Quizzes Flashcards
This deck contains the AWS Udemy course quizzes and their answers
What is a proper definition of an IAM Role?
- IAM Users in multiple User Groups
- An IAM entity that defines a password policy for IAM Users
- An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS Service
- Permissions assigned to IAM Users to perform actions
An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS Service
Some AWS services need to perform actions on your behalf. To do so, you assign permissions to AWS services with IAM Roles.
Which of the following is an IAM Security Tool?
- IAM Credentials Report
- IAM Root Account Manager
- IAM Services Report
- IAM Security Advisor
IAM Credentials Report
IAM Credentials Report lists all your AWS Account’s IAM Users and the status of their various credentials.
Which answer is INCORRECT regarding IAM Users?
- IAM Users can belong to multiple User Groups
- IAM Users don’t have to belong to a User Group
- IAM Policies can be attached directly to IAM Users
- IAM Users access AWS Services using root account credentials
IAM Users access AWS Services using root account credentials
IAM Users access AWS services using their own credentials (username & password or Access Keys).
Which of the following is an IAM best practice?
- Create several IAM Users for one physical person
- Don’t use the root user account
- Share your AWS account credentials with your colleague, so (s)he can perform a task for you
- Do not enable MFA for easier access
Don’t use the root user account
Use the root account only to create your first IAM User and a few account/service management tasks. For everyday tasks, use an IAM User.
What are IAM Policies?
- A set of policies that defines how AWS accounts interact with each other
- JSON document that defines a set of permissions for making requests to AWS services, and can be used by AWS Users, User Groups, and IAM Roles
- A set of policies that define a password for IAM Users
- A set of policies defined by AWS that show how customers interact with AWS
JSON document that defines a set of permissions for making requests to AWS services, and can be used by AWS Users, User Groups, and IAM Roles
Which principle should you apply regarding IAM Permissions?
- Grant most privilege
- Grant more permissions if your employee asks you to
- Grant least privilege
- Restrict root account permissions
Grant least privilege
Don’t give more permissions than the user needs.
What should you do to increase your root account security?
- Remove permissions from the root account
- Only access AWS services through AWS Command Line Interface (CLI)
- Don’t create IAM Users, only access your AWS account using the root account
- Enable Multi-Factor Authentication (MFA)
Enable Multi-Factor Authentication (MFA)
When you enable MFA, this adds another layer of security. Even if your password is stolen, lost, or hacked your account is not compromised.
IAM User Groups can contain IAM Users and other User Groups
- True
- False
False
IAM User Groups can contain only IAM Users.
An IAM policy consists of one or more statements. A statement in IAM Policy consists of the following, EXCEPT:
- Effect
- Principal
- Version
- Action
- Resource
Version
A statement in an IAM Policy consists of Sid, Effect, Principal, Action, Resource, and Condition. Version is part of the IAM Policy itself, not the statement.
Which EC2 Purchasing Option can provide you the biggest discount, but it is not suitable for critical jobs or databases?
- Convertible Reserved Instances
- Dedicated Hosts
- Spot Instances
Spot Instances
Spot Instances are good for short workloads and this is the cheapest EC2 Purchasing Option. But, they are less reliable because you can lose your EC2 instance.
What should you use to control traffic in and out of EC2 instances?
- Network Access Control List (NACL)
- Security Groups
- IAM Policies
Security Groups
Security Groups operate at the EC2 instance level and can control traffic.
How long can you reserve an EC2 Reserved Instance?
- 1 or 3 years
- 2 or 4 years
- 6 months or 1 year
- Anytime between 1 and 3 years
1 or 3 years
EC2 Reserved Instances can be reserved for 1 or 3 years only.
You would like to deploy a High-Performance Computing (HPC) application on EC2 instances. Which EC2 instance type should you choose?
- Storage Optimized
- Compute Optimized
- Memory Optimized
- General Purpose
Compute Optimized
Compute Optimized EC2 instances are great for compute-intensive workloads requiring high-performance processors (e.g., batch processing, media transcoding, high-performance computing, scientific modeling & machine learning, and dedicated gaming servers).
Which EC2 Purchasing Option should you use for an application you plan to run on a server continuously for 1 year?
- Reserved Instances
- Spot Instances
- On-Demand Instances
Reserved Instances
Reserved Instances are good for long workloads. You can reserve EC2 instances for 1 or 3 years.
You are preparing to launch an application that will be hosted on a set of EC2 instances. This application needs some software installation and some OS packages need to be updated during the first launch. What is the best way to achieve this when you launch the EC2 instances?
- Connect to each EC2 instance using SSH, then install the required software and update your OS packages manually
- Write a bash script that installs the required software and updates to your OS, then contact AWS Support and provice them with the script. They will run it on your EC2 instances at launch
- Write a bash script that installs the required software and updates to your OS, then use this script in EC2 User Data when you launch your EC2 instances
Write a bash script that installs the required software and updates to your OS, then use this script in EC2 User Data when you launch your EC2 instances
EC2 User Data is used to bootstrap your EC2 instances using a bash script. This script can contain commands such as installing software/packages, download files from the Internet, or anything you want.
Which EC2 Instance Type should you choose for a critical application that uses an in-memory database?
- Compute Optimized
- Storage Optimized
- Memory Optimized
- General Purpose
Memory Optimized
Memory Optimized EC2 instances are great for workloads requiring large data sets in memory.
Security Groups can be attached to only one EC2 instance.
- True
- False
False
Security Groups can be attached to multiple EC2 instances within the same AWS Region/VPC.
You have an e-commerce application with an OLTP database hosted on-premises. This application has popularity which results in its database having thousands of requests per second. You want to migrate the database to an EC2 instance. Which EC2 Instance Type should you choose to handle this high-frequency OLTP database?
- Compute Optimized
- Storage Optimized
- Memory Optimized
- General Purpose
Storage Optimized
Storage Optimized EC2 instances are great for workloads requiring high, sequential read/write access to large data sets on local storage.
You’re planning to migrate on-premises applications to AWS. Your company has strict compliance requirements that require your applications to run on dedicated servers. You also need to use your own server-bound software license to reduce costs. Which EC2 Purchasing Option is suitable for you?
- Convertible Reserved Instances
- Dedicated Hosts
- Spot Instances
Dedicated Hosts
Dedicated Hosts are good for companies with strong compliance needs or for software that have complicated licensing models. This is the most expensive EC2 Purchasing Option available.
You would like to deploy a database technology on an EC2 instance and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 Purchasing Option allows you to get visibility into them?
- Spot Instances
- On-Demand
- Dedicated Hosts
- Reserved Instances
Dedicated Hosts
Spot Fleet is a set of Spot Instances and optionally ……………
- Reserved Instances
- On-Demand Instances
- Dedicated Hosts
- Dedicated Instances
On-Demand Instances
Spot Fleet is a set of Spot Instances and optionally On-demand Instances. It allows you to automatically request Spot Instances with the lowest price.
You have launched an EC2 instance that will host a NodeJS application. After installing all the required software and configured your application, you noted down the EC2 instance public IPv4 so you can access it. Then, you stopped and then started your EC2 instance to complete the application configuration. After restart, you can’t access the EC2 instance, and you found that the EC2 instance public IPv4 has been changed. What should you do to assign a fixed public IPv4 to your EC2 instance?
- Allocate an Elastic IP and assign it to your EC2 instance
- From inside your EC2 instance OS, change network configuration from DHCP to static and assign a public IPv4
- Contact AWS Support and request a fixed public IPv4 to your EC2 instance
- This can’t be done, you can only assign a fixed private IPv4 to your EC2 instance
Allocate an Elastic IP and assign it to your EC2 instance
Elastic IP is a public IPv4 that you own as long as you want and you can attach it to one EC2 instance at a time.
You have an application performing big data analysis hosted on a fleet of EC2 instances. You want to ensure your EC2 instances have the highest networking performance while communicating with each other. Which EC2 Placement Group should you choose?
- Spread Placement Group
- Cluster Placement Group
- Partition Placement Group
Cluster Placement Group
Cluster Placement Groups place your EC2 instances next to each other which gives you high-performance computing and networking.
You have a critical application hosted on a fleet of EC2 instances in which you want to achieve maximum availability when there’s an AZ failure. Which EC2 Placement Group should you choose?
- Spread Placement Group
- Cluster Placement Group
- Partition Placement Group
Spread Placement Group
Spread Placement Group places your EC2 instances on different physical hardware across different AZs.
Elastic Network Interface (ENI) can be attached to EC2 instances in another AZ.
- True
- False
False
Elastic Network Interfaces (ENIs) are bounded to a specific AZ. You can not attach an ENI to an EC2 instance in a different AZ.
The following are true regarding EC2 Hibernate, EXCEPT:
- EC2 Instance Root Volume must be an Instance Store Volume
- Supports On-Demand and Reserved Instances
- EC2 Instance RAM must be less than 150GB
- EC2 Instance Root Volume type must be an EBS Volume
EC2 Instance Root Volume must be an Instance Store Volume
To enable EC2 Hibernate, the EC2 Instance Root Volume type must be an EBS volume and must be encrypted to ensure the protection of sensitive content.
You have just terminated an EC2 instance in us-east-1a, and its attached EBS volume is now available. Your teammate tries to attach it to an EC2 instance in us-east-1b but he can’t. What is a possible cause for this?
- He’s missing IAM permissions
- EBS volumes are locked to an AWS Region
- EBS volumes are locked to an Availability Zone
EBS volumes are locked to an Availability Zone
EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZs using EBS Snapshots.
You have launched an EC2 instance with two EBS volumes, Root volume type and the other EBS volume type to store the data. A month later you are planning to terminate the EC2 instance. What’s the default behavior that will happen to each EBS volume?
- Both the Root volume type and the EBS volume type will be deleted
- The Root volume type will be deleted and the EBS volume type will not be deleted
- The Root volume type will not be deleted and the EBS volume type will be deleted
- Both the Root volume type and the EBS volume type will not be deleted
The Root volume type will be deleted and the EBS volume type will not be deleted
By default, the Root volume type will be deleted as its “Delete On Termination” attribute checked by default. Any other EBS volume types will not be deleted as its “Delete On Termination” attribute disabled by default.
You can use an AMI in N.Virginia Region us-east-1 to launch an EC2 instance in any AWS Region.
- True
- False
False
AMIs are built for a specific AWS Region, they’re unique for each AWS Region. You can’t launch an EC2 instance using an AMI in another AWS Region, but you can copy the AMI to the target AWS Region and then use it to create your EC2 instances.
Which of the following EBS volume types can be used as boot volumes when you create EC2 instances?
- gp2, gp3, st1, sc1
- gp2, gp3, io1, io2
- io1, io2 st1, sc1
gp2, gp3, io1, io2
When creating EC2 instances, you can only use the following EBS volume types as boot volumes: gp2, gp3, io1, io2, and Magnetic (Standard).
What is EBS Multi-Attach?
- Attach the same EBS volume to multiple EC2 instances in multiple AZs
- Attach multiple EBS volumes in the same AZ to the same EC2 instance
- Attach the same EBS volume to multiple EC2 instances in the same AZ
- Attach multiple EBS volumes in multiple AZs to the same EC2 instance
Attach the same EBS volume to multiple EC2 instances in the same AZ
Using EBS Multi-Attach, you can attach the same EBS volume to multiple EC2 instances in the same AZ. Each EC2 instance has full read/write permissions.
You would like to encrypt an unencrypted EBS volume attached to your EC2 instance. What should you do?
- Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume
- Select your EBS volume, choose Edit Attributes, then tick the Encrypt using KMS option
- Create a new encrypted EBS volume, then copy data from your unencrypted EBS volume to the new EBS volume
- Submit a request to AWS Support to encrypt your EBS volume
Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume
You have a fleet of EC2 instances distributes across AZs that process a large data set. What do you recommend to make the same data to be accessible as an NFS drive to all of your EC2 instances?
- Use EBS
- Use EFS
- Use an Instance Store
Use EFS
EFS is a network file system (NFS) that allows you to mount the same file system on EC2 instances that are in different AZs.
You would like to have a high-performance local cache for your application hosted on an EC2 instance. You don’t mind losing the cache upon the termination of your EC2 instance. Which storage mechanism do you recommend as a Solutions Architect?
- EBS
- EFS
- Instance Store
Instance Store
EC2 Instance Store provides the best disk I/O performance.
You are running a high-performance database that requires an IOPS of 310,000 for its underlying storage. What do you recommend?
- Use an EBS gp2 drive
- Use an EBS io1 drive
- Use an EC2 Instance Store
- Use an EBS io2 Block Express drive
Use an EC2 Instance Store
You can run a database on an EC2 instance that uses an Instance Store, but you’ll have a problem that the data will be lost if the EC2 instance is stopped (it can be restarted without problems). One solution is that you can set up a replication mechanism on another EC2 instance with an Instance Store to have a standby copy. Another solution is to set up backup mechanisms for your data. It’s all up to you how you want to set up your architecture to validate your requirements. In this use case, it’s around IOPS, so we have to choose an EC2 Instance Store.
Scaling an EC2 instance from ` r4.large to r4.4xlarge` is called …………………
- Horizontal Scalability
- Vertical Scalability
Vertical Scalability
Running an application on an Auto Scaling Group that scales the number of EC2 instances in and out is called …………………
- Horizontal Scalability
- Vertical Scalability
Horizontal Scalability
Elastic Load Balancers provide a …………………..
- static IPv4 we can use in our application
- static DNS name we can use in our application
- static IPv6 we can use in our application
static DNS name we can use in our application
Only Network Load Balancer provides both static DNS name and static IP. While, Application Load Balancer provides a static DNS name but it does NOT provide a static IP. The reason being that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.
You are running a website on 10 EC2 instances fronted by an Elastic Load Balancer. Your users are complaining about the fact that the website always asks them to re-authenticate when they are moving between website pages. You are puzzled because it’s working just fine on your machine and in the Dev environment with 1 EC2 instance. What could be the reason?
- Your website must have an issue when hosted on multiple EC2 instances
- The EC2 instances log out users as they can’t see their IP addresses, instead, they receive ELB IP addresses
- The Elastic Load Balancer does not have Sticky Sessions enabled
The Elastic Load Balancer does not have Sticky Sessions enabled
ELB Sticky Session feature ensures traffic for the same client is always redirected to the same target (e.g., EC2 instance). This helps that the client does not lose his session data.
You are using an Application Load Balancer to distribute traffic to your website hosted on EC2 instances. It turns out that your website only sees traffic coming from private IPv4 addresses which are in fact your Application Load Balancer’s IP addresses. What should you do to get the IP address of clients connected to your website?
- Modify your website’s frontend so that users send their IP in every request
- Modify your website’s backend to get the client IP address from the X-Forwarded-For header
- Modify your website’s backend to get the client IP address from the X-Forwarded-Port header
- Modify your website’s backend to get the client IP address from the X-Forwarded-Proto header
Modify your website’s backend to get the client IP address from the X-Forwarded-For header
When using an Application Load Balancer to distribute traffic to your EC2 instances, the IP address you’ll receive requests from will be the ALB’s private IP addresses. To get the client’s IP address, ALB adds an additional header called “X-Forwarded-For” contains the client’s IP address.
You hosted an application on a set of EC2 instances fronted by an Elastic Load Balancer. A week later, users begin complaining that sometimes the application just doesn’t work. You investigate the issue and found that some EC2 instances crash from time to time. What should you do to protect users from connecting to the EC2 instances that are crashing?
- Enable ELB Health Checks
- Enable ELB Stickiness
- Enable SSL Termination
- Enable Cross-Zone Load Balancing
Enable ELB Health Checks
When you enable ELB Health Checks, your ELB won’t send traffic to unhealthy (crashed) EC2 instances.
You are working as a Solutions Architect for a company and you are required to design an architecture for a high-performance, low-latency application that will receive millions of requests per second. Which type of Elastic Load Balancer should you choose?
- Application Load Balancer
- Classic Load Balancer
- Network Load Balancer
Network Load Balancer
Network Load Balancer provides the highest performance and lowest latency if your application needs it.
Application Load Balancers support the following protocols, EXCEPT:
- HTTP
- HTTPS
- TCP
- WebSocket
TCP
Application Load Balancers support HTTP, HTTPS and WebSocket.
Application Load Balancers can route traffic to different Target Groups based on the following, EXCEPT:
- Client’s Location (Geography)
- Hostname
- Request URL Path
- Source IP Address
Client’s Location (Geography)
ALBs can route traffic to different Target Groups based on URL Path, Hostname, HTTP Headers, and Query Strings.
Registered targets in a Target Groups for an Application Load Balancer can be one of the following, EXCEPT:
- EC2 Instances
- Network Load Balancer
- Private IP Addresses
- Lambda Functions
Network Load Balancer
For compliance purposes, you would like to expose a fixed static IP address to your end-users so that they can write firewall rules that will be stable and approved by regulators. What type of Elastic Load Balancer would you choose?
- Application Load Balancer with an Elastic IP attached to it
- Network Load Balancer
- Classic Load Balancer
Network Load Balancer
Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.
You want to create a custom application-based cookie in your Application Load Balancer. Which of the following you can use as a cookie name?
- AWSALBAPP
- APPUSERC
- AWSALBTG
- AWSALB
APPUSERC
The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG).
You have a Network Load Balancer that distributes traffic across a set of EC2 instances in us-east-1. You have 2 EC2 instances in us-east-1b AZ and 5 EC2 instances in us-east-1e AZ. You have noticed that the CPU utilization is higher in the EC2 instances in us-east-1b AZ. After more investigation, you noticed that the traffic is equally distributed across the two AZs. How would you solve this problem?
- Enable Cross-Zone Load Balancing
- Enable Sticky Sessions
- Enable ELB Health Checks
- Enable SSL Termination
Enable Cross-Zone Load Balancing
When Cross-Zone Load Balancing is enabled, ELB distributes traffic evenly across all registered EC2 instances in all AZs.
Which feature in both Application Load Balancers and Network Load Balancers allows you to load multiple SSL certificates on one listener?
- TLS Termination
- Server Name Indication (SNI)
- SSL Security Policies
- Host Headers
Server Name Indication (SNI)
You have an Application Load Balancer that is configured to redirect traffic to 3 Target Groups based on the following hostnames: users.example.com, api.external.example.com, and checkout.example.com. You would like to configure HTTPS for each of these hostnames. How do you configure the ALB to make this work?
- Use an HTTP to HTTPS redirect rule
- Use a security group SSL certificate
- Use Server Name Indication (SNI)
Use Server Name Indication (SNI)
Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/
You have an application hosted on a set of EC2 instances managed by an Auto Scaling Group that you configured both desired and maximum capacity to 3. Also, you have created a CloudWatch Alarm that is configured to scale out your ASG when CPU Utilization reaches 60%. Your application suddenly received huge traffic and is now running at 80% CPU Utilization. What will happen?
- Nothing
- The desired capacity will go up to 4 and the maximum capacity will stay at 3
- The desired capacity will go up to 4 and the maximum capacity will stay at 4
Nothing
The Auto Scaling Group can’t go over the maximum capacity (you configured) during scale-out events.
You have an Auto Scaling Group fronted by an Application Load Balancer. You have configured the ASG to use ALB Health Checks, then one EC2 instance has just been reported unhealthy. What will happen to the EC2 instance?
- The ASG will keep the instance running and re-start the application
- The ASG will detach the EC2 instance and leave it running
- The ASG will terminate the EC2 instance
The ASG will terminate the EC2 instance
You can configure the Auto Scaling Group to determine the EC2 instances’ health based on Application Load Balancer Health Checks instead of EC2 Status Checks (default). When an EC2 instance fails the ALB Health Checks, it is marked unhealthy and will be terminated while the ASG launches a new EC2 instance.
Your boss asked you to scale your Auto Scaling Group based on the number of requests per minute your application makes to your database. What should you do?
- Create a CloudWatch custom metric then create a Cloudwatch Alarm on this metric to scale your ASG
- You politelly tell him it’s impossible
- Enable Detailed Monitoring then create a CloudWatch alarm to scale your ASG
Create a CloudWatch custom metric then create a Cloudwatch Alarm on this metric to scale your ASG
There’s no CloudWatch Metric for “requests per minute” for backend-to-database connections. You need to create a CloudWatch Custom Metric, then create a CloudWatch Alarm.
An application is deployed with an Application Load Balancer and an Auto Scaling Group. Currently, you manually scale the ASG and you would like to define a Scaling Policy that will ensure the average number of connections to your EC2 instances is around 1000. Which Scaling Policy should you use?
- Simple Scaling Policy
- Step Scaling Policy
- Target Tracking Policy
- Scheduled Scaling Policy
Target Tracking Policy
You have an ASG and a Network Load Balancer. The application on your ASG supports the HTTP protocol and is integrated with the Load Balancer health checks. You are currently using the TCP health checks. You would like to migrate to using HTTP health checks, what do you do?
- Migrate to an Application Load Balancer
- Migrate to health check to HTTP
Migrate to health check to HTTP
the NLB supports HTTP health checks as well as TCP and HTTPS
You have a website hosted in EC2 instances in an Auto Scaling Group fronted by an Application Load Balancer. Currently, the website is served over HTTP, and you have been tasked to configure it to use HTTPS. You have created a certificate in ACM and attached it to the Application Load Balancer. What you can do to force users to access the website using HTTPS instead of HTTP?
- Send an email to all customers to use HTTPS instead of HTTP
- Configure the Application Load Balancer to redirect HTTP to HTTPS
- Configure the DNS record to redirect HTTP to HTTPS
Configure the Application Load Balancer to redirect HTTP to HTTPS
Amazon RDS supports the following databases, EXCEPT:
- MongoDB
- MySQL
- MariaDB
- Microsoft SQL Server
MongoDB
RDS supports MySQL, PostgreSQL, MariaDB, Oracle, MS SQL Server, and Amazon Aurora.
You’re planning for a new solution that requires a MySQL database that must be available even in case of a disaster in one of the Availability Zones. What should you use?
- Create Read Replicas
- Enable Encryption
- Enable Multi-AZ
Enable Multi-AZ
Multi-AZ helps when you plan a disaster recovery for an entire AZ going down. If you plan against an entire AWS Region going down, you should use backups and replication across AWS Regions.
We have an RDS database that struggles to keep up with the demand of requests from our website. Our million users mostly read news, and we don’t post news very often. Which solution is NOT adapted to this problem?
- An ElastiCache Cluster
- RDS Multi-AZ
- RDS Read Replicas
RDS Multi-AZ
ElastiCache and RDS Read Replicas do indeed help with scaling reads.
You have set up read replicas on your RDS database, but users are complaining that upon updating their social media posts, they do not see their updated posts right away. What is a possible cause for this?
- There must be a bug in your application
- Read Replicas have Asynchronous Replication, therefore it’s likely your users will only read Eventual Consistency
- You should have setup Multi-AZ instead
Read Replicas have Asynchronous Replication, therefore it’s likely your users will only read Eventual Consistency
Which RDS (NOT Aurora) feature when used does not require you to change the SQL connection string?
- Multi-AZ
- Read Replicas
Multi-AZ
Multi-AZ keeps the same connection string regardless of which database is up.
Your application running on a fleet of EC2 instances managed by an Auto Scaling Group behind an Application Load Balancer. Users have to constantly log back in and you don’t want to enable Sticky Sessions on your ALB as you fear it will overload some EC2 instances. What should you do?
- Use your own custom Load Balancer on EC2 instances instead of using ALB
- Store session data in RDS
- Store session data in ElastiCache
- Store session data in a shared EBS volume
Store session data in ElastiCache
Storing Session Data in ElastiCache is a common pattern to ensuring different EC2 instances can retrieve your user’s state if needed.
An analytics application is currently performing its queries against your main production RDS database. These queries run at any time of the day and slow down the RDS database which impacts your users’ experience. What should you do to improve the users’ experience?
- Setup a Read Replica
- Setup Multi-AZ
- Run the analytics queries at night
Setup a Read Replica
Read Replicas will help as your analytics application can now perform queries against it, and these queries won’t impact the main production RDS database.
You would like to ensure you have a replica of your database available in another AWS Region if a disaster happens to your main AWS Region. Which database do you recommend to implement this easily?
- RDS Read Replicas
- RDS Multi-AZ
- Aurora Read Replicas
- Aurora Global Database
Aurora Global Database
Aurora Global Databases allows you to have an Aurora Replica in another AWS Region, with up to 5 secondary regions.
How can you enhance the security of your ElastiCache Redis Cluster by allowing users to access your ElastiCache Redis Cluster using their IAM Identities (e.g., Users, Roles)?
- Using Redis Authentication
- Using IAM Authentication
- Use Security Groups
Using IAM Authentication
Your company has a production Node.js application that is using RDS MySQL 5.6 as its database. A new application programmed in Java will perform some heavy analytics workload to create a dashboard on a regular hourly basis. What is the most cost-effective solution you can implement to minimize disruption for the main application?
- Enable Multi-AZ for the RDS database and run the analytics workload on the standby database
- Create a Read Replica in a different AZ and run the analytics on the replica database
- Create a Read Replica in a different AZ and run the analytics workload on the source database
Create a Read Replica in a different AZ and run the analytics on the replica database
You would like to create a disaster recovery strategy for your RDS PostgreSQL database so that in case of a regional outage the database can be quickly made available for both read and write workloads in another AWS Region. The DR database must be highly available. What do you recommend?
- Create a Read Replica in the same region and enable Multi-AZ on the main database
- Create a Read Replica in a different region and enable Multi-AZ on the Read Replica
- Create a Read Replica in the same region and enable Multi-AZ on the Read Replica
- Enable Multi-Region option on the main database
Create a Read Replica in a different region and enable Multi-AZ on the Read Replica
You have migrated the MySQL database from on-premises to RDS. You have a lot of applications and developers interacting with your database. Each developer has an IAM user in the company’s AWS account. What is a suitable approach to give access to developers to the MySQL RDS DB instance instead of creating a DB user for each one?
- By default IAM users have access to your RDS database
- Use Amazon Cognito
- Enable IAM Database Authentication
Enable IAM Database Authentication
Which of the following statement is true regarding replication in both RDS Read Replicas and Multi-AZ?
- Read Replica uses Asynchronous Replication and Multi-AZ uses Asynchronous Replication
- Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication
- Read Replica uses Synchronous Replication and Multi-AZ uses Synchronous Replication
- Read Replica uses Synchronous Replication and Multi-AZ uses Asynchronous Replication
Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication
How do you encrypt an unencrypted RDS DB instance?
- Do it straight from AWS Console, select your RDS DB instance, choose Actions then Encrypt using KMS
- Do it straight from AWS Console, after stopping the RDS DB instance
- Create a snapshot of the unencrypted RDS DS instance, copy the snapshot and tick “Enable encryption”, then restore the RDS DB instance from the encrypted snapshot
Create a snapshot of the unencrypted RDS DS instance, copy the snapshot and tick “Enable encryption”, then restore the RDS DB instance from the encrypted snapshot
For your RDS database, you can have up to ………… Read Replicas.
- 5
- 15
- 7
15
Which RDS database technology does NOT support IAM Database Authentication?
- Oracle
- PostgreSQL
- MySQL
Oracle
You have an un-encrypted RDS DB instance and you want to create Read Replicas. Can you configure the RDS Read Replicas to be encrypted?
- No
- Yes
No
You can not create encrypted Read Replicas from an unencrypted RDS DB instance.
An application running in production is using an Aurora Cluster as its database. Your development team would like to run a version of the application in a scaled-down application with the ability to perform some heavy workload on a need-basis. Most of the time, the application will be unused. Your CIO has tasked you with helping the team to achieve this while minimizing costs. What do you suggest?
- Use an Aurora Global Database
- Use an RDS Database
- Use Aurora Serverless
- Run Aurora on EC2, and write script to shut down the EC2 instance at night
Use Aurora Serverless
How many Aurora Read Replicas can you have in a single Aurora DB Cluster?
- 5
- 10
- 15
15
Amazon Aurora supports both …………………….. databases.
- MySQL and MariaDB
- MySQL and PostgreSQL
- Oracle and MariaDB
- Oracle and MS SQL Server
MySQL and PostgreSQL
You work as a Solutions Architect for a gaming company. One of the games mandates that players are ranked in real-time based on their score. Your boss asked you to design then implement an effective and highly available solution to create a gaming leaderboard. What should you use?
- Use RDS for MySQL
- Use Amazon Aurora
- Use ElastiCache for Memcached
- Use ElastiCache for Redis - Sorted Sets
Use ElastiCache for Redis - Sorted Sets
You need full customization of an Oracle Database on AWS. You would like to benefit from using the AWS services. What do you recommend?
- RDS for Oracle
- RDS Custom for Oracle
- Deploy Oracle on EC2
RDS Custom for Oracle
You need to store long-term backups for your Aurora database for disaster recovery and audit purposes. What do you recommend?
- Enable Automated Backups
- Perform On Demand Backups
- Use Aurora Database Cloning
Perform On Demand Backups
Your development team would like to perform a suite of read and write tests against your production Aurora database because they need access to production data as soon as possible. What do you advise?
- Create an Aurora Read Replica for them
- Do the test against the production database
- Make a DB Snapshot and Restore it into a new database
- Use the Aurora Cloning Feature
Use the Aurora Cloning Feature
You have 100 EC2 instances connected to your RDS database and you see that upon a maintenance of the database, all your applications take a lot of time to reconnect to RDS, due to poor application logic. How do you improve this?
- Fix all the applications
- Disable Multi-AZ
- Enable Multi-AZ
- Use an RDS Proxy
Use an RDS Proxy
This reduces the failover time by up to 66% and keeps connection actives for your applications
You have purchased mycoolcompany.com on Amazon Route 53 Registrar and would like the domain to point to your Elastic Load Balancer my-elb-1234567890.us-west-2.elb.amazonaws.com. Which Route 53 Record type must you use here?
- CNAME
- Alias
Alias
You have deployed a new Elastic Beanstalk environment and would like to direct 5% of your production traffic to this new environment. This allows you to monitor for CloudWatch metrics and ensuring that there’re no bugs exist with your new environment. Which Route 53 Record type allows you to do so?
- Simple
- Weighted
- Latency
- Failover
Weighted
Weighted Routing Policy allows you to redirect part of the traffic based on weight (e.g., percentage). It’s a common use case to send part of traffic to a new version of your application.
You have updated a Route 53 Record’s myapp.mydomain.com value to point to a new Elastic Load Balancer, but it looks like users are still redirected to the old ELB. What is a possible cause for this behavior?
- Because of the Alias record
- Because of the CNAME record
- Because of the TTL
- Because of Route 53 Health Checks
Because of the TTL
Each DNS record has a TTL (Time To Live) which orders clients for how long to cache these values and not overload the DNS Resolver with DNS requests. The TTL value should be set to strike a balance between how long the value should be cached vs. how many requests should go to the DNS Resolver.
You have an application that’s hosted in two different AWS Regions us-west-1 and eu-west-2. You want your users to get the best possible user experience by minimizing the response time from application servers to your users. Which Route 53 Routing Policy should you choose?
- Multi Value
- Weighted
- Latency
- Geolocation
Latency
Latency Routing Policy will evaluate the latency between your users and AWS Regions, and help them get a DNS response that will minimize their latency (e.g. response time)
You have a legal requirement that people in any country but France should NOT be able to access your website. Which Route 53 Routing Policy helps you in achieving this?
- Latency
- Simple
- Multi Value
- Geolocation
Geolocation
You have purchased a domain on GoDaddy and would like to use Route 53 as the DNS Service Provider. What should you do to make this work?
- Request for a domain transfer
- Create a Private Hosted Zone and update the 3rd party Registrar NS records
- Create a Public Hosted Zone and update the Route 53 NS records
- Create a Public Hosted Zone and update the 3rd party Registrar NS records
Create a Public Hosted Zone and update the 3rd party Registrar NS records
Public Hosted Zones are meant to be used for people requesting your website through the Internet. Finally, NS records must be updated on the 3rd party Registrar.
Which of the following are NOT valid Route 53 Health Checks?
- Health Check that monitors a SQS Queue
- Health Check that monitors an Endpoint
- Health Check that monitors other Health Checks
- Health Check that monitors CloudWatch Alarms
Health Check that monitors a SQS Queue
Your website TriangleSunglasses.com is hosted on a fleet of EC2 instances managed by an Auto Scaling Group and fronted by an Application Load Balancer. Your ASG has been configured to scale on-demand based on the traffic going to your website. To reduce costs, you have configured the ASG to scale based on the traffic going through the ALB. To make the solution highly available, you have updated your ASG and set the minimum capacity to 2. How can you further reduce the costs while respecting the requirements?
- Remove the ALB and use an Elastic IP Instead
- Reserve two EC2 Instances
- Reduce the minimum capacity to 1
- Reduce the minimum capacity to 0
Reserve two EC2 Instances
This is the way to save further costs as we will run 2 EC2 instances no matter what.
Which of the following will NOT help us while designing a STATELESS application tier?
- Store session data in Amazon RDS
- Store session data in Amazon ElastiCache
- Store session data in the client HTTP cookies
- Store session data on EBS Volumes
Store session data on EBS Volumes
EBS volumes are created in a specific AZ and can only be attached to one EC2 instance at a time.
You want to install software updates on 100s of Linux EC2 instances that you manage. You want to store these updates on shared storage which should be dynamically loaded on the EC2 instances and shouldn’t require heavy operations. What do you suggest?
- Store the software updates on EBS and sync them using data replication software from one master in each AZ
- Store the software updates on EFS and mount EFS as a network drive at startup
- Package the software updates as an EBS snapshot and create EBS volumes for each new software update
- Store the software updates on Amazon RDS
Store the software updates on EFS and mount EFS as a network drive at startup
EFS is a network file system (NFS) that allows you to mount the same file system to 100s of EC2 instances. Storing software updates on an EFS allows each EC2 instance to access them.
As a Solutions Architect, you’re planning to migrate a complex ERP software suite to AWS Cloud. You’re planning to host the software on a set of Linux EC2 instances managed by an Auto Scaling Group. The software traditionally takes over an hour to set up on a Linux machine. How do you recommend you speed up the installation process when there’s a scale-out event?
- Use a Golden AMI
- Bootstrap using EC2 User Data
- Store the application in Amazon RDS
- Retrieve the application setup files from RDS
Use a Golden AMI
Golden AMI is an image that contains all your software installed and configured so that future EC2 instances can boot up quickly from that AMI.
You’re developing an application and would like to deploy it to Elastic Beanstalk with minimal cost. You should run it in ………………
- Single Instance Mode
- High Availability Mode
Single Instance Mode
The question mentions that you’re still in the development stage and you want to reduce costs. Single Instance Mode will create one EC2 instance and one Elastic IP.
You’re deploying your application to an Elastic Beanstalk environment but you notice that the deployment process is painfully slow. After reviewing the logs, you found that your dependencies are resolved on each EC2 instance each time you deploy. How can you speed up the deployment process with minimal impact?
- Remove some dependencies in your code
- Place the dependencies in Amazon EFS
- Create a Golden AMI that contains the depedencies and use that image to launch the EC2 instances
Create a Golden AMI that contains the depedencies and use that image to launch the EC2 instances
Golden AMI is an image that contains all your software, dependencies, and configurations, so that future EC2 instances can boot up quickly from that AMI.
You have a 25 GB file that you’re trying to upload to S3 but you’re getting errors. What is a possible solution for this?
- The file size limit on S3 is 5GB
- Update your bucket policy to allow the larger file
- Use Multi-Part upload when uploading files larger than 5GB
- Encrypt the file
Use Multi-Part upload when uploading files larger than 5GB
Multi-Part Upload is recommended as soon as the file is over 100 MB.
You’re getting errors while trying to create a new S3 bucket named “dev”. You’re using a new AWS Account with no S3 buckets created before. What is a possible cause for this?
- You’re missing IAM permissions to create an S3 bucket
- S3 bucket names must be globally unique and “dev” is already taken
S3 bucket names must be globally unique and “dev” is already taken
You have enabled versioning in your S3 bucket which already contains a lot of files. Which version will the existing files have?
- 1
- 0
- -1
- null
null
You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complain that he can’t perform a PutObject API call. What is a possible cause for this?
- The S3 bucket policy must be wrong
- The user is lacking permissions
- The IAM user must have an explicit DENY in the attached IAM Policy
- You need to contact AWS Support to lift this limit
The IAM user must have an explicit DENY in the attached IAM Policy
Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.
You want the content of an S3 bucket to be fully available in different AWS Regions. That will help your team perform data analysis at the lowest latency and cost possible. What S3 feature should you use?
- Amazon Cloudfront Distributions
- S3 Versioning
- S3 Static Website Hosting
- S3 Replication
S3 Replication
S3 Replication allows you to replicate data from an S3 bucket to another in the same/different AWS Region.
You have 3 S3 buckets. One source bucket A, and two destination buckets B and C in different AWS Regions. You want to replicate objects from bucket A to both bucket B and C. How would you achieve this?
- Configure replication from bucket A to bucket B, then from bucket A to bucket C
- Configure replication from bucket A to bucket B, then from bucket B to bucket C
- Configure replication from bucket A to bucket C, then from bucket C to bucket B
Configure replication from bucket A to bucket B, then from bucket A to bucket C
Which of the following is NOT a Glacier Deep Archive retrieval mode?
- Expedited (1-5 minutes)
- Standard (12 hours)
- Bulk (48hs)
Expedited (1-5 minutes)
Which of the following is NOT a Glacier Flexible retrieval mode?
- Instant (10 seconds)
- Expedited (1-5 minutes)
- Standard (3-5 hours)
- Bulk (5-12 hours)
Instant (10 seconds)
How can you be notified when there’s an object uploaded to your S3 bucket?
- S3 Select
- S3 Access Logs
- S3 Event Notifications
- S3 Analytics
S3 Event Notifications
You have an S3 bucket that has S3 Versioning enabled. This S3 bucket has a lot of objects, and you would like to remove old object versions to reduce costs. What’s the best approach to automate the deletion of these old object versions?
- S3 Lifecycle Rules - Transition Actions
- S3 Lifecycle Rules - Expiration Actions
- S3 Access Logs
S3 Lifecycle Rules - Expiration Actions
How can you automate the transition of S3 objects between their different tiers?
- AWS Lambda
- CloudWatch Events
- S3 Lifecycle Rules
S3 Lifecycle Rules
While you’re uploading large files to an S3 bucket using Multi-part Upload, there are a lot of unfinished parts stored in the S3 bucket due to network issues. You are not using these unfinished parts and they cost you money. What is the best approach to remove these unfinished parts?
- Use AWS Lambda to loop on each old/unfinished part and delete them
- Request AWS Support to help you delete old/unfinished parts
- Use an S3 Lifecycle Policy to automate old/unfinished parts deletion
Use an S3 Lifecycle Policy to automate old/unfinished parts deletion
You are looking to get recommendations for S3 Lifecycle Rules. How can you analyze the optimal number of days to move objects between different storage tiers?
- S3 Inventory
- S3 Analytics
- S3 Lifecycle Rules Advisor
S3 Analytics
You are looking to build an index of your files in S3, using Amazon RDS PostgreSQL. To build this index, it is necessary to read the first 250 bytes of each object in S3, which contains some metadata about the content of the file itself. There are over 100,000 files in your S3 bucket, amounting to 50 TB of data. How can you build this index efficiently?
- Use RDS Import feature to load the data form S3 to PostgreSQL, and run a SQL query to build the index
- Create an application that will traverse the S3 bucket, read all the files one by one, extract the first 250 bytes, and store that information in RDS
- Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS
- Create an application that will traverse the S3 bucket, use S3 Select to get the first 250 bytes, and store that information in RDS
Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS
You have a large dataset stored on-premises that you want to upload to the S3 bucket. The dataset is divided into 10 GB files. You have good bandwidth but your Internet connection isn’t stable. What is the best way to upload this dataset to S3 and ensure that the process is fast and avoid any problems with the Internet connection?
- Use Multi-part Upload Only
- Use S3 Select & Use S3 Transfer Acceleration
- Use S3 Multi-part Upload & S3 Transfer Acceleration
Use S3 Multi-part Upload & S3 Transfer Acceleration
You would like to retrieve a subset of your dataset stored in S3 with the .csv format. You would like to retrieve a month of data and only 3 columns out of 10, to minimize compute and network costs. What should you use?
- S3 Analytics
- S3 Access Logs
- S3 Select
- S3 Inventory
S3 Select
A company is preparing for compliance and regulatory review on its infrastructure on AWS. Currently, they have their files stored on S3 buckets that are not encrypted, which must be encrypted as required for compliance and regulatory review. Which S3 feature allows them to encrypt all files in their S3 buckets in the most efficient and cost-effective way?
- S3 Access Points
- S3 Cross-Region Replication
- S3 Batch Operations
- S3 Lifecycle Rules
S3 Batch Operations
Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend him to use ……………………….
- SSE-S3
- SSE-KMS
- SSE-C
- Client-Side Encryption
SSE-C
With SSE-C, the encryption happens in AWS and you have full control over the encryption keys.
A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend them to use ………………..
- SSE-S3
- SSE-KMS
- SSE-C
- Client-Side Encryption
SSE-KMS
With SSE-KMS, the encryption happens in AWS, and the encryption keys are managed by AWS but you have full control over the rotation policy of the encryption key. Encryption keys stored in AWS.
Your company does not trust AWS for the encryption process and wants it to happen on the application. You recommend them to use ………………..
- SSE-S3
- SSE-KMS
- SSE-C
- Client-Side Encryption
Client-Side Encryption
With Client-Side Encryption, you have to do the encryption yourself and you have full control over the encryption keys. You perform the encryption yourself and send the encrypted data to AWS. AWS does not know your encryption keys and cannot decrypt your data.
You have a website that loads files from an S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when a website with a different domain tries to load these files it doesn’t. What’s the problem?
- The Bucket policy is wrong
- The IAM policy is wrong
- CORS is wrong
- Encryption is wrong
CORS is wrong
Cross-Origin Resource Sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. To learn more about CORS, go here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html
An e-commerce company has its customers and orders data stored in an S3 bucket. The company’s CEO wants to generate a report to show the list of customers and the revenue for each customer. Customer data stored in files on the S3 bucket has sensitive information that we don’t want to expose in the report. How do you recommend the report can be created without exposing sensitive information?
- Use S3 Object Lambda to change the objects before they are retrieved by the report generator application
- Create another S3 bucket. Create a lambda function to process each file, remove the sensitive information, and then move them to the new S3 bucket
- Use S3 Object Lock to lock the sensitive information from being fetched by the report generator application
Use S3 Object Lambda to change the objects before they are retrieved by the report generator application
You suspect that some of your employees try to access files in an S3 bucket that they don’t have access to. How can you verify this is indeed the case without them noticing?
- Enable S3 Access Logs and analyze them using Athena
- Restrict their IAM policies and look at CloudTrail logs
- Use a bucket policy
Enable S3 Access Logs and analyze them using Athena
S3 Access Logs log all the requests made to S3 buckets and Amazon Athena can then be used to run serverless analytics on top of the log files.
You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?
- S3 CORS
- S3 Pre-Signed URL
- S3 Bucket Policies
S3 Pre-Signed URL
S3 Pre-Signed URLs are temporary URLs that you generate to grant time-limited access to some actions in your S3 bucket.
For compliance reasons, your company has a policy mandate that database backups must be retained for 4 years. It shouldn’t be possible to erase them. What do you recommend?
- Glacier Vaults with Vault Lock Policies
- EFS network drives with restrictive Linux Permissions
- S3 with Bucket Policies
Glacier Vaults with Vault Lock Policies
You would like all your files in an S3 bucket to be encrypted by default. What is the optimal way of achieving this?
- Use a bucket policy that forces HTTPS connections
- Do nothing, Amazon S3 automatically encrypts new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)
- Enable Versioning
Do nothing, Amazon S3 automatically encrypts new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)
You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions?
- Use a bucket policy
- Enable MFA Delete
- Encrypt the files
- Disable Versioning
Enable MFA Delete
MFA Delete forces users to use MFA codes before deleting S3 objects. It’s an extra level of security to prevent accidental deletions.
A company has its data and files stored on some S3 buckets. Some of these files need to be kept for a predefined period of time and protected from being overwritten and deletion according to company compliance policy. Which S3 feature helps you in doing this?
- S3 Object Lock - Retention Governance Mode
- S3 Versioning
- S3 Object Lock - Retention Compliance Mode
- S3 Glacier Vault Lock
S3 Object Lock - Retention Compliance Mode
Which of the following S3 Object Lock configuration allows you to prevent an object or its versions from being overwritten or deleted indefinitely and gives you the ability to remove it manually?
- Retention Governance Mode
- Retention Compliance Mode
- Legal Hold
Legal Hold
You have a CloudFront Distribution that serves your website hosted on a fleet of EC2 instances behind an Application Load Balancer. All your clients are from the United States, but you found that some malicious requests are coming from other countries. What should you do to only allow users from the US and block other countries?
- Use CloudFront Geo Restriction
- Use Origin Access Control
- Set up a security group and attach it to your CloudFront Distribution
- Use a Route 53 Latency record and attach it to CloudFront
Use CloudFront Geo Restriction
You have a static website hosted on an S3 bucket. You have created a CloudFront Distribution that points to your S3 bucket to better serve your requests and improve performance. After a while, you noticed that users can still access your website directly from the S3 bucket. You want to enforce users to access the website only through CloudFront. How would you achieve that?
- Send an email to your clients and tell them not to use the S3 endpoint
- Configure your Cloudfront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution
- Use S3 Access Points to redirect clients to CloudFront
Configure your Cloudfront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution
What does this S3 bucket policy do?
{
"Version": "2012-10-17",
"Id": "Mystery policy",
"Statement": [{
"Sid": "What could it be?",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
}
}
}]
}
- Forces
GetObjectrequest to be encrypted if coming from CloudFront - Only allows the S3 bucket content to be accessed from your CloudFront Distribution
- Only allows
GetObjecttype of request on the S3 bucket from anybody
Only allows the S3 bucket content to be accessed from your CloudFront Distribution
A WordPress website is hosted in a set of EC2 instances in an EC2 Auto Scaling Group and fronted by a CloudFront Distribution which is configured to cache the content for 3 days. You have released a new version of the website and want to release it immediately to production without waiting for 3 days for the cached content to be expired. What is the easiest and most efficient way to solve this?
- Open a support ticket with AWS Support to remove the CloudFront Cache
- CloudFront Cache Invalidation
- EC2 Cache Invalidation
CloudFront Cache Invalidation
A company is deploying a media-sharing website to AWS. They are going to use CloudFront to deliver the content with low latency to their customers where they are located in both US and Europe only. After a while there a huge costs for CloudFront. Which CloudFront feature allows you to decrease costs by targeting only US and Europe?
- CloudFront Cache Invalidation
- CloudFront Price Classes
- CloudFront Cache Behavior
- Origin Access Control
CloudFront Price Classes
A company is migrating a web application to AWS Cloud and they are going to use a set of EC2 instances in an EC2 Auto Scaling Group. The web application is made of multiple components so they will need a host-based routing feature to route to specific web application components. This web application is used by many customers and therefore the web application must have a static IP address so it can be whitelisted by the customers’ firewalls. As the customers are distributed around the world, the web application must also provide low latency to all customers. Which AWS service can help you to assign a static IP address and provide low latency across the globe?
- AWS Global Accelerator + Application Load Balancer
- Amazon CloudFront
- Network Load Balancer
- Application Load Balancer
AWS Global Accelerator + Application Load Balancer
You need to move hundreds of Terabytes into Amazon S3, then process the data using a fleet of EC2 instances. You have a 1 Gbit/s broadband. You would like to move the data faster and possibly processing it while in transit. What do you recommend?
- Use your network
- Use Snowcone
- Use AWS Data Migration
- Use Snowball Edge
Use Snowball Edge
Snowball Edge is the right answer as it comes with computing capabilities and allows you to pre-process the data while it’s being moved into Snowball.
You want to expose virtually infinite storage for your tape backups. You want to keep the same software you’re using and want an iSCSI compatible interface. What do you use?
- AWS Snowball
- AWS Storage Gateway - Tape Gateway
- AWS Storage Gateway - Volume Gateway
- AWS Storage Gateway - S3 File Gateway
AWS Storage Gateway - Tape Gateway
Your EC2 Windows Servers need to share some data by having a Network File System mounted on them which respects the Windows security mechanisms and has integration with Microsoft Active Directory. What do you recommend?
- Amazon FSx for Windows (File Server)
- Amazon EFS
- Amazon FSx for Lustre
- S3 File Gateway
Amazon FSx for Windows (File Server)
You have hundreds of Terabytes that you want to migrate to AWS S3 as soon as possible. You tried to use your network bandwidth and it will take around 3 weeks to complete the upload process. What is the recommended approach to using in this situation?
- AWS Storage Gateway - Volume Gateway
- S3 Multi-part Upload
- AWS Snowball Edge
- AWS Data Migration Service
AWS Snowball Edge
You have a large dataset stored in S3 that you want to access from on-premises servers using the NFS or SMB protocol. Also, you want to authenticate access to these files through on-premises Microsoft AD. What would you use?
- AWS Storage Gateway - Volume Gateway
- AWS Storage Gateway - S3 File Gateway
- AWS Storage Gateway - Tape Gateway
- AWS Data Migration Service
AWS Storage Gateway - S3 File Gateway
You are planning to migrate your company’s infrastructure from on-premises to AWS Cloud. You have an on-premises Microsoft Windows File Server that you want to migrate. What is the most suitable AWS service you can use?
- Amazon FSx for Windows (File Server)
- AWS Storage Gateway - S3 File Gateway
- AWS Managed Microsoft AD
Amazon FSx for Windows (File Server)
You would like to have a distributed POSIX compliant file system that will allow you to maximize the IOPS in order to perform some High-Performance Computing (HPC) and genomics computational research. This file system has to easily scale to millions of IOPS. What do you recommend?
- EFS with Max. IO enabled
- Amazon FSx for Lustre
- Amazon S3 mounted on the EC2 instances
- EC2 Instance Store
Amazon FSx for Lustre
Which deployment option in the FSx file system provides you with long-term storage that’s replicated within AZ?
- Scratch File System
- Persistent File System
Persistent File System
Provides long-term storage where data is replicated within the same AZ. Failed files were replaced within minutes.
Which of the following protocols is NOT supported by AWS Transfer Family?
- File Transfer Protocol (FTP)
- File Transfer Protocol over SSL (FTPS)
- Transport Layer Security (SSL)
- Secure File Transfer Protocol (SFTP)
Transport Layer Security (SSL)
AWS Transfer Family is a managed service for file transfers into and out of S3 or EFS using the FTP protocol, thus TLS is not supported.
A company uses a lot of files and data which is stored in an FSx for Windows File Server storage on AWS. Those files are currently used by the resources hosted on AWS. There’s a requirement for those files to be accessed on-premises with low latency. Which AWS service can help you achieve this?
- S3 File Gateway
- FSx for Windows File Server On-Premises
- FSx File Gateway
- Volume Gateway
FSx File Gateway
A Solutions Architect is working on planning the migration of a startup company from on-premises to AWS. Currently, their infrastructure consists of many servers and 30 TB of data hosted on a shared NFS storage. He has decided to use Amazon S3 to host the data. Which AWS service can efficiently migrate the data from on-premises to S3?
- AWS Storage Tape Gateway
- Amazon EBS
- AWS Transfer Family
- AWS DataSync
AWS DataSync
Which AWS service is best suited to migrate a large amount of data from an S3 bucket to an EFS file system?
- AWS Snowball
- AWS DataSync
- AWS Transfer Family
- AWS Backup
AWS DataSync
A Machine Learning company is working on a set of datasets that are hosted on S3 buckets. The company decided to release those datasets to the public to be useful for others in their research, but they don’t want to configure the S3 bucket to be public. And those datasets should be exposed over the FTP protocol. What can they do to do the requirement efficiently and with the least effort?
- Use AWS Transfer Family
- Create an EC2 instance with an FTP server installed then copy the data from the S3 to the EC2 instance
- Use AWS Storage Gateway
- Copy the data from S3 to an EFS file system, then expose them over the FTP protocol
Use AWS Transfer Family
Amazon FSx for NetApp ONTAP is compatible with the following protocols, EXCEPT ………………
- NFS
- SMB
- FTP
- iSCI
FTP
Which AWS service is best suited when migrating from an on-premises ZFS file system to AWS?
- Amazon FSx for OpenZFS
- Amazon FSx for NetApp ONTAP
- Amazon FSx for Windows File Server
- Amazon FSx for Luster
Amazon FSx for OpenZFS
A company is running Amazon S3 File Gateway to host their data on S3 buckets and is able to mount them on-premises using SMB. The data currently is hosted on S3 Standard storage class and there is a requirement to reduce the costs for S3. So, they have decided to migrate some of those data to S3 Glacier. What is the most efficient way they can use to move the data to S3 Glacier automatically?
- Create a Lambda function to migrate data to S3 Glacier and periodically trigger it every day using Amazon EventBridge
- Use S3 Batch Operations to loop through S3 files and move them to S3 Glacier every day
- Use S3 Lifecycle Policy
- Use AWS DataSync to replicate data to Glacier every day
- Configure S3 File Gateway to send the data to S3 Glacier directly
Use S3 Lifecycle Policy
You have on-premises sensitive files and documents that you want to regularly synchronize to AWS to keep another copy. Which AWS service can help you with that?
- AWS Database Migration Service
- Amazon EFS
- AWS DataSync
AWS DataSync
AWS DataSync is an online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services.
You have an e-commerce website and you are preparing for Black Friday which is the biggest sale of the year. You expect that your traffic will increase by 100x. Your website already using an SQS Standard Queue, and you’re running a fleet of EC2 instances in an Auto Scaling Group to consume SQS messages. What should you do to prepare your SQS Queue?
- Contact AWS Support to pre-warm your SQS Standard Queue
- Enable Auto Scaling in your SQS Queue
- Increase the capacity of the SQS Queue
- Do nothing, SQS Scales automatically
Do nothing, SQS Scales automatically
You have an SQS Queue where each consumer polls 10 messages at a time and finishes processing them in 1 minute. After a while, you noticed that the same SQS messages are received by different consumers resulting in your messages being processed more than once. What should you do to resolve this issue?
- Enable Long Polling
- Add DelaySeconds parameter to the messages while being produced
- Increase the Visibility Timeout
- Decrease the Visibility Timeout
Increase the Visibility Timeout
SQS Visibility Timeout is a period of time during which Amazon SQS prevents other consumers from receiving and processing the message again. In Visibility Timeout, a message is hidden only after it is consumed from the queue. Increasing the Visibility Timeout gives more time to the consumer to process the message and prevent duplicate reading of the message. (default: 30 sec., min.: 0 sec., max.: 12 hours)
Which SQS Queue type allows your messages to be processed exactly once and in order?
- SQS Standard Queue
- SQS Dead Letter Queue
- SQS Delay Queue
- SQS FIFO Queue
SQS FIFO Queue
SQS FIFO (First-In-First-Out) Queues have all the capabilities of the SQS Standard Queue, plus the following two features. First, The order in which messages are sent and received are strictly preserved and a message is delivered once and remains available until a consumer process and deletes it. Second, duplicated messages are not introduced into the queue.
You have 3 different applications that you’d like to send them the same message. All 3 applications are using SQS. What is the best approach would you choose?
- Use SQS Replication Feature
- Use SNS + SQS Fan Out Pattern
- Send messages individually to 3 SQS queues
Use SNS + SQS Fan Out Pattern
This is a common pattern where only one message is sent to the SNS topic and then “fan-out” to multiple SQS queues. This approach has the following features: it’s fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.
You have a Kinesis data stream with 6 shards provisioned. This data stream usually receiving 5 MB/s of data and sending out 8 MB/s. Occasionally, your traffic spikes up to 2x and you get a ProvisionedThroughputExceeded exception. What should you do to resolve the issue?
- Add more Shards
- Enable Kinesis Replication
- Use SQS as a buffer to Kinesis
Add more Shards
The capacity limits of a Kinesis data stream are defined by the number of shards within the data stream. The limits can be exceeded by either data throughput or the number of reading data calls. Each shard allows for 1 MB/s incoming data and 2 MB/s outgoing data. You should increase the number of shards within your data stream to provide enough capacity.
You have a website where you want to analyze clickstream data such as the sequence of clicks a user makes, the amount of time a user spends, and where the navigation begins and how it ends. You decided to use Amazon Kinesis, so you have configured the website to send these clickstream data all the way to a Kinesis data stream. While you checking the data sent to your Kinesis data stream, you found that the users’ data is not ordered and the data for one individual user is spread across many shards. How would you fix this problem?
- There are too many shards, you should use only 1 shard
- You shouldn’t use multiple consumers, only one and it should re-order data
- For each record sent to Kinesis add a partition key that represents the identity of the user
For each record sent to Kinesis add a partition key that represents the identity of the user
Kinesis Data Stream uses the partition key associated with each data record to determine which shard a given data record belongs to. When you use the identity of each user as the partition key, this ensures the data for each user is ordered hence sent to the same shard.
You are running an application that produces a large amount of real-time data that you want to load into S3 and Redshift. Also, these data need to be transformed before being delivered to their destination. What is the best architecture would you choose?
- SQS + AWS Lambda
- SNS + HTTP Endpoint
- Kinesis Data Streams + Kinesis Data Firehose
Kinesis Data Streams + Kinesis Data Firehose
This is a perfect combo of technology for loading data near real-time data into S3 and Redshift. Kinesis Data Firehose supports custom data transformations using AWS Lambda.
Which of the following is NOT a supported subscriber for AWS SNS?
- Amazon Kinesis Data Streams
- Amazon SQS
- HTTP(S) Endpoint
- AWS Lambda
Amazon Kinesis Data Streams
Note: Kinesis Data Firehose is now supported, but not Kinesis Data Streams.
Which AWS service helps you when you want to send email notifications to your users?
- Amazon SQS with AWS Lambda
- Amazon SNS
- Amazon Kinesis
Amazon SNS
You’re running many micro-services applications on-premises and they communicate using a message broker that supports MQTT protocol. You’re planning to migrate these applications to AWS without re-engineering the applications and modifying the code. Which AWS service allows you to get a managed message broker that supports the MQTT protocol?
- Amazon SQS
- Amazon SNS
- Amazon Kinesis
- Amazon MQ
Amazon MQ
Amazon MQ supports industry-standard APIs such as JMS and NMS, and protocols for messaging, including AMQP, STOMP, MQTT, and WebSocket.
An e-commerce company is preparing for a big marketing promotion that will bring millions of transactions. Their website is hosted on EC2 instances in an Auto Scaling Group and they are using Amazon Aurora as their database. The Aurora database has a bottleneck and a lot of transactions have been failed in the last promotion they have made as they had a lot of transaction and the Aurora database wasn’t prepared to handle these too many transactions. What do you recommend to handle those transactions and prevent any failed transactions?
- Use SQS as a buffer to write to Aurora
- Host the website in AWS Fargate instead of EC2 instances
- Migrate Aurora to RDS for SQL Server
Use SQS as a buffer to write to Aurora
A company is using Amazon Kinesis Data Streams to ingest clickstream data and then do some analytical processes on it. There is a campaign in the next few days and the traffic is unpredictable which might grow up to 100x. What Kinesis Data Stream capacity mode do you recommend?
- Provisioned Mode
- On-demand Mode
On-demand Mode
You have multiple Docker-based applications hosted on-premises that you want to migrate to AWS. You don’t want to provision or manage any infrastructure; you just want to run your containers on AWS. Which AWS service should you choose?
- Elastic Container Service (ECS) in EC2 Launch Mode
- Elastic Container Registry (ECR)
- AWS Fargate on ECS
AWS Fargate on ECS
AWS Fargate allows you to run your containers on AWS without managing any servers.
Amazon Elastic Container Service (ECS) has two Launch Types: ……………… and ………………
- Amazon EC2 Launch Type and Fargate Launch Type
- Amazon EC2 Launch Type and EKS Launch Type
- Fargate Launch Type and EKS Launch Type
Amazon EC2 Launch Type and Fargate Launch Type
You have an application hosted on an ECS Cluster (EC2 Launch Type) where you want your ECS tasks to upload files to an S3 bucket. Which IAM Role for your ECS Tasks should you modify?
- EC2 Instance Profile
- ECS Task Role
ECS Task Role
ECS Task Role is the IAM Role used by the ECS task itself. Use when your container wants to call other AWS services like S3, SQS, etc.
You’re planning to migrate a WordPress website running on Docker containers from on-premises to AWS. You have decided to run the application in an ECS Cluster, but you want your docker containers to access the same WordPress website content such as website files, images, videos, etc. What do you recommend to achieve this?
- Mount an EFS Volume
- Mount an EBS Volume
- Use an EC2 Instance Store
Mount an EFS Volume
EFS volume can be shared between different EC2 instances and different ECS Tasks. It can be used as a persistent multi-AZ shared storage for your containers.
You are deploying an application on an ECS Cluster made of EC2 instances. Currently, the cluster is hosting one application that is issuing API calls to DynamoDB successfully. Upon adding a second application, which issues API calls to S3, you are getting authorization issues. What should you do to resolve the problem and ensure proper security?
- Edit the EC2 instance role to add permissions to S3
- Create an IAM task for the new application
- Enable the Fargate mode
- Edit the S3 bucket policy to allow the ECS task
Create an IAM task for the new application
You are migrating your on-premises Docker-based applications to Amazon ECS. You were using Docker Hub Container Image Library as your container image repository. Which is an alternative AWS service which is fully integrated with Amazon ECS?
- AWS Fargate
- Elastic Container Registry (ECR)
- Elastic Kubernetes Service (EKS)
- Amazon EC2
Elastic Container Registry (ECR)
Amazon EKS supports the following node types, EXCEPT ………………..
- Managed Node Groups
- Self-Managed Nodes
- AWS Fargate
- AWS Lambda
AWS Lambda
A developer has a running website and APIs on his local machine using containers and he wants to deploy both of them on AWS. The developer is new to AWS and doesn’t know much about different AWS services. Which of the following AWS services allows the developer to build and deploy the website and the APIs in the easiest way according to AWS best practices?
- AWS App Runner
- EC2 Instances + Application Load Balancer
- Amazon ECS
- AWS Fargate
AWS App Runner
You have created a Lambda function that typically will take around 1 hour to process some data. The code works fine when you run it locally on your machine, but when you invoke the Lambda function it fails with a “timeout” error after 3 seconds. What should you do?
- Configure your Lambda’s timeout to 25 minutes
- Configure your Lambda’s memory to 10 GB
- Run your code somewhere else (e.g. EC2 instance)
Run your code somewhere else (e.g. EC2 instance)
Lambda’s maximum execution time is 15 minutes. You can run your code somewhere else such as an EC2 instance or use Amazon ECS.
Before you create a DynamoDB table, you need to provision the EC2 instance the DynamoDB table will be running on.
- True
- False
False
DynamoDB is serverless with no servers to provision, patch, or manage and no software to install, maintain or operate. It automatically scales tables up and down to adjust for capacity and maintain performance. It provides both provisioned (specify RCU & WCU) and on-demand (pay for what you use) capacity modes.
You have provisioned a DynamoDB table with 10 RCUs and 10 WCUs. A month later you want to increase the RCU to handle more read traffic. What should you do?
- Increase RCU and keep WCU the same
- You need to increase both RCU and WCU
- Increase RCU and decrease WCU
Increase RCU and keep WCU the same
RCU and WCU are decoupled, so you can increase/decrease each value separately.
You have an e-commerce website where you are using DynamoDB as your database. You are about to enter the Christmas sale and you have a few items which are very popular and you expect that they will be read often. Unfortunately, last year due to the huge traffic you had the ProvisionedThroughputExceededException exception. What would you do to prevent this error from happening again?
- Increase the RCU to a very high value
- Create a DAX Cluster
- Migrate the database away from DynamoDB for the time of the sale
Create a DAX Cluster
DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x performance improvement. It caches the most frequently used data, thus offloading the heavy reads on hot keys off your DynamoDB table, hence preventing the “ProvisionedThroughputExceededException” exception.
You have developed a mobile application that uses DynamoDB as its datastore. You want to automate sending welcome emails to new users after they sign up. What is the most efficient way to achieve this?
- Schedule a Lambda function to run every minute using CloudWatch Events, scan the entire table looking for new users
- Enable SNS and DynamoDB integration
- Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails
Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails
DynamoDB Streams allows you to capture a time-ordered sequence of item-level modifications in a DynamoDB table. It’s integrated with AWS Lambda so that you create triggers that automatically respond to events in real-time.
To create a serverless API, you should integrate Amazon API Gateway with ………………….
- EC2 Instance
- Elastic Load Balancing
- AWS Lambda
AWS Lambda
When you are using an Edge-Optimized API Gateway, your API Gateway lives in CloudFront Edge Locations across all AWS Regions.
- False
- True
False
An Edge-Optimized API Gateway is best for geographically distributed clients. API requests are routed to the nearest CloudFront Edge Location which improves latency. The API Gateway still lives in one AWS Region.
You are running an application in production that is leveraging DynamoDB as its datastore and is experiencing smooth sustained usage. There is a need to make the application run in development mode as well, where it will experience the unpredictable volume of requests. What is the most cost-effective solution that you recommend?
- Use Provisioned Capacity Mode with Auto Scaling enabled for both development and production
- Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development
- Use Provisioned Capacity Mode with Auto Scaling enabled for development and use On-Demand Capacity Mode for production
- Use On-Demand Capacity Mode for both Development and Production
Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development
You have an application that is served globally using CloudFront Distribution. You want to authenticate users at the CloudFront Edge Locations instead of authentication requests go all the way to your origins. What should you use to satisfy this requirement?
- Lambda@Edge
- API Gateway
- DynamoDB
- AWS Global Accelerator
Lambda@Edge
Lambda@Edge is a feature of CloudFront that lets you run code closer to your users, which improves performance and reduces latency.
The maximum size of an item in a DynamoDB table is ……………….
- 1MB
- 400KB
- 500KB
- 400MB
400KB
Which AWS service allows you to build Serverless workflows using AWS services (e.g., Lambda) and supports human approval?
- AWS Lambda
- Amazon ECS
- AWS Step Functions
- AWS Storage Gateway
AWS Step Functions
A company has a serverless application on AWS which consists of Lambda, DynamoDB, and Step Functions. In the last month, there are an increase in the number of requests against the application which results in an increase in DynamoDB costs, and requests started to be throttled. After further investigation, it shows that the majority of requests are read requests against some queries in the DynamoDB table. What do you recommend to prevent throttles and reduce costs efficiently?
- Use an EC2 Instance with Redis installed and place it between the Lambda function and the DynamoDB table
- Migrate from DynamoDB to Aurora and use ElastiCache to cache the most requested read data
- Migrate from DynamoDB to S3 and use Cloudfront to cache the most requested read data
- Use DynamoDB Accelerator (DAX) to cache the most requested read data
Use DynamoDB Accelerator (DAX) to cache the most requested read data
You are a DevOps engineer in a football company that has a website that is backed by a DynamoDB table. The table stores viewers’ feedback for football matches. You have been tasked to work with the analytics team to generate reports on the viewers’ feedback. The analytics team wants the data in DynamoDB in json format and hosted in an S3 bucket to start working on it and create the reports. What is the best and most cost-effective way to convert DynamoDB data to json files?
- Select DynamoDB and then select export to S3
- Create a Lambda function to read DynamoDB data, convert them to json files, then store the files in S3 bucket
- Use AWS Transfer Family
- Use AWS DataSync
Select DynamoDB and then select export to S3
A website is currently in the development process and it is going to be hosted on AWS. There is a requirement to store user sessions for users logged in to the website with an automatic expiry and deletion of expired user sessions. Which of the following AWS services are best suited for this use case?
- Store users’ sessions in an S3 bucket and enable S3 Lifecycle Policy
- Store users’ sessions locally in an EC2 instance
- Store users’ sessions in a DynamoDB table and enable TTL
- Store users’ sessions in an EFS File System
Store users’ sessions in a DynamoDB table and enable TTL
You have a mobile application and would like to give your users access to their own personal space in the S3 bucket. How do you achieve that?
- Generate IAM user credentials for each of your application’s users
- Use Amazon Cognito Identity Federation
- Use SAML Identity Federation
- Use a Bucket Policy to make your bucket public
Use Amazon Cognito Identity Federation
Amazon Cognito can be used to federate mobile user accounts and provide them with their own IAM permissions, so they can be able to access their own personal space in the S3 bucket.
You are developing a new web and mobile application that will be hosted on AWS and currently, you are working on developing the login and signup page. The application backend is serverless and you are using Lambda, DynamoDB, and API Gateway. Which of the following is the best and easiest approach to configure the authentication for your backend?
- Store users’ credentials in a DynamoDB table encrypted using KMS
- Store users’ credentials in a S3 bucket encrypted using KMS
- Use Cognito User Pools
- Store users’ credentials in AWS Secrets Manager
Use Cognito User Pools
You are running a mobile application where you want each registered user to upload/download images to/from his own folder in the S3 bucket. Also, you want to give your users to sign-up and sign in using their social media accounts (e.g., Facebook). Which AWS service should you choose?
- AWS Identity and Access Management (IAM)
- AWS IAM Identity center
- Amazon Cognito
- Amazon CloudFront
Amazon Cognito
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.
A startup company plans to run its application on AWS. As a solutions architect, the company hired you to design and implement a fully Serverless REST API. Which technology stack do you recommend?
- API Gateway + AWS Lambda
- Application Load Balancer + EC2
- Elastic Container Service (ECS) + Elastic Block Store
- Amazon CloudFront + S3
API Gateway + AWS Lambda
The following AWS services have an out of the box caching feature, EXCEPT ……………..
- API Gateway
- Lambda
- DynamoDB
Lambda
You have a lot of static files stored in an S3 bucket that you want to distribute globally to your users. Which AWS service should you use?
- S3 Cross-Region Replication
- Amazon CloudFront
- Amazon Route 53
- API Gateway
Amazon CloudFront
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. This is a perfect use case for Amazon CloudFront.
You have created a DynamoDB table in ap-northeast-1 and would like to make it available in eu-west-1, so you decided to create a DynamoDB Global Table. What needs to be enabled first before you create a DynamoDB Global Table?
- DynamoDB Streams
- DynamoDB DAX
- DynamoDB Versioning
- DynamoDB Backups
DynamoDB Streams
DynamoDB Streams enable DynamoDB to get a changelog and use that changelog to replicate data across replica tables in other AWS Regions.
You have configured a Lambda function to run each time an item is added to a DynamoDB table using DynamoDB Streams. The function is meant to insert messages into the SQS queue for further long processing jobs. Each time the Lambda function is invoked, it seems able to read from the DynamoDB Stream but it isn’t able to insert the messages into the SQS queue. What do you think the problem is?
- Lambda can’t be used to insert messages into the SQS queue, use an EC2 instance instead
- The Lambda Execution IAM Role is missing permissions
- The Lambda security group must allow outbound access to SQS
- The SQS security group must be edited to allow AWS Lambda
The Lambda Execution IAM Role is missing permissions
You would like to create an architecture for a micro-services application whose sole purpose is to encode videos stored in an S3 bucket and store the encoded videos back into an S3 bucket. You would like to make this micro-services application reliable and has the ability to retry upon failures. Each video may take over 25 minutes to be processed. The services used in the architecture should be asynchronous and should have the capability to be stopped for a day and resume the next day from the videos that haven’t been encoded yet. Which of the following AWS services would you recommend in this scenario?
- Amazon S3 + AWS Lambda
- Amazon SNS + Amazon EC2
- Amazon SQS + Amazon EC2
- Amazon SQS + AWS Lambda
Amazon SQS + Amazon EC2
Amazon SQS allows you to retain messages for days and process them later, while we can take down our EC2 instances.
You are running a photo-sharing website where your images are downloaded from all over the world. Every month you publish a master pack of beautiful mountain images that are over 15 GB in size. The content is currently hosted on an Elastic File System (EFS) file system and distributed by an Application Load Balancer and a set of EC2 instances. Each month, you are experiencing very high traffic which increases the load on your EC2 instances and increases network costs. What do you recommend to reduce EC2 load and network costs without refactoring your website?
- Hosts the master pack into S3
- Enable Application Load Balancer Caching
- Scale up the EC2 instances
- Create a CloudFront Distribution
Create a CloudFront Distribution
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. Amazon CloudFront can be used in front of an Application Load Balancer.
Which database helps you store relational datasets, with SQL language compatibility and the capability of processing transactions such as insert, update, and delete?
- Amazon DocumentDB
- Amazon RDS
- Amazon DynamoDB
- Amazon ElastiCache
Amazon RDS
Which AWS service provides you with caching capability that is compatible with Redis API?
- Amazon RDS
- Amazon DynamoDB
- Amazon OpenSearch
- Amazon ElastiCache
Amazon ElastiCache
Amazon ElastiCache is a fully managed in-memory data store, compatible with Redis or Memcached.
You want to migrate an on-premises MongoDB NoSQL database to AWS. You don’t want to manage any database servers, so you want to use a managed NoSQL Serverless database, that provides you with high availability, durability, and reliability, and the capability to take your database global. Which database should you choose?
- Amazon RDS
- Amazon DynamoDB
- Amazon DocumentDB
- Amazon Aurora
Amazon DynamoDB
Amazon DynamoDB is a key-value, document, NoSQL database.
You are looking to perform Online Transaction Processing (OLTP). You would like to use a database that has built-in auto-scaling capabilities and provides you with the maximum number of replicas for its underlying storage. What AWS service do you recommend?
- Amazon ElastiCache
- Amazon Neptune
- Amazon Aurora
- Amazon RDS
Amazon Aurora
Amazon Aurora is a MySQL and PostgreSQL-compatible relational database. It features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across 3 AZs.
As a Solutions Architect, a startup company asked you for help as they are working on an architecture for a social media website where users can be friends with each other, and like each other’s posts. The company plan on performing some complicated queries such as “What are the number of likes on the posts that have been posted by the friends of Mike?”. Which database do you recommend?
- Amazon RDS
- Amazon QLDB
- Amazon Neptune
- Amazon OpenSearch
Amazon Neptune
Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.
You have a set of files, 100MB each, that you want to store in a reliable and durable key-value store. Which AWS service do you recommend?
- Amazon Aurora
- Amazon S3
- Amazon DynamoDB
- Amazon ElastiCache
Amazon S3
A company has an on-premises website that uses ReactJS as its frontend, NodeJS as its backend, and MongoDB for the database. There are some issues with the self-hosted MongoDB database as there is a lot of maintenance required and they don’t have and can’t afford the resources or experience to handle those issues. So, a decision was made to migrate the website to AWS. They have decided to host the frontend ReactJS application in an S3 bucket and the NodeJS backend on a set of EC2 instances. Which AWS service can they use to migrate the MongoDB database that provides them with high scalability and availability without making any code changes?
- Amazon ElastiCache
- Amazon DocumentDB
- Amazon RDS for MongoDB
- Amazon Neptune
Amazon DocumentDB
A company using a self-hosted on-premises Apache Cassandra database which they want to migrate to AWS. Which AWS service can they use which provides them with a fully managed, highly available, and scalable Apache Cassandra database?
- Amazon DocumentDB
- Amazon DynamoDB
- Amazon Timestream
- Amazon Keyspaces
Amazon Keyspaces
An online payment company is using AWS to host its infrastructure. Due to the application’s nature, they have a strict requirement to store an accurate record of financial transactions such as credit and debit transactions. Those transactions must be stored in secured, immutable, encrypted storage which can be cryptographically verified. Which AWS service is best suited for this use case?
- Amazon DocumentDB
- Amazon Aurora
- Amazon QLDB
- Amazon Neptune
Amazon QLDB
A startup is working on developing a new project to reduce forest fires due to climate change. The startup is developing sensors that will be spread across the entire forest to make some readings such as temperature, humidity, and pressures which will help detect the forest fires before it happens. They are going to have thousands of sensors that are going to store a lot of readings each second. There is a requirement to store those readings and do fast analytics so they can predict if there is a fire. Which AWS service can they use to store those readings?
- Amazon Timestream
- Amazon Neptune
- Amazon S3
- Amazon ElastiCache
Amazon Timestream
You would like to have a database that is efficient at performing analytical queries on large sets of columnar data. You would like to connect to this Data Warehouse using a reporting and dashboard tool such as Amazon QuickSight. Which AWS technology do you recommend?
- Amazon RDS
- Amazon S3
- Amazon Redshift
- Amazon Neptune
Amazon Redshift
You have a lot of log files stored in an S3 bucket that you want to perform a quick analysis, if possible Serverless, to filter the logs and find users that attempted to make an unauthorized action. Which AWS service allows you to do so?
- Amazon DynamoDB
- Amazon Redshift
- S3 Glacier
- Amazon Athena
Amazon Athena
As a Solutions Architect, you have been instructed you to prepare a disaster recovery plan for a Redshift cluster. What should you do?
- Enable Multi-AZ
- Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region
- Take a snapshot then restore to a Redshift Global Cluster
Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region
Which feature in Redshift forces all COPY and UNLOAD traffic moving between your cluster and data repositories through your VPCs?
- Enhanced VPC Routing
- Improved VPC Routing
- Redshift Spectrum
Enhanced VPC Routing
You are running a gaming website that is using DynamoDB as its data store. Users have been asking for a search feature to find other gamers by name, with partial matches if possible. Which AWS technology do you recommend to implement this feature?
- Amazon DynamoDB
- Amazon Redshift
- Amazon OpenSearch Service
- Amazon Neptune
Amazon OpenSearch Service
An AWS service allows you to create, run, and monitor ETL (extract, transform, and load) jobs in a few clicks.
- AWS Glue
- Amazon Redshift
- Amazon RDS
- Amazon DynamoDB
AWS Glue
A company is using AWS to host its public websites and internal applications. Those different websites and applications generate a lot of logs and traces. There is a requirement to centrally store those logs and efficiently search and analyze those logs in real-time for detection of any errors and if there is a threat. Which AWS service can help them efficiently store and analyze logs?
- Amazon S3
- Amazon OpenSearch Service
- Amazon ElastiCache
- Amazon QLDB
Amazon OpenSearch Service
……………………….. makes it easy and cost-effective for data engineers and analysts to run applications built using open source big data frameworks such as Apache Spark, Hive, or Presto without having to operate or manage clusters.
- AWS Lambda
- Amazon EMR
- Amazon Athena
- Amazon OpenSearch Service
Amazon EMR
An e-commerce company has all its historical data such as orders, customers, revenues, and sales for the previous years hosted on a Redshift cluster. There is a requirement to generate some dashboards and reports indicating the revenues from the previous years and the total sales, so it will be easy to define the requirements for the next year. The DevOps team is assigned to find an AWS service that can help define those dashboards and have native integration with Redshift. Which AWS service is best suited?
- Amazon OpenSearch Service
- Amazon Athena
- Amazon QuickSight
- Amazon EMR
Amazon QuickSight
Which AWS Glue feature allows you to save and track the data that has already been processed during a previous run of a Glue ETL job?
- Glue Job Bookmarks
- Glue Elastic Views
- Glue Streaming ETL
- Glue DataBrew
Glue Job Bookmarks
You are a DevOps engineer in a machine learning company with 3 TB of JSON files stored in an S3 bucket. There’s a requirement to do some analytics on those files using Amazon Athena and you have been tasked to find a way to convert those files’ format from JSON to Apache Parquet. Which AWS service is best suited?
- S3 Object Versioning
- Kinesis Data Streams
- Amazon MSK
- AWS Glue
AWS Glue
You have an on-premises application that is used together with an on-premises Apache Kafka to receive a stream of clickstream events from multiple websites. You have been tasked to migrate this application as soon as possible without any code changes. You decided to host the application on an EC2 instance. What is the best option you recommend to migrate Apache Kafka?
- Kinesis Data Streams
- AWS Glue
- Amazon MSK
- Kinesis Data Analytics
Amazon MSK
You have data stored in RDS, S3 buckets and you are using AWS Lake Formation as a data lake to collect, move and catalog data so you can do some analytics. You have a lot of big data and ML engineers in the company and you want to control access to part of the data as it might contain sensitive information. What can you use?
- Lake Formation Fine-grained Access Control
- Amazon Cognito
- AWS Shield
- S3 Object Lock
Lake Formation Fine-grained Access Control
Which AWS service is most appropriate when you want to perform real-time analytics on streams of data?
- Amazon SQS
- Amazon SNS
- Amazon Kinesis Data Analytics
- Amazon Kinesis Data Firehose
Amazon Kinesis Data Analytics
Use Kinesis Data Analytics with Kinesis Data Streams as the underlying source of data.
You should use Amazon Transcribe to turn text into lifelike speech using deep learning.
- True
- False
False
Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text. Amazon Polly is a service that turns text into lifelike speech.
A company would like to implement a chatbot that will convert speech-to-text and recognize the customers’ intentions. What service should it use?
- Transcribe
- Rekognition
- Connect
- Lex
Lex
Amazon Lex is a service for building conversational interfaces into any application using voice and text. Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions.
Which fully managed service can deliver highly accurate forecasts?
- Personalize
- SageMaker
- Lex
- Forecast
Forecast
Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate forecasts.
You would like to find objects, people, text, or scenes in images and videos. What AWS service should you use?
- Rekognition
- Polly
- Kendra
- Lex
Rekognition
Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use.
A start-up would like to rapidly create customized user experiences. Which AWS service can help?
- Personalize
- Kendra
- Connect
Personalize
Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications.
A research team would like to group articles by topics using Natural Language Processing (NLP). Which service should they use?
- Translate
- Comprehend
- Lex
- Rekognition
Comprehend
Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find meaning and insights in text.
A company would like to convert its documents into different languages, with natural and accurate wording. What should they use?
- Transcribe
- Polly
- Translate
- WordTranslator
Translate
Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation.
A developer would like to build, train, and deploy a machine learning model quickly. Which service can he use?
- SageMaker
- Polly
- Comprehend
- Personalize
SageMaker
Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process to make it easier to develop high quality models.
Which AWS service makes it easy to convert speech-to-text?
- Connect
- Translate
- Transcribe
- Polly
Transcribe
Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text.
Which of the following services is a document search service powered by machine learning?
- Forecast
- Kendra
- Comprehend
- Polly
Kendra
Amazon Kendra is a highly accurate and easy to use enterprise search service that’s powered by machine learning.
A company is managing an image and video sharing platform which is used by customers around the globe. The platform is running on AWS using an S3 bucket to host both images and videos and using CloudFront as the CDN to deliver content to customers all over the world with low latency. In the last couple of months, a lot of customers have complained that they have started to see inappropriate content on the platform which started to increase in the last week. It will be very expensive and time-consuming to manually approve those images and videos by employees before its published on the platform. There is a requirement to find a solution that can automatically detect inappropriate and offensive images and videos and give you the ability to set a minimum confidence threshold for items that will be flagged and allows for manual review. Which AWS service can fit the requirement?
- Amazon Polly
- Amazon Translate
- Amazon Lex
- Amazon Rekognition
Amazon Rekognition
An online medical company that allows you to book an appointment with doctors using through a phone call is using AWS to host their infrastructure. They are using Amazon Connect and Amazon Lex to receive calls and create a workflow, book an appointment, and pay. According to the company’s policy, all calls must be recorded for review. But, there is a requirement to remove any Personally Identifiable Information (PII) from the call before it’s saved. What do you recommend to use which helps in removing PII from calls?
- Amazon Polly
- Amazon Transcribe
- Amazon Rekognition
- Amazon Forecast
Amazon Transcribe
Amazon Polly allows you to turn text into speech. It has two important features. First is ……………….. which allows you to customize the pronunciation of words (e.g., “Amazon EC2” will be “Amazon Elastic Compute Cloud”). The second is ……………….. which allows you to emphasize words, including breathing sounds, whispering, and more.
- Speech Synthesis Markup Language (SSML), Pronunciation Lexicons
- Pronunciation Lexicons, Security Assertion Markup Language (SAML)
- Pronunciation Lexicons, Speech Synthesis Markup Language (SSML)
- Security Assertion Markup Language (SAML), Pronunciation Lexicons
Pronunciation Lexicons, Speech Synthesis Markup Language (SSML)
A medical company is in the process of implementing a solution to detect, extract, and analyze information from unstructured medical text like doctors’ notes, clinical trial reports, and radiology reports. Those documents are uploaded and stored on S3 buckets. According to the company’s regulations, the solution must be designed and implemented to keep patients’ privacy by identifying Protected Health Information (PHI) so the solution will be eligible with HIPAA. Which AWS service should you use?
- Amazon Comprehend Medical
- Amazon Rekognition
- Amazon Polly
- Amazon Translate
Amazon Comprehend Medical
You have an RDS DB instance that’s configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if there’s an Error found in the logs. How would you do that?
- Create a scheduled CloudWatch Event that triggers an AWS Lambda every 1 hour, scans the logs, and notify you through SNS topic
- Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter
- Create an AWS Config Rule that monitors Error in your database logs and notify you through SNS topic
Create a CloudWatch Logs Metric Filter that filters the logs for the keyword Error, then create a CloudWatch Alarm based on that Metric Filter
You have an application hosted on a fleet of EC2 instances managed by an Auto Scaling Group that you configured its minimum capacity to 2. Also, you have created a CloudWatch Alarm that is configured to scale in your ASG when CPU Utilization is below 60%. Currently, your application runs on 2 EC2 instances and has low traffic and the CloudWatch Alarm is in the ALARM state. What will happen?
- One EC2 instance will be terminated and the ASG desired and minimum capacity will go to 1
- The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 Instances in the ASG
- The CloudWatch Alarm will be detached from my ASG
- The CloudWatch Alarm will go in OK state
The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 Instances in the ASG
The number of EC2 instances in an ASG can not go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.
How would you monitor your EC2 instance memory usage in CloudWatch?
- Enable EC2 Detailed Monitoring
- By default, the EC2 instance pushed memory usage to CloudWatch
- Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch
Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch
You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use?
- Amazon CloudWatch
- AWS CloudTrail
Amazon CloudWatch
Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications’ performance and metrics.
Someone has terminated an EC2 instance in your AWS account last week, which was hosting a critical database that contains sensitive data. Which AWS service helps you find who did that and when?
- CloudWatch Metrics
- CloudWatch Alarms
- CloudWatch Events
- AWS CloudTrail
AWS CloudTrail
AWS CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. It provides the event history of your AWS account activity, audit API calls made through the AWS Management Console, AWS SDKs, AWS CLI. So, the EC2 instance termination API call will appear here. You can use CloudTrail to detect unusual activity in your AWS accounts.
You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account?
- CloudTrail Data Events
- CloudTrail Insights
- CloudTrail Management Events
CloudTrail Insights
One of your teammates terminated an EC2 instance 4 months ago which has critical data. You don’t know who made this so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to the S3 bucket. What should you do to find out who made this?
- Use CloudTrail Event History in CloudTrail Console
- Analyze CloudTrail logs in S3 bucket using Amazon Athena
Analyze CloudTrail logs in S3 bucket using Amazon Athena
You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.
You are running a website on a fleet of EC2 instances with OS that has a known vulnerability on port 84. You want to continuously monitor your EC2 instances if they have port 84 exposed. How should you do this?
- Setup CloudWatch Metrics
- Setup CloudTrail Trails
- Setup Config Rules
- Schedule a CloudWatch Event to trigger a Lambda function to scan your EC2 instances
Setup Config Rules
You would like to evaluate the compliance of your resource’s configurations over time. Which AWS service will you choose?
- AWS Config
- Amazon CloudWatch
- AWS CloudTrail
AWS Config
Someone changed the configuration of a resource and made it non-compliant. Which AWS service is responsible for logging who made modifications to resources?
- Amazon CloudWatch
- AWS CloudTrail
- AWS Config
AWS CloudTrail
You have enabled AWS Config to monitor Security Groups if there’s unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state?
- AWS Config Remediations
- AWS Config Rules
- AWS Config Notifications
AWS Config Remediations
You are running a critical website on a set of EC2 instances with a tightened Security Group that has restricted SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modified your EC2 instances’ Security Group. Which AWS Config feature helps you do this?
- AWS Config Remediations
- AWS Config Rules
- AWS Config Notifications
AWS Config Notifications
…………………………. is a CloudWatch feature that allows you to send CloudWatch metrics in near real-time to S3 bucket (through Kinesis Data Firehose) and 3rd party destinations (e.g., Splunk, Datadog, …).
- CloudWatch Metric Stream
- CloudWatch Log Stream
- CloudWatch Metric Filter
- CloudWatch Log Group
CloudWatch Metric Stream
A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the main application for the company which was not normal in this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect if this is normal traffic or an attack, the DevOps engineer enabled the VPC Flow Logs for the subnets and stored those logs in CloudWatch Log Group. The DevOps wants to analyze those logs and find out the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer to analyze those logs?
- CloudWatch Metric Stream
- CloudWatch Alarm
- CloudWatch Contributor Insights
- CloudWatch Metric Filter
CloudWatch Contributor Insights
A company is developing a Serverless application on AWS using Lambda, DynamoDB, and Cognito. A junior developer joined a few weeks ago and accidentally deleted one of the DynamoDB tables in the dev AWS account which contained important data. The CTO asks you to prevent this from happening again and there must be a notification system to monitor if there is an attempt to make such deletion actions for the DynamoDB tables. What would you do?
- Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through S3 and send a notification using KMS
- Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS
- Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through S3 and send a notification using SNS
Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any DeleteTable API calls through CloudTrail and send a notification using SNS
A company has a running Serverless application on AWS which uses EventBridge as an inter-communication channel between different services within the application. There is a requirement to use the events in the prod environment in the dev environment to make some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later?
- Use EventBridge Archive and Replay feature
- Create a Lambda function to store the EventBridge events in an S3 bucket for later usage
- Configure EventBridge to store events in a DynamoDB Table
Use EventBridge Archive and Replay feature
You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up?
- Provide the Dev team with a completely independent AWS account
- Apply a global IAM policy on your Prod account
- Create an AWS Organization and create two Prod and Dev OUs, then Apply a SCP on the Prod OU
- Create an AWS Config Rule
Create an AWS Organization and create two Prod and Dev OUs, then Apply a SCP on the Prod OU
You are managing the AWS account for your company, and you want to give one of the developers access to read files from an S3 bucket. You have updated the bucket policy to this, but he still can’t access the files in the bucket. What is the problem?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowsRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/Dave"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::static-files-bucket-xxx"
}]
}
- Everything is okay, he just needs to logout and login again
- The bucket does not contain any files yet
- You should change the resource to
arn:aws:s3:::static-files-bucket-xxx/*, because this is an object-level permission
You should change the resource to arn:aws:s3:::static-files-bucket-xxx/*, because this is an object-level permission
You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that?
- Using IAM Roles
- Using AWS Organizations SCP
- Using AWS Config
Using AWS Organizations SCP
Which of the following IAM condition keys can you use to only allow API calls to a specified AWS region?
- aws:RequiredRegion
- aws:SourceRegion
- aws:InitialRegion
- aws:RequestedRegion
aws:RequestedRegion
When configuring permissions for EventBridge to configure a Lambda function as a target you should use ………………….. but when you want to configure a Kinesis Data Streams as a target you should use …………………..
- Identity-Based Policy, Resource-based Policy
- Resource-based Policy, Identity-Based Policy
- Identity-Based Policy, Identity-Based Policy
- Resource-based Policy, Resource-based Policy
Resource-based Policy, Identity-Based Policy
To enable In-flight Encryption (In-Transit Encryption), we need to have ……………………
- an HTTP endpoint with an SSL certificate
- an HTTPS endpoint with an SSL certificate
- a TCP endpoiont
an HTTPS endpoint with an SSL certificate
In-flight Encryption = HTTPS, and HTTPS can not be enabled without an SSL certificate.
Server-Side Encryption means that the data is sent encrypted to the server.
- True
- False
False
Server-Side Encryption means the server will encrypt the data for us. We don’t need to encrypt it beforehand.
In Server-Side Encryption, where do the encryption and decryption happen?
- Both Encryption and Decryption happen on the server
- Both Encryption and Decryption happen on the client
- Encryption happens on the server and Decryption happens on the client
- Encryption happens on the client and Decryption happens on the server
Both Encryption and Decryption happen on the server
In Server-Side Encryption, we can’t do encryption/decryption ourselves as we don’t have access to the corresponding encryption key.
In Client-Side Encryption, the server must know our encryption scheme before we can upload the data.
- False
- True
False
With Client-Side Encryption, the server doesn’t need to know any information about the encryption scheme being used, as the server will not perform any encryption or decryption operations.
You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS …
- True
- False
False
You can use the AWS Managed Service keys in KMS, therefore we don’t need to create our own KMS keys.
AWS KMS supports both symmetric and asymmetric KMS keys.
- True
- False
True
KMS keys can be symmetric or asymmetric. A symmetric KMS key represents a 256-bit key used for encryption and decryption. An asymmetric KMS key represents an RSA key pair used for encryption and decryption or signing and verification, but not both. Or it represents an elliptic curve (ECC) key pair used for signing and verification.
When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ……………..
- 90 days
- 1 year
- 2 years
- 3 years
1 year
You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can’t use it. How would you solve this problem?
- The other AWS account needs to logout and login again to refresh its credentials
- You need to share the KMS CMK used to encrypt the AMI with the other AWS account
- You can’t share the AMI that has an encrypted EBS snapshot
You need to share the KMS CMK used to encrypt the AMI with the other AWS account
You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 3 months. What should you do?
- Re-configure your KMS CMK and enable Automatic Rotation, in the “Period” select 3 months
- Use AWS Managed Keys as they are automatically rotated by AWS every 3 months
- Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data
Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data
What should you use to control access to your KMS CMKs?
- KMS Key Policies
- KMS IAM Policy
- AWS GuardDuty
- KMS Access Control List (KMS ACL)
KMS Key Policies
You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure?
- Embed it in the code
- Have it as a plaintext environment variable
- Have it as an encrypted environment variable and decrypt it at runtime
Have it as an encrypted environment variable and decrypt it at runtime
This is the most secure solution amongst these options.
You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use?
- AWS KMS Versioning feature
- SSM Parameter Store
- Amazon S3
SSM Parameter Store
SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter’s history.
AWS Shield Advanced
You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What’s the best place to store them to maintain control and version history?
- Amazon DynamoDB
- Amazon S3
- Amazon EBS
- SSM Parameter Store
SSM Parameter Store
AWS GuardDuty scans the following data sources, EXCEPT …………….
- CloudTrail Logs
- VPC Flow Logs
- DNS Logs
- CloudWatch Logs
CloudWatch Logs
You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)?
- AWS Shield
- AWS WAF
- AWS Security Hub
- AWS GuardDuty
AWS WAF
You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use?
- AWS Shield
- Amazon GuardDuty
- Amazon Inspector
- AWS Config
Amazon Inspector
What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation?
- AWS Secrets Manager
- AWS KMS
- AWS SSM Parameter Store
AWS Secrets Manager
Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization?
- AWS Shield
- AWS GuardDuty
- AWS Config
- AWS Firewall Manager
AWS Firewall Manager
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.
Which AWS service helps you protect your sensitive data stored in S3 buckets?
- Amazon GuardDuty
- Amazon Shield
- Amazon Macie
- AWS KMS
Amazon Macie
Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).
An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature is required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this?
- Using Aurora Client-side Encryption and KMS Multi-region Keys
- Using Lambda Client-side Encryption and KMS Multi-region Keys
- Using Aurora Client-side Encryption and CloudHSM
- Using Lambda Client-side Encryption and CloudHSM
Using Aurora Client-side Encryption and KMS Multi-region Keys
You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work?
- This is not a supported feature
- You have to raise a support ticket for AWS to start this replication process for you
- You have to configure permissions for both Source KMS Key kms:Decrypt and Target KMS Key kms:Encrypt to be used by the S3 Replication Service
- The source KMS Key and the target KMS key must be the same
You have to configure permissions for both Source KMS Key kms:Decrypt and Target KMS Key kms:Encrypt to be used by the S3 Replication Service
You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one?
- Configure ACM to send notifications by linking it to 3rd party certificate provides LetsEncrypt
- Configure EventBridge for Daily Expiration Events for ACM to invoke SNS notifications to your email
- Configure EventBridge Monthly Expiration Events from ACM to invoke SNS notifications to your email
- Configure CloudWatch Alarms for Daily Expiration Events from ACM to invoke SNS notifications to your email
Configure EventBridge for Daily Expiration Events for ACM to invoke SNS notifications to your email
You have created the main Edge-Optimized API Gateway in us-west-2 AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in ap-southeast-1. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in?
- us-east-1
- us-west-2
- ap-southeast-1
- Both us-east-1 and us-west-2 works
us-east-1
As the Edge-Optimized API Gateway is using a custom AWS managed CloudFront distribution behind the scene to route requests across the globe through CloudFront Edge locations, the ACM certificate must be created in us-east-1.
You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so?
- AWS GuardDuty
- Amazon Shield
- Amazon Inspector
- AWS Firewall Manager
AWS Firewall Manager
What does this CIDR 10.0.4.0/28 correspond to?
- 10.0.4.0 to 10.0.4.15
- 10.0.4.0 to 10.0.32.0
- 10.0.4.0 to 10.0.4.28
- 10.0.0.0 to 10.0.16.0
10.0.4.0 to 10.0.4.15
/28 means 16 IPs (=2^(32-28) = 2^4), means only the last digit can change.
You have a corporate network of size 10.0.0.0/8 and a satellite office of size 192.168.0.0/16. Which CIDR is acceptable for your AWS VPC if you plan on connecting your networks later on?
- 172.16.0.0/12
- 172.16.0.0/16
- 10.0.16.0/16
- 192.168.4.0/18
172.16.0.0/16
CIDR not should overlap, and the max CIDR size in AWS is /16.
You plan on creating a subnet and want it to have at least capacity for 28 EC2 instances. What’s the minimum size you need to have for your subnet?
- /28
- /27
- /26
- /25
/26
Perfect size, 64 IPs.
Security Groups operate at the …………….. level while NACLs operate at the …………….. level.
- EC2 instance, Subnet
- Subnet, EC2 instance
EC2 instance, Subnet
You have attached an Internet Gateway to your VPC, but your EC2 instances still don’t have access to the internet. What is NOT a possible issue?
- Route Tables are missing entries
- The EC2 instances don’t have public IPs
- The Security Group does not allow traffic in
- The NACL does not allow network traffic out
The Security Group does not allow traffic in
Security groups are stateful and if traffic can go out, then it can go back in.
You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?
- NAT Instances with Source/Destination Check flag off
- Egress Only Internet Gateway
- NAT Gateway
NAT Gateway
VPC Peering has been enabled between VPC A and VPC B, and the route tables have been updated for VPC A. But, the EC2 instances cannot communicate. What is the likely issue?
- Check the NACL
- Check the Route Tables in VPC B
- Check the EC2 instance attached Security Groups
- Check if DNS Resolution is enabled
Check the Route Tables in VPC B
Route tables must be updated in both VPCs that are peered.
You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do?
- Enable VPC Peering
- Use a Customer Gateway
- Use a Direct Connect Gateway
- Set up a NAT Gateway
Use a Direct Connect Gateway
This is the main use case of Direct Connect Gateways.
When using VPC Endpoints, what are the only two AWS services that have a Gateway Endpoint available?
- Amazon S3 & Amazon SQS
- Amazon SQS & DynamoDB
- Amazon S3 & DynamoDB
Amazon S3 & DynamoDB
These two services have a VPC Gateway Endpoint (remember it), all the other ones have an Interface endpoint (powered by Private Link - means a private IP).
AWS reserves 5 IP addresses each time you create a new subnet in a VPC. When you create a subnet with CIDR 10.0.0.0/24, the following IP addresses are reserved, EXCEPT ………………..
- 10.0.0.1
- 10.0.0.2
- 10.0.0.3
- 10.0.0.4
10.0.0.4
You have 3 VPCs A, B, and C. You want to establish a VPC Peering connection between all the 3 VPCs. What should you do?
- As VPC Peering supports Transitive Peering, you need to establish 2 VPC Peering connections (A-B, B-C)
- Establish 3 VPC Peering connections (A-B, A-C, B-C)
Establish 3 VPC Peering connections (A-B, A-C, B-C)
How can you capture information about IP traffic inside your VPCs?
- Enable VPC Flow Logs
- Enable VPC Traffic Mirroring
- Enable CloudWatch Traffic Logs
Enable VPC Flow Logs
VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
If you want a 500 Mbps Direct Connect connection between your corporate datacenter to AWS, you would choose a ……………… connection.
- Dedicated
- Hosted
Hosted
Hosted Direct Connect connection supports 50Mbps, 500Mbps, up to 10Gbps.
When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection?
- Customer Gateway and NAT Gateway
- Internet Gateway and Customer Gateway
- Virtual Private Gateway and Internet Gateway
- Virtual Private Gateway and Customer Gateway
Virtual Private Gateway and Customer Gateway
Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connections provider has been recently quite unstable, making your IT architecture partially offline. You would like to create a backup connection that will use the public Internet to link your on-premises sites, that you can failover in case of issues with your provider. What do you recommend?
- VPC Peering
- AWS VPC CloudHub
- Direct Connect
- AWS PrivateLink
AWS VPC CloudHub
AWS VPN CloudHub allows you to securely communicate with multiple sites using AWS VPN. It operates on a simple hub-and-spoke model that you can use with or without a VPC.
You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?
- Site-to-Site VPN
- AWS PrivateLink
- AWS Direct Connect
- Amazon EventBridge
AWS Direct Connect
Using a Direct Connect connection, you can access both public and private AWS resources.
- True
- False
True
You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel’s maximum limit of 1.25 Gbps. What should you do?
- Use 2 Virtual Private Gateways
- Use Direct Connect Gateway
- Use Transit Gateway
Use Transit Gateway
You have a VPC in your AWS account that runs in a dual-stack mode. You are continuously trying to launch an EC2 instance, but it fails. After further investigation, you have found that you are no longer have IPv4 addresses available. What should you do?
- Modify your VPC to run in IPv6 mode only
- Modify your VPC to run in IPv4 mode only
- Add an additional IPv4 CIDR to your VPC
Add an additional IPv4 CIDR to your VPC
A web application backend is hosted on EC2 instances in private subnets fronted by an Application Load Balancer in public subnets. There is a requirement to give some of the developers access to the backend EC2 instances but without exposing the backend EC2 instances to the Internet. You have created a bastion host EC2 instance in the public subnet and configured the backend EC2 instances Security Group to allow traffic from the bastion host. Which of the following is the best configuration for bastion host Security Group to make it secure?
- Allow traffic only on port 80 from the company’s public CIDR
- Allow traffic only on port 22 from the company’s public CIDR
- Allow traffic only on port 22 from the company’s private CIDR
- Allow traffic only on port 80 from the company’s private CIDR
Allow traffic only on port 22 from the company’s public CIDR
A company has set up a Direct Connect connection between their corporate data center to AWS. There is a requirement to prepare a cost-effective secure backup connection in case there are issues with this Direct Connect connection. What is the most cost effective and secure solution you recommend?
- Setup another Direct Connect connection to the same AWS region
- Setup another Direct Connect connection to a different AWS region
- Setup a Site-to-Site VPN connection as a backup
Setup a Site-to-Site VPN connection as a backup
Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7?
- AWS Network Firewall
- Amazon Guard Duty
- Amazon Inspector
- Amazon Shield
AWS Network Firewall
A web application hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed on a VPC with the following CIDR 192.168.0.0/18. How do you configure the EC2 instances’ security group to ensure only the ALB can access them on port 80?
- Add an Inbound Rule with port 80 and 0.0.0.0/0 as the source
- Add an Inbound Rule with port 80 and 192.168.0.0/18 as the source
- Add an Inbound Rule with port 80 and ALB’s Security Group as the source
- Load an SSL certificate on the ALB
Add an Inbound Rule with port 80 and ALB’s Security Group as the source
This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing by security groups in rules is an extremely powerful rule and many questions at the exam rely on it.
As part of your Disaster Recovery plan, you would like to have only the critical infrastructure up and running in AWS. You don’t mind a longer Recovery Time Objective (RTO). Which DR strategy do you recommend?
- Backup and Restore
- Pilot Light
- Warm Standby
- Multi-Site
Pilot Light
If you’re interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
You would like to get the Disaster Recovery strategy with the lowest Recovery Time Objective (RTO) and Recovery Point Objective (RPO), regardless of the cost. Which DR should you choose?
- Backup and Restore
- Pilot Light
- Warm Standby
- Multi-Site
Multi-Site
If you’re interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
Which of the following Disaster Recovery strategies has a potentially high Recovery Point Objective (RPO) and Recovery Time Objective (RTO)?
- Backup and Restore
- Pilot Light
- Warm Standby
- Multi-Site
Backup and Restore
If you’re interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
You want to make a Disaster Recovery plan where you have a scaled-down version of your system up and running, and when a disaster happens, it scales up quickly. Which DR strategy should you choose?
- Backup and Restore
- Pilot Light
- Warm Standby
- Multi-Site
Warm Standby
If you’re interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html
You have an on-premises Oracle database that you want to migrate to AWS, specifically to Amazon Aurora. How would you do the migration?
- Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data
- Use AWS Database Migration Service (AWS DMS) to convert the database schema, then use AWS Schema Conversion Tool (AWS SCT) to migrate the data
Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data
AWS DataSync supports the following locations, EXCEPT ………………..
- Amazon S3
- Amazon EBS
- Amazon EFS
- Amazon FSx for Windows File Server
Amazon EBS
You are running many resources in AWS such as EC2 instances, EBS volumes, DynamoDB tables… You want an easy way to manage backups across all these AWS services from a single place. Which AWS offering makes this process easy?
- Amazon S3
- AWS Storage Gateway
- AWS Backup
- EC2 Snapshots
AWS Backup
AWS Backup enables you to centralize and automate data protection across AWS services. It helps you support your regulatory compliance or business policies for data protection.
A company planning to migrate its existing websites, applications, servers, virtual machines, and data to AWS. They want to do a lift-and-shift migration with minimum downtime and reduced costs. Which AWS service can help in this scenario?
- AWS Database Migration Service
- AWS Application Migration Service
- AWS Backup
- AWS Schema Conversion Tool
AWS Application Migration Service
A company is using VMware on its on-premises data center to manage its infrastructure. There is a requirement to extend their data center and infrastructure to AWS but keep using the technology stack they are using which is VMware. Which AWS service can they use?
- VMware Cloud on AWS
- AWS DataSync
- AWS Application Migration Service
- AWS Application Discovery Service
VMware Cloud on AWS
A company is using RDS for MySQL as their main database but, lately they have been facing issues in managing the database, performance issues, and the scalability. And they have decided to use Aurora for MySQL instead for better performance, less complexity and less administrative tasks required. What is the best way and most cost-effective way to migrate from RDS for MySQL to Aurora for MySQL?
- Raise an AWS support ticket to do the migration as it is not supported
- Create a database dump from RDS for MySQL, store it in a S3 bucket, then restore it to Aurora for MySQL
- You can not migrate directly to Aurora for MySQL, you have to create a custom application to insert the data manually
- Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL
Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL
Which AWS service can you use to automate the backup across different AWS services such as RDS, DynamoDB, Aurora, and EFS file systems, and EBS volumes?
- Amazon S3 Lifecycle Policy
- AWS DataSync
- AWS Backup
- Amazon Glacier
AWS Backup
You are working on a Serverless application where you want to process objects uploaded to an S3 bucket. You have configured S3 Events on your S3 bucket to invoke a Lambda function every time an object has been uploaded. You want to ensure that events that can’t be processed are sent to a Dead Letter Queue (DLQ) for further processing. Which AWS service should you use to set up the DLQ?
- S3 Events
- SNS Topic
- Lambda Function
Lambda Function
The Lambda function’s invocation is “asynchronous”, so the DLQ has to be set on the Lambda function side.
As a Solutions Architect, you have created an architecture for a company that includes the following AWS services: CloudFront, Web Application Firewall (AWS WAF), AWS Shield, Application Load Balancer, and EC2 instances managed by an Auto Scaling Group. Sometimes the company receives malicious requests and wants to block these IP addresses. According to your architecture, Where should you do it?
- CloudFront
- AWS WAF
- AWS Shield
- ALB Security Group
- EC2 Security Group
- NACL
AWS WAF
Your EC2 instances are deployed in Cluster Placement Group in order to perform High-Performance Computing (HPC). You would like to maximize network performance between your EC2 instances. What should you use?
- Elastic Fabric Adapter
- Elastic Network Interface
- Elastic Network Adapter
- FSx for Lustre
Elastic Fabric Adapter
Which AWS Service analyzes your AWS account and gives recommendations for cost optimization, performance, security, fault tolerance, and service limits?
- AWS Trusted Advisor
- AWS CloudTrail
- AWS Identity Access Manager (IAM)
- AWS CloudFormation
AWS Trusted Advisor
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. It evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
