags need to be activated before they can appear in Cost Explorer or on a cost allocation report
1 - For each resource, each tag key must be unique, and each tag key can have only one value
4 - You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report
A Cost Allocation Tag is a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource, each tag key must be unique, and each tag key can have only one value. You can use tags to organize your resources, and cost allocation tags to track your AWS costs on a detailed level.
AWS provides two types of cost allocation tags: AWS generated tags and user-defined tags. AWS defines, creates, and applies the AWS generated tags for you, and you define, create, and apply user-defined tags. You must activate both types of tags separately before they can appear in Cost Explorer or on a cost allocation report.
Which of the following is a perspective of the AWS Cloud Adoption Framework (AWS CAF)?
- Product
- Process
- Architecture
- Business
4 - Business
The AWS Cloud Adoption Framework (AWS CAF) leverages AWS experience and best practices to help you digitally transform and accelerate your business outcomes through innovative use of AWS. AWS CAF identifies specific organizational capabilities that underpin successful cloud transformations.
AWS CAF groups its capabilities in six perspectives: Business, People, Governance, Platform, Security, and Operations.
What are the six perspectives of Cloud Adoption Framework’s capabilities?
- Business
- People
- Governance
- Platform
- Security
- Operations
A cyber-security agency uses AWS Cloud and wants to carry out security assessments on its own AWS infrastructure without any prior approval from AWS. Which of the following describes/facilitates this practice?
- Penetration testing
- Amazon Inspector
- Network stress testing
- AWS Secrets Manager
1 - Penetration testing
Amazon CloudWatch billing metric data is stored in which AWS Region?
- In the AWS Region where the AWS resource is provisioned
- In the AWS Region where the AWS account is created
- US West (N. California) - us-west-1
- US East (N. Virginia) - us-east-1
4 - US East (N. Virginia) - us-east-1
You can monitor your estimated AWS charges by using Amazon CloudWatch. Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.
Which of the following statements is correct regarding the Amazon Elastic File System (Amazon EFS) storage service?
- EC2 instances can access files on an EFS file system across many AZs and VPCs but not across Regions
- EC2 instances can access files on an EFS file system across many AZs but not across VPCs and Regions
- EC2 instances can access files on an EFS file system across many AZs, Regions and VPCs
- EC2 instances can access files on an EFS file system only in one AZ.
3 - EC2 instances can access files on an EFS file system across many AZs, Regions and VPCs
Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access using AWS Direct Connect or AWS VPN.