Resilient Architecture part 1 Flashcards

1
Q

A small business specializing in video processing wants to prototype cloud storage in order to lower its costs. However, management is wary of storing its client files in the cloud rather than on premises. They are focused on cost savings and experimenting with the cloud at this time. What is the best solution for their prototype?
A) Install a VPN, set up an S3 bucket for their files created within the last month, and set up an additional S3-IA bucket for older files. Create a lifecycle policy in S3 to move files older than 30 days into the S3-IA bucket nightly.
B) Install an AWS storage gateway using stored volumes.
C) Set up a Direct Connect and back all local hard drives up to S3 over the Direct Connect nightly.
D) Install an AWS storage gateway using cached volumes.

A

B. Anytime the primary consideration is storage with a local data presence—where data must be stored or seen to be stored locally—a storage gateway gives you the best option. This reduces the choices to B and D. B will store the files in S3 and provide local cached copies, while D will store the files locally and push them to S3 as a backup. Since management is concerned about storage in the cloud of primary files, B is the best choice; local files are the primary source of data, while still allowing the company to experiment with cloud storage without “risking” its data being stored primarily in the cloud.

2
Q
For which of the following HTTP methods does S3 have eventual consistency? (Choose two.)
A) PUTs of new objects
B) UPDATEs
C) DELETEs
D) PUTs that overwrite existing objects

A

C, D. PUTs of new objects have a read after write consistency. DELETEs and overwrite PUTs have eventual consistency across S3.

3
Q
What is the smallest file size that can be stored on standard class S3?
A) 1 byte
B) 1 MB
C) 0 bytes
D) 1 KB

A

C. First, note that “on standard class S3” is a red herring, and irrelevant to the question. Second, objects on S3 can be 0 bytes. This is equivalent to using touch on a file and then uploading that 0-byte file to S3.

4
Q

You’ve just created a new S3 bucket named ytmProfilePictures in the US East 2 region and created a folder at the root level of the bucket called images/. You’ve turned on website hosting and asked your content team to upload images into the images/ folder. At what URL will these images be available through a web browser?
A) https://s3-us-east-2.amazonaws.com/ytmProfilePictures/images
B) https://s3-website-us-east-2.amazonaws.com/ytmProfilePictures/images
C) https://ytmProfilePictures.s3-website-us-east-2.amazonaws.com/images
D) https://ytmProfilePictures.s3-website.us-east-2.amazonaws.com/images

A


5
Q

Which of the following statements is not true?
A) Standard S3, S3-IA, and S3 One Zone-IA all are equally durable.
B) The availability of S3-IA and S3 One Zone-IA are identical.
C) Standard S3, S3-IA, and S3 One Zone-IA all have different availabilities.
D) S3 One Zone-IA is as durable as standard S3.

A

B. This is an important distinction when understanding S3 classes. Standard S3, S3-IA, and S3 One Zone-IA all are equally durable, although in One Zone-IA, data will be lost if the availability zone is destroyed. Each class has different availability, though: S3 is 99.99, S3-IA is 99.9, and S3 One Zone-IA is 99.5. Therefore, it is false that all have the same availability (B).

6
Q
Which of the following AWS services appear in the AWS console across all regions? (Choose two.)
A) S3
B) EC2
C) IAM
D) RDS

A

A, C. The wording of this question is critical. S3 buckets are created within a region, but the AWS console and your account will show you all S3 buckets at all times. While a bucket is created in a specific region, names of buckets are also global. IAM permissions are also global and affect all regions. RDS and EC2 instances are region specific, and only appear in the regions in which they were created in the AWS console.

7
Q
You have an S3 bucket and are working on cost estimates for your customer. She has asked you about pricing of objects stored in S3. There are currently objects in the buckets ranging from 0 bytes to over 1 GB. In this situation, what is the smallest file size that S3-IA will charge you for?
A) 1 byte
B) 1 MB
C) 0 bytes
D) 128 KB

A

D. This is a bit of a trick question if you’re not careful. While S3 allows for 0-byte objects, and charges as such, S3-IA charges all objects as if they are at least 128 KB in size. So while you can store a smaller object in S3-IA, it will be considered 128 KB for pricing and charging purposes.

8
Q

Which of the following would you use for setting up AMIs from which new instances are created in an Auto Scaling policy?
A) The Auto Scaling policy itself
B) The security group for the Auto Scaling policy
C) The Auto Scaling group used by the Auto Scaling policy
D) The launch configuration used by the Auto Scaling policy

A

D. Launch configurations are where details are specified for creating (launching) new instances (option D). Security groups have to do more with what traffic is allowed into and out of the launched instances. The remaining two options—A and C—don’t make sense in this context.

9
Q

You terminate an EC2 instance and find that the EBS root volume that was attached to the instance was also deleted. How can you correct this?
A) You can’t. A root volume is always deleted when the EC2 instance attached to that volume is deleted.
B) Take a snapshot of the EBS volume while the EC2 instance is running. Then, when the EC2 instance is terminated, you can restore the EBS volume from the snapshot.
C) Remove termination protection from the EC2 instance.
D) Use the AWS CLI to change the DeleteOnTermination attribute for the EBS volume to “false.”

A

D. By default, EBS root volumes are terminated when the associated instance is terminated. However, this is only the default value; therefore A is not correct. Option B is not directly addressing the question; the EBS volume would still be deleted even if you take a snapshot. Option C is not relevant, but option D is: You can use the AWS CLI (or the console) to set the root volume to persist after instance termination.

10
Q

Can you attach an EBS volume to more than one EC2 instance at the same time?
A) Yes, as long as the volume is not the root volume.
B) No, EBS volumes cannot be attached to more than one instance at the same time.
C) Yes, as long as the volume is one of the SSD classes and not magnetic storage.
D) Yes, as long as at least one of the instances uses the volume as its root volume.

A

B. EBS volumes can only attach to a single instance at one time. The other options are all simply to distract.

11
Q
How does AWS allow you to add metadata to your EC2 instances? (Choose two.)
A) Certificates
B) Tags
C) Policies
D) Labels

A

A, B. All instances and most services in AWS provide tagging for metadata. Certificates are related to SSL and help define the identity of a site or transmission, policies are related to permissions and roles, and labels are not (currently) an AWS construct.

12
Q
Which of the following can be deployed across availability zones?
A) Cluster placement groups
B) Placement groups
C) Spread placement groups
D) Cross-region placement groups

A

C. Spread placement groups—which are relatively new to AWS—can be placed across multiple availability zones. Cluster placement groups cannot, and placement groups generally refers to cluster placement groups. Cross-region placement groups is a made-up term.

13
Q
You are tasked with recommending a storage solution for a large company with a capital investment in an NFS-based backup system. The company wants to investigate cloud-based storage but doesn’t want to lose its software investment either. Which type of storage gateway would you recommend?
A) File gateway
B) Cached volume gateway
C) Stored volume gateway
D) Tape gateway

A

A. Each of the options is a valid configuration for a storage gateway. Of the options, file gateway provides an NFS-style protocol for transferring data to and from the gateway and therefore is the best option.

14
Q
You are tasked with prototyping a cloud-based storage solution for a small business. The business’s chief concern is low network latency, as its systems need near-instant access to all of its datasets. Which storage gateway would you recommend?
A) File gateway
B) Cached volume gateway
C) Stored volume gateway
D) Tape gateway

A

C. A stored volume gateway stores data at the on-premises data store and backs up to S3 asynchronously to support disaster recovery. Most important, though, is that by storing data locally, network latency is minimal. Of the available options, only a stored volume gateway provides local data with this speed of access across an entire dataset.

15
Q
You are the solutions architect for a mapping division that has inherited a massive geospatial dataset from a recent acquisition. The data is all on local disk drives, and you want to transition the data to AWS. With datasets of over 10 TB, what is the best approach to getting this data into AWS?
A) S3 with Transfer Acceleration
B) Cached volume gateway
C) Snowball
D) Shipping the drives to AWS

A

C. Anytime very large data needs to be moved into AWS, consider Snowball. Snowball is a physical device that allows for data to be physically sent to AWS rather than transferred over a network. It is the only solution that will not potentially cause disruptive network outages or slowdowns.

16
Q

Which of the following are not reasons to use a cached volumes storage gateway? (Choose two.)
A) You want low-latency access to your entire dataset.
B) You want to reduce the cost of on-site storage.
C) You want to support iSCSI storage volumes.
D) You want low-latency access to your most commonly accessed data.

A

A, C. A cached volume gateway stores the most commonly accessed data locally (option D) while keeping the entire dataset in S3. This has the effect of reducing the cost of storage on-site, because you need less (option B). Since both of these are true, you need to select the other two options as reasons to not use a cached volumes gateway: A and C.

17
Q
Which of the following storage gateway options is best for traditional backup applications?
A) File gateway
B) Cached volume gateway
C) Stored volume gateway
D) Tape gateway

A

A. Be careful here. While it might seem at a glance that a tape gateway is best, most backup solutions do not employ tape backups. They use NFS mounts and file-based backups, which is exactly what a file gateway is best used for.

18
Q
Which of the following storage gateway options is best for applications where latency of your entire dataset is the priority?
A) File gateway
B) Cached volume gateway
C) Stored volume gateway
D) Tape gateway

A

C. If the entire dataset is needed, then a stored volume gateway is a better choice than a cached volume gateway. The stored volume stores the entire dataset on premises and therefore is very fast for all data access.

19
Q
Which of the following storage gateway options is best for reducing the costs associated with an off-site disaster recovery solution?
A) File gateway
B) Cached volume gateway
C) Stored volume gateway
D) Tape gateway

A

D. A tape gateway is ideal for replacing off-site tape directories. The gateway is a virtual tape directory and avoids the costs of transporting actual tapes to an expensive off-site location.

20
Q
For which of the following storage classes do you need to specify an availability zone?
A) S3
B) S3-IA
C) S3 One Zone-IA
D) None of the above

A

D. While S3 does use availability zones to store objects in buckets, you do not choose the availability zone yourself. Even S3 One Zone-IA does not allow you to specify the AZ for use.

21
Q

creases)? (Choose two.)
A) S3 will scale to handle the load if you have Auto Scaling set up.
B) S3 will scale automatically to ensure your service is not interrupted.
C) Scale spreads evenly across AWS network to minimize the effect of a spike.
D) A few instances are scaled up dramatically to minimize the effect of the spike.

A

B, C. S3 is built to automatically scale in times of heavy application usage. There is no requirement to enable Auto Scaling (A); rather, this happens automatically (so B is correct). Further, S3 tends to scale evenly across the AWS network (C). Option D is the opposite of what AWS intends.

22
Q

You have been tasked with helping a company migrate its expensive off-premises storage to AWS. It will still primarily back up files from its on-premises location to a local NAS. These files then need to be stored off-site (in AWS rather than the original off-site location). The company is concerned with durability and cost and wants to retain quick access to its files. What should you recommend?
A) Copying files from the NAS to an S3 standard class bucket
B) Copying files from the NAS to an S3 One Zone-IA class bucket
C) Copying the files from the NAS to EBS volumes with provisioned IOPS
D) Copying the files from the NAS to Amazon Glacier

A

B. When evaluating S3 storage, all storage classes have the same durability. For cost, though, S3 One Zone-IA is the clear winner. Only Glacier is potentially less expensive but does not provide the same quick file access that S3 One Zone-IA does.

23
Q
How many S3 buckets can you create per AWS account, by default?
A) 25
B) 50
C) 100
D) There is not a default limit.

A

C. By default, all AWS accounts can create up to 100 buckets. However, this limit can easily be raised by AWS if you request an upgrade.

24
Q

How are objects uploaded to S3 by default?
A) In parts
B) In a single operation
C) You must configure this option for each S3 bucket explicitly.
D) Via the REST API

A

B. S3 uploads are, by default, done via a single operation, usually via a single PUT operation. AWS suggests that you can upload objects up to 100 MB before changing to Multipart Upload.

25
Q

Which of the following are the ways you should consider using Multipart Upload?
A) For uploading large objects over a stable high-bandwidth network to maximize bandwidth
B) For uploading large objects to reduce the cost of ingress related to those objects
C) For uploading any size files over a spotty network to increase resiliency
D) For uploading files that must be appended to existing files

A

A, C. Multipart Upload is, as should be the easiest answer, ideal for large objects on stable networks (A). But it also helps handle less-reliable networks as smaller parts can fail while others get through, reducing the overall failure rate (C). There is no cost associated with data ingress (B), and D doesn’t make much sense at all!

26
Q

How is a presigned URL different from a normal URL? (Choose two.)
A) A presigned URL has permissions associated with certain objects provided by the creator of the URL.
B) A presigned URL has permissions associated with certain objects provided by the user of the URL.
C) A presigned URL allows access to private S3 buckets without requiring AWS credentials.
D) A presigned URL includes encrypted credentials as part of the URL.

A

A, C. Presigned URLs are created to allow users without AWS credentials to access specific resources (option C). And it’s the creator of the URL (option A) that assigns these permissions, rather than the user (option B). Finally, these credentials are associated with the URL but are not encrypted into the URL itself.

27
Q
How long is a presigned URL valid?
A) 60 seconds
B) 60 minutes
C) 24 hours
D) As long as it is configured to last

A

D. A presigned URL is always configured at creation for a valid Time to Live (often referred to as TTL). This time can be very short, or quite long.

28
Q

Which of the following behaviors is consistent with how S3 handles object operations on a bucket?
A) A process writes a new object to Amazon S3 and immediately lists keys within its bucket. The new object does not appear in the list of keys.
B) A process deletes an object, attempts to immediately read the deleted object, and S3 still returns the deleted data.
C) A process deletes an object and immediately lists the keys in the bucket. S3 returns a list with the deleted object in the list.
D) All of the above

A

D. These are all consistent with S3 behavior. Option A could occur as the new object is being propagated to additional S3 buckets. B and C could occur as a result of eventual consistency, where a DELETE operation does not immediately appear.

29
Q
Which of the following storage media are object based? (Choose two.)
A) S3-IA
B) EBS
C) EFS
D) S3 standard

A

A, D. All S3 storage classes are object-based, while EBS and EFS are block-based.

30
Q
How many PUTs per second does S3 support?
A) 100
B) 1500
C) 3500
D) 5000

A

C. This is important because it reflects a recent change by AWS. Until 2018, there was a hard limit on S3 of 100 PUTs per second, but that limit has now been raised to 3500 PUTs per second.

31
Q
What unique domain name do S3 buckets created in US East (N. Virginia) have, as compared to other regions?
A) s3.amazonaws.com
B) s3-us-east-1.amazonaws.com
C) s3-us-east.amazonaws.com
D) s3-amazonaws.com

A

A. S3 buckets have names based upon the S3 identifier (s3), the region (us-east-1 in this case), and the amazonaws.com domain. Then, the bucket name appears after the domain. That results in a URL like https://s3-us-east-1.amazonaws.com/prototypeBucket32. However, buckets in US East are a special case and should use the special, unique endpoint s3.amazonaws.com (option A).

32
Q

Which of the following are valid domain names for S3 buckets? (Choose two.)
A) s3.us-east-1.amazonaws.com
B) s3-us-west-2.amazonaws.com
C) s3.amazonaws.com
D) s3-jp-west-2.amazonaws.com

A

B, C. Option A is not the correct format; s3 should be separated from the region with a dash (-). Option B is valid, and option C is the correct unique URL for US East (N. Virginia). Option D is the right format, but jp-west-2 is not an AWS region.

33
Q
What are the two styles of URLs that AWS supports for S3 bucket access? (Choose two.)
A) Virtual-hosted-style URLs
B) Domain-hosted-style URLs
C) Apex zone record URLs
D) Path-style URLs

A

A, D. S3 supports two styles of bucket URLs: virtual-hosted-style and path-style URLs. Virtual-hosted-style URLs are of the form http://bucket.s3-aws-region.amazonaws.com, and path-style URLs are the traditional URLs you’ve seen: https://s3-aws-region.amazonaws.com/bucket-name.

34
Q

Which of the following are not true about S3? (Choose two.)
A) Buckets are created in specific regions.
B) Bucket names exist in a per-region namespace.
C) Buckets are object-based.
D) Each S3 bucket stores up to 5 TB of object data.

A

B, D. While S3 buckets are created in a specific region (A), the names of buckets are global and must exist in a global namespace (so B is untrue). Buckets are object-based (so C is true), and while a single object is limited at 5 TB, the buckets are unlimited in total storage capacity (so D is false).

35
Q

Which of the following is the best approach to ensuring that objects in your S3 buckets are not accidentally deleted?
A) Restrictive bucket permissions
B) Enabling versioning on buckets
C) Enabling MFA Delete on buckets
D) All of these options are equally useful.

A

C. MFA Delete is the absolute best means of ensuring that objects are not accidentally deleted. MFA—Multi-Factor Authentication—ensures that any object deletion requires multiple forms of authentication.

36
Q
What HTTP request header is used by MFA Delete requests?
A) x-delete
B) x-amz-mfa
C) x-aws-mfa
D) x-amz-delete

A

B. All Amazon-specific request headers begin with x-amz. This is important to remember as it will help eliminate lots of incorrect answers. This leaves only x-amz-mfa.

37
Q

Which of the following operations will take advantage of MFA Delete, if it is enabled? (Choose two.)
A) Deleting an S3 bucket
B) Changing the versioning state of a bucket
C) Permanently deleting an object version
D) Deleting an object’s metadata

A

B, C. MFA Delete applies to deleting objects, not buckets (so option A is incorrect). It affects changing the versioning state of a bucket or permanently deleting any object (or a version of that object); this makes B and C correct. Deleting an object’s metadata while leaving the object intact does not require MFA Delete.

38
Q

When using an MFA Delete–enabled bucket to delete an object, from where does the authentication code come?
A) A hardware or virtual MFA device
B) The token section of the AWS console
C) The AWS REST API under delete-codes in a bucket’s metadata
D) None of these

A

A. This answer simply has to be memorized. MFA Delete authentication codes are pulled from hardware or virtual MFA devices, like Google Authenticator on an iPhone.

39
Q

Who can enable versioning on an S3 bucket?
A) All authorized IAM users of the bucket
B) A, C, and D
C) The bucket owner
D) The root account that owns the bucket

A

B. The bucket owner, root account, and all authorized IAM users of a bucket are allowed to enable versioning.

40
Q
Which of the following exist and are attached to an object stored in S3? (Choose two.)
A) Metadata
B) Data
C) Authentication ID
D) Version history

A

A, B. Each object in S3 has a name, value (data), version ID, and metadata. The version history of an object won’t exist unless versioning is turned on, so it’s not always a valid answer.

41
Q

CloudFront is a web service for distributing what type of content? (Choose two.)
A) Object-based storage
B) Static files
C) Script-generated or programmatically generated dynamic content
D) All of the above

A

B, C. CloudFront is intended to cache and deliver static files from your origin servers to users or clients. Dynamic content is also servable through CloudFront from EC2 or other web servers. Object-based storage doesn’t make sense in this context, as CloudFront is a distribution mechanism, not a storage facility.

42
Q
What are the sources of information that CloudFront serves data from called?
A) Service providers
B) Source servers
C) Static servers
D) Origin servers

A

D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content.

43
Q
Which of the following are typical origin servers for a CloudFront distribution? (Choose two.)
A) EC2 instances
B) Amazon Glacier archives
C) API Gateway
D) S3 buckets

A

A, D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content (options A and D).

44
Q
Which of the following are not origin servers for a CloudFront distribution? (Choose two.)
A) Docker containers running on ECS
B) MySQL ResultSet
C) S3 buckets
D) Redshift workloads

A

B, D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content (meaning option C is valid). Containers can also be used in place of EC2 instances, making option A valid as well. This leaves B and D as invalid origin servers.

45
Q
Which of the following are not origin servers for a CloudFront distribution? (Choose two.)
A) Elastic load balancer
B) Route 53 recordsets
C) SQS subscription endpoint
D) SNS topic retrieval endpoint

A

C, D. CloudFront is able to distribute content from an ELB, rather than directly interfacing with S3, and can do the same with a Route 53 recordset. These allow the content to come from multiple instances. This means that options C and D are invalid origin servers and therefore the correct answers.

46
Q
What is a collection of edge locations called?
A) Region
B) Availability zone
C) CloudFront
D) Distribution

A

D. A CloudFront distribution is a collection of edge locations across the world.

47
Q
Which of the following store content that is served to users in a CloudFront-enabled web application? (Choose two.)
A) Availability zones
B) Edge locations
C) Route 53
D) EC2 instances

A

B, D. Availability zones are not content storage devices; they are virtual data centers. Edge locations are used by CloudFront distributions to store cached content (so correct). Route 53 is the Amazon DNS service. EC2 instances can serve content from processes (so also correct).

48
Q

You support a web application that uses a CloudFront distribution. A banner ad that was posted the previous night at midnight has an error in it, and you’ve been tasked with removing the ad so that users don’t see the error. What steps should you take? (Choose two.)
A) Delete the banner image from S3.
B) Remove the ad from the website.
C) Wait for 24 hours and the edge locations will automatically expire the ad from their caches.
D) Clear the cached object manually.

A

B, D. You must perform both steps B and D, and you must perform B before D or the banner ad could get re-cached. Also note that expiring a cached object manually incurs a cost.

49
Q
By default, how long do edge locations cache objects?
A) 12 hours
B) 24 hours
C) 48 hours
D) 360 minutes

A

B. The default TTL for edge locations is 24 hours.

50
Q

How are datasets utilized by stored volumes backed up to S3?
A) Asynchronously
B) Synchronously
C) The backup method is specified by the user at configuration time.
D) Synchronously unless the backup takes more than 2 seconds; then the backup switches to asynchronous

A

A. All data is backed up to S3 asynchronously when a stored volume is used. This ensures that no lag is incurred by clients that interact with the stored volumes on-site.

51
Q

When should you use AWS Direct Connect instead of Snowball?
A) AWS Direct Connect is usually a better option than Snowball.
B) AWS Direct Connect is almost never a better option than Snowball.
C) If you have more than 50 TB of data to transfer, use Snowball.
D) If you have less than 50 TB of data to transfer, use Snowball.

A

A. AWS Direct Connect is a dedicated high-speed connection between your on-premises network and AWS. Because of this, a direct connect is almost always a better choice than shipping out a Snowball, loading data to it, and then shipping it back.

52
Q
Which of the following AWS services can be used to store large objects? (Choose two.)
A) Redshift
B) S3
C) Oracle
D) EC2

A

B, C. This is a little tricky. S3 is an obvious choice. Redshift is suited for analysis data, so probably not large objects. EC2 is compute, which leaves Oracle. It is possible—without any better answers—to use Oracle (via RDS or installed on EC2) to store large objects in a BLOB-type field.

53
Q

You have created a static website and posted an HTML page as home.html in the root level of your S3 bucket. The bucket is named californiaroll and is located in US West 2. At what URL can you access the HTML page?
A) http://californiaroll.s3-website.us-west-1.amazonaws.com/home.html
B) http://s3-website-us-west-1.amazonaws.com/californiaroll/home.html
C) http://californiaroll.s3-website-us-west-2.amazonaws.com/public_html/home.html
D) http://californiaroll.s3-website-us-west-1.amazonaws.com/home.html

A

D. First, ensure that the domain name is correct. Option A incorrectly separates s3-website from the region, and C has the wrong region. B does not have the bucket name in the URL, which it should for website hosting. This leaves D, the correct answer.

54
Q

You have a variety of images with names like image-001.jpg and image-002.jpg in an S3 bucket named phoneboothPhotos created in the EU West 1 region. You have enabled website hosting on this bucket. Which URL would allow access to the photos?
A) http://phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/phoneboothPhotos/image-001.jpg
B) http://phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/phoneboothphotos/image-001.jpg
C) http://phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/public_html/phoneboothPhotos/image-001.jpg
D) http://phoneboothPhotos.s3-website.eu-west-1.amazonaws.com/phoneboothPhotos/image-001.jpg

A

A. First, eliminate option D; the domain is incorrect, adding a separator between s3-website and the region. Then, eliminate option C, as it adds a public_html to the portion of the URL after the domain, which is also incorrect. This leaves A and B. Here, you need to realize that the portion of a URL after the domain is case sensitive and compare the two directories to the question. A is correct, using the correct capitalization of phoneboothPhotos.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
55
Q
<p>You have your own custom domain and want to host a static website on that domain. You also want to minimize compute costs. Which of the following AWS services would you use to host your website on your custom domain? (Choose two.)
S3
EC2
Lambda
Route 53</p>
A

A, D. To minimize compute resources, you should avoid EC2 and Lambda. Enabling static website hosting on an S3 bucket is a better option. To use a custom domain, you’d need to also use Route 53 to direct traffic from your custom domain to the S3 bucket.

56
Q

Which of the following does Elastic Beanstalk provide? (Choose two.)

Deployment of code
Security
Capacity provisioning
Cost optimization
A

A, C. Elastic Beanstalk is focused on code deployment. It provides that, and in the process, load balancing, Auto Scaling, health monitoring, and capacity provisioning (C).

57
Q

Which of the following does Elastic Beanstalk not provide? (Choose two.)

Deployment of code
Security hardening
Application health monitoring
Log inspection and backup
A

B, D. Elastic Beanstalk is focused on code deployment (A). It provides that, and in the process, load balancing, Auto Scaling, health monitoring (C), and capacity provisioning. It does not provide security or log inspection.

58
Q

Which of the following does Elastic Beanstalk support? (Choose two.)

Docker
C++
Scala
Node.js
A

A, D. This is a little far off the beaten AWS path, but you should know which languages and technologies are commonly used and cited by AWS and which are not. In general, Docker and containers are always supported, and Node.js, JavaScript, Java, PHP, and Perl are commonly supported. C++ and Scala are not in that list.

59
Q

Which AWS service allows you to run code without provisioning any of the underlying resources required by that code?

EC2
ECS
DynamoDB
Lambda
A

D. EC2 and ECS are compute services but require knowledge and working with the required resources. DynamoDB is a database and cannot run code. Lambda is correct: It runs code without needing an underlying set of compute resources that are user managed.

60
Q

Which of the following AWS services allow you to run code without worrying about provisioning specific resources for that code? (Choose two.)

Elastic Beanstalk
ECS
DynamoDB
Lambda
A

A, D. Elastic Beanstalk and Lambda are very different services, but in this context, both are valid answers. Elastic Beanstalk is a sort of “code deployment wizard,” and Lambda allows for serverless code deployment. Both handle provisioning of the environment without user intervention.

61
Q

Which of the following languages work on Lambda? (Choose two.)

JavaScript
Node.js
Scala
C++
A

A, B. You should know which languages and technologies are commonly used and cited by AWS and which are not. In general, Node.js, JavaScript, Java, PHP, and Perl are pretty commonly supported. C++ and Scala are not in that list.

62
Q

What AWS service is ideal for gathering business intelligence from multiple data sources?

Lightsail
QuickSight
CloudTrail
RDS
A

B. QuickSight is a cloud-powered business analytics service. It provides visualizations and analysis from multiple data sources.

63
Q

Which service would you use to create a single-sign on system for a user base that already has credentials they want to use outside of AWS?

Cognito
Kinesis
SWF
IAM
A

A. AWS Cognito allows you to add user sign-up, sign-in, and access control to web applications, as well as single sign-on. It also allows identity providers such as Facebook and Google to be used.

64
Q

What type of services are associated with S3 lifecycle management?

Storage services
Database services
Compute services
Networking services
A

A. Anything related to S3 is going to be storage-related. In this case, lifecycle management handles transitioning data from one S3 storage class to another.

65
Q

What type of services are associated with Amazon Lightsail?

Storage services
Networking services
Compute services
All of the above
A

D. Amazon Lightsail is a compute solution for web applications and involves compute, storage, and networking as well as database storage when needed. It launches servers and configures them with the needed services for web hosting. Note that while AWS considers Lightsail a compute service, it absolutely interfaces and controls additional resources.

66
Q

What type of services are associated with Elastic Beanstalk?

Storage services
Networking services
Compute services
All of the above
A

C. Elastic Beanstalk is an Amazon service that spins up and manages a number of other services, in particular, compute. Even though you can configure other services, though, Beanstalk is considered to primarily be a code deployment tool and therefore is focused on compute services.

67
Q

What type of services are associated with Redshift?

Storage services
Networking services
Database services
All of the above
A

C. Redshift is one of AWS’s OLAP (online analytics processing) tools and is a database service. While it does processing, it is primarily intended to receive large amounts of data and operate upon that data, as a database would (in loose terms).

68
Q

What type of services are associated with CloudFront?

Storage services
Networking services
Compute services
Both B and C
A

B. CloudFront is AWS’s distribution network. It’s a content caching system that is ultimately a networking component of your AWS buildout.

69
Q

What type of services are associated with EMR?

Storage services
Analytic services
Compute services
Networking services
A

B. EMR is Elastic MapReduce and provides data processing and analysis of large datasets.

70
Q

What type of services are associated with Cloud9?

Storage services
Analytic services
Developer services
Networking services
A

C. Cloud9 is a developer environment, intended as an IDE for AWS developers.

71
Q

What type of services are associated with Direct Connect?

Storage services
Analytic services
Developer services
Networking services
A

D. Direct Connect is an AWS service for creating a high-speed connection between an on-premises site and AWS.

72
Q

What type of services are associated with Workspaces?

Mobile services
Analytic services
Developer services
Desktop services
A

D. Amazon Workspaces allows you to provide a desktop service via the cloud. The service allows people throughout the world to take advantage of scalable desktop provisioning.

73
Q

What type of services are associated with Kinesis?

Mobile services
Analytic services
Developer services
Desktop services
A

B. Kinesis is a data analytic service capable of handling large data streams and providing real-time insights.

74
Q

What type of services are associated with OpsWorks?

Mobile services
Analytic services
Media services
Management services
A

D. OpsWorks is an operational management service, which AWS often classifies as “management tools” (especially in the AWS console). It allows integration with tools like Puppet and Chef.

75
Q

Which of the following statements are true about availability zones? (Choose two.)

An elastic IP is always tied to one specific availability zone.
A region always contains two availability zones.
An availability zone’s name (for example, us-east-1a) may change across AWS accounts.
You can specify an availability zone in which to launch your instance when creating the instance.

A

C, D. Elastic IPs are assigned to an instance in a specific availability zone, but in the event of a failure, that elastic IP can be remapped to another AZ, making A false. B is false because regions will contain at least two availability zones, not exactly two. C is true, as different accounts may remap AZs to different names to ensure better resource distribution, and D is correct, even though many users simply accept the defaults and don’t pick a specific AZ.

76
Q

Which of the following are actual region identifiers within AWS? (Choose two.)

us-east-2
jp-south-2
ap-south-1
uk-west-1
A

A, C. This is admittedly a tough question, but worth working through. You need to have at least a familiarity with AWS regions and know that there are several major regions: US, EU, and AP. There are a few others (CA, SA, for example), but the major ones are US, EU, and AP. Knowing those, you can spot that A and C are likely valid. JP (presumably for Japan) isn’t correct, and you should recognize that the UK falls under EU. There is no UK-specific region identifier.

77
Q

Which of the following is a valid availability zone identifier within AWS?

us-east-2b
eu-west-1
us-west-az-1
az-sa-east-1a
A

A. An availability zone identifier is the region identifier with a letter appended on the end. A region identifier is the region name, which is usually the country or area (eu, us, etc.), then the geographical area (southeast, west, east, etc.), then a number.

78
Q

Which AWS service functions like a NAS in the cloud?

EBS
Tape gateway
EFS
DynamoDB
A

C. EFS, Elastic File System, provides scalable storage accessible from multiple compute instances. EBS is Elastic Block Storage and is tied to one instance at a time and therefore not like a NAS (network attached storage). DynamoDB is a NoSQL database, and tape gateway is a client device for interacting with S3, but locally rather than in the cloud.

79
Q

Which of the following is a caching engine?

ElastiCache
DynamoDB
memcached
IAM

A

C.

80
Q

Which of the following is true about RDS? (Choose two.)

Reserved instances can be used for Multi-AZ deployments.
Automated backups are turned off by default.
Every database supported by RDS can also be installed directly on EC2 instances.
All RDS databases support SQL as an interface.

A

A, D. RDS supports Multi-AZ deployments. Automated backups are turned on by default. Some RDS databases—notably Maria and Aurora—are only supported through a managed service like RDS. And all RDS databases provide a SQL interface.

81
Q

When AWS uses the term OLAP, what does that acronym stand for?

Online analytics processing
Offline analytic processing
Online aggregation processing
Offline activity and payment

A

A. OLAP is online analytics processing, often associated with business intelligence. AWS services like Redshift are ideal for OLAP.

82
Q

When AWS uses the term OLTP, what does that acronym stand for?

Offline training and practice
Offline transaction processing
Online traffic provisioning
Online transaction processing

A

D. OLTP is online transaction processing and is generally the domain of relational databases in AWS.

83
Q

Which of the following is most suitable for OLAP?

Redshift
ElastiCache
DynamoDB
Aurora

A

A. Redshift is the prime example of AWS providing an OLAP service.

84
Q

Which of the following is most suitable for OLTP?

Redshift
ElastiCache
DynamoDB
Aurora

A

D. Aurora, as a managed service via RDS, is a relational database, and relational databases are generally the best answer for OLTP in AWS.

85
Q

Which of the following are most suitable for OLTP? (Choose two.)

memcached
Oracle
DynamoDB
SQL Server

A

B, D. In OLTP questions, look for the relational databases. In this question, those are Oracle and SQL Server, and therefore the answers. memcached is one of the engines for ElastiCache, and DynamoDB is a NoSQL database.

86
Q

Which of the following is best suited for big data processing?

EMR
QuickSight
ElastiCache
Athena

A

A. EMR, Elastic MapReduce, is ideal for big data processing. It uses the Hadoop and Spark frameworks and is a managed service for processing very large datasets.

87
Q

Which of the following is best suited for real-time analytics?

EMR
QuickSight
Kinesis
Athena

A

C. This is a little trickier. The best way to remember how to answer a question like this is to associate Kinesis with streaming data, which implies real-time analysis. Kinesis can take in streams of data and do immediate processing on that.

88
Q

Which of the following is best suited for interactive analytics?

EMR
QuickSight
Kinesis
Athena

A

D. This is another tough question, especially if both Kinesis and Athena appear in the answer choices. Kinesis handles streams of data and does real-time analytics; Athena is more on the interactive side. Athena analyzes data but allows standard SQL queries. That’s why it’s a better choice than Kinesis with this question.

89
Q

What are the most common frameworks used with Amazon EMR? (Choose two.)

Scala
Hadoop
Java
Spark

A

B, D. EMR, or Elastic MapReduce, is most commonly used with Hadoop and Spark. Unfortunately, this simply has to be memorized; there’s no good way to get at this unless you already know that Hadoop and Spark are ideal for data processing.

90
Q

How many copies of data does Aurora store by default?

One
Three
Four
Six

A

D. Aurora actually stores a whopping six copies of your data, across three availability zones, to ensure failover and disaster recovery.

91
Q

In an RDS managed-service capacity, which of the following databases is generally fastest?

PostgreSQL
MySQL
Aurora
They are all equivalent.

A

C. Aurora, under the RDS managed service, is about five times as fast as MySQL and three times as fast as PostgreSQL. Still, there’s an easier way to remember this: Anytime an AWS exam asks you about speed or performance, it’s generally the case that the AWS offering is the right answer. AWS won’t ask you to choose MySQL or Oracle as a faster option than one of its own databases!

92
Q

In an RDS managed-service capacity, which of the following databases is most resistant to disaster by default?

Aurora
Oracle
MySQL
They are all equivalent.

A

A. Aurora, under the RDS managed service, stores six copies of your data by default, across three availability zones. Additionally, there’s an easier way to remember this: Anytime an AWS exam asks you about resilience, it’s generally the case that the AWS offering is the right answer.

93
Q

Which of the following databases can Aurora interact with seamlessly? (Choose two.)

DynamoDB
PostgreSQL
MySQL
HyperionDB

A

B, C. Aurora is compatible with both PostgreSQL and MySQL. These are also easier to choose because they are both relational databases, also managed through RDS.

94
Q

Which of the following is allowed on your RDS instance? (Choose two.)

SSH
SQL queries
RDP
HTTP-accessible APIs

A

B, D. RDS provides for SQL interaction as well as access through the RDS web APIs. RDS instances do not allow access via SSH or RDP.

95
Q

What is the maximum backup retention period allowed by RDS, in days?

15 days
30 days
35 days
45 days

A

C. RDS allows backup retention periods up to 35 days.

96
Q

If you install Oracle on an EC2 instance, what should you use for storage for that database?

EBS
S3
EFS
RDS

A

A. You can’t use RDS because the question explicitly says you are installing Oracle on EC2 rather than using the managed service. In this case, then, you want the fastest disk space available, which will be EBS, Elastic Block Storage.

97
Q

Which of the following are suitable for OLTP? (Choose two.)

EBS
Aurora
DynamoDB
MariaDB

A

B, D. Anytime OLTP comes up, simply look for options that are RDS-supported databases, and if that fails, look for relational databases. In this question, the answers that fit these criteria are MariaDB and Aurora.

98
Q

Which of the following are not suitable for OLTP? (Choose two.)

Kinesis
PostgreSQL
Redshift
SQL Server

A

A, C. Anytime OLTP comes up, simply look for options that are RDS-supported databases, and if that fails, look for relational databases. In this question, the answers that fit these criteria are PostgreSQL and SQL Server. Since the question asks which are not suitable options, the correct selections are Kinesis (A) and Redshift (C).

99
Q

Which of the following does a Multi-AZ RDS setup address? (Choose two.)

Disaster recovery
Read performance
Data redundancy
Network latency

A

A, C. A Multi-AZ setup provides disaster recovery options through a secondary database. This also implicitly provides data redundancy.

100
Q

Which of the following does a read replica RDS setup address? (Choose two.)

Disaster recovery
Read performance
Offline backup
Network latency

A

B, D. A read replica setup is intended to reduce the load on a single database instance by providing additional databases from which to read. This also has the “side effect” of reducing network latency by spreading traffic across multiple instances.

101
Q

Which of the following does a read replica support? (Choose two.)

Reads from applications
Writes to applications
Writes from the primary instance
Writes from applications using the RDS API

A

A, C. A read replica setup is intended to reduce the load on a single database instance by providing additional databases from which to read. Applications can read from the replica (A) but not write to it (B). Only the primary instance—through RDS and AWS—can “write” changes to the replica (C).

102
Q

Which of the following does a Multi-AZ setup not provide?

Disaster recovery
Data redundancy
Improved performance
Access to all RDS databases

A

C. Multi-AZ setups provide disaster recovery through a secondary instance (A and B), and all RDS databases support Multi-AZ (D). This just leaves C, which is not provided (and is the correct answer). Because only the primary instance is accessible, it is not any more performant than a standard RDS setup.

103
Q

Which of the following does a Multi-AZ setup provide?

Decreased network latency
Synchronous replication
Asynchronous replication
Multiple read sources for applications

A

B. Multi-AZ setups use synchronous replication (B) to back up data to the secondary instance for the purposes of disaster recovery.

104
Q

Which of the following does a read replica provide?

Increased network latency
Synchronous replication
Disaster recovery
Asynchronous replication

A

D. Read replicas use asynchronous replication (D), pushing data to the read replicas whenever possible, for improved read performance.

105
Q

Which of the following is associated with read replicas?

High scalability
Primary and secondary instances
High durability
Automatic failover

A

A. Read replicas are intended to provide scalability for your application by adding additional instances for increased reads from applications.

106
Q

Which of the following is associated with Multi-AZ RDS?

Manual backup configuration
Independent database upgrades
High durability
More than two database instances

A

C. A Multi-AZ setup is about disaster recovery, and therefore durability. It provides automatic backups (so not A), upgrades happen on the primary database and then are replicated (so not B), and there is a primary and usually a single secondary instance (so not D). That leaves C: durability.

107
Q

How many read replicas are supported in a read replica setup?

Three
Five
Seven
Unlimited (although cost applies for each replica)

A

B. AWS provides up to five read replicas for a single database instance, configurable via the AWS console.

108
Q

Which of the following are supported consistency models for DynamoDB? (Choose two.)

Eventually consistent reads
Strongly consistent writes
Immediately consistent reads
Strongly consistent reads

A

A, D. DynamoDB uses eventually consistent reads by default, meaning a read might not immediately reflect the results of a very recent write. It also offers a strongly consistent reads model, always reflecting the most recent write operations.

109
Q

You are a solutions architect for a data-driven company using DynamoDB. They want to ensure always-accurate responses, so they have enabled strongly consistent reads. However, API calls to read data sometimes do not immediately return, and sometimes fail. What possible causes could there be? (Choose two.)

A recent write was made and is not yet complete. As a result, a read operation is delayed waiting on the write operation to complete.
A recent write was made and is replicating to the secondary instance. Until that replication completes, the read operation will lag.
A network outage has interrupted a recent read, and subsequent reads of that data are delayed as a result.
A network outage has interrupted a recent write, and subsequent reads of that data are delayed as a result.

A

A, D. Delays occur in a strongly consistent read model when recently written data cannot be returned. Since a strongly consistent read model guarantees the latest data is returned, until that data is available, no response can be sent. This is the situation described in both option A and D. Option B involves replication, which is not relevant in this context, and C involves previous reads rather than writes.

110
Q

Which of the following are assigned to an EC2 instance in a default VPC? (Choose two.)

A private IP address
An elastic IP address
An internal AWS-only IP address
A public IP address

A

A, D. All instances in the default VPC get a public and private IP address by default at launch time.

111
Q

Which of the following offers the largest range of IP addresses?

/16
/20
/24
/28

A

A. A /16 offers 65,536 IP addresses. The lower the number, the larger the pool of IP addresses when using CIDR notation.

112
Q

What does the SWF in Amazon SWF stand for?

Simple Workflow
Simple Workflow Formation
Simple Web Forms
Simple Working Automation

A

A. SWF stands for Simple Workflow, and Amazon SWF is the Amazon Simple Workflow Service.

113
Q

What languages can you use with SWF?

Java, Node.js, JavaScript, and Ruby
Java, Node.js, and JavaScript
Perl, PHP, Node.js, and JavaScript
All of the above

A

D. SWF places no language restraints on your workflow, as long as interactions can be managed via HTTP requests and responses.

114
Q

How are requests and responses to SWF sent and received?

Via the AWS-specific API using application keys
Via HTTP request and response codes
Via web-accessible language-specific endpoints
All of the above

A

B. SWF provides an API, but it is neither the AWS-specific API nor language specific. Instead, SWF supports standard HTTP requests and responses.

115
Q

Which of the following is a good use case for SWF?

Managing single-sign on
Managing authentication and identification
Managing logging and auditing of VPC interactions
Managing tasks across multiple components

A

D. SWF stands for Simple Workflow, an AWS managed service. That should be a clue that the key factor here is workflow management. Tasks are handled and coordinated across application components with SWF.

116
Q

How does SWF communicate?

Synchronously
Asynchronously
Both A and B
Neither A nor B

A

C. SWF is typically thought of as an asynchronous service, but it also supports synchronous tasking when needed.

117
Q

Which of the following terms are associated with SWF? (Choose two.)

Single delivery
Tasks
Multi-delivery
Messages

A

A, B. SWF is associated with tasks and is distinct from (for example) SQS, because it guarantees a single delivery of all tasks.

118
Q

Which of the following terms are associated with SNS? (Choose two.)

Subscription
Topic
Message
Queue

A

B, C. SNS is a push-based service that pushes messages (C) to anything subscribed to an appropriate topic (B).

119
Q

Which of the following terms are associated with SNS? (Choose two.)

Subscription
Topic
Message
Queue

A

A, B. SNS provides topics that can be subscribed to; then notifications related to that topic are pushed to all the topic subscribers.

120
Q

How many times are tasks assigned in SWF?

Once and only once
Once in general, but a task can be reassigned if it fails
Up to three times within the set polling period
A and C are both valid, depending upon the workflow configuration.

A

A. SWF tasks are assigned once and only once.

121
Q

How are topics represented in SNS?

By a linked list
By an Amazon Resource Name
By an IAM role
By a named message

A

B. This is a bit esoteric, but even if you’re unsure, you should be able to reason this one out. A topic is simply a name or “category” to which subscribers can attach and receive notifications. Therefore, a linked list and a named message don’t make much sense. (They’re also constructs that are never seen in AWS documentation for the most part.) An IAM role is an AWS construct, but roles are related to permissions. This leaves only B, an Amazon Resource Name, which is correct.

122
Q

How many times are messages delivered in SQS?

Once and only once
Up to a single time
Up to three times within the set polling period
At least once

A

D. SQS will guarantee that a message is delivered at least once, but that message may be redelivered.

123
Q

What is a collection of related SWF workflows called?

A group
A policy
A domain
A cluster

A

C. A SWF domain is a collection of related workflows.

124
Q

How are messages arranged in an SQS queue by default?

FIFO
LIFO
In reverse order, that is, the last message received is the first available, as much as is possible
In the order in which they were received, as much as is possible

A

D. SQS queues only make an “attempt” to deliver messages in order (more or less a FIFO approach) but do not guarantee FIFO. If strict FIFO is needed, that option can be selected.

125
Q

The company at which you have been hired as an architect is using Amazon SQS. The company’s applications process orders out of the queue as they are received, ensuring that earlier orders get any limited items that may run out of stock over time. However, some early orders are skipped, and later orders actually get the limited items. How would you correct this problem?

Move from SQS to SWF to ensure single delivery of messages.
Configure the SQS queue as FIFO to guarantee the order of message delivery.
Move from SQS to SNS and implement a queue in the application code.
Turn on order locking in the SQS queue.

A

B. SQS queues only make an “attempt” to deliver messages in order (more or less a FIFO approach) but do not guarantee FIFO. If strict FIFO is needed, that option can be selected. Option B will ensure that orders are processed in the order in which they were received.

126
Q

You have a hub-and-spoke network model, with VPC C at the center of the hub. There are six spokes, VPCs A, B, D, E, F, and G. Which VPCs can communicate with VPC C directly? (Choose two.)

VPCs A and B
VPCs D and E
VPCs F and G
Options A and

A

C, D. Other than the slightly odd answer choices (which sometimes comes up!), all VPCs can communicate with the hub, so C and D cover all the options.

127
Q

You have a hub-and-spoke network model, with VPC C at the center of the hub. There are six spokes, VPCs A, B, D, E, F, and G. Which VPCs can communicate with VPC A directly? (Choose two.)

VPCs A and B
VPC C
VPC A
Any additional VPCs peered directly with VPC A

A

B, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B), as well as any other peered VPCs (option D).

128
Q

You have a hub-and-spoke network model, with VPC G at the center of the hub. There are six spokes, VPCs A, B, C, D, E, and F. Which of the following are true? (Choose two.)

VPCs A and B can communicate with each other directly.
VPCs G and B can communicate with each other directly.
VPCs A and C cannot communicate with each other directly.
VPCs G and D cannot communicate with each other directly.

A

B, C. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B is true, while A is false). And the hub (VPC G) can communicate with all spokes (so C is true, but D is false).

129
Q

You have a hub-and-spoke network model, with VPC B at the center of the hub. There are three spokes, VPCs A, C, and E. Which of the following are not true? (Choose two.)

VPCs A and B can communicate with each other directly.
VPCs C and B can communicate with each other directly.
VPCs A and C can communicate with each other directly.
VPCs C and E can communicate with each other directly.

A

C, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub. This makes A and B true and C and D false; so the right answers are C and D.

130
Q

Select the statement that is true.

Security groups are stateless and NACLs are stateful.
Security groups are stateful and NACLs are stateless.
Both security groups and NACLs are stateless.
Both security groups and NACLs are stateful.

A

B. NACLs are stateless—rules must exist for inbound and outbound. Security groups are stateful—anything allowed in is allowed back out automatically.

131
Q

Select the statement that is true.

In a NACL, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out.
In a security group, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out.
In both NACLs and security groups, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out.
Neither NACLs nor security groups require both inbound and outbound explicit rules for the same piece of traffic.

A

A. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically.

132
Q

Select the statement that is true.

In a NACL, traffic that is allowed in is automatically allowed back out.
In a security group, traffic that is allowed in is automatically allowed back out.
In both NACLs and security groups, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out.
Neither NACLs nor security groups require both inbound and outbound explicit rules for the same piece of traffic.

A

B. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically.

133
Q

Into how many subnets must an ALB be deployed (at a minimum)?

One
Two
Three
Five

A

B. ALBs are redundant across at least two subnets.

134
Q

Which of the following are created automatically when you create a new custom VPC? (Choose two.)

Security group
NAT gateway
Subnet
Route table

A

A, D. This is a little tricky. While the default VPC automatically creates a subnet, additional VPCs do not. You do automatically get a security group, route table, and NACL, so in this case, you’d want to choose options A and D.

135
Q

Which of the following are created automatically as part of the default VPC? (Choose two.)

NAT instance
NAT gateway
Subnet
Route table

A

C, D. The key here is “default VPC.” While subnets are not created in additional custom VPCs, the default VPC does get a subnet automatically (as well as an internet gateway). And all new VPCs get route tables, NACLs, and security groups.

136
Q

Which of the following are created automatically as part of the default VPC? (Choose two.)

Internet gateway
NAT gateway
NACL
IAM role

A

A, C. The key here is “default VPC.” While subnets are not created in additional custom VPCs, the default VPC does get an internet gateway automatically (as well as a subnet). And all new VPCs get route tables, NACLs, and security groups.

137
Q

What is the size of the default subnet in each availability zone within the default VPC?

/20
/16
/28
/24

A

A. This is really tough and requires pure memorization. The default VPC has a CIDR block of /16, but the default subnet in each AZ is a /20.

138
Q

What is the size of the CIDR block created in the default VPC?

/20
/16
/28
/24

A

B. This is a case of rote memorization. Default VPCs get a /16 CIDR block assigned to them.

139
Q

What is the size of the CIDR block created in a custom VPC?

/20
/16
/28
You must select a size at VPC creation.

A

D. There is no default CIDR block for custom VPCs. While the default VPC has a /16 CIDR block, you must specify the CIDR block for a custom VPC when you create it.

140
Q

Which of the following offers the most available IP addresses?

/20
/16
/28
/18

A

B. In general, the smaller the number after the slash, the larger the CIDR block. /16 is the largest valid block. A /16 offers 65,536 IPv4 addresses.

141
Q

Which of the following are not created as part of the default VPC? (Choose two.)

Internet gateway
Security group
NAT gateway
Bastion host

A

C, D. Default VPCs have a default subnet, along with a NACL, security group, and internet gateway, and a route table as well.

142
Q

Is the default VPC created by AWS public?

Only if you set it to be public at creation time
Yes
Only for traffic over port 80
No

A

B. The default VPC has an internet gateway, and instances are given public IP addresses, so option B is correct. You do not create the default VPC (A), and security groups control specific access, not the public or private nature of the VPC and instances within it (C).

143
Q

Which of the following statements are true? (Choose two.)

The default VPC has an internet gateway attached by default.
Custom VPCs do not have internet gateways attached by default.
The default VPC does not have an internet gateway attached by default.
Custom VPCs have internet gateways attached by default.

A

A, B. The default VPC does have an internet gateway attached to it, but custom VPCs do not. This is an important exam topic!

144
Q

Which of the following statements are true? (Choose two.)

The default VPC has a NACL created by default.
All incoming traffic is allowed by the default security group on a VPC.
All outgoing traffic is allowed by the default security group on a VPC.
The default security group for the default VPC allows inbound HTTP traffic.

A

A, C. Option A is true for both the default and custom VPCs: All VPCs have NACLs automatically created. While all outgoing traffic is allowed out by default (C), incoming traffic is restricted by default (B)—this includes inbound HTTP traffic (D).

145
Q

Which of the following statements are true about both the default VPC and custom VPCs? (Choose two.)

They have NACLs automatically created.
They have internet gateways automatically created.
They have subnets automatically created.
They have security groups automatically created.

A

A, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well.

146
Q

Which of the following are created automatically for the default VPC but not for custom VPCs? (Choose two.)

A route table
A subnet
A security group allowing outbound traffic
An internet gateway

A

B, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well, different from the custom VPC.

147
Q

All EC2 instances in the default VPC have which of the following by default? (Choose two.)

An elastic IP address
A public IP address
A private IP address
HTTP access for incoming requests

A

B, C. All EC2 instances in the default VPC have both a public and private IP address. They do not have an elastic IP address, and the security group that is created by default does not allow any inbound traffic (until changed manually).

148
Q

You created a new instance in the default VPC. You want this instance to be publicly available and serve web content. What steps do you need to take? (Choose two.)

Create a private IP for the instance.
Create a public IP for the instance.
Neither A nor B; these are done automatically.
Update the security group to allow traffic over HTTP and HTTPS to the instance.

A

C, D. All EC2 instances in the default VPC have both a public and private IP address. Therefore, the only addition to serve web content would be to allow the web traffic in via security group.

149
Q

You created a new instance in a custom VPC. You want this instance to be publicly available and serve web content. What steps do you need to take? (Choose two.)

Create an elastic IP for the instance.
Create an internet gateway for the VPC.
Update the security group to allow traffic over HTTP and HTTPS to the instance.
Both A and B

A

C, D. Instances in any non-default VPCs need to be made public via an elastic or public IP (A), and the VPC itself needs an internet gateway (B). Further, you need to allow in web traffic via the security group (C). So this is an “All of the above” situation, translating into options C and D.

150
Q

Why would you use a VPC endpoint to connect your VPC to S3 storage? (Choose two.)

To reduce the number of public IP addresses required by your VPC
To avoid leaving the AWS network when traffic flows between the VPC and S3
To increase security of the VPC-to-S3 traffic
To increase the speed as compared to using a NAT instance

A

B, C. A VPC endpoint provides a connection over the Amazon network between your VPC and a service, such as S3 (B). This avoids leaving the network and routing over the public Internet, which inherently provides greater security for the traffic involved (C).

151
Q

Which of the following does a VPC endpoint require?

Internet gateway
NAT instance
VPN connection
None of the above

A

D. A VPC endpoint does not require any of these to connect; it is a private connection outside of these constructs altogether, which is part of why it is an attractive solution for internal AWS communication.

152
Q

Which of the following statements about a VPC endpoint are true? (Choose two.)

It is a hardware device.
It is a virtual device.
It is automatically redundant.
It scales vertically.

A

B, C. A VPC endpoint is a virtual device that provides redundancy via AWS (and automatically). This makes options B and C correct, and A wrong. VPC endpoints scale horizontally, not vertically.

153
Q

Which of the following statements about a VPC endpoint are true? (Choose two.)

It requires a VPN connection.
It can connect to DynamoDB.
The VPC it is attached to must have an internet gateway.
It never routes traffic over the public Internet.

A

B, D. A VPC endpoint can connect to S3 and DynamoDB, as well as a host of additional AWS services, so B is true. It does not require an internet gateway or a VPN connection and does not route traffic over the public Internet (D).

154
Q

Which of these are types of VPC endpoints? (Choose two.)

Interface endpoint
Peering endpoint
Gateway endpoint
Service endpoint

A

A, C. A VPC endpoint comes in two flavors: an interface endpoint, which provides an elastic network interface and a private IP address, and a gateway endpoint, targeted for a specific route in your route table.

155
Q

Which of the following can a VPC gateway endpoint connect to? (Choose two.)

S3
Route 53
A Kinesis data stream
DynamoDB

A

A, D. This is pretty tough and is arguably right at the boundary of what the CSA Associate exam might ask. A gateway endpoint handles all traffic for a supported AWS service. Further, it’s not a specific portion of that service, so you can rule out a particular Kinesis data stream (C). That leaves A, B, and D. A and D make sense, while routing private traffic to Route 53 does not.

156
Q

Which of the following can a VPC interface endpoint connect to? (Choose two.)

An API gateway
A VPN
A Kinesis data stream
DynamoDB

A

A, C. This is another tough question. An interface endpoint provides a private IP address for connecting to a specific entry point for a specific AWS service. Anything that’s more general—like DynamoDB—isn’t a valid candidate. Additionally, a VPN (B) doesn’t make sense, as a VPN is a different type of connection altogether. In this case, that leaves a specific API gateway and a specific Kinesis data stream (A and C).

157
Q

Which of the following is true about instances in a VPC using a VPC endpoint to connect to S3 storage? (Choose two.)

They must have a public IP.
They must route traffic through a NAT instance to get to the endpoint.
They do not send their traffic over the public Internet to reach the VPC endpoint.
They must have routes to the VPC endpoint in the VPC routing table.

A

C, D. Instances that take advantage of a VPC endpoint do not need to have a public IP address or use a NAT instance. Instead, assuming they have a route to the endpoint (D), they send traffic over the AWS network to the connected service (C).

158
Q

At what level do security groups operate?

The subnet level
The VPC level
The instance level
All of the above

A

C. The best way to remember this is to consider the process for creating an instance: you must select the security group for every instance. So security groups operate at the instance level (C).

159
Q

Which types of rules do security groups allow?

Allow rules only
Allow and deny rules
Deny rules only
Allow, deny, and permit rules

A

A. Security groups only provide for allow rules (A). All other traffic is automatically denied, so allow rules are the only means of allowing traffic in.

160
Q

Security groups use which models for traffic? (Choose two.)

Traffic is denied by default.
Traffic is allowed by default.
Traffic is only allowed if there are specific allow rules.
Traffic is only denied if there are specific deny rules.

A

A, C. Security groups disallow all traffic unless there are specific allow rules for the traffic in the security group.

161
Q

Which of the following is true about security groups?

They evaluate all rules before deciding whether to allow traffic.
They evaluate rules from top to bottom before deciding whether to allow traffic.
They evaluate rules in numeric order before deciding whether to allow traffic.
They evaluate orders from high to low before deciding whether to allow traffic.

A

A. Security groups evaluate all the rules on the group before deciding how to handle traffic.

162
Q

In which order are rules evaluated when a security group decides if traffic is allowed?

Top to bottom
High to low numeric order
Low to high numeric order
All rules are evaluated before a decision is made.

A

D. Security groups evaluate all the rules on the group before deciding how to handle traffic.

163
Q

How many VPCs can you create in a single AWS region by default?

3
5
10
20

A

B. Five VPCs are allowed per region, per account, unless you contact AWS to raise this default limit.

164
Q

Which of the following is true about a new subnet created in a custom VPC that was set up with the default configuration?

It needs a custom route table created.
It can communicate with other subnets across availability zones.
It will not have a NACL.
It will have an internet gateway attached.

A

B. All custom VPCs have a route table (so A is false) and a NACL (so C is false) and will not have an internet gateway (D is false). This leaves B, which is true: subnets can communicate with each other across availability zones by default.

165
Q

Which of these allow you to SSH into an EC2 instance within a private subnet?

A NAT gateway
An internet gateway
A NAT instance
A bastion host

A

D. Only a bastion host (D) makes SSH available to private instances. You can use a NAT gateway or NAT instance to route traffic from these instances out, but a bastion host allows for SSH into private instances.

166
Q

Which of the following allow a private instance to communicate with the Internet? (Choose two.)

A NAT gateway
An internet gateway
A NAT instance
A bastion host

A

A, C. Both a NAT instance and a NAT gateway provide for outgoing traffic to route to the Internet from instances within a private subnet.

167
Q

How many internet gateways can each VPC have?

One
Two
Three
One for each AZ in which the VPC exists

A

A. A VPC can only have a single internet gateway.

168
Q

You are attempting to create a VPC in an AWS account and getting an error. When you look at the console, you see that the region you’re trying to create the VPC in already has five VPCs. What step should you take to create the VPC you need?

You can’t. Each region can only have five VPCs.
Configure the VPC to be peered with an existing VPC to get around the five-VPC per-region limit.
Contact AWS and explain your need for a higher number of VPCs in the region.
Create the VPC in a different region.

A

C. A single region can only have five VPCs by default, but this limit can be raised by contacting AWS.

169
Q

What benefit does adding a second internet gateway to your VPC provide?

Increased network throughput via two channels into the VPC
The second VPC can be used to facilitate VPC endpoints with S3 and DynamoDB.
You can’t add a second internet gateway to a single VPC.
You can’t have two internet gateways within the same region.

A

C. A single VPC can have a single internet gateway. This limit isn’t based on region (D) but on VPC (C).

170
Q

You have created a custom VPC, created instances within that VPC, and stood up web servers on those instances. What are the simplest steps you might need to perform to serve this web content to the public Internet? (Choose two.)

Add an internet gateway to the VPC.
Create a NAT gateway for the instances.
Create an ALB and point it at the instances.
Set a public IP for the instances.

A

A, D. First, realize it’s possible that almost any of these answers could be a part of a larger solution. However, the question asks for the simplest—or most direct—solutions. Given that, the best solutions are giving the instances public IP addresses (D) and adding an internet gateway to the VPC (A). You will also likely need routes in and out, security groups, etc.

171
Q

You have created a custom VPC, created instances within that VPC, attached an internet gateway to the VPC, and stood up web servers on those instances. However, users are unable to access the web content. What might be the problem? (Choose two.)

The security group doesn’t allow outbound HTTP traffic.
The security group doesn’t allow inbound HTTP traffic.
The instances don’t have elastic IP addresses.
The NACL for the VPC’s subnet allows all inbound traffic.

A

B, C. Given the internet gateway, the most likely issues are the instances being accessible via IP (which C addresses) and traffic for web/HTTP being disallowed (B).

172
Q

Which of the following statements is false?

One VPC can have a single internet gateway.
One VPC can have multiple subnets.
A single instance retains its public IP within a VPC when stopped and restarted.
A single instance does not retain its public IP within a VPC when stopped and restarted.

A

D. VPCs can have a single internet gateway and multiple subnets. However, an instance within a VPC that has a public address has that address released when it is stopped and is assigned a new public IP when it is restarted.

173
Q

Which of the following statements is false?

A subnet cannot span multiple availability zones.
A VPC can peer with no more than two other VPCs.
A VPC can peer with VPCs in other AWS accounts.
A subnet can be public or private if a VPC has an internet gateway attached.

A

B. A VPC can peer with unlimited other VPCs, so B is false. A subnet cannot span AZs, a VPC can peer with VPCs in other accounts, and a VPC having an internet gateway has no bearing on the public or private status of subnets within it.

174
Q

Why would you choose a NAT instance over a NAT gateway?

NAT instances are faster than NAT gateways.
NAT instances auto-size to accommodate traffic increases, while NAT gateways do not.
NAT instances are automatically kept updated with patches by AWS, while NAT gateways are not.
You wouldn’t; NAT gateways are, in general, a better solution than NAT instances.

A

D. All of the statements about NAT instances are false in A through C. Further, a NAT gateway is preferable to a NAT instance because it is managed by AWS rather than you, the architect.

175
Q

How do you change a VPC that is set to use dedicated hosting tenancy to use default tenancy?

You can change the hosting tenancy of the VPC without affecting the running instances.
Stop all instances in the VPC, and then you can change the VPC’s hosting tenancy.
Remove all instances in the VPC, and then you can change the VPC’s hosting tenancy.
You can’t; you must re-create the VPC.

A

D. A VPC cannot be changed from dedicated hosting tenancy to default hosting. You have to re-create the VPC.

176
Q

How quickly are changes made to the security group within a custom VPC applied?

Immediately
Within 60–90 seconds
The next time each instance restarts, or within 24 hours if the instance does not restart
Security groups aren’t associated with VPCs.

A

A. Changes to a security group take place immediately. As a note, option D is a bit misleading. While security groups operate at various levels, they absolutely affect VPCs, so D is false.

177
Q

You have a custom VPC with a public subnet. The VPC has an internet gateway attached to it. What else should you do to ensure that instances within the subnet can reach the Internet?

Add a route to the route table that directs traffic directed at the public Internet to go through the internet gateway.
Add a rule to the security group allowing outbound traffic out via HTTP.
Ensure that each instance has a public IP address.
The instances should have public access with this configuration already.

A

A. This is a routing question. Instances need to have their outbound traffic directed to the internet gateway on the VPC, and then that traffic can flow outward to the Internet.

178
Q

Which types of content can CloudFront cache?

Static and dynamic content
Static content, but not dynamic content
Dynamic content, but not static content
CloudFront is not a caching mechanism.

A

A. CloudFront supports both static and dynamic content.

179
Q

You have web applications that are serving up content via a large RDS instance. You are seeing heavy database utilization and want to improve performance. What might you suggest? (Choose two.)

Increase the instance size of the database.
Increase the instance size of the web application servers.
Set up CloudFront to handle dynamic content as well as static content.
Add an additional fleet of EC2 instances to serve the web content.

A

A, C. With only the information presented, the best options are to focus on the database and the dynamic content; the web application servers (from the question’s limited information) are not the issue. That means look at the database instance size (A) and caching dynamic content (C). B and D focus on the web app instances, which would not appear to be the issue.

180
Q

You are tasked with creating a new VPC for a large company, hosting a fleet of instances within the VPC, and ensuring that they can write to the company’s S3 buckets and also be accessed via a REST API that they each host. Which of the following would be part of your proposed solution? (Choose two.)

A customer gateway
An internet gateway
A VPC endpoint
A new NACL

A

B, C. An internet gateway is required to handle Internet traffic, and a VPC endpoint is ideal for connecting the instances to S3. A customer gateway is used in setting up a VPN or site-to-site connection, and if NACL changes are required, you’d make them to the existing NACL, not a new one.

181
Q

You are tasked with hosting a fleet of instances within the default VPC of a company’s AWS account and ensuring that the instances can write to the company’s S3 buckets and also be accessed via a REST API that they each host. Which of the following would be part of your proposed solution? (Choose two.)

A customer gateway
An internet gateway
A VPC endpoint
An updated set of rules for the NACL

A

C, D. The key here is recalling that the default VPC already has an internet gateway attached, so you wouldn’t need one (B). A customer gateway is for a VPN or direct connection. This leaves C, a VPC endpoint for communication with S3, and D, updated NACL rules for the endpoint and the gateway (potentially).

182
Q

You have been asked to troubleshoot a Direct Connect connection between your company’s on-site data center and a subnet within a public VPC. You have confirmed that you can reach the instances in the VPC from your data center, but those instances cannot reach back to your data center. What would you investigate? (Choose two.)

The VPC subnet’s routing table
The on-site storage gateway
The NAT instance in your VPC
The virtual private gateway configuration

A

A, D. The most likely culprits are the routing table of the VPC subnet and the virtual private gateway. A storage gateway (B) is not part of a Direct Connect solution, nor is a NAT instance (C).

183
Q

What is route propagation with respect to a virtual private gateway?

It copies all routes from an on-site network to an AWS VPC’s subnets routing tables.
It helps avoid manually entering VPN routes into your VPC routing tables.
It automatically allows inbound traffic from your on-premises connection.
It enables storage-based traffic from a customer’s storage gateway.

A

B. Route propagation is a routing option that automatically propagates routes to the route tables so you don’t need to manually enter VPN routes. It’s most common in a Direct Connect setup. A is too broad a statement—not all routes are automatically copied. C is incorrect, and in D, a storage gateway is not part of a Direct Connect solution (it can be, but isn’t required).

184
Q

What URL provides you with the public and private IP addresses of running EC2 instances?

http://169.254.169.254/meta-data/
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/instance-data/
http://169.254.169.254/latest/instance-data/

A

B. This is a matter of rote memorization. All metadata for instances is available at http://169.254.169.254, at /latest/meta-data. /latest/instance-data is actually not a URL that is responsive to requests.

185
Q

Which of the following is a highly durable key-value store?

S3
EFS
EBS
ElastiCache

A

A. S3 is highly durable and stores data as key-value pairs.

186
Q

Which of the following is a valid Glacier use case?

Storing insurance documents accessed once or twice a day by mobile clients
Storing medical records in case of annual audits
Storing patient images used in the scheduling department’s web-based software
Storing X-rays used in teaching exercises at the local college

A

B. B is the only answer that doesn’t presume at least semi-frequent access. Glacier is best for files that are rarely accessed and do not require quick access times.

187
Q

You have been called in to mitigate a disastrous loss of data on S3 at a bioethics company. After investigating, it is determined that the data was deleted accidentally by a developer. The company wants to ensure that data cannot be accidentally deleted like this in the future. What would you suggest? (Choose two.)

Enable S3 versioning on all S3 buckets.
Create an IAM policy that disallows developers from deleting data in S3.
Replace the current access pattern with signed URLs.
Enable MFA Delete on the buckets.

A

A, D. The best answer here is to enable MFA Delete (D). However, to do this, you’ll also need versioning (A). It is not practical to disallow developers from all delete access (B), and signed URLs do not help the issue.

188
Q

How many instances can you launch in a given AWS region?

20
40
20, but this is a soft limit and can be increased by AWS
40, but this is a soft limit and can be increased by AWS

A

C. For all new AWS accounts, 20 instances are allowed per region. However, you can increase this limit by requesting it via AWS support.

189
Q

You are using a NAT instance inside of a VPC to support routing out to the public Internet from private instances within that VPC. As traffic has increased, the performance of any operations involving the outbound Internet traffic has degraded to unacceptable levels. How would you mitigate this problem?

Add an additional internet gateway so the NAT instance can split outbound traffic over two gateways.
Add an additional elastic IP to the NAT instance to increase throughput.
Increase the instance size of the NAT instance by one or more instance size classes.
All of these are valid solutions.

A

C. The only one of these that makes sense is C, increasing the size of the NAT instance. It is impossible to add an additional internet gateway to a VPC that already has one (A), and adding an additional elastic IP requires using a newer EC2 instance, and it will not affect performance in this case (B).

190
Q

What is the simplest way to reduce frequent scaling in an application? For example, if an application is showing that it’s scaling up and down multiple times in an hour, how would you reduce the number of “ups and downs” you are seeing?

Set up scheduled times with proactive cycling for the scaling so that it is not occurring all the time.
Increase the cooldown timers so that scaling down requires greater thresholds of change in your triggers.
Update CloudWatch to use a FIFO termination policy, only terminating the oldest instances in a scaledown.
None of these will improve the issue.

A

B. If instances are scaling up and down quickly, this means that the thresholds for adding and removing instances are being met frequently. Since you don’t want to reduce the scaling up to meet demand, you should increase what it takes for the system to scale down; that’s what B suggests. Proactive cycling (A) won’t help the situation and C is completely made up.

191
Q

Which of these steps are required to get a NAT instance working? (Choose two.)

Update the routing table for EC2 instances accessing the public Internet to go through the NAT instance.
Locate the NAT instance within the private subnet that it will be serving.
Disable source/destination checks on your instance.
Set the NAT instance to allow port forwarding from the private subnet.

A

A, C. Routing is one of the most important steps (A); you must set the route to the public Internet to go to the NAT instance. Additionally, you need to disable source/destination checks, a commonly forgotten step (C). The NAT instance cannot be in a private subnet (B), and D doesn’t make sense in this context.

192
Q

Which of these is not a default CloudWatch metric?

Disk read operations
Memory usage
CPU usage
Inbound network traffic

A

B. This is a tough one because it must simply be memorized. CloudWatch provides disk read operations, CPU usage, and inbound network traffic but does not provide memory usage by default.

193
Q

You have an existing fleet of EC2 instances in a public subnet of your VPC. You launch an additional instance from the same AMI as the existing instances, into the same public subnet. What steps might you need to take to ensure that this instance can reach the public Internet? (Choose two.)

Assign an elastic IP address to the instance.
Add the instance to the ELB serving the existing instances.
Add the instance into a private subnet.
Ensure that the instance has a route out to the Internet.

A

A, B. The instance will need an elastic IP for public communication (A) and should be behind the same ELB as the other instances (B). Adding it into a private subnet (C) will remove its ability to communicate with the public Internet. D looks good, but if the instance is in the same subnet as the other instances, it automatically gets their routes; routing tables apply to the subnet, not a specific instance.

194
Q

Which of the following is the destination address for the public Internet?

168.1.255/0
0.0.0/16
169.254.169.254/0
0.0.0.0/0

A

D. The public Internet is addressed via 0.0.0.0/0.

195
Q

Which of the following would you use to route traffic from your subnet to the public Internet?

Destination: 0.0.0.0/0 ➢ Target: your internet gateway
Destination: 0.0.0.0/16 ➢ Target: your internet gateway
Destination: your internet gateway ➢ Target: 0.0.0.0/0
Destination: 0.0.0.0/0 ➢ Target: your virtual private gateway

A

A. The public Internet is addressed via 0.0.0.0/0, so if that’s the destination, the target should be the internet gateway within the VPC.