Quizzes #2 Flashcards by Santiago Ferraris

What is a proper definition of an IAM Role?
- IAM Users in multiple User Groups
- An IAM entity that defines a password policy for IAM Users
- An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS Service
- Permissions assigned to IAM Users to perform actions

An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS Service

Some AWS services need to perform actions on your behalf. To do so, you assign permissions to AWS services with IAM Roles.

How well did you know this?

Not at all

Perfectly

Which of the following is an IAM Security Tool?
- IAM Credentials Report
- IAM Root Account Manager
- IAM Services Report
- IAM Security Advisor

IAM Credentials Report

IAM Credentials Report lists all your AWS Account’s IAM Users and the status of their various credentials.

How well did you know this?

Not at all

Perfectly

Which answer is INCORRECT regarding IAM Users?
- IAM Users can belong to multiple User Groups
- IAM Users don’t have to belong to a User Group
- IAM Policies can be attached directly to IAM Users
- IAM Users access AWS Services using root account credentials

IAM Users access AWS Services using root account credentials

IAM Users access AWS services using their own credentials (username & password or Access Keys).

How well did you know this?

Not at all

Perfectly

Which of the following is an IAM best practice?
- Create several IAM Users for one physical person
- Don’t use the root user account
- Share your AWS account credentials with your colleague, so (s)he can perform a task for you
- Do not enable MFA for easier access

Don’t use the root user account

Use the root account only to create your first IAM User and a few account/service management tasks. For everyday tasks, use an IAM User.

How well did you know this?

Not at all

Perfectly

What are IAM Policies?
- A set of policies that defines how AWS accounts interact with each other
- JSON document that defines a set of permissions for making requests to AWS services, and can be used by AWS Users, User Groups, and IAM Roles
- A set of policies that define a password for IAM Users
- A set of policies defined by AWS that show how customers interact with AWS

JSON document that defines a set of permissions for making requests to AWS services, and can be used by AWS Users, User Groups, and IAM Roles

How well did you know this?

Not at all

Perfectly

Which principle should you apply regarding IAM Permissions?
- Grant most privilege
- Grant more permissions if your employee asks you to
- Grant least privilege
- Restrict root account permissions

Grant least privilege

Don’t give more permissions than the user needs.

How well did you know this?

Not at all

Perfectly

What should you do to increase your root account security?
- Remove permissions from the root account
- Only access AWS services through AWS Command Line Interface (CLI)
- Don’t create IAM Users, only access your AWS account using the root account
- Enable Multi-Factor Authentication (MFA)

Enable Multi-Factor Authentication (MFA)

When you enable MFA, this adds another layer of security. Even if your password is stolen, lost, or hacked your account is not compromised.

How well did you know this?

Not at all

Perfectly

IAM User Groups can contain IAM Users and other User Groups
- True
- False

False

IAM User Groups can contain only IAM Users.

How well did you know this?

Not at all

Perfectly

An IAM policy consists of one or more statements. A statement in IAM Policy consists of the following, EXCEPT:
- Effect
- Principal
- Version
- Action
- Resource

Version

A statement in an IAM Policy consists of Sid, Effect, Principal, Action, Resource, and Condition. Version is part of the IAM Policy itself, not the statement.

How well did you know this?

Not at all

Perfectly

Which EC2 Purchasing Option can provide you the biggest discount, but it is not suitable for critical jobs or databases?
- Convertible Reserved Instances
- Dedicated Hosts
- Spot Instances

Spot Instances

Spot Instances are good for short workloads and this is the cheapest EC2 Purchasing Option. But, they are less reliable because you can lose your EC2 instance.

How well did you know this?

Not at all

Perfectly

What should you use to control traffic in and out of EC2 instances?
- Network Access Control List (NACL)
- Security Groups
- IAM Policies

Security Groups

Security Groups operate at the EC2 instance level and can control traffic.

How well did you know this?

Not at all

Perfectly

How long can you reserve an EC2 Reserved Instance?
- 1 or 3 years
- 2 or 4 years
- 6 months or 1 year
- Anytime between 1 and 3 years

1 or 3 years

EC2 Reserved Instances can be reserved for 1 or 3 years only.

How well did you know this?

Not at all

Perfectly

You would like to deploy a High-Performance Computing (HPC) application on EC2 instances. Which EC2 instance type should you choose?
- Storage Optimized
- Compute Optimized
- Memory Optimized
- General Purpose

Compute Optimized

Compute Optimized EC2 instances are great for compute-intensive workloads requiring high-performance processors (e.g., batch processing, media transcoding, high-performance computing, scientific modeling & machine learning, and dedicated gaming servers).

How well did you know this?

Not at all

Perfectly

Which EC2 Purchasing Option should you use for an application you plan to run on a server continuously for 1 year?
- Reserved Instances
- Spot Instances
- On-Demand Instances

Reserved Instances

Reserved Instances are good for long workloads. You can reserve EC2 instances for 1 or 3 years.

How well did you know this?

Not at all

Perfectly

You are preparing to launch an application that will be hosted on a set of EC2 instances. This application needs some software installation and some OS packages need to be updated during the first launch. What is the best way to achieve this when you launch the EC2 instances?
- Connect to each EC2 instance using SSH, then install the required software and update your OS packages manually
- Write a bash script that installs the required software and updates to your OS, then contact AWS Support and provice them with the script. They will run it on your EC2 instances at launch
- Write a bash script that installs the required software and updates to your OS, then use this script in EC2 User Data when you launch your EC2 instances

Write a bash script that installs the required software and updates to your OS, then use this script in EC2 User Data when you launch your EC2 instances

EC2 User Data is used to bootstrap your EC2 instances using a bash script. This script can contain commands such as installing software/packages, download files from the Internet, or anything you want.

How well did you know this?

Not at all

Perfectly

Which EC2 Instance Type should you choose for a critical application that uses an in-memory database?
- Compute Optimized
- Storage Optimized
- Memory Optimized
- General Purpose

Memory Optimized

Memory Optimized EC2 instances are great for workloads requiring large data sets in memory.

How well did you know this?

Not at all

Perfectly

Security Groups can be attached to only one EC2 instance.
- True
- False

False

Security Groups can be attached to multiple EC2 instances within the same AWS Region/VPC.

How well did you know this?

Not at all

Perfectly

You have an e-commerce application with an OLTP database hosted on-premises. This application has popularity which results in its database having thousands of requests per second. You want to migrate the database to an EC2 instance. Which EC2 Instance Type should you choose to handle this high-frequency OLTP database?
- Compute Optimized
- Storage Optimized
- Memory Optimized
- General Purpose

Storage Optimized

Storage Optimized EC2 instances are great for workloads requiring high, sequential read/write access to large data sets on local storage.

How well did you know this?

Not at all

Perfectly

You’re planning to migrate on-premises applications to AWS. Your company has strict compliance requirements that require your applications to run on dedicated servers. You also need to use your own server-bound software license to reduce costs. Which EC2 Purchasing Option is suitable for you?
- Convertible Reserved Instances
- Dedicated Hosts
- Spot Instances

Dedicated Hosts

Dedicated Hosts are good for companies with strong compliance needs or for software that have complicated licensing models. This is the most expensive EC2 Purchasing Option available.

How well did you know this?

Not at all

Perfectly

You would like to deploy a database technology on an EC2 instance and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 Purchasing Option allows you to get visibility into them?
- Spot Instances
- On-Demand
- Dedicated Hosts
- Reserved Instances

Dedicated Hosts

How well did you know this?

Not at all

Perfectly

Spot Fleet is a set of Spot Instances and optionally ……………
- Reserved Instances
- On-Demand Instances
- Dedicated Hosts
- Dedicated Instances

On-Demand Instances

Spot Fleet is a set of Spot Instances and optionally On-demand Instances. It allows you to automatically request Spot Instances with the lowest price.

How well did you know this?

Not at all

Perfectly

You have launched an EC2 instance that will host a NodeJS application. After installing all the required software and configured your application, you noted down the EC2 instance public IPv4 so you can access it. Then, you stopped and then started your EC2 instance to complete the application configuration. After restart, you can’t access the EC2 instance, and you found that the EC2 instance public IPv4 has been changed. What should you do to assign a fixed public IPv4 to your EC2 instance?
- Allocate an Elastic IP and assign it to your EC2 instance
- From inside your EC2 instance OS, change network configuration from DHCP to static and assign a public IPv4
- Contact AWS Support and request a fixed public IPv4 to your EC2 instance
- This can’t be done, you can only assign a fixed private IPv4 to your EC2 instance

Allocate an Elastic IP and assign it to your EC2 instance

Elastic IP is a public IPv4 that you own as long as you want and you can attach it to one EC2 instance at a time.

How well did you know this?

Not at all

Perfectly

You have an application performing big data analysis hosted on a fleet of EC2 instances. You want to ensure your EC2 instances have the highest networking performance while communicating with each other. Which EC2 Placement Group should you choose?
- Spread Placement Group
- Cluster Placement Group
- Partition Placement Group

Cluster Placement Group

Cluster Placement Groups place your EC2 instances next to each other which gives you high-performance computing and networking.

How well did you know this?

Not at all

Perfectly

You have a critical application hosted on a fleet of EC2 instances in which you want to achieve maximum availability when there’s an AZ failure. Which EC2 Placement Group should you choose?
- Spread Placement Group
- Cluster Placement Group
- Partition Placement Group

Spread Placement Group

Spread Placement Group places your EC2 instances on different physical hardware across different AZs.

How well did you know this?

Not at all

Perfectly

Elastic Network Interface (ENI) can be attached to EC2 instances in another AZ. - True - False

False ## Footnote Elastic Network Interfaces (ENIs) are bounded to a specific AZ. You can not attach an ENI to an EC2 instance in a different AZ.

The following are true regarding EC2 Hibernate, **EXCEPT**: - EC2 Instance Root Volume must be an Instance Store Volume - Supports On-Demand and Reserved Instances - EC2 Instance RAM must be less than 150GB - EC2 Instance Root Volume type must be an EBS Volume

EC2 Instance Root Volume must be an Instance Store Volume ## Footnote To enable EC2 Hibernate, the EC2 Instance Root Volume type must be an EBS volume and must be encrypted to ensure the protection of sensitive content.

You have just terminated an EC2 instance in `us-east-1a`, and its attached EBS volume is now available. Your teammate tries to attach it to an EC2 instance in `us-east-1b` but he can't. What is a possible cause for this? - He's missing IAM permissions - EBS volumes are locked to an AWS Region - EBS volumes are locked to an Availability Zone

EBS volumes are locked to an Availability Zone ## Footnote EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZs using EBS Snapshots.

You have launched an EC2 instance with two EBS volumes, Root volume type and the other EBS volume type to store the data. A month later you are planning to terminate the EC2 instance. What's the default behavior that will happen to each EBS volume? - Both the Root volume type and the EBS volume type will be deleted - The Root volume type will be deleted and the EBS volume type will not be deleted - The Root volume type will not be deleted and the EBS volume type will be deleted - Both the Root volume type and the EBS volume type will not be deleted

The Root volume type will be deleted and the EBS volume type will not be deleted ## Footnote By default, the Root volume type will be deleted as its "Delete On Termination" attribute checked by default. Any other EBS volume types will not be deleted as its "Delete On Termination" attribute disabled by default.

You can use an AMI in N.Virginia Region `us-east-1` to launch an EC2 instance in any AWS Region. - True - False

False ## Footnote AMIs are built for a specific AWS Region, they're unique for each AWS Region. You can't launch an EC2 instance using an AMI in another AWS Region, but you can copy the AMI to the target AWS Region and then use it to create your EC2 instances.

Which of the following EBS volume types can be used as boot volumes when you create EC2 instances? - `gp2`, `gp3`, `st1`, `sc1` - `gp2`, `gp3`, `io1`, `io2` - `io1`, `io2` `st1`, `sc1`

gp2, gp3, io1, io2 ## Footnote When creating EC2 instances, you can only use the following EBS volume types as boot volumes: gp2, gp3, io1, io2, and Magnetic (Standard).

What is EBS Multi-Attach? - Attach the same EBS volume to multiple EC2 instances in multiple AZs - Attach multiple EBS volumes in the same AZ to the same EC2 instance - Attach the same EBS volume to multiple EC2 instances in the same AZ - Attach multiple EBS volumes in multiple AZs to the same EC2 instance

Attach the same EBS volume to multiple EC2 instances in the same AZ ## Footnote Using EBS Multi-Attach, you can attach the same EBS volume to multiple EC2 instances in the same AZ. Each EC2 instance has full read/write permissions.

You would like to encrypt an unencrypted EBS volume attached to your EC2 instance. What should you do? - Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume - Select your EBS volume, choose Edit Attributes, then tick the Encrypt using KMS option - Create a new encrypted EBS volume, then copy data from your unencrypted EBS volume to the new EBS volume - Submit a request to AWS Support to encrypt your EBS volume

Create an EBS snapshot of your EBS volume. Copy the snapshot and tick the option to encrypt the copied snapshot. Then, use the encrypted snapshot to create a new EBS volume

You have a fleet of EC2 instances distributes across AZs that process a large data set. What do you recommend to make the same data to be accessible as an NFS drive to all of your EC2 instances? - Use EBS - Use EFS - Use an Instance Store

Use EFS ## Footnote EFS is a network file system (NFS) that allows you to mount the same file system on EC2 instances that are in different AZs.

You would like to have a high-performance local cache for your application hosted on an EC2 instance. You don't mind losing the cache upon the termination of your EC2 instance. Which storage mechanism do you recommend as a Solutions Architect? - EBS - EFS - Instance Store

Instance Store ## Footnote EC2 Instance Store provides the best disk I/O performance.

You are running a high-performance database that requires an IOPS of 310,000 for its underlying storage. What do you recommend? - Use an EBS `gp2` drive - Use an EBS `io1` drive - Use an EC2 Instance Store - Use an EBS `io2` Block Express drive

Use an EC2 Instance Store ## Footnote You can run a database on an EC2 instance that uses an Instance Store, but you'll have a problem that the data will be lost if the EC2 instance is stopped (it can be restarted without problems). One solution is that you can set up a replication mechanism on another EC2 instance with an Instance Store to have a standby copy. Another solution is to set up backup mechanisms for your data. It's all up to you how you want to set up your architecture to validate your requirements. In this use case, it's around IOPS, so we have to choose an EC2 Instance Store.

Scaling an EC2 instance from ` r4.large` to `r4.4xlarge` is called ..................... - Horizontal Scalability - Vertical Scalability

Vertical Scalability

Running an application on an Auto Scaling Group that scales the number of EC2 instances in and out is called ..................... - Horizontal Scalability - Vertical Scalability

Horizontal Scalability

Elastic Load Balancers provide a ....................... - static IPv4 we can use in our application - static DNS name we can use in our application - static IPv6 we can use in our application

static DNS name we can use in our application ## Footnote Only Network Load Balancer provides both static DNS name and static IP. While, Application Load Balancer provides a static DNS name but it does NOT provide a static IP. The reason being that AWS wants your Elastic Load Balancer to be accessible using a static endpoint, even if the underlying infrastructure that AWS manages changes.

You are running a website on 10 EC2 instances fronted by an Elastic Load Balancer. Your users are complaining about the fact that the website always asks them to re-authenticate when they are moving between website pages. You are puzzled because it's working just fine on your machine and in the Dev environment with 1 EC2 instance. What could be the reason? - Your website must have an issue when hosted on multiple EC2 instances - The EC2 instances log out users as they can't see their IP addresses, instead, they receive ELB IP addresses - The Elastic Load Balancer does not have Sticky Sessions enabled

The Elastic Load Balancer does not have Sticky Sessions enabled ## Footnote ELB Sticky Session feature ensures traffic for the same client is always redirected to the same target (e.g., EC2 instance). This helps that the client does not lose his session data.

You are using an Application Load Balancer to distribute traffic to your website hosted on EC2 instances. It turns out that your website only sees traffic coming from private IPv4 addresses which are in fact your Application Load Balancer's IP addresses. What should you do to get the IP address of clients connected to your website? - Modify your website's frontend so that users send their IP in every request - Modify your website's backend to get the client IP address from the X-Forwarded-For header - Modify your website's backend to get the client IP address from the X-Forwarded-Port header - Modify your website's backend to get the client IP address from the X-Forwarded-Proto header

Modify your website's backend to get the client IP address from the X-Forwarded-For header ## Footnote When using an Application Load Balancer to distribute traffic to your EC2 instances, the IP address you'll receive requests from will be the ALB's private IP addresses. To get the client's IP address, ALB adds an additional header called "X-Forwarded-For" contains the client's IP address.

You hosted an application on a set of EC2 instances fronted by an Elastic Load Balancer. A week later, users begin complaining that sometimes the application just doesn't work. You investigate the issue and found that some EC2 instances crash from time to time. What should you do to protect users from connecting to the EC2 instances that are crashing? - Enable ELB Health Checks - Enable ELB Stickiness - Enable SSL Termination - Enable Cross-Zone Load Balancing

Enable ELB Health Checks ## Footnote When you enable ELB Health Checks, your ELB won't send traffic to unhealthy (crashed) EC2 instances.

You are working as a Solutions Architect for a company and you are required to design an architecture for a high-performance, low-latency application that will receive millions of requests per second. Which type of Elastic Load Balancer should you choose? - Application Load Balancer - Classic Load Balancer - Network Load Balancer

Network Load Balancer ## Footnote Network Load Balancer provides the highest performance and lowest latency if your application needs it.

Application Load Balancers support the following protocols, **EXCEPT**: - HTTP - HTTPS - TCP - WebSocket

TCP ## Footnote Application Load Balancers support HTTP, HTTPS and WebSocket.

Application Load Balancers can route traffic to different Target Groups based on the following, **EXCEPT**: - Client's Location (Geography) - Hostname - Request URL Path - Source IP Address

Client's Location (Geography) ## Footnote ALBs can route traffic to different Target Groups based on URL Path, Hostname, HTTP Headers, and Query Strings.

Registered targets in a Target Groups for an Application Load Balancer can be one of the following, **EXCEPT**: - EC2 Instances - Network Load Balancer - Private IP Addresses - Lambda Functions

Network Load Balancer

For compliance purposes, you would like to expose a fixed static IP address to your end-users so that they can write firewall rules that will be stable and approved by regulators. What type of Elastic Load Balancer would you choose? - Application Load Balancer with an Elastic IP attached to it - Network Load Balancer - Classic Load Balancer

Network Load Balancer ## Footnote Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it. Application Load Balancers and Classic Load Balancers have a static DNS name.

You want to create a custom application-based cookie in your Application Load Balancer. Which of the following you can use as a cookie name? - AWSALBAPP - APPUSERC - AWSALBTG - AWSALB

APPUSERC ## Footnote The following cookie names are reserved by the ELB (AWSALB, AWSALBAPP, AWSALBTG).

You have a Network Load Balancer that distributes traffic across a set of EC2 instances in `us-east-1`. You have 2 EC2 instances in `us-east-1b` AZ and 5 EC2 instances in `us-east-1e` AZ. You have noticed that the CPU utilization is higher in the EC2 instances in `us-east-1b` AZ. After more investigation, you noticed that the traffic is equally distributed across the two AZs. How would you solve this problem? - Enable Cross-Zone Load Balancing - Enable Sticky Sessions - Enable ELB Health Checks - Enable SSL Termination

Enable Cross-Zone Load Balancing ## Footnote When Cross-Zone Load Balancing is enabled, ELB distributes traffic evenly across all registered EC2 instances in all AZs.

Which feature in both Application Load Balancers and Network Load Balancers allows you to load multiple SSL certificates on one listener? - TLS Termination - Server Name Indication (SNI) - SSL Security Policies - Host Headers

Server Name Indication (SNI)

You have an Application Load Balancer that is configured to redirect traffic to 3 Target Groups based on the following hostnames: **users.example.com**, **api.external.example.com**, and **checkout.example.com**. You would like to configure HTTPS for each of these hostnames. How do you configure the ALB to make this work? - Use an HTTP to HTTPS redirect rule - Use a security group SSL certificate - Use Server Name Indication (SNI)

Use Server Name Indication (SNI) ## Footnote Server Name Indication (SNI) allows you to expose multiple HTTPS applications each with its own SSL certificate on the same listener. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

You have an application hosted on a set of EC2 instances managed by an Auto Scaling Group that you configured both desired and maximum capacity to 3. Also, you have created a CloudWatch Alarm that is configured to scale out your ASG when CPU Utilization reaches 60%. Your application suddenly received huge traffic and is now running at 80% CPU Utilization. What will happen? - Nothing - The desired capacity will go up to 4 and the maximum capacity will stay at 3 - The desired capacity will go up to 4 and the maximum capacity will stay at 4

Nothing ## Footnote The Auto Scaling Group can't go over the maximum capacity (you configured) during scale-out events.

You have an Auto Scaling Group fronted by an Application Load Balancer. You have configured the ASG to use ALB Health Checks, then one EC2 instance has just been reported unhealthy. What will happen to the EC2 instance? - The ASG will keep the instance running and re-start the application - The ASG will detach the EC2 instance and leave it running - The ASG will terminate the EC2 instance

The ASG will terminate the EC2 instance ## Footnote You can configure the Auto Scaling Group to determine the EC2 instances' health based on Application Load Balancer Health Checks instead of EC2 Status Checks (default). When an EC2 instance fails the ALB Health Checks, it is marked unhealthy and will be terminated while the ASG launches a new EC2 instance.

Your boss asked you to scale your Auto Scaling Group based on the **number of requests per minute** your application makes to your database. What should you do? - Create a CloudWatch custom metric then create a Cloudwatch Alarm on this metric to scale your ASG - You politelly tell him it's impossible - Enable Detailed Monitoring then create a CloudWatch alarm to scale your ASG

Create a CloudWatch custom metric then create a Cloudwatch Alarm on this metric to scale your ASG ## Footnote There's no CloudWatch Metric for "requests per minute" for backend-to-database connections. You need to create a CloudWatch Custom Metric, then create a CloudWatch Alarm.

An application is deployed with an Application Load Balancer and an Auto Scaling Group. Currently, you manually scale the ASG and you would like to define a Scaling Policy that will ensure the average number of connections to your EC2 instances is around 1000. Which Scaling Policy should you use? - Simple Scaling Policy - Step Scaling Policy - Target Tracking Policy - Scheduled Scaling Policy

Target Tracking Policy

You have an ASG and a Network Load Balancer. The application on your ASG supports the HTTP protocol and is integrated with the Load Balancer health checks. You are currently using the TCP health checks. You would like to migrate to using HTTP health checks, what do you do? - Migrate to an Application Load Balancer - Migrate to health check to HTTP

Migrate to health check to HTTP ## Footnote the NLB supports HTTP health checks as well as TCP and HTTPS

You have a website hosted in EC2 instances in an Auto Scaling Group fronted by an Application Load Balancer. Currently, the website is served over HTTP, and you have been tasked to configure it to use HTTPS. You have created a certificate in ACM and attached it to the Application Load Balancer. What you can do to force users to access the website using HTTPS instead of HTTP? - Send an email to all customers to use HTTPS instead of HTTP - Configure the Application Load Balancer to redirect HTTP to HTTPS - Configure the DNS record to redirect HTTP to HTTPS

Configure the Application Load Balancer to redirect HTTP to HTTPS

Amazon RDS supports the following databases, **EXCEPT**: - MongoDB - MySQL - MariaDB - Microsoft SQL Server

MongoDB ## Footnote RDS supports MySQL, PostgreSQL, MariaDB, Oracle, MS SQL Server, and Amazon Aurora.

You're planning for a new solution that requires a MySQL database that must be available even in case of a disaster in one of the Availability Zones. What should you use? - Create Read Replicas - Enable Encryption - Enable Multi-AZ

Enable Multi-AZ ## Footnote Multi-AZ helps when you plan a disaster recovery for an entire AZ going down. If you plan against an entire AWS Region going down, you should use backups and replication across AWS Regions.

We have an RDS database that struggles to keep up with the demand of requests from our website. Our million users mostly read news, and we don't post news very often. Which solution is **NOT** adapted to this problem? - An ElastiCache Cluster - RDS Multi-AZ - RDS Read Replicas

RDS Multi-AZ ## Footnote ElastiCache and RDS Read Replicas do indeed help with scaling reads.

You have set up read replicas on your RDS database, but users are complaining that upon updating their social media posts, they do not see their updated posts right away. What is a possible cause for this? - There must be a bug in your application - Read Replicas have Asynchronous Replication, therefore it's likely your users will only read Eventual Consistency - You should have setup Multi-AZ instead

Read Replicas have Asynchronous Replication, therefore it's likely your users will only read Eventual Consistency

Which RDS **(NOT Aurora)** feature when used does not require you to change the SQL connection string? - Multi-AZ - Read Replicas

Multi-AZ ## Footnote Multi-AZ keeps the same connection string regardless of which database is up.

Your application running on a fleet of EC2 instances managed by an Auto Scaling Group behind an Application Load Balancer. Users have to constantly log back in and you don't want to enable Sticky Sessions on your ALB as you fear it will overload some EC2 instances. What should you do? - Use your own custom Load Balancer on EC2 instances instead of using ALB - Store session data in RDS - Store session data in ElastiCache - Store session data in a shared EBS volume

Store session data in ElastiCache ## Footnote Storing Session Data in ElastiCache is a common pattern to ensuring different EC2 instances can retrieve your user's state if needed.

An analytics application is currently performing its queries against your main production RDS database. These queries run at any time of the day and slow down the RDS database which impacts your users' experience. What should you do to improve the users' experience? - Setup a Read Replica - Setup Multi-AZ - Run the analytics queries at night

Setup a Read Replica ## Footnote Read Replicas will help as your analytics application can now perform queries against it, and these queries won't impact the main production RDS database.

You would like to ensure you have a replica of your database available in another AWS Region if a disaster happens to your main AWS Region. Which database do you recommend to implement this easily? - RDS Read Replicas - RDS Multi-AZ - Aurora Read Replicas - Aurora Global Database

Aurora Global Database ## Footnote Aurora Global Databases allows you to have an Aurora Replica in another AWS Region, with up to 5 secondary regions.

How can you enhance the security of your ElastiCache Redis Cluster by allowing users to access your ElastiCache Redis Cluster using their IAM Identities (e.g., Users, Roles)? - Using Redis Authentication - Using IAM Authentication - Use Security Groups

Using IAM Authentication

Your company has a production Node.js application that is using RDS MySQL 5.6 as its database. A new application programmed in Java will perform some heavy analytics workload to create a dashboard on a regular hourly basis. What is the most cost-effective solution you can implement to minimize disruption for the main application? - Enable Multi-AZ for the RDS database and run the analytics workload on the standby database - Create a Read Replica in a different AZ and run the analytics on the replica database - Create a Read Replica in a different AZ and run the analytics workload on the source database

Create a Read Replica in a different AZ and run the analytics on the replica database

You would like to create a disaster recovery strategy for your RDS PostgreSQL database so that in case of a regional outage the database can be quickly made available for both read and write workloads in another AWS Region. The DR database must be highly available. What do you recommend? - Create a Read Replica in the same region and enable Multi-AZ on the main database - Create a Read Replica in a different region and enable Multi-AZ on the Read Replica - Create a Read Replica in the same region and enable Multi-AZ on the Read Replica - Enable Multi-Region option on the main database

Create a Read Replica in a different region and enable Multi-AZ on the Read Replica

You have migrated the MySQL database from on-premises to RDS. You have a lot of applications and developers interacting with your database. Each developer has an IAM user in the company's AWS account. What is a suitable approach to give access to developers to the MySQL RDS DB instance instead of creating a DB user for each one? - By default IAM users have access to your RDS database - Use Amazon Cognito - Enable IAM Database Authentication

Enable IAM Database Authentication

Which of the following statement is true regarding replication in both RDS Read Replicas and Multi-AZ? - Read Replica uses Asynchronous Replication and Multi-AZ uses Asynchronous Replication - Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication - Read Replica uses Synchronous Replication and Multi-AZ uses Synchronous Replication - Read Replica uses Synchronous Replication and Multi-AZ uses Asynchronous Replication

Read Replica uses Asynchronous Replication and Multi-AZ uses Synchronous Replication

How do you encrypt an unencrypted RDS DB instance? - Do it straight from AWS Console, select your RDS DB instance, choose Actions then Encrypt using KMS - Do it straight from AWS Console, after stopping the RDS DB instance - Create a snapshot of the unencrypted RDS DS instance, copy the snapshot and tick "Enable encryption", then restore the RDS DB instance from the encrypted snapshot

Create a snapshot of the unencrypted RDS DS instance, copy the snapshot and tick "Enable encryption", then restore the RDS DB instance from the encrypted snapshot

For your RDS database, you can have up to ............ Read Replicas. - 5 - 15 - 7

Which RDS database technology does **NOT** support IAM Database Authentication? - Oracle - PostgreSQL - MySQL

Oracle

You have an un-encrypted RDS DB instance and you want to create Read Replicas. Can you configure the RDS Read Replicas to be encrypted? - No - Yes

No ## Footnote You can not create encrypted Read Replicas from an unencrypted RDS DB instance.

An application running in production is using an Aurora Cluster as its database. Your development team would like to run a version of the application in a scaled-down application with the ability to perform some heavy workload on a need-basis. Most of the time, the application will be unused. Your CIO has tasked you with helping the team to achieve this while minimizing costs. What do you suggest? - Use an Aurora Global Database - Use an RDS Database - Use Aurora Serverless - Run Aurora on EC2, and write script to shut down the EC2 instance at night

Use Aurora Serverless

How many Aurora Read Replicas can you have in a single Aurora DB Cluster? - 5 - 10 - 15

Amazon Aurora supports both .......................... databases. - MySQL and MariaDB - MySQL and PostgreSQL - Oracle and MariaDB - Oracle and MS SQL Server

MySQL and PostgreSQL

You work as a Solutions Architect for a gaming company. One of the games mandates that players are ranked in real-time based on their score. Your boss asked you to design then implement an effective and highly available solution to create a gaming leaderboard. What should you use? - Use RDS for MySQL - Use Amazon Aurora - Use ElastiCache for Memcached - Use ElastiCache for Redis - Sorted Sets

Use ElastiCache for Redis - Sorted Sets

You need full customization of an Oracle Database on AWS. You would like to benefit from using the AWS services. What do you recommend? - RDS for Oracle - RDS Custom for Oracle - Deploy Oracle on EC2

RDS Custom for Oracle

You need to store long-term backups for your Aurora database for disaster recovery and audit purposes. What do you recommend? - Enable Automated Backups - Perform On Demand Backups - Use Aurora Database Cloning

Perform On Demand Backups

Your development team would like to perform a suite of read and write tests against your production Aurora database because they need access to production data as soon as possible. What do you advise? - Create an Aurora Read Replica for them - Do the test against the production database - Make a DB Snapshot and Restore it into a new database - Use the Aurora Cloning Feature

Use the Aurora Cloning Feature

You have 100 EC2 instances connected to your RDS database and you see that upon a maintenance of the database, all your applications take a lot of time to reconnect to RDS, due to poor application logic. How do you improve this? - Fix all the applications - Disable Multi-AZ - Enable Multi-AZ - Use an RDS Proxy

Use an RDS Proxy ## Footnote This reduces the failover time by up to 66% and keeps connection actives for your applications

You have purchased **mycoolcompany.com** on Amazon Route 53 Registrar and would like the domain to point to your Elastic Load Balancer **my-elb-1234567890.us-west-2.elb.amazonaws.com**. Which Route 53 Record type must you use here? - CNAME - Alias

Alias

You have deployed a new Elastic Beanstalk environment and would like to direct 5% of your production traffic to this new environment. This allows you to monitor for CloudWatch metrics and ensuring that there're no bugs exist with your new environment. Which Route 53 Record type allows you to do so? - Simple - Weighted - Latency - Failover

Weighted ## Footnote Weighted Routing Policy allows you to redirect part of the traffic based on weight (e.g., percentage). It's a common use case to send part of traffic to a new version of your application.

You have updated a Route 53 Record's myapp.mydomain.com value to point to a new Elastic Load Balancer, but it looks like users are still redirected to the old ELB. What is a possible cause for this behavior? - Because of the Alias record - Because of the CNAME record - Because of the TTL - Because of Route 53 Health Checks

Because of the TTL ## Footnote Each DNS record has a TTL (Time To Live) which orders clients for how long to cache these values and not overload the DNS Resolver with DNS requests. The TTL value should be set to strike a balance between how long the value should be cached vs. how many requests should go to the DNS Resolver.

You have an application that's hosted in two different AWS Regions `us-west-1` and `eu-west-2`. You want your users to get the best possible user experience by minimizing the response time from application servers to your users. Which Route 53 Routing Policy should you choose? - Multi Value - Weighted - Latency - Geolocation

Latency ## Footnote Latency Routing Policy will evaluate the latency between your users and AWS Regions, and help them get a DNS response that will minimize their latency (e.g. response time)

You have a legal requirement that people in any country but France should **NOT** be able to access your website. Which Route 53 Routing Policy helps you in achieving this? - Latency - Simple - Multi Value - Geolocation

Geolocation

You have purchased a domain on GoDaddy and would like to use Route 53 as the DNS Service Provider. What should you do to make this work? - Request for a domain transfer - Create a Private Hosted Zone and update the 3rd party Registrar NS records - Create a Public Hosted Zone and update the Route 53 NS records - Create a Public Hosted Zone and update the 3rd party Registrar NS records

Create a Public Hosted Zone and update the 3rd party Registrar NS records ## Footnote Public Hosted Zones are meant to be used for people requesting your website through the Internet. Finally, NS records must be updated on the 3rd party Registrar.

Which of the following are NOT valid Route 53 Health Checks? - Health Check that monitors a SQS Queue - Health Check that monitors an Endpoint - Health Check that monitors other Health Checks - Health Check that monitors CloudWatch Alarms

Health Check that monitors a SQS Queue

Your website **TriangleSunglasses.com** is hosted on a fleet of EC2 instances managed by an Auto Scaling Group and fronted by an Application Load Balancer. Your ASG has been configured to scale on-demand based on the traffic going to your website. To reduce costs, you have configured the ASG to scale based on the traffic going through the ALB. To make the solution highly available, you have updated your ASG and set the minimum capacity to 2. How can you further reduce the costs while respecting the requirements? - Remove the ALB and use an Elastic IP Instead - Reserve two EC2 Instances - Reduce the minimum capacity to 1 - Reduce the minimum capacity to 0

Reserve two EC2 Instances ## Footnote This is the way to save further costs as we will run 2 EC2 instances no matter what.

Which of the following will **NOT** help us while designing a **STATELESS** application tier? - Store session data in Amazon RDS - Store session data in Amazon ElastiCache - Store session data in the client HTTP cookies - Store session data on EBS Volumes

Store session data on EBS Volumes ## Footnote EBS volumes are created in a specific AZ and can only be attached to one EC2 instance at a time.

You want to install software updates on 100s of Linux EC2 instances that you manage. You want to store these updates on shared storage which should be dynamically loaded on the EC2 instances and shouldn't require heavy operations. What do you suggest? - Store the software updates on EBS and sync them using data replication software from one master in each AZ - Store the software updates on EFS and mount EFS as a network drive at startup - Package the software updates as an EBS snapshot and create EBS volumes for each new software update - Store the software updates on Amazon RDS

Store the software updates on EFS and mount EFS as a network drive at startup ## Footnote EFS is a network file system (NFS) that allows you to mount the same file system to 100s of EC2 instances. Storing software updates on an EFS allows each EC2 instance to access them.

As a Solutions Architect, you're planning to migrate a complex ERP software suite to AWS Cloud. You're planning to host the software on a set of Linux EC2 instances managed by an Auto Scaling Group. The software traditionally takes over an hour to set up on a Linux machine. How do you recommend you speed up the installation process when there's a scale-out event? - Use a Golden AMI - Bootstrap using EC2 User Data - Store the application in Amazon RDS - Retrieve the application setup files from RDS

Use a Golden AMI ## Footnote Golden AMI is an image that contains all your software installed and configured so that future EC2 instances can boot up quickly from that AMI.

You're developing an application and would like to deploy it to Elastic Beanstalk with minimal cost. You should run it in .................. - Single Instance Mode - High Availability Mode

Single Instance Mode ## Footnote The question mentions that you're still in the development stage and you want to reduce costs. Single Instance Mode will create one EC2 instance and one Elastic IP.

You're deploying your application to an Elastic Beanstalk environment but you notice that the deployment process is painfully slow. After reviewing the logs, you found that your dependencies are resolved on each EC2 instance each time you deploy. How can you speed up the deployment process with minimal impact? - Remove some dependencies in your code - Place the dependencies in Amazon EFS - Create a Golden AMI that contains the depedencies and use that image to launch the EC2 instances

Create a Golden AMI that contains the depedencies and use that image to launch the EC2 instances ## Footnote Golden AMI is an image that contains all your software, dependencies, and configurations, so that future EC2 instances can boot up quickly from that AMI.

You have a 25 GB file that you're trying to upload to S3 but you're getting errors. What is a possible solution for this? - The file size limit on S3 is 5GB - Update your bucket policy to allow the larger file - Use Multi-Part upload when uploading files larger than 5GB - Encrypt the file

Use Multi-Part upload when uploading files larger than 5GB ## Footnote Multi-Part Upload is recommended as soon as the file is over 100 MB.

You're getting errors while trying to create a new S3 bucket named **"dev"**. You're using a new AWS Account with no S3 buckets created before. What is a possible cause for this? - You're missing IAM permissions to create an S3 bucket - S3 bucket names must be globally unique and "dev" is already taken

S3 bucket names must be globally unique and "dev" is already taken

You have enabled versioning in your S3 bucket which already contains a lot of files. Which version will the existing files have? - 1 - 0 - -1 - null

null

You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complain that he can't perform a `PutObject` API call. What is a possible cause for this? - The S3 bucket policy must be wrong - The user is lacking permissions - The IAM user must have an explicit DENY in the attached IAM Policy - You need to contact AWS Support to lift this limit

The IAM user must have an explicit DENY in the attached IAM Policy ## Footnote Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.

You want the content of an S3 bucket to be fully available in different AWS Regions. That will help your team perform data analysis at the lowest latency and cost possible. What S3 feature should you use? - Amazon Cloudfront Distributions - S3 Versioning - S3 Static Website Hosting - S3 Replication

S3 Replication ## Footnote S3 Replication allows you to replicate data from an S3 bucket to another in the same/different AWS Region.

You have 3 S3 buckets. One source bucket A, and two destination buckets B and C in different AWS Regions. You want to replicate objects from bucket A to both bucket B and C. How would you achieve this? - Configure replication from bucket A to bucket B, then from bucket A to bucket C - Configure replication from bucket A to bucket B, then from bucket B to bucket C - Configure replication from bucket A to bucket C, then from bucket C to bucket B

Configure replication from bucket A to bucket B, then from bucket A to bucket C

Which of the following is **NOT** a Glacier Deep Archive retrieval mode? - Expedited (1-5 minutes) - Standard (12 hours) - Bulk (48hs)

Expedited (1-5 minutes)

Which of the following is **NOT** a Glacier Flexible retrieval mode? - Instant (10 seconds) - Expedited (1-5 minutes) - Standard (3-5 hours) - Bulk (5-12 hours)

Instant (10 seconds)

How can you be notified when there's an object uploaded to your S3 bucket? - S3 Select - S3 Access Logs - S3 Event Notifications - S3 Analytics

S3 Event Notifications

You have an S3 bucket that has S3 Versioning enabled. This S3 bucket has a lot of objects, and you would like to remove old object versions to reduce costs. What's the best approach to automate the deletion of these old object versions? - S3 Lifecycle Rules - Transition Actions - S3 Lifecycle Rules - Expiration Actions - S3 Access Logs

S3 Lifecycle Rules - Expiration Actions

How can you automate the transition of S3 objects between their different tiers? - AWS Lambda - CloudWatch Events - S3 Lifecycle Rules

S3 Lifecycle Rules

While you're uploading large files to an S3 bucket using Multi-part Upload, there are a lot of unfinished parts stored in the S3 bucket due to network issues. You are not using these unfinished parts and they cost you money. What is the best approach to remove these unfinished parts? - Use AWS Lambda to loop on each old/unfinished part and delete them - Request AWS Support to help you delete old/unfinished parts - Use an S3 Lifecycle Policy to automate old/unfinished parts deletion

Use an S3 Lifecycle Policy to automate old/unfinished parts deletion

You are looking to get recommendations for S3 Lifecycle Rules. How can you analyze the optimal number of days to move objects between different storage tiers? - S3 Inventory - S3 Analytics - S3 Lifecycle Rules Advisor

S3 Analytics

You are looking to build an index of your files in S3, using Amazon RDS PostgreSQL. To build this index, it is necessary to read the first 250 bytes of each object in S3, which contains some metadata about the content of the file itself. There are over 100,000 files in your S3 bucket, amounting to 50 TB of data. How can you build this index efficiently? - Use RDS Import feature to load the data form S3 to PostgreSQL, and run a SQL query to build the index - Create an application that will traverse the S3 bucket, read all the files one by one, extract the first 250 bytes, and store that information in RDS - Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS - Create an application that will traverse the S3 bucket, use S3 Select to get the first 250 bytes, and store that information in RDS

Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS

You have a large dataset stored on-premises that you want to upload to the S3 bucket. The dataset is divided into 10 GB files. You have good bandwidth but your Internet connection isn't stable. What is the best way to upload this dataset to S3 and ensure that the process is fast and avoid any problems with the Internet connection? - Use Multi-part Upload Only - Use S3 Select & Use S3 Transfer Acceleration - Use S3 Multi-part Upload & S3 Transfer Acceleration

Use S3 Multi-part Upload & S3 Transfer Acceleration

You would like to retrieve a subset of your dataset stored in S3 with the `.csv` format. You would like to retrieve a month of data and only 3 columns out of 10, to minimize compute and network costs. What should you use? - S3 Analytics - S3 Access Logs - S3 Select - S3 Inventory

S3 Select

A company is preparing for compliance and regulatory review on its infrastructure on AWS. Currently, they have their files stored on S3 buckets that are not encrypted, which must be encrypted as required for compliance and regulatory review. Which S3 feature allows them to encrypt all files in their S3 buckets in the most efficient and cost-effective way? - S3 Access Points - S3 Cross-Region Replication - S3 Batch Operations - S3 Lifecycle Rules

S3 Batch Operations

Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend him to use ............................ - SSE-S3 - SSE-KMS - SSE-C - Client-Side Encryption

SSE-C ## Footnote With SSE-C, the encryption happens in AWS and you have full control over the encryption keys.

A company you're working for wants their data stored in S3 to be encrypted. They don't mind the encryption keys stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend them to use .................... - SSE-S3 - SSE-KMS - SSE-C - Client-Side Encryption

SSE-KMS ## Footnote With SSE-KMS, the encryption happens in AWS, and the encryption keys are managed by AWS but you have full control over the rotation policy of the encryption key. Encryption keys stored in AWS.

Your company does not trust AWS for the encryption process and wants it to happen on the application. You recommend them to use .................... - SSE-S3 - SSE-KMS - SSE-C - Client-Side Encryption

Client-Side Encryption ## Footnote With Client-Side Encryption, you have to do the encryption yourself and you have full control over the encryption keys. You perform the encryption yourself and send the encrypted data to AWS. AWS does not know your encryption keys and cannot decrypt your data.

You have a website that loads files from an S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when a website with a different domain tries to load these files it doesn't. What's the problem? - The Bucket policy is wrong - The IAM policy is wrong - CORS is wrong - Encryption is wrong

CORS is wrong ## Footnote Cross-Origin Resource Sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. To learn more about CORS, go here: https://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html

An e-commerce company has its customers and orders data stored in an S3 bucket. The company’s CEO wants to generate a report to show the list of customers and the revenue for each customer. Customer data stored in files on the S3 bucket has sensitive information that we don’t want to expose in the report. How do you recommend the report can be created without exposing sensitive information? - Use S3 Object Lambda to change the objects before they are retrieved by the report generator application - Create another S3 bucket. Create a lambda function to process each file, remove the sensitive information, and then move them to the new S3 bucket - Use S3 Object Lock to lock the sensitive information from being fetched by the report generator application

Use S3 Object Lambda to change the objects before they are retrieved by the report generator application

You suspect that some of your employees try to access files in an S3 bucket that they don't have access to. How can you verify this is indeed the case without them noticing? - Enable S3 Access Logs and analyze them using Athena - Restrict their IAM policies and look at CloudTrail logs - Use a bucket policy

Enable S3 Access Logs and analyze them using Athena ## Footnote S3 Access Logs log all the requests made to S3 buckets and Amazon Athena can then be used to run serverless analytics on top of the log files.

You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use? - S3 CORS - S3 Pre-Signed URL - S3 Bucket Policies

S3 Pre-Signed URL ## Footnote S3 Pre-Signed URLs are temporary URLs that you generate to grant time-limited access to some actions in your S3 bucket.

For compliance reasons, your company has a policy mandate that database backups must be retained for 4 years. It shouldn't be possible to erase them. What do you recommend? - Glacier Vaults with Vault Lock Policies - EFS network drives with restrictive Linux Permissions - S3 with Bucket Policies

Glacier Vaults with Vault Lock Policies

You would like all your files in an S3 bucket to be encrypted by default. What is the optimal way of achieving this? - Use a bucket policy that forces HTTPS connections - Do nothing, Amazon S3 automatically encrypts new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3) - Enable Versioning

Do nothing, Amazon S3 automatically encrypts new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)

You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions? - Use a bucket policy - Enable MFA Delete - Encrypt the files - Disable Versioning

Enable MFA Delete ## Footnote MFA Delete forces users to use MFA codes before deleting S3 objects. It's an extra level of security to prevent accidental deletions.

A company has its data and files stored on some S3 buckets. Some of these files need to be kept for a predefined period of time and protected from being overwritten and deletion according to company compliance policy. Which S3 feature helps you in doing this? - S3 Object Lock - Retention Governance Mode - S3 Versioning - S3 Object Lock - Retention Compliance Mode - S3 Glacier Vault Lock

S3 Object Lock - Retention Compliance Mode

Which of the following S3 Object Lock configuration allows you to prevent an object or its versions from being overwritten or deleted indefinitely and gives you the ability to remove it manually? - Retention Governance Mode - Retention Compliance Mode - Legal Hold

Legal Hold

You have a CloudFront Distribution that serves your website hosted on a fleet of EC2 instances behind an Application Load Balancer. All your clients are from the United States, but you found that some malicious requests are coming from other countries. What should you do to only allow users from the US and block other countries? - Use CloudFront Geo Restriction - Use Origin Access Control - Set up a security group and attach it to your CloudFront Distribution - Use a Route 53 Latency record and attach it to CloudFront

Use CloudFront Geo Restriction

You have a static website hosted on an S3 bucket. You have created a CloudFront Distribution that points to your S3 bucket to better serve your requests and improve performance. After a while, you noticed that users can still access your website directly from the S3 bucket. You want to enforce users to access the website only through CloudFront. How would you achieve that? - Send an email to your clients and tell them not to use the S3 endpoint - Configure your Cloudfront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution - Use S3 Access Points to redirect clients to CloudFront

Configure your Cloudfront Distribution and create an Origin Access Control (OAC), then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution

What does this S3 bucket policy do? ``` { "Version": "2012-10-17", "Id": "Mystery policy", "Statement": [{ "Sid": "What could it be?", "Effect": "Allow", "Principal": { "Service": "cloudfront.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::examplebucket/*", "Condition": { "StringEquals": { "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE" } } }] } ``` - Forces `GetObject` request to be encrypted if coming from CloudFront - Only allows the S3 bucket content to be accessed from your CloudFront Distribution - Only allows `GetObject` type of request on the S3 bucket from anybody

Only allows the S3 bucket content to be accessed from your CloudFront Distribution

A WordPress website is hosted in a set of EC2 instances in an EC2 Auto Scaling Group and fronted by a CloudFront Distribution which is configured to cache the content for 3 days. You have released a new version of the website and want to release it immediately to production without waiting for 3 days for the cached content to be expired. What is the easiest and most efficient way to solve this? - Open a support ticket with AWS Support to remove the CloudFront Cache - CloudFront Cache Invalidation - EC2 Cache Invalidation

CloudFront Cache Invalidation

A company is deploying a media-sharing website to AWS. They are going to use CloudFront to deliver the content with low latency to their customers where they are located in both US and Europe only. After a while there a huge costs for CloudFront. Which CloudFront feature allows you to decrease costs by targeting only US and Europe? - CloudFront Cache Invalidation - CloudFront Price Classes - CloudFront Cache Behavior - Origin Access Control

CloudFront Price Classes

A company is migrating a web application to AWS Cloud and they are going to use a set of EC2 instances in an EC2 Auto Scaling Group. The web application is made of multiple components so they will need a host-based routing feature to route to specific web application components. This web application is used by many customers and therefore the web application must have a static IP address so it can be whitelisted by the customers’ firewalls. As the customers are distributed around the world, the web application must also provide low latency to all customers. Which AWS service can help you to assign a static IP address and provide low latency across the globe? - AWS Global Accelerator + Application Load Balancer - Amazon CloudFront - Network Load Balancer - Application Load Balancer

AWS Global Accelerator + Application Load Balancer

You need to move hundreds of Terabytes into Amazon S3, then process the data using a fleet of EC2 instances. You have a 1 Gbit/s broadband. You would like to move the data faster and possibly processing it while in transit. What do you recommend? - Use your network - Use Snowcone - Use AWS Data Migration - Use Snowball Edge

Use Snowball Edge ## Footnote Snowball Edge is the right answer as it comes with computing capabilities and allows you to pre-process the data while it's being moved into Snowball.

You want to expose virtually infinite storage for your tape backups. You want to keep the same software you're using and want an iSCSI compatible interface. What do you use? - AWS Snowball - AWS Storage Gateway - Tape Gateway - AWS Storage Gateway - Volume Gateway - AWS Storage Gateway - S3 File Gateway

AWS Storage Gateway - Tape Gateway

Your EC2 Windows Servers need to share some data by having a Network File System mounted on them which respects the Windows security mechanisms and has integration with Microsoft Active Directory. What do you recommend? - Amazon FSx for Windows (File Server) - Amazon EFS - Amazon FSx for Lustre - S3 File Gateway

Amazon FSx for Windows (File Server)

You have hundreds of Terabytes that you want to migrate to AWS S3 as soon as possible. You tried to use your network bandwidth and it will take around 3 weeks to complete the upload process. What is the recommended approach to using in this situation? - AWS Storage Gateway - Volume Gateway - S3 Multi-part Upload - AWS Snowball Edge - AWS Data Migration Service

AWS Snowball Edge

You have a large dataset stored in S3 that you want to access from on-premises servers using the NFS or SMB protocol. Also, you want to authenticate access to these files through on-premises Microsoft AD. What would you use? - AWS Storage Gateway - Volume Gateway - AWS Storage Gateway - S3 File Gateway - AWS Storage Gateway - Tape Gateway - AWS Data Migration Service

AWS Storage Gateway - S3 File Gateway

You are planning to migrate your company's infrastructure from on-premises to AWS Cloud. You have an on-premises Microsoft Windows File Server that you want to migrate. What is the most suitable AWS service you can use? - Amazon FSx for Windows (File Server) - AWS Storage Gateway - S3 File Gateway - AWS Managed Microsoft AD

Amazon FSx for Windows (File Server)

You would like to have a distributed POSIX compliant file system that will allow you to maximize the IOPS in order to perform some High-Performance Computing (HPC) and genomics computational research. This file system has to easily scale to millions of IOPS. What do you recommend? - EFS with Max. IO enabled - Amazon FSx for Lustre - Amazon S3 mounted on the EC2 instances - EC2 Instance Store

Amazon FSx for Lustre

Which deployment option in the FSx file system provides you with long-term storage that's replicated within AZ? - Scratch File System - Persistent File System

Persistent File System ## Footnote Provides long-term storage where data is replicated within the same AZ. Failed files were replaced within minutes.

Which of the following protocols is **NOT** supported by AWS Transfer Family? - File Transfer Protocol (FTP) - File Transfer Protocol over SSL (FTPS) - Transport Layer Security (SSL) - Secure File Transfer Protocol (SFTP)

Transport Layer Security (SSL) ## Footnote AWS Transfer Family is a managed service for file transfers into and out of S3 or EFS using the FTP protocol, thus TLS is not supported.

A company uses a lot of files and data which is stored in an FSx for Windows File Server storage on AWS. Those files are currently used by the resources hosted on AWS. There’s a requirement for those files to be accessed on-premises with low latency. Which AWS service can help you achieve this? - S3 File Gateway - FSx for Windows File Server On-Premises - FSx File Gateway - Volume Gateway

FSx File Gateway

A Solutions Architect is working on planning the migration of a startup company from on-premises to AWS. Currently, their infrastructure consists of many servers and 30 TB of data hosted on a shared NFS storage. He has decided to use Amazon S3 to host the data. Which AWS service can efficiently migrate the data from on-premises to S3? - AWS Storage Tape Gateway - Amazon EBS - AWS Transfer Family - AWS DataSync

AWS DataSync

Which AWS service is best suited to migrate a large amount of data from an S3 bucket to an EFS file system? - AWS Snowball - AWS DataSync - AWS Transfer Family - AWS Backup

AWS DataSync

A Machine Learning company is working on a set of datasets that are hosted on S3 buckets. The company decided to release those datasets to the public to be useful for others in their research, but they don’t want to configure the S3 bucket to be public. And those datasets should be exposed over the FTP protocol. What can they do to do the requirement efficiently and with the least effort? - Use AWS Transfer Family - Create an EC2 instance with an FTP server installed then copy the data from the S3 to the EC2 instance - Use AWS Storage Gateway - Copy the data from S3 to an EFS file system, then expose them over the FTP protocol

Use AWS Transfer Family

Amazon FSx for NetApp ONTAP is compatible with the following protocols, EXCEPT ……………… - NFS - SMB - FTP - iSCI

FTP

Which AWS service is best suited when migrating from an on-premises ZFS file system to AWS? - Amazon FSx for OpenZFS - Amazon FSx for NetApp ONTAP - Amazon FSx for Windows File Server - Amazon FSx for Luster

Amazon FSx for OpenZFS

A company is running Amazon S3 File Gateway to host their data on S3 buckets and is able to mount them on-premises using SMB. The data currently is hosted on S3 Standard storage class and there is a requirement to reduce the costs for S3. So, they have decided to migrate some of those data to S3 Glacier. What is the most efficient way they can use to move the data to S3 Glacier automatically? - Create a Lambda function to migrate data to S3 Glacier and periodically trigger it every day using Amazon EventBridge - Use S3 Batch Operations to loop through S3 files and move them to S3 Glacier every day - Use S3 Lifecycle Policy - Use AWS DataSync to replicate data to Glacier every day - Configure S3 File Gateway to send the data to S3 Glacier directly

Use S3 Lifecycle Policy

You have on-premises sensitive files and documents that you want to regularly synchronize to AWS to keep another copy. Which AWS service can help you with that? - AWS Database Migration Service - Amazon EFS - AWS DataSync

AWS DataSync ## Footnote AWS DataSync is an online data transfer service that simplifies, automates, and accelerates moving data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services.

You have an e-commerce website and you are preparing for Black Friday which is the biggest sale of the year. You expect that your traffic will increase by 100x. Your website already using an SQS Standard Queue, and you're running a fleet of EC2 instances in an Auto Scaling Group to consume SQS messages. What should you do to prepare your SQS Queue? - Contact AWS Support to pre-warm your SQS Standard Queue - Enable Auto Scaling in your SQS Queue - Increase the capacity of the SQS Queue - Do nothing, SQS Scales automatically

Do nothing, SQS Scales automatically

You have an SQS Queue where each consumer polls 10 messages at a time and finishes processing them in 1 minute. After a while, you noticed that the same SQS messages are received by different consumers resulting in your messages being processed more than once. What should you do to resolve this issue? - Enable Long Polling - Add `DelaySeconds` parameter to the messages while being produced - Increase the Visibility Timeout - Decrease the Visibility Timeout

Increase the Visibility Timeout ## Footnote SQS Visibility Timeout is a period of time during which Amazon SQS prevents other consumers from receiving and processing the message again. In Visibility Timeout, a message is hidden only after it is consumed from the queue. Increasing the Visibility Timeout gives more time to the consumer to process the message and prevent duplicate reading of the message. (default: 30 sec., min.: 0 sec., max.: 12 hours)

Which SQS Queue type allows your messages to be processed exactly once and in order? - SQS Standard Queue - SQS Dead Letter Queue - SQS Delay Queue - SQS FIFO Queue

SQS FIFO Queue ## Footnote SQS FIFO (First-In-First-Out) Queues have all the capabilities of the SQS Standard Queue, plus the following two features. First, The order in which messages are sent and received are strictly preserved and a message is delivered once and remains available until a consumer process and deletes it. Second, duplicated messages are not introduced into the queue.

You have 3 different applications that you'd like to send them the same message. All 3 applications are using SQS. What is the best approach would you choose? - Use SQS Replication Feature - Use SNS + SQS Fan Out Pattern - Send messages individually to 3 SQS queues

Use SNS + SQS Fan Out Pattern ## Footnote This is a common pattern where only one message is sent to the SNS topic and then "fan-out" to multiple SQS queues. This approach has the following features: it's fully decoupled, no data loss, and you have the ability to add more SQS queues (more applications) over time.

You have a Kinesis data stream with 6 shards provisioned. This data stream usually receiving 5 MB/s of data and sending out 8 MB/s. Occasionally, your traffic spikes up to 2x and you get a `ProvisionedThroughputExceeded` exception. What should you do to resolve the issue? - Add more Shards - Enable Kinesis Replication - Use SQS as a buffer to Kinesis

Add more Shards ## Footnote The capacity limits of a Kinesis data stream are defined by the number of shards within the data stream. The limits can be exceeded by either data throughput or the number of reading data calls. Each shard allows for 1 MB/s incoming data and 2 MB/s outgoing data. You should increase the number of shards within your data stream to provide enough capacity.

You have a website where you want to analyze clickstream data such as the sequence of clicks a user makes, the amount of time a user spends, and where the navigation begins and how it ends. You decided to use Amazon Kinesis, so you have configured the website to send these clickstream data all the way to a Kinesis data stream. While you checking the data sent to your Kinesis data stream, you found that the users' data is not ordered and the data for one individual user is spread across many shards. How would you fix this problem? - There are too many shards, you should use only 1 shard - You shouldn't use multiple consumers, only one and it should re-order data - For each record sent to Kinesis add a partition key that represents the identity of the user

For each record sent to Kinesis add a partition key that represents the identity of the user ## Footnote Kinesis Data Stream uses the partition key associated with each data record to determine which shard a given data record belongs to. When you use the identity of each user as the partition key, this ensures the data for each user is ordered hence sent to the same shard.

You are running an application that produces a large amount of real-time data that you want to load into S3 and Redshift. Also, these data need to be transformed before being delivered to their destination. What is the best architecture would you choose? - SQS + AWS Lambda - SNS + HTTP Endpoint - Kinesis Data Streams + Kinesis Data Firehose

Kinesis Data Streams + Kinesis Data Firehose ## Footnote This is a perfect combo of technology for loading data near real-time data into S3 and Redshift. Kinesis Data Firehose supports custom data transformations using AWS Lambda.

Which of the following is **NOT** a supported subscriber for AWS SNS? - Amazon Kinesis Data Streams - Amazon SQS - HTTP(S) Endpoint - AWS Lambda

Amazon Kinesis Data Streams ## Footnote Note: Kinesis Data Firehose is now supported, but not Kinesis Data Streams.

Which AWS service helps you when you want to send email notifications to your users? - Amazon SQS with AWS Lambda - Amazon SNS - Amazon Kinesis

Amazon SNS

You're running many micro-services applications on-premises and they communicate using a message broker that supports MQTT protocol. You're planning to migrate these applications to AWS without re-engineering the applications and modifying the code. Which AWS service allows you to get a managed message broker that supports the MQTT protocol? - Amazon SQS - Amazon SNS - Amazon Kinesis - Amazon MQ

Amazon MQ ## Footnote Amazon MQ supports industry-standard APIs such as JMS and NMS, and protocols for messaging, including AMQP, STOMP, MQTT, and WebSocket.

An e-commerce company is preparing for a big marketing promotion that will bring millions of transactions. Their website is hosted on EC2 instances in an Auto Scaling Group and they are using Amazon Aurora as their database. The Aurora database has a bottleneck and a lot of transactions have been failed in the last promotion they have made as they had a lot of transaction and the Aurora database wasn’t prepared to handle these too many transactions. What do you recommend to handle those transactions and prevent any failed transactions? - Use SQS as a buffer to write to Aurora - Host the website in AWS Fargate instead of EC2 instances - Migrate Aurora to RDS for SQL Server

Use SQS as a buffer to write to Aurora

A company is using Amazon Kinesis Data Streams to ingest clickstream data and then do some analytical processes on it. There is a campaign in the next few days and the traffic is unpredictable which might grow up to 100x. What Kinesis Data Stream capacity mode do you recommend? - Provisioned Mode - On-demand Mode

On-demand Mode

You have multiple Docker-based applications hosted on-premises that you want to migrate to AWS. You don't want to provision or manage any infrastructure; you just want to run your containers on AWS. Which AWS service should you choose? - Elastic Container Service (ECS) in EC2 Launch Mode - Elastic Container Registry (ECR) - AWS Fargate on ECS

AWS Fargate on ECS ## Footnote AWS Fargate allows you to run your containers on AWS without managing any servers.

Amazon Elastic Container Service (ECS) has two Launch Types: .................. and .................. - Amazon EC2 Launch Type and Fargate Launch Type - Amazon EC2 Launch Type and EKS Launch Type - Fargate Launch Type and EKS Launch Type

Amazon EC2 Launch Type and Fargate Launch Type

You have an application hosted on an ECS Cluster (EC2 Launch Type) where you want your ECS tasks to upload files to an S3 bucket. Which IAM Role for your ECS Tasks should you modify? - EC2 Instance Profile - ECS Task Role

ECS Task Role ## Footnote ECS Task Role is the IAM Role used by the ECS task itself. Use when your container wants to call other AWS services like S3, SQS, etc.

You're planning to migrate a WordPress website running on Docker containers from on-premises to AWS. You have decided to run the application in an ECS Cluster, but you want your docker containers to access the same WordPress website content such as website files, images, videos, etc. What do you recommend to achieve this? - Mount an EFS Volume - Mount an EBS Volume - Use an EC2 Instance Store

Mount an EFS Volume ## Footnote EFS volume can be shared between different EC2 instances and different ECS Tasks. It can be used as a persistent multi-AZ shared storage for your containers.

You are deploying an application on an ECS Cluster made of EC2 instances. Currently, the cluster is hosting one application that is issuing API calls to DynamoDB successfully. Upon adding a second application, which issues API calls to S3, you are getting authorization issues. What should you do to resolve the problem and ensure proper security? - Edit the EC2 instance role to add permissions to S3 - Create an IAM task for the new application - Enable the Fargate mode - Edit the S3 bucket policy to allow the ECS task

Create an IAM task for the new application

You are migrating your on-premises Docker-based applications to Amazon ECS. You were using Docker Hub Container Image Library as your container image repository. Which is an alternative AWS service which is fully integrated with Amazon ECS? - AWS Fargate - Elastic Container Registry (ECR) - Elastic Kubernetes Service (EKS) - Amazon EC2

Elastic Container Registry (ECR)

Amazon EKS supports the following node types, EXCEPT ……………….. - Managed Node Groups - Self-Managed Nodes - AWS Fargate - AWS Lambda

AWS Lambda

A developer has a running website and APIs on his local machine using containers and he wants to deploy both of them on AWS. The developer is new to AWS and doesn’t know much about different AWS services. Which of the following AWS services allows the developer to build and deploy the website and the APIs in the easiest way according to AWS best practices? - AWS App Runner - EC2 Instances + Application Load Balancer - Amazon ECS - AWS Fargate

AWS App Runner

You have created a Lambda function that typically will take around 1 hour to process some data. The code works fine when you run it locally on your machine, but when you invoke the Lambda function it fails with a **"timeout"** error after 3 seconds. What should you do? - Configure your Lambda's timeout to 25 minutes - Configure your Lambda's memory to 10 GB - Run your code somewhere else (e.g. EC2 instance)

Run your code somewhere else (e.g. EC2 instance) ## Footnote Lambda's maximum execution time is 15 minutes. You can run your code somewhere else such as an EC2 instance or use Amazon ECS.

Before you create a DynamoDB table, you need to provision the EC2 instance the DynamoDB table will be running on. - True - False

False ## Footnote DynamoDB is serverless with no servers to provision, patch, or manage and no software to install, maintain or operate. It automatically scales tables up and down to adjust for capacity and maintain performance. It provides both provisioned (specify RCU & WCU) and on-demand (pay for what you use) capacity modes.

You have provisioned a DynamoDB table with 10 RCUs and 10 WCUs. A month later you want to increase the RCU to handle more read traffic. What should you do? - Increase RCU and keep WCU the same - You need to increase both RCU and WCU - Increase RCU and decrease WCU

Increase RCU and keep WCU the same ## Footnote RCU and WCU are decoupled, so you can increase/decrease each value separately.

You have an e-commerce website where you are using DynamoDB as your database. You are about to enter the Christmas sale and you have a few items which are very popular and you expect that they will be read often. Unfortunately, last year due to the huge traffic you had the `ProvisionedThroughputExceededException` exception. What would you do to prevent this error from happening again? - Increase the RCU to a very high value - Create a DAX Cluster - Migrate the database away from DynamoDB for the time of the sale

Create a DAX Cluster ## Footnote DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to 10x performance improvement. It caches the most frequently used data, thus offloading the heavy reads on hot keys off your DynamoDB table, hence preventing the "ProvisionedThroughputExceededException" exception.

You have developed a mobile application that uses DynamoDB as its datastore. You want to automate sending welcome emails to new users after they sign up. What is the most efficient way to achieve this? - Schedule a Lambda function to run every minute using CloudWatch Events, scan the entire table looking for new users - Enable SNS and DynamoDB integration - Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails

Enable DynamoDB Streams and configure it to invoke a Lambda function to send emails ## Footnote DynamoDB Streams allows you to capture a time-ordered sequence of item-level modifications in a DynamoDB table. It's integrated with AWS Lambda so that you create triggers that automatically respond to events in real-time.

To create a serverless API, you should integrate Amazon API Gateway with ...................... - EC2 Instance - Elastic Load Balancing - AWS Lambda

AWS Lambda

When you are using an Edge-Optimized API Gateway, your API Gateway lives in CloudFront Edge Locations across all AWS Regions. - False - True

False ## Footnote An Edge-Optimized API Gateway is best for geographically distributed clients. API requests are routed to the nearest CloudFront Edge Location which improves latency. The API Gateway still lives in one AWS Region.

You are running an application in production that is leveraging DynamoDB as its datastore and is experiencing smooth sustained usage. There is a need to make the application run in development mode as well, where it will experience the unpredictable volume of requests. What is the most cost-effective solution that you recommend? - Use Provisioned Capacity Mode with Auto Scaling enabled for both development and production - Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development - Use Provisioned Capacity Mode with Auto Scaling enabled for development and use On-Demand Capacity Mode for production - Use On-Demand Capacity Mode for both Development and Production

Use Provisioned Capacity Mode with Auto Scaling enabled for production and use On-Demand Capacity Mode for development

You have an application that is served globally using CloudFront Distribution. You want to authenticate users at the CloudFront Edge Locations instead of authentication requests go all the way to your origins. What should you use to satisfy this requirement? - Lambda@Edge - API Gateway - DynamoDB - AWS Global Accelerator

Lambda@Edge ## Footnote Lambda@Edge is a feature of CloudFront that lets you run code closer to your users, which improves performance and reduces latency.

The maximum size of an item in a DynamoDB table is ................... - 1MB - 400KB - 500KB - 400MB

400KB

Which AWS service allows you to build Serverless workflows using AWS services (e.g., Lambda) and supports human approval? - AWS Lambda - Amazon ECS - AWS Step Functions - AWS Storage Gateway

AWS Step Functions

A company has a serverless application on AWS which consists of Lambda, DynamoDB, and Step Functions. In the last month, there are an increase in the number of requests against the application which results in an increase in DynamoDB costs, and requests started to be throttled. After further investigation, it shows that the majority of requests are read requests against some queries in the DynamoDB table. What do you recommend to prevent throttles and reduce costs efficiently? - Use an EC2 Instance with Redis installed and place it between the Lambda function and the DynamoDB table - Migrate from DynamoDB to Aurora and use ElastiCache to cache the most requested read data - Migrate from DynamoDB to S3 and use Cloudfront to cache the most requested read data - Use DynamoDB Accelerator (DAX) to cache the most requested read data

Use DynamoDB Accelerator (DAX) to cache the most requested read data

You are a DevOps engineer in a football company that has a website that is backed by a DynamoDB table. The table stores viewers’ feedback for football matches. You have been tasked to work with the analytics team to generate reports on the viewers’ feedback. The analytics team wants the data in DynamoDB in `json` format and hosted in an S3 bucket to start working on it and create the reports. What is the best and most cost-effective way to convert DynamoDB data to `json` files? - Select DynamoDB and then select export to S3 - Create a Lambda function to read DynamoDB data, convert them to `json` files, then store the files in S3 bucket - Use AWS Transfer Family - Use AWS DataSync

Select DynamoDB and then select export to S3

A website is currently in the development process and it is going to be hosted on AWS. There is a requirement to store user sessions for users logged in to the website with an automatic expiry and deletion of expired user sessions. Which of the following AWS services are best suited for this use case? - Store users' sessions in an S3 bucket and enable S3 Lifecycle Policy - Store users' sessions locally in an EC2 instance - Store users' sessions in a DynamoDB table and enable TTL - Store users' sessions in an EFS File System

Store users' sessions in a DynamoDB table and enable TTL

You have a mobile application and would like to give your users access to their own personal space in the S3 bucket. How do you achieve that? - Generate IAM user credentials for each of your application's users - Use Amazon Cognito Identity Federation - Use SAML Identity Federation - Use a Bucket Policy to make your bucket public

Use Amazon Cognito Identity Federation ## Footnote Amazon Cognito can be used to federate mobile user accounts and provide them with their own IAM permissions, so they can be able to access their own personal space in the S3 bucket.

You are developing a new web and mobile application that will be hosted on AWS and currently, you are working on developing the login and signup page. The application backend is serverless and you are using Lambda, DynamoDB, and API Gateway. Which of the following is the best and easiest approach to configure the authentication for your backend? - Store users' credentials in a DynamoDB table encrypted using KMS - Store users' credentials in a S3 bucket encrypted using KMS - Use Cognito User Pools - Store users' credentials in AWS Secrets Manager

Use Cognito User Pools

You are running a mobile application where you want each registered user to upload/download images to/from his own folder in the S3 bucket. Also, you want to give your users to sign-up and sign in using their social media accounts (e.g., Facebook). Which AWS service should you choose? - AWS Identity and Access Management (IAM) - AWS IAM Identity center - Amazon Cognito - Amazon CloudFront

Amazon Cognito ## Footnote Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

A startup company plans to run its application on AWS. As a solutions architect, the company hired you to design and implement a fully Serverless REST API. Which technology stack do you recommend? - API Gateway + AWS Lambda - Application Load Balancer + EC2 - Elastic Container Service (ECS) + Elastic Block Store - Amazon CloudFront + S3

API Gateway + AWS Lambda

The following AWS services have an out of the box caching feature, **EXCEPT** ................. - API Gateway - Lambda - DynamoDB

Lambda

You have a lot of static files stored in an S3 bucket that you want to distribute globally to your users. Which AWS service should you use? - S3 Cross-Region Replication - Amazon CloudFront - Amazon Route 53 - API Gateway

Amazon CloudFront ## Footnote Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. This is a perfect use case for Amazon CloudFront.

You have created a DynamoDB table in `ap-northeast-1` and would like to make it available in `eu-west-1`, so you decided to create a DynamoDB Global Table. What needs to be enabled first before you create a DynamoDB Global Table? - DynamoDB Streams - DynamoDB DAX - DynamoDB Versioning - DynamoDB Backups

DynamoDB Streams ## Footnote DynamoDB Streams enable DynamoDB to get a changelog and use that changelog to replicate data across replica tables in other AWS Regions.

You have configured a Lambda function to run each time an item is added to a DynamoDB table using DynamoDB Streams. The function is meant to insert messages into the SQS queue for further long processing jobs. Each time the Lambda function is invoked, it seems able to read from the DynamoDB Stream but it isn't able to insert the messages into the SQS queue. What do you think the problem is? - Lambda can't be used to insert messages into the SQS queue, use an EC2 instance instead - The Lambda Execution IAM Role is missing permissions - The Lambda security group must allow outbound access to SQS - The SQS security group must be edited to allow AWS Lambda

The Lambda Execution IAM Role is missing permissions

You would like to create an architecture for a micro-services application whose sole purpose is to encode videos stored in an S3 bucket and store the encoded videos back into an S3 bucket. You would like to make this micro-services application reliable and has the ability to retry upon failures. Each video may take over 25 minutes to be processed. The services used in the architecture should be asynchronous and should have the capability to be stopped for a day and resume the next day from the videos that haven't been encoded yet. Which of the following AWS services would you recommend in this scenario? - Amazon S3 + AWS Lambda - Amazon SNS + Amazon EC2 - Amazon SQS + Amazon EC2 - Amazon SQS + AWS Lambda

Amazon SQS + Amazon EC2 ## Footnote Amazon SQS allows you to retain messages for days and process them later, while we can take down our EC2 instances.

You are running a photo-sharing website where your images are downloaded from all over the world. Every month you publish a master pack of beautiful mountain images that are over 15 GB in size. The content is currently hosted on an Elastic File System (EFS) file system and distributed by an Application Load Balancer and a set of EC2 instances. Each month, you are experiencing very high traffic which increases the load on your EC2 instances and increases network costs. What do you recommend to reduce EC2 load and network costs without refactoring your website? - Hosts the master pack into S3 - Enable Application Load Balancer Caching - Scale up the EC2 instances - Create a CloudFront Distribution

Create a CloudFront Distribution ## Footnote Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds. Amazon CloudFront can be used in front of an Application Load Balancer.

Which database helps you store relational datasets, with SQL language compatibility and the capability of processing transactions such as insert, update, and delete? - Amazon DocumentDB - Amazon RDS - Amazon DynamoDB - Amazon ElastiCache

Amazon RDS

Which AWS service provides you with caching capability that is compatible with Redis API? - Amazon RDS - Amazon DynamoDB - Amazon OpenSearch - Amazon ElastiCache

Amazon ElastiCache ## Footnote Amazon ElastiCache is a fully managed in-memory data store, compatible with Redis or Memcached.

You want to migrate an on-premises MongoDB NoSQL database to AWS. You don't want to manage any database servers, so you want to use a managed NoSQL Serverless database, that provides you with high availability, durability, and reliability, and the capability to take your database global. Which database should you choose? - Amazon RDS - Amazon DynamoDB - Amazon DocumentDB - Amazon Aurora

Amazon DynamoDB ## Footnote Amazon DynamoDB is a key-value, document, NoSQL database.

You are looking to perform Online Transaction Processing (OLTP). You would like to use a database that has built-in auto-scaling capabilities and provides you with the maximum number of replicas for its underlying storage. What AWS service do you recommend? - Amazon ElastiCache - Amazon Neptune - Amazon Aurora - Amazon RDS

Amazon Aurora ## Footnote Amazon Aurora is a MySQL and PostgreSQL-compatible relational database. It features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across 3 AZs.

As a Solutions Architect, a startup company asked you for help as they are working on an architecture for a social media website where users can be friends with each other, and like each other's posts. The company plan on performing some complicated queries such as *"What are the number of likes on the posts that have been posted by the friends of Mike?"*. Which database do you recommend? - Amazon RDS - Amazon QLDB - Amazon Neptune - Amazon OpenSearch

Amazon Neptune ## Footnote Amazon Neptune is a fast, reliable, fully-managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

You have a set of files, 100MB each, that you want to store in a reliable and durable key-value store. Which AWS service do you recommend? - Amazon Aurora - Amazon S3 - Amazon DynamoDB - Amazon ElastiCache

Amazon S3

A company has an on-premises website that uses ReactJS as its frontend, NodeJS as its backend, and MongoDB for the database. There are some issues with the self-hosted MongoDB database as there is a lot of maintenance required and they don’t have and can’t afford the resources or experience to handle those issues. So, a decision was made to migrate the website to AWS. They have decided to host the frontend ReactJS application in an S3 bucket and the NodeJS backend on a set of EC2 instances. Which AWS service can they use to migrate the MongoDB database that provides them with high scalability and availability without making any code changes? - Amazon ElastiCache - Amazon DocumentDB - Amazon RDS for MongoDB - Amazon Neptune

Amazon DocumentDB

A company using a self-hosted on-premises Apache Cassandra database which they want to migrate to AWS. Which AWS service can they use which provides them with a fully managed, highly available, and scalable Apache Cassandra database? - Amazon DocumentDB - Amazon DynamoDB - Amazon Timestream - Amazon Keyspaces

Amazon Keyspaces

An online payment company is using AWS to host its infrastructure. Due to the application’s nature, they have a strict requirement to store an accurate record of financial transactions such as credit and debit transactions. Those transactions must be stored in secured, immutable, encrypted storage which can be cryptographically verified. Which AWS service is best suited for this use case? - Amazon DocumentDB - Amazon Aurora - Amazon QLDB - Amazon Neptune

Amazon QLDB

A startup is working on developing a new project to reduce forest fires due to climate change. The startup is developing sensors that will be spread across the entire forest to make some readings such as temperature, humidity, and pressures which will help detect the forest fires before it happens. They are going to have thousands of sensors that are going to store a lot of readings each second. There is a requirement to store those readings and do fast analytics so they can predict if there is a fire. Which AWS service can they use to store those readings? - Amazon Timestream - Amazon Neptune - Amazon S3 - Amazon ElastiCache

Amazon Timestream

You would like to have a database that is efficient at performing analytical queries on large sets of columnar data. You would like to connect to this Data Warehouse using a reporting and dashboard tool such as Amazon QuickSight. Which AWS technology do you recommend? - Amazon RDS - Amazon S3 - Amazon Redshift - Amazon Neptune

Amazon Redshift

You have a lot of log files stored in an S3 bucket that you want to perform a quick analysis, if possible Serverless, to filter the logs and find users that attempted to make an unauthorized action. Which AWS service allows you to do so? - Amazon DynamoDB - Amazon Redshift - S3 Glacier - Amazon Athena

Amazon Athena

As a Solutions Architect, you have been instructed you to prepare a disaster recovery plan for a Redshift cluster. What should you do? - Enable Multi-AZ - Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region - Take a snapshot then restore to a Redshift Global Cluster

Enable Automated Snapshots, then configure your Redshift cluster to automatically copy snapshots to another AWS region

Which feature in Redshift forces all **COPY** and **UNLOAD** traffic moving between your cluster and data repositories through your VPCs? - Enhanced VPC Routing - Improved VPC Routing - Redshift Spectrum

Enhanced VPC Routing

You are running a gaming website that is using DynamoDB as its data store. Users have been asking for a search feature to find other gamers by name, with partial matches if possible. Which AWS technology do you recommend to implement this feature? - Amazon DynamoDB - Amazon Redshift - Amazon OpenSearch Service - Amazon Neptune

Amazon OpenSearch Service

An AWS service allows you to create, run, and monitor ETL (extract, transform, and load) jobs in a few clicks. - AWS Glue - Amazon Redshift - Amazon RDS - Amazon DynamoDB

AWS Glue

A company is using AWS to host its public websites and internal applications. Those different websites and applications generate a lot of logs and traces. There is a requirement to centrally store those logs and efficiently search and analyze those logs in real-time for detection of any errors and if there is a threat. Which AWS service can help them efficiently store and analyze logs? - Amazon S3 - Amazon OpenSearch Service - Amazon ElastiCache - Amazon QLDB

Amazon OpenSearch Service

……………………….. makes it easy and cost-effective for data engineers and analysts to run applications built using open source big data frameworks such as Apache Spark, Hive, or Presto without having to operate or manage clusters. - AWS Lambda - Amazon EMR - Amazon Athena - Amazon OpenSearch Service

Amazon EMR

An e-commerce company has all its historical data such as orders, customers, revenues, and sales for the previous years hosted on a Redshift cluster. There is a requirement to generate some dashboards and reports indicating the revenues from the previous years and the total sales, so it will be easy to define the requirements for the next year. The DevOps team is assigned to find an AWS service that can help define those dashboards and have native integration with Redshift. Which AWS service is best suited? - Amazon OpenSearch Service - Amazon Athena - Amazon QuickSight - Amazon EMR

Amazon QuickSight

Which AWS Glue feature allows you to save and track the data that has already been processed during a previous run of a Glue ETL job? - Glue Job Bookmarks - Glue Elastic Views - Glue Streaming ETL - Glue DataBrew

Glue Job Bookmarks

You are a DevOps engineer in a machine learning company with 3 TB of JSON files stored in an S3 bucket. There’s a requirement to do some analytics on those files using Amazon Athena and you have been tasked to find a way to convert those files’ format from JSON to Apache Parquet. Which AWS service is best suited? - S3 Object Versioning - Kinesis Data Streams - Amazon MSK - AWS Glue

AWS Glue

You have an on-premises application that is used together with an on-premises Apache Kafka to receive a stream of clickstream events from multiple websites. You have been tasked to migrate this application as soon as possible without any code changes. You decided to host the application on an EC2 instance. What is the best option you recommend to migrate Apache Kafka? - Kinesis Data Streams - AWS Glue - Amazon MSK - Kinesis Data Analytics

Amazon MSK

You have data stored in RDS, S3 buckets and you are using AWS Lake Formation as a data lake to collect, move and catalog data so you can do some analytics. You have a lot of big data and ML engineers in the company and you want to control access to part of the data as it might contain sensitive information. What can you use? - Lake Formation Fine-grained Access Control - Amazon Cognito - AWS Shield - S3 Object Lock

Lake Formation Fine-grained Access Control

Which AWS service is most appropriate when you want to perform real-time analytics on streams of data? - Amazon SQS - Amazon SNS - Amazon Kinesis Data Analytics - Amazon Kinesis Data Firehose

Amazon Kinesis Data Analytics ## Footnote Use Kinesis Data Analytics with Kinesis Data Streams as the underlying source of data.

You should use Amazon Transcribe to turn text into lifelike speech using deep learning. - True - False

False ## Footnote Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text. Amazon Polly is a service that turns text into lifelike speech.

A company would like to implement a chatbot that will convert speech-to-text and recognize the customers' intentions. What service should it use? - Transcribe - Rekognition - Connect - Lex

Lex ## Footnote Amazon Lex is a service for building conversational interfaces into any application using voice and text. Lex provides the advanced deep learning functionalities of automatic speech recognition (ASR) for converting speech to text, and natural language understanding (NLU) to recognize the intent of the text, to enable you to build applications with highly engaging user experiences and lifelike conversational interactions.

Which fully managed service can deliver highly accurate forecasts? - Personalize - SageMaker - Lex - Forecast

Forecast ## Footnote Amazon Forecast is a fully managed service that uses machine learning to deliver highly accurate forecasts.

You would like to find objects, people, text, or scenes in images and videos. What AWS service should you use? - Rekognition - Polly - Kendra - Lex

Rekognition ## Footnote Amazon Rekognition makes it easy to add image and video analysis to your applications using proven, highly scalable, deep learning technology that requires no machine learning expertise to use.

A start-up would like to rapidly create customized user experiences. Which AWS service can help? - Personalize - Kendra - Connect

Personalize ## Footnote Amazon Personalize is a machine learning service that makes it easy for developers to create individualized recommendations for customers using their applications.

A research team would like to group articles by topics using Natural Language Processing (NLP). Which service should they use? - Translate - Comprehend - Lex - Rekognition

Comprehend ## Footnote Amazon Comprehend is a natural language processing (NLP) service that uses machine learning to find meaning and insights in text.

A company would like to convert its documents into different languages, with natural and accurate wording. What should they use? - Transcribe - Polly - Translate - WordTranslator

Translate ## Footnote Amazon Translate is a neural machine translation service that delivers fast, high-quality, and affordable language translation.

A developer would like to build, train, and deploy a machine learning model quickly. Which service can he use? - SageMaker - Polly - Comprehend - Personalize

SageMaker ## Footnote Amazon SageMaker is a fully managed service that provides every developer and data scientist with the ability to build, train, and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process to make it easier to develop high quality models.

Which AWS service makes it easy to convert speech-to-text? - Connect - Translate - Transcribe - Polly

Transcribe ## Footnote Amazon Transcribe is an AWS service that makes it easy for customers to convert speech-to-text.

Which of the following services is a document search service powered by machine learning? - Forecast - Kendra - Comprehend - Polly

Kendra ## Footnote Amazon Kendra is a highly accurate and easy to use enterprise search service that’s powered by machine learning.

A company is managing an image and video sharing platform which is used by customers around the globe. The platform is running on AWS using an S3 bucket to host both images and videos and using CloudFront as the CDN to deliver content to customers all over the world with low latency. In the last couple of months, a lot of customers have complained that they have started to see inappropriate content on the platform which started to increase in the last week. It will be very expensive and time-consuming to manually approve those images and videos by employees before its published on the platform. There is a requirement to find a solution that can automatically detect inappropriate and offensive images and videos and give you the ability to set a minimum confidence threshold for items that will be flagged and allows for manual review. Which AWS service can fit the requirement? - Amazon Polly - Amazon Translate - Amazon Lex - Amazon Rekognition

Amazon Rekognition

An online medical company that allows you to book an appointment with doctors using through a phone call is using AWS to host their infrastructure. They are using Amazon Connect and Amazon Lex to receive calls and create a workflow, book an appointment, and pay. According to the company’s policy, all calls must be recorded for review. But, there is a requirement to remove any Personally Identifiable Information (PII) from the call before it's saved. What do you recommend to use which helps in removing PII from calls? - Amazon Polly - Amazon Transcribe - Amazon Rekognition - Amazon Forecast

Amazon Transcribe

Amazon Polly allows you to turn text into speech. It has two important features. First is ……………….. which allows you to customize the pronunciation of words (e.g., “Amazon EC2” will be “Amazon Elastic Compute Cloud”). The second is ……………….. which allows you to emphasize words, including breathing sounds, whispering, and more. - Speech Synthesis Markup Language (SSML), Pronunciation Lexicons - Pronunciation Lexicons, Security Assertion Markup Language (SAML) - Pronunciation Lexicons, Speech Synthesis Markup Language (SSML) - Security Assertion Markup Language (SAML), Pronunciation Lexicons

Pronunciation Lexicons, Speech Synthesis Markup Language (SSML)

A medical company is in the process of implementing a solution to detect, extract, and analyze information from unstructured medical text like doctors’ notes, clinical trial reports, and radiology reports. Those documents are uploaded and stored on S3 buckets. According to the company’s regulations, the solution must be designed and implemented to keep patients’ privacy by identifying Protected Health Information (PHI) so the solution will be eligible with HIPAA. Which AWS service should you use? - Amazon Comprehend Medical - Amazon Rekognition - Amazon Polly - Amazon Translate

Amazon Comprehend Medical

You have an RDS DB instance that's configured to push its database logs to CloudWatch. You want to create a CloudWatch alarm if there's an `Error` found in the logs. How would you do that? - Create a scheduled CloudWatch Event that triggers an AWS Lambda every 1 hour, scans the logs, and notify you through SNS topic - Create a CloudWatch Logs Metric Filter that filters the logs for the keyword `Error`, then create a CloudWatch Alarm based on that Metric Filter - Create an AWS Config Rule that monitors `Error` in your database logs and notify you through SNS topic

Create a CloudWatch Logs Metric Filter that filters the logs for the keyword `Error`, then create a CloudWatch Alarm based on that Metric Filter

You have an application hosted on a fleet of EC2 instances managed by an Auto Scaling Group that you configured its minimum capacity to 2. Also, you have created a CloudWatch Alarm that is configured to scale in your ASG when CPU Utilization is below 60%. Currently, your application runs on 2 EC2 instances and has low traffic and the CloudWatch Alarm is in the **ALARM** state. What will happen? - One EC2 instance will be terminated and the ASG desired and minimum capacity will go to 1 - The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 Instances in the ASG - The CloudWatch Alarm will be detached from my ASG - The CloudWatch Alarm will go in OK state

The CloudWatch Alarm will remain in ALARM state but never decrease the number of EC2 Instances in the ASG ## Footnote The number of EC2 instances in an ASG can not go below the minimum capacity, even if the CloudWatch alarm would in theory trigger an EC2 instance termination.

How would you monitor your EC2 instance memory usage in CloudWatch? - Enable EC2 Detailed Monitoring - By default, the EC2 instance pushed memory usage to CloudWatch - Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch

Use the Unified CloudWatch Agent to push memory usage as a custom metric to CloudWatch

You have made a configuration change and would like to evaluate the impact of it on the performance of your application. Which AWS service should you use? - Amazon CloudWatch - AWS CloudTrail

Amazon CloudWatch ## Footnote Amazon CloudWatch is a monitoring service that allows you to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. It is used to monitor your applications' performance and metrics.

Someone has terminated an EC2 instance in your AWS account last week, which was hosting a critical database that contains sensitive data. Which AWS service helps you find who did that and when? - CloudWatch Metrics - CloudWatch Alarms - CloudWatch Events - AWS CloudTrail

AWS CloudTrail ## Footnote AWS CloudTrail allows you to log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. It provides the event history of your AWS account activity, audit API calls made through the AWS Management Console, AWS SDKs, AWS CLI. So, the EC2 instance termination API call will appear here. You can use CloudTrail to detect unusual activity in your AWS accounts.

You have CloudTrail enabled for your AWS Account in all AWS Regions. What should you use to detect unusual activity in your AWS Account? - CloudTrail Data Events - CloudTrail Insights - CloudTrail Management Events

CloudTrail Insights

One of your teammates terminated an EC2 instance 4 months ago which has critical data. You don't know who made this so you are going to review all API calls within this period using CloudTrail. You already have CloudTrail set up and configured to send logs to the S3 bucket. What should you do to find out who made this? - Use CloudTrail Event History in CloudTrail Console - Analyze CloudTrail logs in S3 bucket using Amazon Athena

Analyze CloudTrail logs in S3 bucket using Amazon Athena ## Footnote You can use the CloudTrail Console to view the last 90 days of recorded API activity. For events older than 90 days, use Athena to analyze CloudTrail logs stored in S3.

You are running a website on a fleet of EC2 instances with OS that has a known vulnerability on port 84. You want to continuously monitor your EC2 instances if they have port 84 exposed. How should you do this? - Setup CloudWatch Metrics - Setup CloudTrail Trails - Setup Config Rules - Schedule a CloudWatch Event to trigger a Lambda function to scan your EC2 instances

Setup Config Rules

You would like to evaluate the compliance of your resource's configurations over time. Which AWS service will you choose? - AWS Config - Amazon CloudWatch - AWS CloudTrail

AWS Config

Someone changed the configuration of a resource and made it non-compliant. Which AWS service is responsible for logging who made modifications to resources? - Amazon CloudWatch - AWS CloudTrail - AWS Config

AWS CloudTrail

You have enabled AWS Config to monitor Security Groups if there's unrestricted SSH access to any of your EC2 instances. Which AWS Config feature can you use to automatically re-configure your Security Groups to their correct state? - AWS Config Remediations - AWS Config Rules - AWS Config Notifications

AWS Config Remediations

You are running a critical website on a set of EC2 instances with a tightened Security Group that has restricted SSH access. You have enabled AWS Config in your AWS Region and you want to be notified via email when someone modified your EC2 instances' Security Group. Which AWS Config feature helps you do this? - AWS Config Remediations - AWS Config Rules - AWS Config Notifications

AWS Config Notifications

…………………………. is a CloudWatch feature that allows you to send CloudWatch metrics in near real-time to S3 bucket (through Kinesis Data Firehose) and 3rd party destinations (e.g., Splunk, Datadog, …). - CloudWatch Metric Stream - CloudWatch Log Stream - CloudWatch Metric Filter - CloudWatch Log Group

CloudWatch Metric Stream

A DevOps engineer is working for a company and managing its infrastructure and resources on AWS. There was a sudden spike in traffic for the main application for the company which was not normal in this period of the year. The application is hosted on a couple of EC2 instances in private subnets and is fronted by an Application Load Balancer in a public subnet. To detect if this is normal traffic or an attack, the DevOps engineer enabled the VPC Flow Logs for the subnets and stored those logs in CloudWatch Log Group. The DevOps wants to analyze those logs and find out the top IP addresses making requests against the website to check if there is an attack. Which of the following can help the DevOps engineer to analyze those logs? - CloudWatch Metric Stream - CloudWatch Alarm - CloudWatch Contributor Insights - CloudWatch Metric Filter

CloudWatch Contributor Insights

A company is developing a Serverless application on AWS using Lambda, DynamoDB, and Cognito. A junior developer joined a few weeks ago and accidentally deleted one of the DynamoDB tables in the dev AWS account which contained important data. The CTO asks you to prevent this from happening again and there must be a notification system to monitor if there is an attempt to make such deletion actions for the DynamoDB tables. What would you do? - Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any `DeleteTable` API calls through S3 and send a notification using KMS - Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any `DeleteTable` API calls through CloudTrail and send a notification using SNS - Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any `DeleteTable` API calls through S3 and send a notification using SNS

Assign developers to a certain IAM group which prevents deletion of DynamoDB tables. Configure EventBridge to capture any `DeleteTable` API calls through CloudTrail and send a notification using SNS

A company has a running Serverless application on AWS which uses EventBridge as an inter-communication channel between different services within the application. There is a requirement to use the events in the prod environment in the dev environment to make some tests. The tests will be done every 6 months, so the events need to be stored and used later on. What is the most efficient and cost-effective way to store EventBridge events and use them later? - Use EventBridge Archive and Replay feature - Create a Lambda function to store the EventBridge events in an S3 bucket for later usage - Configure EventBridge to store events in a DynamoDB Table

Use EventBridge Archive and Replay feature

You have strong regulatory requirements to only allow fully internally audited AWS services in production. You still want to allow your teams to experiment in a development environment while services are being audited. How can you best set this up? - Provide the Dev team with a completely independent AWS account - Apply a global IAM policy on your Prod account - Create an AWS Organization and create two Prod and Dev OUs, then Apply a SCP on the Prod OU - Create an AWS Config Rule

Create an AWS Organization and create two Prod and Dev OUs, then Apply a SCP on the Prod OU

You are managing the AWS account for your company, and you want to give one of the developers access to read files from an S3 bucket. You have updated the bucket policy to this, but he still can't access the files in the bucket. What is the problem? ``` { "Version": "2012-10-17", "Statement": [{ "Sid": "AllowsRead", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/Dave" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-files-bucket-xxx" }] } ``` - Everything is okay, he just needs to logout and login again - The bucket does not contain any files yet - You should change the resource to `arn:aws:s3:::static-files-bucket-xxx/*`, because this is an object-level permission

You should change the resource to `arn:aws:s3:::static-files-bucket-xxx/*`, because this is an object-level permission

You have 5 AWS Accounts that you manage using AWS Organizations. You want to restrict access to certain AWS services in each account. How should you do that? - Using IAM Roles - Using AWS Organizations SCP - Using AWS Config

Using AWS Organizations SCP

Which of the following IAM condition keys can you use to only allow API calls to a specified AWS region? - aws:RequiredRegion - aws:SourceRegion - aws:InitialRegion - aws:RequestedRegion

aws:RequestedRegion

When configuring permissions for EventBridge to configure a Lambda function as a target you should use ………………….. but when you want to configure a Kinesis Data Streams as a target you should use ………………….. - Identity-Based Policy, Resource-based Policy - Resource-based Policy, Identity-Based Policy - Identity-Based Policy, Identity-Based Policy - Resource-based Policy, Resource-based Policy

Resource-based Policy, Identity-Based Policy

To enable In-flight Encryption (In-Transit Encryption), we need to have ........................ - an HTTP endpoint with an SSL certificate - an HTTPS endpoint with an SSL certificate - a TCP endpoiont

an HTTPS endpoint with an SSL certificate ## Footnote In-flight Encryption = HTTPS, and HTTPS can not be enabled without an SSL certificate.

Server-Side Encryption means that the data is sent encrypted to the server. - True - False

False ## Footnote Server-Side Encryption means the server will encrypt the data for us. We don't need to encrypt it beforehand.

In Server-Side Encryption, where do the encryption and decryption happen? - Both Encryption and Decryption happen on the server - Both Encryption and Decryption happen on the client - Encryption happens on the server and Decryption happens on the client - Encryption happens on the client and Decryption happens on the server

Both Encryption and Decryption happen on the server ## Footnote In Server-Side Encryption, we can't do encryption/decryption ourselves as we don't have access to the corresponding encryption key.

In Client-Side Encryption, the server must know our encryption scheme before we can upload the data. - False - True

False ## Footnote With Client-Side Encryption, the server doesn't need to know any information about the encryption scheme being used, as the server will not perform any encryption or decryption operations.

You need to create KMS Keys in AWS KMS before you are able to use the encryption features for EBS, S3, RDS ... - True - False

False ## Footnote You can use the AWS Managed Service keys in KMS, therefore we don't need to create our own KMS keys.

AWS KMS supports both symmetric and asymmetric KMS keys. - True - False

True ## Footnote KMS keys can be symmetric or asymmetric. A symmetric KMS key represents a 256-bit key used for encryption and decryption. An asymmetric KMS key represents an RSA key pair used for encryption and decryption or signing and verification, but not both. Or it represents an elliptic curve (ECC) key pair used for signing and verification.

When you enable Automatic Rotation on your KMS Key, the backing key is rotated every ................. - 90 days - 1 year - 2 years - 3 years

1 year

You have an AMI that has an encrypted EBS snapshot using KMS CMK. You want to share this AMI with another AWS account. You have shared the AMI with the desired AWS account, but the other AWS account still can't use it. How would you solve this problem? - The other AWS account needs to logout and login again to refresh its credentials - You need to share the KMS CMK used to encrypt the AMI with the other AWS account - You can't share the AMI that has an encrypted EBS snapshot

You need to share the KMS CMK used to encrypt the AMI with the other AWS account

You have created a Customer-managed CMK in KMS that you use to encrypt both S3 buckets and EBS snapshots. Your company policy mandates that your encryption keys be rotated every 3 months. What should you do? - Re-configure your KMS CMK and enable Automatic Rotation, in the "Period" select 3 months - Use AWS Managed Keys as they are automatically rotated by AWS every 3 months - Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

Rotate the KMS CMK manually. Create a new KMS CMK and use Key Aliases to reference the new KMS CMK. Keep the old KMS CMK so you can decrypt the old data

What should you use to control access to your KMS CMKs? - KMS Key Policies - KMS IAM Policy - AWS GuardDuty - KMS Access Control List (KMS ACL)

KMS Key Policies

You have a Lambda function used to process some data in the database. You would like to give your Lambda function access to the database password. Which of the following options is the most secure? - Embed it in the code - Have it as a plaintext environment variable - Have it as an encrypted environment variable and decrypt it at runtime

Have it as an encrypted environment variable and decrypt it at runtime ## Footnote This is the most secure solution amongst these options.

You have a secret value that you use for encryption purposes, and you want to store and track the values of this secret over time. Which AWS service should you use? - AWS KMS Versioning feature - SSM Parameter Store - Amazon S3

SSM Parameter Store ## Footnote SSM Parameters Store can be used to store secrets and has built-in version tracking capability. Each time you edit the value of a parameter, SSM Parameter Store creates a new version of the parameter and retains the previous versions. You can view the details, including the values, of all versions in a parameter's history.

# [](http://) Your user-facing website is a high-risk target for DDoS attacks and you would like to get 24/7 support in case they happen and AWS bill reimbursement for the incurred costs during the attack. What AWS service should you use? - AWS WAF - AWS Shield Advanced - AWS Shield - AWS DDoS OpsTeam

AWS Shield Advanced

You would like to externally maintain the configuration values of your main database, to be picked up at runtime by your application. What's the best place to store them to maintain control and version history? - Amazon DynamoDB - Amazon S3 - Amazon EBS - SSM Parameter Store

SSM Parameter Store

AWS GuardDuty scans the following data sources, **EXCEPT** ................ - CloudTrail Logs - VPC Flow Logs - DNS Logs - CloudWatch Logs

CloudWatch Logs

You have a website hosted on a fleet of EC2 instances fronted by an Application Load Balancer. What should you use to protect your website from common web application attacks (e.g., SQL Injection)? - AWS Shield - AWS WAF - AWS Security Hub - AWS GuardDuty

AWS WAF

You would like to analyze OS vulnerabilities from within EC2 instances. You need these analyses to occur weekly and provide you with concrete recommendations in case vulnerabilities are found. Which AWS service should you use? - AWS Shield - Amazon GuardDuty - Amazon Inspector - AWS Config

Amazon Inspector

What is the most suitable AWS service for storing RDS DB passwords which also provides you automatic rotation? - AWS Secrets Manager - AWS KMS - AWS SSM Parameter Store

AWS Secrets Manager

Which AWS service allows you to centrally manage EC2 Security Groups and AWS Shield Advanced across all AWS accounts in your AWS Organization? - AWS Shield - AWS GuardDuty - AWS Config - AWS Firewall Manager

AWS Firewall Manager ## Footnote AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. It is integrated with AWS Organizations so you can enable AWS WAF rules, AWS Shield Advanced protection, security groups, AWS Network Firewall rules, and Amazon Route 53 Resolver DNS Firewall rules.

Which AWS service helps you protect your sensitive data stored in S3 buckets? - Amazon GuardDuty - Amazon Shield - Amazon Macie - AWS KMS

Amazon Macie ## Footnote Amazon Macie is a fully managed data security service that uses Machine Learning to discover and protect your sensitive data stored in S3 buckets. It automatically provides an inventory of S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with other AWS accounts. It allows you to identify and alert you to sensitive data, such as Personally Identifiable Information (PII).

An online-payment company is using AWS to host its infrastructure. The frontend is created using VueJS and is hosted on an S3 bucket and the backend is developed using PHP and is hosted on EC2 instances in an Auto Scaling Group. As their customers are worldwide, they use both CloudFront and Aurora Global database to implement multi-region deployments to provide the lowest latency and provide availability, and resiliency. A new feature is required which gives customers the ability to store data encrypted on the database and this data must not be disclosed even by the company admins. The data should be encrypted on the client side and stored in an encrypted format. What do you recommend to implement this? - Using Aurora Client-side Encryption and KMS Multi-region Keys - Using Lambda Client-side Encryption and KMS Multi-region Keys - Using Aurora Client-side Encryption and CloudHSM - Using Lambda Client-side Encryption and CloudHSM

Using Aurora Client-side Encryption and KMS Multi-region Keys

You have an S3 bucket that is encrypted with SSE-KMS. You have been tasked to replicate the objects to a target bucket in the same AWS region but with a different KMS Key. You have configured the S3 replication, the target bucket, and the target KMS key and it is still not working. What is missing to make the S3 replication work? - This is not a supported feature - You have to raise a support ticket for AWS to start this replication process for you - You have to configure permissions for both Source KMS Key `kms:Decrypt` and Target KMS Key `kms:Encrypt` to be used by the S3 Replication Service - The source KMS Key and the target KMS key must be the same

You have to configure permissions for both Source KMS Key `kms:Decrypt` and Target KMS Key `kms:Encrypt` to be used by the S3 Replication Service

You have generated a public certificate using LetsEncrypt and uploaded it to the ACM so you can use and attach to an Application Load Balancer that forwards traffic to EC2 instances. As this certificate is generated outside of AWS, it does not support the automatic renewal feature. How would you be notified 30 days before this certificate expires so you can manually generate a new one? - Configure ACM to send notifications by linking it to 3rd party certificate provides LetsEncrypt - Configure EventBridge for Daily Expiration Events for ACM to invoke SNS notifications to your email - Configure EventBridge Monthly Expiration Events from ACM to invoke SNS notifications to your email - Configure CloudWatch Alarms for Daily Expiration Events from ACM to invoke SNS notifications to your email

Configure EventBridge for Daily Expiration Events for ACM to invoke SNS notifications to your email

You have created the main Edge-Optimized API Gateway in `us-west-2` AWS region. This main Edge-Optimized API Gateway forwards traffic to the second level API Gateway in `ap-southeast-1`. You want to secure the main API Gateway by attaching an ACM certificate to it. Which AWS region are you going to create the ACM certificate in? - `us-east-1` - `us-west-2` - `ap-southeast-1` - Both `us-east-1` and `us-west-2 works`

`us-east-1` ## Footnote As the Edge-Optimized API Gateway is using a custom AWS managed CloudFront distribution behind the scene to route requests across the globe through CloudFront Edge locations, the ACM certificate must be created in us-east-1.

You are managing an AWS Organization with multiple AWS accounts. Each account has a separate application with different resources. You want an easy way to manage Security Groups and WAF Rules across those accounts as there was a security incident the last week and you want to tighten up your resources. Which AWS service can help you to do so? - AWS GuardDuty - Amazon Shield - Amazon Inspector - AWS Firewall Manager

AWS Firewall Manager

What does this CIDR `10.0.4.0/28` correspond to? - `10.0.4.0` to `10.0.4.15` - `10.0.4.0` to `10.0.32.0` - `10.0.4.0` to `10.0.4.28` - `10.0.0.0` to `10.0.16.0`

`10.0.4.0` to `10.0.4.15` ## Footnote /28 means 16 IPs (=2^(32-28) = 2^4), means only the last digit can change.

You have a corporate network of size `10.0.0.0/8` and a satellite office of size `192.168.0.0/16`. Which CIDR is acceptable for your AWS VPC if you plan on connecting your networks later on? - `172.16.0.0/12` - `172.16.0.0/16` - `10.0.16.0/16` - `192.168.4.0/18`

`172.16.0.0/16` ## Footnote CIDR not should overlap, and the max CIDR size in AWS is /16.

You plan on creating a subnet and want it to have at least capacity for 28 EC2 instances. What's the minimum size you need to have for your subnet? - /28 - /27 - /26 - /25

/26 ## Footnote Perfect size, 64 IPs.

Security Groups operate at the ................. level while NACLs operate at the ................. level. - EC2 instance, Subnet - Subnet, EC2 instance

EC2 instance, Subnet

You have attached an Internet Gateway to your VPC, but your EC2 instances still don't have access to the internet. What is **NOT** a possible issue? - Route Tables are missing entries - The EC2 instances don't have public IPs - The Security Group does not allow traffic in - The NACL does not allow network traffic out

The Security Group does not allow traffic in ## Footnote Security groups are stateful and if traffic can go out, then it can go back in.

You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use? - NAT Instances with Source/Destination Check flag off - Egress Only Internet Gateway - NAT Gateway

NAT Gateway

VPC Peering has been enabled between VPC A and VPC B, and the route tables have been updated for VPC A. But, the EC2 instances cannot communicate. What is the likely issue? - Check the NACL - Check the Route Tables in VPC B - Check the EC2 instance attached Security Groups - Check if DNS Resolution is enabled

Check the Route Tables in VPC B ## Footnote Route tables must be updated in both VPCs that are peered.

You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do? - Enable VPC Peering - Use a Customer Gateway - Use a Direct Connect Gateway - Set up a NAT Gateway

Use a Direct Connect Gateway ## Footnote This is the main use case of Direct Connect Gateways.

When using VPC Endpoints, what are the only two AWS services that have a Gateway Endpoint available? - Amazon S3 & Amazon SQS - Amazon SQS & DynamoDB - Amazon S3 & DynamoDB

Amazon S3 & DynamoDB ## Footnote These two services have a VPC Gateway Endpoint (remember it), all the other ones have an Interface endpoint (powered by Private Link - means a private IP).

AWS reserves 5 IP addresses each time you create a new subnet in a VPC. When you create a subnet with CIDR `10.0.0.0/24`, the following IP addresses are reserved, **EXCEPT** .................... - `10.0.0.1` - `10.0.0.2` - `10.0.0.3` - `10.0.0.4`

`10.0.0.4`

You have 3 VPCs A, B, and C. You want to establish a VPC Peering connection between all the 3 VPCs. What should you do? - As VPC Peering supports Transitive Peering, you need to establish 2 VPC Peering connections (A-B, B-C) - Establish 3 VPC Peering connections (A-B, A-C, B-C)

Establish 3 VPC Peering connections (A-B, A-C, B-C)

How can you capture information about IP traffic inside your VPCs? - Enable VPC Flow Logs - Enable VPC Traffic Mirroring - Enable CloudWatch Traffic Logs

Enable VPC Flow Logs ## Footnote VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

If you want a 500 Mbps Direct Connect connection between your corporate datacenter to AWS, you would choose a .................. connection. - Dedicated - Hosted

Hosted ## Footnote Hosted Direct Connect connection supports 50Mbps, 500Mbps, up to 10Gbps.

When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection? - Customer Gateway and NAT Gateway - Internet Gateway and Customer Gateway - Virtual Private Gateway and Internet Gateway - Virtual Private Gateway and Customer Gateway

Virtual Private Gateway and Customer Gateway

Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connections provider has been recently quite unstable, making your IT architecture partially offline. You would like to create a backup connection that will use the public Internet to link your on-premises sites, that you can failover in case of issues with your provider. What do you recommend? - VPC Peering - AWS VPC CloudHub - Direct Connect - AWS PrivateLink

AWS VPC CloudHub ## Footnote AWS VPN CloudHub allows you to securely communicate with multiple sites using AWS VPN. It operates on a simple hub-and-spoke model that you can use with or without a VPC.

You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use? - Site-to-Site VPN - AWS PrivateLink - AWS Direct Connect - Amazon EventBridge

AWS Direct Connect

Using a Direct Connect connection, you can access both public and private AWS resources. - True - False

True

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What should you do? - Use 2 Virtual Private Gateways - Use Direct Connect Gateway - Use Transit Gateway

Use Transit Gateway

You have a VPC in your AWS account that runs in a dual-stack mode. You are continuously trying to launch an EC2 instance, but it fails. After further investigation, you have found that you are no longer have IPv4 addresses available. What should you do? - Modify your VPC to run in IPv6 mode only - Modify your VPC to run in IPv4 mode only - Add an additional IPv4 CIDR to your VPC

Add an additional IPv4 CIDR to your VPC

A web application backend is hosted on EC2 instances in private subnets fronted by an Application Load Balancer in public subnets. There is a requirement to give some of the developers access to the backend EC2 instances but without exposing the backend EC2 instances to the Internet. You have created a bastion host EC2 instance in the public subnet and configured the backend EC2 instances Security Group to allow traffic from the bastion host. Which of the following is the best configuration for bastion host Security Group to make it secure? - Allow traffic only on port 80 from the company's public CIDR - Allow traffic only on port 22 from the company's public CIDR - Allow traffic only on port 22 from the company's private CIDR - Allow traffic only on port 80 from the company's private CIDR

Allow traffic only on port 22 from the company's public CIDR

A company has set up a Direct Connect connection between their corporate data center to AWS. There is a requirement to prepare a cost-effective secure backup connection in case there are issues with this Direct Connect connection. What is the most cost effective and secure solution you recommend? - Setup another Direct Connect connection to the same AWS region - Setup another Direct Connect connection to a different AWS region - Setup a Site-to-Site VPN connection as a backup

Setup a Site-to-Site VPN connection as a backup

Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7? - AWS Network Firewall - Amazon Guard Duty - Amazon Inspector - Amazon Shield

AWS Network Firewall

A web application hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed on a VPC with the following CIDR `192.168.0.0/18`. How do you configure the EC2 instances' security group to ensure only the ALB can access them on port `80`? - Add an Inbound Rule with port `80` and `0.0.0.0/0` as the source - Add an Inbound Rule with port `80` and `192.168.0.0/18` as the source - Add an Inbound Rule with port `80` and ALB's Security Group as the source - Load an SSL certificate on the ALB

Add an Inbound Rule with port `80` and ALB's Security Group as the source ## Footnote This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing by security groups in rules is an extremely powerful rule and many questions at the exam rely on it.

As part of your Disaster Recovery plan, you would like to have only the critical infrastructure up and running in AWS. You don't mind a longer Recovery Time Objective (RTO). Which DR strategy do you recommend? - Backup and Restore - Pilot Light - Warm Standby - Multi-Site

Pilot Light ## Footnote If you're interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

You would like to get the Disaster Recovery strategy with the lowest Recovery Time Objective (RTO) and Recovery Point Objective (RPO), regardless of the cost. Which DR should you choose? - Backup and Restore - Pilot Light - Warm Standby - Multi-Site

Multi-Site ## Footnote If you're interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

Which of the following Disaster Recovery strategies has a potentially high Recovery Point Objective (RPO) and Recovery Time Objective (RTO)? - Backup and Restore - Pilot Light - Warm Standby - Multi-Site

Backup and Restore ## Footnote If you're interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

You want to make a Disaster Recovery plan where you have a scaled-down version of your system up and running, and when a disaster happens, it scales up quickly. Which DR strategy should you choose? - Backup and Restore - Pilot Light - Warm Standby - Multi-Site

Warm Standby ## Footnote If you're interested, read more about Disaster Recovery options in AWS here: https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

You have an on-premises Oracle database that you want to migrate to AWS, specifically to Amazon Aurora. How would you do the migration? - Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data - Use AWS Database Migration Service (AWS DMS) to convert the database schema, then use AWS Schema Conversion Tool (AWS SCT) to migrate the data

Use AWS Schema Conversion Tool (AWS SCT) to convert the database schema, then use AWS Database Migration Service (AWS DMS) to migrate the data

AWS DataSync supports the following locations, **EXCEPT** .................... - Amazon S3 - Amazon EBS - Amazon EFS - Amazon FSx for Windows File Server

Amazon EBS

You are running many resources in AWS such as EC2 instances, EBS volumes, DynamoDB tables... You want an easy way to manage backups across all these AWS services from a single place. Which AWS offering makes this process easy? - Amazon S3 - AWS Storage Gateway - AWS Backup - EC2 Snapshots

AWS Backup ## Footnote AWS Backup enables you to centralize and automate data protection across AWS services. It helps you support your regulatory compliance or business policies for data protection.

A company planning to migrate its existing websites, applications, servers, virtual machines, and data to AWS. They want to do a lift-and-shift migration with minimum downtime and reduced costs. Which AWS service can help in this scenario? - AWS Database Migration Service - AWS Application Migration Service - AWS Backup - AWS Schema Conversion Tool

AWS Application Migration Service

A company is using VMware on its on-premises data center to manage its infrastructure. There is a requirement to extend their data center and infrastructure to AWS but keep using the technology stack they are using which is VMware. Which AWS service can they use? - VMware Cloud on AWS - AWS DataSync - AWS Application Migration Service - AWS Application Discovery Service

VMware Cloud on AWS

A company is using RDS for MySQL as their main database but, lately they have been facing issues in managing the database, performance issues, and the scalability. And they have decided to use Aurora for MySQL instead for better performance, less complexity and less administrative tasks required. What is the best way and most cost-effective way to migrate from RDS for MySQL to Aurora for MySQL? - Raise an AWS support ticket to do the migration as it is not supported - Create a database dump from RDS for MySQL, store it in a S3 bucket, then restore it to Aurora for MySQL - You can not migrate directly to Aurora for MySQL, you have to create a custom application to insert the data manually - Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL

Create a snapshot from RDS for MySQL and restore it to Aurora for MySQL

Which AWS service can you use to automate the backup across different AWS services such as RDS, DynamoDB, Aurora, and EFS file systems, and EBS volumes? - Amazon S3 Lifecycle Policy - AWS DataSync - AWS Backup - Amazon Glacier

AWS Backup

You are working on a Serverless application where you want to process objects uploaded to an S3 bucket. You have configured S3 Events on your S3 bucket to invoke a Lambda function every time an object has been uploaded. You want to ensure that events that can't be processed are sent to a Dead Letter Queue (DLQ) for further processing. Which AWS service should you use to set up the DLQ? - S3 Events - SNS Topic - Lambda Function

Lambda Function ## Footnote The Lambda function's invocation is "asynchronous", so the DLQ has to be set on the Lambda function side.

As a Solutions Architect, you have created an architecture for a company that includes the following AWS services: CloudFront, Web Application Firewall (AWS WAF), AWS Shield, Application Load Balancer, and EC2 instances managed by an Auto Scaling Group. Sometimes the company receives malicious requests and wants to block these IP addresses. According to your architecture, Where should you do it? - CloudFront - AWS WAF - AWS Shield - ALB Security Group - EC2 Security Group - NACL

AWS WAF

Your EC2 instances are deployed in Cluster Placement Group in order to perform High-Performance Computing (HPC). You would like to maximize network performance between your EC2 instances. What should you use? - Elastic Fabric Adapter - Elastic Network Interface - Elastic Network Adapter - FSx for Lustre

Elastic Fabric Adapter

Which AWS Service analyzes your AWS account and gives recommendations for cost optimization, performance, security, fault tolerance, and service limits? - AWS Trusted Advisor - AWS CloudTrail - AWS Identity Access Manager (IAM) - AWS CloudFormation

AWS Trusted Advisor ## Footnote AWS Trusted Advisor provides recommendations that help you follow AWS best practices. It evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.