Resilient Architecture part 1 Flashcards

Question 1

Q

A small business specializing in video processing wants to prototype cloud storage in order to lower its costs. However, management is wary of storing its client files in the cloud rather than on premises. They are focused on cost savings and experimenting with the cloud at this time. What is the best solution for their prototype?
A) Install a VPN, set up an S3 bucket for their files created within the last month, and set up an additional S3-IA bucket for older files. Create a lifecycle policy in S3 to move files older than 30 days into the S3-IA bucket nightly.
B) Install an AWS storage gateway using stored volumes.
C) Set up a Direct Connect and back all local hard drives up to S3 over the Direct Connect nightly.
D)Install an AWS storage gateway using cached volumes.

Answer

A

B. Anytime the primary consideration is storage with a local data presence—where data must be stored or seen to be stored locally—a storage gateway gives you the best option. This reduces the choices to B and D. B will store the files in S3 and provide local cached copies, while D will store the files locally and push them to S3 as a backup. Since management is concerned about storage in the cloud of primary files, B is the best choice; local files are the primary source of data, while still allowing the company to experiment with cloud storage without “risking” its data being stored primarily in the cloud.

Question 2

Q

<p>For which of the following HTTP methods does S3 have eventual consistency? (Choose two.)
PUTs of new objects
UPDATEs
DELETEs
PUTs that overwrite existing objects</p>

Answer

A

C, D. PUTs of new objects have a read after write consistency. DELETEs and overwrite PUTs have eventual consistency across S3.

Question 3

Q

<p>What is the smallest file size that can be stored on standard class S3?
1 byte
1 MB
0 bytes
1 KB</p>

Answer

A

C. First, note that “on standard class S3” is a red herring, and irrelevant to the question. Second, objects on S3 can be 0 bytes. This is equivalent to using touch on a file and then uploading that 0-byte file to S3.

Question 4

Q

You’ve just created a new S3 bucket named ytmProfilePictures in the US East 2 region and created a folder at the root level of the bucket called images/. You’ve turned on website hosting and asked your content team to upload images into the images/ folder. At what URL will these images be available through a web browser?

https: //s3-us-east-2.amazonaws.com/ytmProfilePictures/images
https: //s3-website-us-east-2.amazonaws.com/ytmProfilePictures/images
https: //ytmProfilePictures.s3-website-us-east-2.amazonaws.com/images
https: //ytmProfilePictures.s3-website.us-east-2.amazonaws.com/images

Answer

A

You’ve just created a new S3 bucket named ytmProfilePictures in the US East 2 region and created a folder at the root level of the bucket called images/. You’ve turned on website hosting and asked your content team to upload images into the images/ folder. At what URL will these images be available through a web browser?https://s3-us-east-2.amazonaws.com/ytmProfilePictures/imageshttps://s3-website-us-east-2.amazonaws.com/ytmProfilePictures/imageshttps://ytmProfilePictures.s3-website-us-east-2.amazonaws.com/imageshttps://ytmProfilePictures.s3-website.us-east-2.amazonaws.com/images

Question 5

Q

Which of the following statements is not true?
Standard S3, S3-IA, and S3 One Zone-IA all are equally durable.
The availability of S3-IA and S3 One Zone-IA are identical.
Standard S3, S3-IA, and S3 One Zone-IA all have different availabilities.
S3 One Zone-IA is as durable as standard S3.

Answer

A

B. This is an important distinction when understanding S3 classes. Standard S3, S3-IA, and S3 One Zone-IA all are equally durable, although in One Zone-IA, data will be lost if the availability zone is destroyed. Each class has different availability, though: S3 is 99.99, S3-IA is 99.9, and S3 One Zone-IA is 99.5. Therefore, it is false that all have the same availability (B).

Question 6

Q

<p>Which of the following AWS services appear in the AWS console across all regions? (Choose two.)
S3
EC2
IAM
RDS</p>

Answer

A

A, C. The wording of this question is critical. S3 buckets are created within a region, but the AWS console and your account will show you all S3 buckets at all times. While a bucket is created in a specific region, names of buckets are also global. IAM permissions are also global and affect all regions. RDS and EC2 instances are region specific, and only appear in the regions in which they were created in the AWS console.

Question 7

Q

<p>You have an S3 bucket and are working on cost estimates for your customer. She has asked you about pricing of objects stored in S3. There are currently objects in the buckets ranging from 0 bytes to over 1 GB. In this situation, what is the smallest file size that S3-IA will charge you for?
1 byte
1 MB
0 bytes
128 KB</p>

Answer

A

D. This is a bit of a trick question if you’re not careful. While S3 allows for 0-byte objects, and charges as such, S3-IA charges all objects as if they are at least 128 KB in size. So while you can store a smaller object in S3-IA, it will be considered 128 KB for pricing and charging purposes.

Question 8

Q

Which of the following would you use for setting up AMIs from which new instances are created in an Auto Scaling policy?
The Auto Scaling policy itself
The security group for the Auto Scaling policy
The Auto Scaling group used by the Auto Scaling policy
The launch configuration used by the Auto Scaling policy

Answer

A

D. Launch configurations are where details are specified for creating (launching) new instances (option D). Security groups have to do more with what traffic is allowed into and out of the launched instances. The remaining two options—A and C—don’t make sense in this context.

Question 9

Q

You terminate an EC2 instance and find that the EBS root volume that was attached to the instance was also deleted. How can you correct this?
You can’t. A root volume is always deleted when the EC2 instance attached to that volume is deleted.
Take a snapshot of the EBS volume while the EC2 instance is running. Then, when the EC2 instance is terminated, you can restore the EBS volume from the snapshot.
Remove termination protection from the EC2 instance.
Use the AWS CLS to change the DeleteOnTermination attribute for the EBS volume to “false.”

Answer

A

D. By default, EBS root volumes are terminated when the associated instance is terminated. However, this is only the default value; therefore A is not correct. Option B is not directly addressing the question; the EBS volume would still be deleted even if you take a snapshot. Option C is not relevant, but option D is: You can use the AWS CLI (or the console) to set the root volume to persist after instance termination.

Question 10

Q

Can you attach an EBS volume to more than one EC2 instance at the same time?
Yes, as long as the volume is not the root volume.
No, EBS volumes cannot be attached to more than one instance at the same time.
Yes, as long as the volume is one of the SSD classes and not magnetic storage.
Yes, as long as at least one of the instances uses the volume as its root volume.

Answer

A

B. EBS volumes can only attach to a single instance at one time. The other options are all simply to distract.

Question 11

Q

<p>How does AWS allow you to add metadata to your EC2 instances? (Choose two.)
Certificates
Tags
Policies
Labels</p>

Answer

A

A, B. All instances and most services in AWS provide tagging for metadata. Certificates are related to SSL and help define the identity of a site or transmission, policies are related to permissions and roles, and labels are not (currently) an AWS construct.

Question 12

Q

<p>Which of the following can be deployed across availability zones?
Cluster placement groups
Placement groups
Spread placement groups
Cross-region placement groups</p>

Answer

A

C. Spread placement groups—which are relatively new to AWS—can be placed across multiple availability zones. Cluster placement groups cannot, and placement groups generally refers to cluster placement groups. Cross-region placement groups is a made-up term.

Question 13

Q

<p>You are tasked with recommending a storage solution for a large company with a capital investment in an NFS-based backup system. The company wants to investigate cloud-based storage but doesn’t want to lose its software investment either. Which type of storage gateway would you recommend?
File gateway
Cached volume gateway
Stored volume gateway
Tape gateway</p>

Answer

A

A. Each of the options is a valid configuration for a storage gateway. Of the options, file gateway provides an NFS-style protocol for transferring data to and from the gateway and therefore is the best option.

Question 14

Q

<p>You are tasked with prototyping a cloud-based storage solution for a small business. The business’s chief concern is low network latency, as its systems need near-instant access to all of its datasets. Which storage gateway would you recommend?
File gateway
Cached volume gateway
Stored volume gateway
Tape gateway</p>

Answer

A

C. A stored volume gateway stores data at the on-premises data store and backs up to S3 asynchronously to support disaster recovery. Most important, though, is that by storing data locally, network latency is minimal. Of the available options, only a stored volume gateway provides local data with this speed of access across an entire dataset.

Question 15

Q

<p>You are the solutions architect for a mapping division that has inherited a massive geospatial dataset from a recent acquisition. The data is all on local disk drives, and you want to transition the data to AWS. With datasets of over 10 TB, what is the best approach to getting this data into AWS?
S3 with Transfer Acceleration
Cached volume gateway
Snowball
Shipping the drives to AWS</p>

Answer

A

C. Anytime very large data needs to be moved into AWS, consider Snowball. Snowball is a physical device that allows for data to be physically sent to AWS rather than transferred over a network. It is the only solution that will not potentially cause disruptive network outages or slowdowns.

Question 16

Q

Which of the following are not reasons to use a cached volumes storage gateway? (Choose two.)
You want low-latency access to your entire dataset.
You want to reduce the cost of on-site storage.
You want to support iSCSI storage volumes.
You want low-latency access to your most commonly accessed data.

Answer

A

A, C. A cached volume gateway stores the most commonly accessed data locally (option D) while keeping the entire dataset in S3. This has the effect of reducing the cost of storage on-site, because you need less (option B). Since both of these are true, you need to select the other two options as reasons to not use a cached volumes gateway: A and C.

Question 17

Q

<p>Which of the following storage gateway options is best for traditional backup applications?
File gateway
Cached volume gateway
Stored volume gateway
Tape gateway</p>

Answer

A

A. Be careful here. While it might seem at a glance that a tape gateway is best, most backup solutions do not employ tape backups. They use NFS mounts and file-based backups, which is exactly what a file gateway is best used for.

Question 18

Q

<p>Which of the following storage gateway options is best for applications where latency of your entire dataset is the priority?
File gateway
Cached volume gateway
Stored volume gateway
Tape gateway</p>

Answer

A

C. If the entire dataset is needed, then a stored volume gateway is a better choice than a cached volume gateway. The stored volume stores the entire dataset on premises and therefore is very fast for all data access.

Question 19

Q

<p>Which of the following storage gateway options is best for reducing the costs associated with an off-site disaster recovery solution?
File gateway
Cached volume gateway
Stored volume gateway
Tape gateway</p>

Answer

A

D. A tape gateway is ideal for replacing off-site tape directories. The gateway is a virtual tape directory and avoids the costs of transporting actual tapes to an expensive off-site location.

Question 20

Q

<p>For which of the following storage classes do you need to specify an availability zone?
S3
S3-IA
S3 One Zone-IA
None of the above</p>

Answer

A

D. While S3 does use availability zones to store objects in buckets, you do not choose the availability zone yourself. Even S3 One Zone-IA does not allow you to specify the AZ for use.

Question 21

Q

creases)? (Choose two.)
S3 will scale to handle the load if you have Auto Scaling set up.
S3 will scale automatically to ensure your service is not interrupted.
Scale spreads evenly across AWS network to minimize the effect of a spike.
A few instances are scaled up dramatically to minimize the effect of the spike.

Answer

A

B, C. S3 is built to automatically scale in times of heavy application usage. There is no requirement to enable Auto Scaling (A); rather, this happens automatically (so B is correct). Further, S3 tends to scale evenly across the AWS network (C). Option D is the opposite of what AWS intends.

Question 22

Q

You have been tasked with helping a company migrate its expensive off-premises storage to AWS. It will still primarily back up files from its on-premises location to a local NAS. These files then need to be stored off-site (in AWS rather than the original off-site location). The company is concerned with durability and cost and wants to retain quick access to its files. What should you recommend?
Copying files from the NAS to an S3 standard class bucket
Copying files from the NAS to an S3 One Zone-IA class bucket
Copying the files from the NAS to EBS volumes with provisioned IOPS
Copying the files from the NAS to Amazon Glacier

Answer

A

B. When evaluating S3 storage, all storage classes have the same durability. For cost, though, S3 One Zone-IA is the clear winner. Only Glacier is potentially less expensive but does not provide the same quick file access that S3 One Zone-IA does.

Question 23

Q

<p>How many S3 buckets can you create per AWS account, by default?
25
50
100
There is not a default limit.</p>

Answer

A

C. By default, all AWS accounts can create up to 100 buckets. However, this limit can easily be raised by AWS if you request an upgrade.

Question 24

Q

How are objects uploaded to S3 by default?
In parts
In a single operation
You must configure this option for each S3 bucket explicitly.
Via the REST API

Answer

A

B. S3 uploads are, by default, done via a single operation, usually via a single PUT operation. AWS suggests that you can upload objects up to 100 MB before changing to Multipart Upload.

Question 25

Q

Which of the following are the ways you should consider using Multipart Upload?
For uploading large objects over a stable high-bandwidth network to maximize bandwidth
For uploading large objects to reduce the cost of ingress related to those objects
For uploading any size files over a spotty network to increase resiliency
For uploading files that must be appended to existing files

Answer

A

A, C. Multipart Upload is, as should be the easiest answer, ideal for large objects on stable networks (A). But it also helps handle less-reliable networks as smaller parts can fail while others get through, reducing the overall failure rate (C). There is no cost associated with data ingress (B), and D doesn’t make much sense at all!

Question 26

Q

How is a presigned URL different from a normal URL? (Choose two.)
A presigned URL has permissions associated with certain objects provided by the creator of the URL.
A presigned URL has permissions associated with certain objects provided by the user of the URL.
A presigned URL allows access to private S3 buckets without requiring AWS credentials.
A presigned URL includes encrypted credentials as part of the URL.

Answer

A

A, C. Presigned URLs are created to allow users without AWS credentials to access specific resources (option C). And it’s the creator of the URL (option A) that assigns these permissions, rather than the user (option B). Finally, these credentials are associated with the URL but are not encrypted into the URL itself.

Question 27

Q

<p>How long is a presigned URL valid?
60 seconds
60 minutes
24 hours
As long as it is configured to last</p>

Answer

A

D. A presigned URL is always configured at creation for a valid Time to Live (often referred to as TTL). This time can be very short, or quite long.

Question 28

Q

Which of the following behaviors is consistent with how S3 handles object operations on a bucket?
A process writes a new object to Amazon S3 and immediately lists keys within its bucket. The new object does not appear in the list of keys.
A process deletes an object, attempts to immediately read the deleted object, and S3 still returns the deleted data.
A process deletes an object and immediately lists the keys in the bucket. S3 returns a list with the deleted object in the list.
All of the above

Answer

A

D. These are all consistent with S3 behavior. Option A could occur as the new object is being propagated to additional S3 buckets. B and C could occur as a result of eventual consistency, where a DELETE operation does not immediately appear.

Question 29

Q

<p>Which of the following storage media are object based? (Choose two.)
S3-IA
EBS
EFS
S3 standard</p>

Answer

A

A, D. All S3 storage classes are object-based, while EBS and EFS are block-based.

Question 30

Q

<p>How many PUTs per second does S3 support?
100
1500
3500
5000</p>

Answer

A

C. This is important because it reflects a recent change by AWS. Until 2018, there was a hard limit on S3 of 100 PUTs per second, but that limit has now been raised to 3500 PUTs per second.

Question 31

Q

<p>What unique domain name do S3 buckets created in US East (N. Virginia) have, as compared to other regions?
s3.amazonaws.com
s3-us-east-1.amazonaws.com
s3-us-east.amazonaws.com
s3-amazonaws.com</p>

Answer

A

A. S3 buckets have names based upon the S3 identifier (s3), the region (us-east-1 in this case), and the amazonaws.com domain. Then, the bucket name appears after the domain. That results in a URL like https://s3-us-east-1.amazonaws.com/prototypeBucket32. However, buckets in US East are a special case and should use the special, unique endpoint s3.amazonaws.com (option A).

Question 32

Q

Which of the following are valid domain names for S3 buckets? (Choose two.)s3.us-east-1.amazonaws.com
s3-us-west-2.amazonaws.com
s3.amazonaws.com
s3-jp-west-2.amazonaws.com

Answer

A

B, C. Option A is not the correct format; s3 should be separated from the region with a dash (-). Option B is valid, and option C is the correct unique URL for US East (N. Virginia). Option D is the right format, but jp-west-2 is not an AWS region.

Question 33

Q

<p>What are the two styles of URLs that AWS supports for S3 bucket access? (Choose two.)
Virtual-hosted-style URLs
Domain-hosted-style URLs
Apex zone record URLs
Path-style URLs</p>

Answer

A

A, D. S3 supports two styles of bucket URLs: virtual-hosted-style and path-style URLs. Virtual-hosted-style URLs are of the form http://bucket.s3-aws-region.amazonaws.com, and path-style URLs are the traditional URLs you’ve seen: https://s3-aws-region.amazonaws.com/bucket-name.

Question 34

Q

Which of the following are not true about S3? (Choose two.)
Buckets are created in specific regions.
Bucket names exist in a per-region namespace.
Buckets are object-based.
Each S3 bucket stores up to 5 TB of object data.

Answer

A

B, D. While S3 buckets are created in a specific region (A), the names of buckets are global and must exist in a global namespace (so B is untrue). Buckets are object-based (so C is true), and while a single object is limited at 5 TB, the buckets are unlimited in total storage capacity (so D is false).

Question 35

Q

Which of the following is the best approach to ensuring that objects in your S3 buckets are not accidentally deleted?
Restrictive bucket permissions
Enabling versioning on buckets
Enabling MFA Delete on buckets
All of these options are equally useful.

Answer

A

C. MFA Delete is the absolute best means of ensuring that objects are not accidentally deleted. MFA—Multi-Factor Authentication—ensures that any object deletion requires multiple forms of authentication.

Question 36

Q

<p>What HTTP request header is used by MFA Delete requests?
x-delete
x-amz-mfa
x-aws-mfa
x-amz-delete</p>

Answer

A

B. All Amazon-specific request headers begin with x-amz. This is important to remember as it will help eliminate lots of incorrect answers. This leaves only x-amz-mfa.

Question 37

Q

Which of the following operations will take advantage of MFA Delete, if it is enabled? (Choose two.)
Deleting an S3 bucket
Changing the versioning state of a bucket
Permanently deleting an object version
Deleting an object’s metadata

Answer

A

B, C. MFA Delete applies to deleting objects, not buckets (so option A is incorrect). It affects changing the versioning state of a bucket or permanently deleting any object (or a version of that object); this makes B and C correct. Deleting an object’s metadata while leaving the object intact does not require MFA Delete.

Question 38

Q

When using an MFA Delete–enabled bucket to delete an object, from where does the authentication code come?
A hardware or virtual MFA device
The token section of the AWS console
The AWS REST API under delete-codes in a bucket’s metadata
None of these

Answer

A

A. This answer simply has to be memorized. MFA Delete authentication codes are pulled from hardware or virtual MFA devices, like Google Authenticator on an iPhone.

Question 39

Q

Who can enable versioning on an S3 bucket?
All authorized IAM users of the bucket
A, C, and D
The bucket owner
The root account that owns the bucket

Answer

A

B. The bucket owner, root account, and all authorized IAM users of a bucket are allowed to enable versioning.

Question 40

Q

<p>Which of the following exist and are attached to an object stored in S3? (Choose two.)
Metadata
Data
Authentication ID
Version history</p>

Answer

A

A, B. Each object in S3 has a name, value (data), version ID, and metadata. The version history of an object won’t exist unless versioning is turned on, so it’s not always a valid answer.

Question 41

Q

CloudFront is a web service for distributing what type of content? (Choose two.)
Object-based storage
Static files
Script-generated or programmatically generated dynamic content
All of the above

Answer

A

B, C. CloudFront is intended to cache and deliver static files from your origin servers to users or clients. Dynamic content is also servable through CloudFront from EC2 or other web servers. Object-based storage doesn’t make sense in this context, as CloudFront is a distribution mechanism, not a storage facility.

Question 42

Q

<p>What are the sources of information that CloudFront serves data from called?
Service providers
Source servers
Static servers
Origin servers</p>

Answer

A

D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content.

Question 43

Q

<p>Which of the following are typical origin servers for a CloudFront distribution? (Choose two.)
EC2 instances
Amazon Glacier archives
API Gateway
S3 buckets</p>

Answer

A

A, D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content (options A and D).

Question 44

Q

<p>Which of the following are not origin servers for a CloudFront distribution? (Choose two.)
Docker containers running on ECS
MySQL ResultSet
S3 buckets
Redshift workloads</p>

Answer

A

B, D. CloudFront serves content from origin servers, usually static files and dynamic responses. These origin servers are often S3 buckets for static content and EC2 instances for dynamic content (meaning option C is valid). Containers can also be used in place of EC2 instances, making option A valid as well. This leaves B and D as invalid origin servers.

Question 45

Q

<p>Which of the following are not origin servers for a CloudFront distribution? (Choose two.)
Elastic load balancer
Route 53 recordsets
SQS subscription endpoint
SNS topic retrieval endpoint</p>

Answer

A

C, D. CloudFront is able to distribute content from an ELB, rather than directly interfacing with S3, and can do the same with a Route 53 recordset. These allow the content to come from multiple instances. This means that options C and D are invalid origin servers and therefore the correct answers.

Question 46

Q

<p>What is a collection of edge locations called?
Region
Availability zone
CloudFront
Distribution</p>

Answer

A

D. A CloudFront distribution is a collection of edge locations across the world.

Question 47

Q

<p>Which of the following store content that is served to users in a CloudFront-enabled web application? (Choose two.)
Availability zones
Edge locations
Route 53
EC2 instances</p>

Answer

A

B, D. Availability zones are not content storage devices; they are virtual data centers. Edge locations are used by CloudFront distributions to store cached content (so correct). Route 53 is the Amazon DNS service. EC2 instances can serve content from processes (so also correct).

Question 48

Q

You support a web application that uses a CloudFront distribution. A banner ad that was posted the previous night at midnight has an error in it, and you’ve been tasked with removing the ad so that users don’t see the error. What steps should you take? (Choose two.)
Delete the banner image from S3.
Remove the ad from the website.
Wait for 24 hours and the edge locations will automatically expire the ad from their caches.
Clear the cached object manually.

Answer

A

B, D. You must perform both steps B and D, and you must perform B before D or the banner ad could get re-cached. Also note that expiring a cached object manually incurs a cost.

Question 49

Q

<p>By default, how long do edge locations cache objects?
12 hours
24 hours
48 hours
360 minutes</p>

Answer

A

B. The default TTL for edge locations is 24 hours.

Question 50

Q

How are datasets utilized by stored volumes backed up to S3?
Asynchronously
Synchronously
The backup method is specified by the user at configuration time.
Synchronously unless the backup takes more than 2 seconds; then the backup switches to asynchronous

Answer

A

A. All data is backed up to S3 asynchronously when a stored volume is used. This ensures that no lag is incurred by clients that interact with the stored volumes on-site.

Question 51

Q

When should you use AWS Direct Connect instead of Snowball?
AWS Direct Connect is usually a better option than Snowball.
AWS Direct Connect is almost never a better option than Snowball.
If you have more than 50 TB of data to transfer, use Snowball.
If you have less than 50 TB of data to transfer, use Snowball.

Answer

A

A. AWS Direct Connect is a dedicated high-speed connection between your on-premises network and AWS. Because of this, a direct connect is almost always a better choice than shipping out a Snowball, loading data to it, and then shipping it back.

Question 52

Q

<p>Which of the following AWS services can be used to store large objects? (Choose two.)
Redshift
S3
Oracle
EC2</p>

Answer

A

B, C. This is a little tricky. S3 is an obvious choice. Redshift is suited for analysis data, so probably not large objects. EC2 is compute, which leaves Oracle. It is possible—without any better answers—to use Oracle (via RDS or installed on EC2) to store large objects in a BLOB-type field.

Question 53

Q

You have created a static website and posted an HTML page as home.html in the root level of your S3 bucket. The bucket is named californiaroll and is located in US West 2. At what URL can you access the HTML page?

http: //californiaroll.s3-website.us-west-1.amazonaws.com/home.html
http: //s3-website-us-west-1.amazonaws.com/californiaroll/home.html
http: //californiaroll.s3-website-us-west-2.amazonaws.com/public_html/home.html
http: //californiaroll.s3-website-us-west-1.amazonaws.com/home.html

Answer

A

D. First, ensure that the domain name is correct. Option A incorrectly separates s3-website from the region, and C has the wrong region. B does not have the bucket name in the URL, which it should for website hosting. This leaves D, the correct answer.

Question 54

Q

You have a variety of images with names like image-001.jpg and image-002.jpg in an S3 bucket named phoneboothPhotos created in the EU West 1 region. You have enabled website hosting on this bucket. Which URL would allow access to the photos?
http://phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/ phoneboothPhotos/image-001.jpg

http: //phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/ phoneboothphotos/image-001.jpg
http: //phoneboothPhotos.s3-website-eu-west-1.amazonaws.com/ public_html/phoneboothPhotos/image-001.jpg
http: //phoneboothPhotos.s3-website.eu-west-1.amazonaws.com/ phoneboothPhotos/image-001.jpg

Answer

A

A. First, eliminate option D; the domain is incorrect, adding a separator between s3-website and the region. Then, eliminate option C, as it adds a public_html to the portion of the URL after the domain, which is also incorrect. This leaves A and B. Here, you need to realize that the portion of a URL after the domain is case sensitive and compare the two directories to the question. A is correct, using the correct capitalization of phoneboothPhotos.

Question 55

Q

<p>You have your own custom domain and want to host a static website on that domain. You also want to minimize compute costs. Which of the following AWS services would you use to host your website on your custom domain? (Choose two.)
S3
EC2
Lambda
Route 53</p>

Answer

A

A, D. To minimize compute resources, you should avoid EC2 and Lambda. Enabling static website hosting on an S3 bucket is a better option. To use a custom domain, you’d need to also use Route 53 to direct traffic from your custom domain to the S3 bucket.

Question 56

Q

<p>Which of the following does Elastic Beanstalk provide? (Choose two.)
Deployment of code
Security
Capacity provisioning
Cost optimization</p>

Answer

A

A, C. Elastic Beanstalk is focused on code deployment. It provides that, and in the process, load balancing, Auto Scaling, health monitoring, and capacity provisioning (C).

Question 57

Q

<p>Which of the following does Elastic Beanstalk not provide? (Choose two.)
Deployment of code
Security hardening
Application health monitoring
Log inspection and backup</p>

Answer

A

B, D. Elastic Beanstalk is focused on code deployment (A). It provides that, and in the process, load balancing, Auto Scaling, health monitoring (C), and capacity provisioning. It does not provide security or log inspection.

Question 58

Q

<p>Which of the following does Elastic Beanstalk support? (Choose two.)
Docker
C++
Scala
Node.js</p>

Answer

A

A, D. This is a little far off the beaten AWS path, but you should know which languages and technologies are commonly used and cited by AWS and which are not. In general, Docker and containers are always supported; and Node.js, JavaScript, Java, PHP, and Perl are commonly supported. C++ and Scala are not in that list.

Question 59

Q

<p>Which AWS service allows you to run code without provisioning any of the underlying resources required by that code?
EC2
ECS
DynamoDB
Lambda</p>

Answer

A

D. EC2 and ECS are compute services but require knowledge and working with the required resources. DynamoDB is a database and cannot run code. Lambda is correct: It runs code without needing an underlying set of compute resources that are user managed.

Question 60

Q

<p>Which of the following AWS services allow you to run code without worrying about provisioning specific resources for that code? (Choose two.)
Elastic Beanstalk
ECS
DynamoDB
Lambda</p>

Answer

A

A, D. Elastic Beanstalk and Lambda are very different services, but in this context, both are valid answers. Elastic Beanstalk is a sort of “code deployment wizard,” and Lambda allows for serverless code deployment. Both handle provisioning of the environment without user intervention.

Question 61

Q

<p>Which of the following languages work on Lambda? (Choose two.)
JavaScript
Node.js
Scala
C++</p>

Answer

A

A, B. You should know which languages and technologies are commonly used and cited by AWS and which are not. In general, Node.js, JavaScript, Java, PHP, and Perl are pretty commonly supported. C++ and Scala are not in that list.

Question 62

Q

<p>What AWS service is ideal for gathering business intelligence from multiple data sources?
Lightsail
QuickSight
CloudTrail
RDS</p>

Answer

A

B. QuickSight is a cloud-powered business analytics service. It provides visualizations and analysis from multiple data sources.

Question 63

Q

<p>Which service would you use to create a single-sign on system for a user base that already has credentials they want to use outside of AWS?
Cognito
Kinesis
SWF
IAM</p>

Answer

A

A. AWS Cognito allows you to add user sign-up, sign-in, and access control to web applications, as well as single sign-on. It also allows identity providers such as Facebook and Google to be used.

Question 64

Q

<p>What type of services are associated with S3 lifecycle management?
Storage services
Database services
Compute services
Networking services</p>

Answer

A

A. Anything related to S3 is going to be storage-related. In this case, lifecycle management handles transitioning data from one S3 storage class to another.

Answer 65

A

D. Amazon Lightsail is a compute solution for web applications and involves compute, storage, and networking as well as database storage when needed. It launches servers and configures them with the needed services for web hosting. Note that while AWS considers Lightsail a compute service, it absolutely interfaces and controls additional resources.

Answer 66

A

C. Elastic Beanstalk is an Amazon service that spins up and manages a number of other services, in particular, compute. Even though you can configure other services, though, Beanstalk is considered to primarily be a code deployment tool and therefore is focused on compute services.

Answer 67

A

C. Redshift is one of AWS’s OLAP (online analytics processing) tools and is a database service. While it does processing, it is primarily intended to receive large amounts of data and operate upon that data, as a database would (in loose terms).

Answer 68

A

B. CloudFront is AWS’s distribution network. It’s a content caching system that is ultimately a networking component of your AWS buildout.

Answer 69

A

B. EMR is Elastic MapReduce and provides data processing and analysis of large datasets.

Answer 70

A

C. Cloud9 is a developer environment, intended as an IDE for AWS developers.

Answer 71

A

D. Direct Connect is an AWS service for creating a high-speed connection between an on-premises site and AWS.

Answer 72

A

D. Amazon Workspaces allows you to provide a desktop service via the cloud. The service allows people throughout the world to take advantage of scalable desktop provisioning.

Answer 73

A

B. Kinesis is a data analytic service capable of handling large data streams and providing real-time insights.

Answer 74

A

D. OpsWorks is an operational management service, which AWS often classifies as “management tools” (especially in the AWS console). It allows integration with tools like Puppet and Chef.

Answer 75

A

C, D. Elastic IPs are assigned to an instance in a specific availability zone, but in the event of a failure, that elastic IP can be remapped to another AZ, making A false. B is false because regions will contain at least two availability zones, not exactly two. C is true, as different accounts may remap AZs to different names to ensure better resource distribution, and D is correct, even though many users simply accept the defaults and don’t pick a specific AZ.

Answer 76

A

A, C. This is admittedly a tough question, but worth working through. You need to have at least a familiarity with AWS regions and know that there are several major regions: US, EU, and AP. There are a few others (CA, SA, for example), but the major ones are US, EU, and AP. Knowing those, you can spot that A and C are likely valid. JP (presumably for Japan) isn’t correct, and UK you should recognize should be EU. There is no UK-specific region.

Answer 77

A

A. An availability zone identifier is the region identifier with a letter appended on the end. A region identifier is the region name, which is usually the country or area (eu, us, etc.), then the geographical area (southeast, west, east, etc.), then a number.

Answer 78

A

C. EFS, Elastic File System, provides scalable storage accessible from multiple compute instances. EBS is Elastic Block Storage and is tied to one instance at a time and therefore not like a NAS (network attached storage). DynamoDB is a NoSQL database, and tape gateway is a client device for interacting with S3, but locally rather than in the cloud.

Answer 79

A

C. EFS, Elastic File System, provides scalable storage accessible from multiple compute instances. EBS is Elastic Block Storage and is tied to one instance at a time and therefore not like a NAS (network attached storage). DynamoDB is a NoSQL database, and tape gateway is a client device for interacting with S3, but locally rather than in the cloud.

Answer 80

A

A, D. RDS supports Multi-AZ deployments. Automated backups are turned on by default. Some RDS databases—notably Maria and Aurora—are only supported through a managed service like RDS. And all RDS databases provide a SQL interface

Answer 81

A

A. OLAP is online analytics processing, often associated with business intelligence. AWS services like Redshift are ideal for OLAP.

Answer 82

A

D. OLTP is online transaction processing and is generally the domain of relational databases in AWS.

Answer 83

A

A. Redshift is the prime example of AWS providing an OLAP service.

Answer 84

A

D. Aurora, as a managed service via RDS, is a relational database, and relational databases are generally the best answer for OLTP in AWS.

Answer 85

A

B, D. In OLTP questions, look for the relational databases. In this question, those are Oracle and SQL Server, and therefore the answers. memcache is one of the engines for ElastiCache and DynamoDB is a NoSQL database.

Answer 86

A

A. EMR, Elastic MapReduce, is ideal for big data processing. Is uses the Hadoop and Spark frameworks and is a managed service for processing very large datasets.

Answer 87

A

C. This is a little trickier. The best way to remember how to answer a question like this is to associate Kinesis with streaming data, which implies real-time analysis. Kinesis can take in streams of data and do immediate processing on that.

Answer 88

A

D. This is another tough question, especially if both Kinesis and Athena appear in the answer choices. Kinesis handles streams of data and does real-time analytics; Athena is more on the interactive side. Athena analyzes data but allows standard SQL queries. That’s why it’s a better choice than Kinesis with this question.

Answer 89

A

B, D. EMR, or Elastic MapReduce, is most commonly used with Hadoop and Spark. Unfortunately, this simply has to be memorized; there’s no good way to get at this unless you already know that Hadoop and Spark are ideal for data processing.

Answer 90

A

D. Aurora actually stores a whopping six copies of your data, across three availability zones, to ensure failover and disaster recovery.

Answer 91

A

C. Aurora, under the RDS managed service, is about five times as fast as MySQL and three times as fast as PostgreSQL. Still, there’s an easier way to remember this: Anytime an AWS exam asks you about speed or performance, it’s generally the case that the AWS offering is the right answer. AWS won’t ask you to choose MySQL or Oracle as a faster option than one of its own databases!

Answer 92

A

A. Aurora, under the RDS managed service, stores six copies of your data by default, across three availability zones. Additionally, there’s an easier way to remember this: Anytime an AWS exam asks you about resilience, it’s generally the case that the AWS offering is the right answer.

Answer 93

A

B, C. Aurora is compatible with both PostgreSQL and MySQL. These are also easier to choose because they are both relational databases, also managed through RDS.

Answer 94

A

B, D. RDS provides for SQL interaction as well as access through the RDS web APIs. RDS instances do not allow access via SSH or RDP.

Answer 95

A

C. RDS allows backup retention periods up to 35 days.

Answer 96

A

A. You can’t use RDS because the question explicitly says you are installing Oracle on EC2 rather than using the managed service. In this case, then, you want the fastest disk space available, which will be EBS, Elastic Block Storage.

Answer 97

A

B, D. Anytime OLTP comes up, simply look for options that are RDS-supported databases, and if that fails, look for relational databases. In this question, the answers that fit these criteria are MariaDB and Aurora.

Answer 98

A

A, C. Anytime OLTP comes up, simply look for options that are RDS-supported databases, and if that fails, look for relational databases. In this question, the answers that fit these criteria are PostgreSQL and SQL Server. Since the question asks which are not suitable options, the correct selections are Kinesis (A) and Redshift (C).

Answer 99

A

A, C. A Multi-AZ setup provides disaster recovery options through a secondary database. This also implicitly provides data redundancy.

Answer 100

A

B, D. A read replica setup is intended to reduce the load on a single database instance by providing additional databases from which to read. This also has the “side effect” of reducing network latency via spreading out traffic across multiple instances.

Answer 101

A

A, C. A read replica setup is intended to reduce the load on a single database instance by providing additional databases from which to read. Applications can read from the replica (A) but not write to it (B). Only the primary instance—through RDS and AWS—can “write” changes to the replica (C).

Answer 102

A

C. Multi-AZ setups provide disaster recovery through a secondary instance (A and B), and all RDS databases support Multi-AZ (D). This just leaves C, which is not provided (and is the correct answer). Because only the primary instance is accessible, it is not any more performant than a standard RDS setup.

Answer 103

A

B. Multi-AZ setups use synchronous replication (B) to back up data to the secondary instance for the purposes of disaster recovery.

Answer 104

A

D. Read replicas use asynchronous replication (D), pushing data to the read replicas whenever possible, for improved read performance.

Answer 105

A

A. Read replicas are intended to provide scalability for your application by adding additional instances for increased reads from applications.

Answer 106

A

C. A Multi-AZ setup is about disaster recovery, and therefore durability. They provide automatic backups (so not A), upgrades happen on the primary database and then are replicated (so not B), and there is a primary and usually a single secondary instance (so not D). That leaves C: durability.

Answer 107

A

B. AWS provides up to five read replicas for a single database instance, configurable via the AWS console.

Answer 108

A

A, D. DynamoDB uses eventually consistent reads by default, meaning a read might not immediately reflect the results of a very recent write. It also offers a strongly consistent reads model, always reflecting the most recent write operations.

Answer 109

A

A, D. Delays occur in a strongly consistent read model when recently written data cannot be returned. Since a strongly consistent read model guarantees the latest data is returned, until that data is available, no response can be sent. This is the situation described in both option A and D. Option B involves replication, which is not relevant in this context, and C involves previous reads rather than writes.

Answer 110

A

A, D. All instances in the default VPC get a public and private IP address by default at launch time.

Answer 111

A

A. A /16 offers 65,536 IP addresses. The lower the number, the larger the pool of IP addresses when using CIDR notation.

Answer 112

A

A. SWF stands for Simple Workflow, and Amazon SWF is the Amazon Simple Workflow Service.

Answer 113

A

D. SWF places no language restraints on your workflow, as long as interactions can be managed via HTTP requests and responses.

Answer 114

A

B. SWF provides an API, but it is neither the AWS-specific API nor language specific. Instead, SWF supports standard HTTP requests and responses.

Answer 115

A

D. SWF stands for Simple Workflow, an AWS managed service. That should be a clue that the key factor here is workflow management. Tasks are handled and coordinated across application components with SWF.

Answer 116

A

C. SWF is typically thought of as an asynchronous service, but it also supports synchronous tasking when needed.

Answer 117

A

A, B. SWF is associated with tasks and is distinct from (for example) SQS, because it guarantees a single delivery of all tasks.

Answer 118

A

B, C. SNS is a push-based service (C) that pushes notifications (B) to anything subscribed to an appropriate topic.

Answer 119

A

A, B. SNS provides topics that can be subscribed to; then notifications related to that topic are pushed to all the topic subscribers.

Answer 120

A

A. SWF tasks are assigned once and only once.

Answer 121

A

B. This is a bit esoteric, but even if you’re unsure, you should be able to reason this one out. A topic is simply a name or “category” to which subscribers can attach and receive notifications. Therefore, a linked list and a named message don’t make much sense. (They’re also constructs that are never seen in AWS documentation for the most part.) An IAM role is an AWS construct, but roles are related to permissions. This leaves only B, an Amazon Resource Name, which is correct.

Answer 122

A

D. SQS will guarantee that a message is delivered at least once, but that message may be redelivered.

Answer 123

A

C. A SWF domain is a collection of related workflows.

Answer 124

A

D. SQS queues only make an “attempt” to deliver messages in order (more or less a FIFO approach) but do not guarantee FIFO. If strict FIFO is needed, that option can be selected.

Answer 125

A

B. SQS queues only make an “attempt” to deliver messages in order (more or less a FIFO approach) but do not guarantee FIFO. If strict FIFO is needed, that option can be selected. Option B will ensure that orders are processed in the order in which they were received.

Answer 126

A

C, D. Other than the slightly odd answer choices (which sometimes comes up!), all VPCs can communicate with the hub, so C and D cover all the options.

Answer 127

A

B, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B), as well as any other peered VPCs (option D).

Answer 128

A

B, C. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B is true, while A is false). And the hub (VPC G) can communicate with all spokes (so C is true, but D is false).

Answer 129

A

C, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub. This makes A and B true and C and D false; so the right answers are C and D.

Answer 130

A

B. NACLs are stateless—rules and must exist for inbound and outbound. Security groups are stateful—anything allowed in is allowed back out automatically.

Answer 131

A

A. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically.

Answer 132

A

B. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically.

Answer 133

A

B. ALBs are redundant across at least two subnets.

Answer 134

A

A, D. This is a little tricky. While the default VPC automatically creates a subnet, additional VPCs do not. You do automatically get a security group, route table, and NACL, so in this case, you’d want to choose options A and D.

Answer 135

A

C, D. The key here is “default VPC.” While subnets are not created in additional custom VPCs, the default VPC does get a subnet automatically (as well as an internet gateway). And all new VPCs get route tables, NACLs, and security groups.

Answer 136

A

A, C. The key here is “default VPC.” While subnets are not created in additional custom VPCs, the default VPC does get an internet gateway automatically (as well as a subnet). And all new VPCs get route tables, NACLs, and security groups.

Answer 137

A

A. This is really tough and requires pure memorization. The default VPC has a CIDR block of /16, but the default subnet in each AZ is a /20.

Answer 138

A

B. This is a case of rote memorization. Default VPCs get a /16 CIDR block assigned to them.

Answer 139

A

D. There is no default CIDR block for custom VPCs. While the default VPC has a /16 CIDR block, custom VPCs must have this entered in.

Answer 140

A

B. In general, the smaller the number after the slash, the larger the CIDR block. /16 is the largest valid block. A /16 offers 65,536 IPv4 addresses.

Answer 141

A

C, D. Default VPCs have a default subnet, along with a NACL, security group, and internet gateway, and a route table as well.

Answer 142

A

B. The default VPC has an internet gateway, and instances are given public IP addresses, so option B is correct. You do not create the default VPC (A), and security groups control specific access, not the public or private nature of the VPC and instances within it (C).

Answer 143

A

A, B. The default VPC does have an internet gateway attached to it, but custom VPCs do not. This is an important exam topic!

Answer 144

A

A, C. Option A is true for both the default and custom VPCs: All VPCs have NACLs automatically created. While all outgoing traffic is allowed out by default (C), incoming traffic is restricted by default (B)—this includes inbound HTTP traffic (D).

Answer 145

A

A, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well.

Answer 146

A

B, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well, different from the custom VPC.

Answer 147

A

B, C. All EC2 instances in the default VPC have both a public and private IP address. They do not have an elastic IP address, and the security group that is created by default does not allow any inbound traffic (until changed manually).

Answer 148

A

C, D. All EC2 instances in the default VPC have both a public and private IP address. Therefore, the only addition to serve web content would be to allow the web traffic in via security group.

Answer 149

A

C, D. Instances in any non-default VPCs need to be made public via an elastic or public IP (A), and the VPC itself needs an internet gateway (B). Further, you need to allow in web traffic via the security group (C). So this is an “All of the above” situation, translating into options C and D.

Answer 150

A

B, C. A VPC endpoint provides a connection over the Amazon network between your VPC and a service, such as S3 (B). This avoids leaving the network and routing over the public Internet, which inherently provides greater security for the traffic involved (C).

Answer 151

A

D. A VPC endpoint does not require any of these to connect; it is a private connection outside of these constructs altogether, which is part of why it is an attractive solution for internal AWS communication.

Answer 152

A

B, C. A VPC endpoint is a virtual device that provides redundancy via AWS (and automatically). This makes options B and C correct, and A wrong. VPC endpoints scale horizontally, not vertically.

Answer 153

A

B, D. A VPC endpoint can connect to S3 and DynamoDB, as well as a host of additional AWS services, so B is true. It does not require an internet gateway or a VPN connection and does not route traffic over the public Internet (D).

Answer 154

A

A, C. A VPC endpoint comes in two flavors: an interface endpoint, which provides an elastic network interface and a private IP address, and a gateway endpoint, targeted for a specific route in your route table.

Answer 155

A

A, D. This is pretty tough and is arguably right at the boundary of what the CSA Associate exam might ask. A gateway endpoint handles all traffic for a supported AWS service. Further, it’s not a specific portion of that service, so you can rule out a particular Kinesis data stream (C). That leaves A, B, and D. A and D make sense, while routing private traffic to Route 53 does not.

Answer 156

A

A, C. This is another tough question. An interface endpoint provides a private IP address for connecting to a specific entry point for a specific AWS service. Anything that’s more general—like DynamoDB—isn’t a valid candidate. Additionally, a VPN (B) doesn’t make sense, as a VPN is a different type of connection altogether. In this case, that leaves a specific API gateway and a specific Kinesis data stream (A and C).

Answer 157

A

C, D. Instances that take advantage of a VPC endpoint do not need to have a public IP address or use a NAT instance. Instead, assuming they have a route to the endpoint (D), they send traffic over the AWS network to the connected service (C).

Answer 158

A

C. The best way to remember this is to consider the process for creating an instance: you must select the security group for every instance. So security groups operate at the instance level (C).

Answer 159

A

A. Security groups only provide for allow rules (A). All other traffic is automatically denied, so allow rules are the only means of allowing traffic in.

Answer 160

A

A, C. Security groups disallow all traffic unless there are specific allow rules for the traffic in the security group.

Answer 161

A

A. Security groups evaluate all the rules on the group before deciding how to handle traffic.

Answer 162

A

D. Security groups evaluate all the rules on the group before deciding how to handle traffic.

Answer 163

A

B. Five VPCs are allowed per region, per account, unless you contact AWS to raise this default limit.

Answer 164

A

B. All custom VPCs have a route table (so A is false) and a NACL (so C is false) and will not have an internet gateway (D is false). This leaves B, which is true: subnets can communicate with each other across availability zones by default.

Answer 165

A

D. Only a bastion host (D) makes SSH available to private instances. You can use a NAT gateway or NAT instance to route traffic from these instances out, but a bastion host allows for SSH into private instances.

Answer 166

A

A, C. Both a NAT instance and a NAT gateway provide for outgoing traffic to route to the Internet from instances within a private subnet.

Answer 167

A

A. A VPC can only have a single internet gateway.

Answer 168

A

C. A single region can only have five VPCs by default, but this limit can be raised by contacting AWS.

Answer 169

A

C. A single VPC can have a single internet gateway. This limit isn’t based on region (D) but on VPC (C).

Answer 170

A

A, D. First, realize it’s possible that almost any of these answers could be a part of a larger solution. However, the question asks for the simplest—or most direct—solutions. Given that, the solutions that are best are giving the instances public IP addresses (D) and adding an internet gateway to the VPC. You also will likely need routes in and out, security groups, etc.

Answer 171

A

B, C. Given the internet gateway, the most likely issues are the instances being accessible via IP (which C addresses) and traffic for web/HTTP being disallowed (B).

Answer 172

A

D. VPCs can have a single internet gateway and multiple subnets. However, instances within a VPC with a public address have that address released when it is stopped and are reassigned a new IP when restarted.

Answer 173

A

B. A VPC can peer with unlimited other VPCs, so B is false. A subnet cannot span AZs, a VPC can peer with VPCs in other accounts, and a VPC having an internet gateway has no bearing on the public or private status of subnets within it.

Answer 174

A

D. All of the statements about NAT instances are false in A through C. Further, a NAT gateway is preferable to a NAT instance because it is managed by AWS rather than you, the architect.

Answer 175

A

D. A VPC cannot be changed from dedicated hosting tenancy to default hosting. You have to re-create the VPC.

Answer 176

A

A. Changes to a security group take place immediately. As a note, option D is a bit misleading. While security groups operate at various levels, they absolutely affect VPCs, so D is false.

Answer 177

A

A. This is a routing question. Instances need to have their outbound traffic directed to the internet gateway on the VPC, and then that traffic can flow outward to the Internet.

Answer 178

A

A. CloudFront supports both static and dynamic content.

Answer 179

A

A, C. With only the information presented, the best options are to focus on the database and the dynamic content; the web application servers (from the question’s limited information) are not the issue. That means look at the database instance size (A) and caching dynamic content (C). B and D focus on the web app instances, which would not appear to be the issue.

Answer 180

A

B, C. An internet gateway is required to handle Internet traffic, and a VPC endpoint is ideal for connecting the instances to S3. A customer gateway is used in setting up a VPN or site-to-site connection, and if NACL changes are required, you’d make them to the existing NACL, not a new one.

Answer 181

A

C, D. The key here is recalling that the default VPC already has an internet gateway attached, so you wouldn’t need one (B). A customer gateway is for a VPN or direct connection. This leaves C, a VPC endpoint for communication with S3, and D, updated NACL rules for the endpoint and the gateway (potentially).

Answer 182

A

A, D. The most likely culprits are the routing table of the VPC subnet and the virtual private gateway. A storage gateway (B) is not part of a Direct Connect solution, nor is a NAT instance (C).

Answer 183

A

B. Route propagation is a routing option that automatically propagates routes to the route tables so you don’t need to manually enter VPN routes. It’s most common in a Direct Connect setup. A is too broad a statement—not all routes are automatically copied. C is incorrect, and in D, a storage gateway is not part of a Direct Connect solution (it can be, but isn’t required).

Answer 184

A

B. This is a matter of rote memorization. All metadata for instances is available at http://169.254.169.254, at /latest/meta-data. /latest/instance-data is actually not a URL that is responsive to requests.

Answer 185

A

A. S3 is highly durable and stores data as key-value pairs.

Answer 186

A

B. B is the only answer that doesn’t presume at least semi-frequent access. Glacier is best for files that are rarely accessed and do not require quick access times.

Answer 187

A

A, D. The best answer here is to enable MFA Delete (D). However, to do this, you’ll also need versioning (A). It is not practical to disallow developers from all delete access (B), and signed URLs do not help the issue.

Answer 188

A

C. For all new AWS accounts, 20 instances are allowed per region. However, you can increase this limit by requesting it via AWS support.

Answer 189

A

C. The only one of these that makes sense is C, increasing the size of the NAT instance. It is impossible to add an additional internet gateway to a VPC that already has one (A), and adding an additional elastic IP requires using a newer EC2 instance, and it will not affect performance in this case (B).

Answer 190

A

B. If instances are scaling up and down quickly, this means that the thresholds for adding and removing instances are being met frequently. Since you don’t want to reduce the scaling up to meet demand, you should increase what it takes for the system to scale down; that’s what B suggests. Proactive cycling (A) won’t help the situation and C is completely made up.

Answer 191

A

A, C. Routing is one of the most important steps (A); you must set the route to the public Internet to go to the NAT instance. Additionally, you need to disable source/destination checks, a commonly forgotten step (C). The NAT instance cannot be in a private subnet (B), and D doesn’t make sense in this context.

Answer 192

A

B. This is a tough one because it must simply be memorized. CloudWatch provides disk read operations, CPU usage, and inbound network traffic but does not provide memory usage by default.

Answer 193

A

A, B. The instance will need an elastic IP for public communication (A) and should be behind the same ELB as the other instances (B). Adding it into a private subnet (C) will remove its ability to communicate with the public Internet. D looks good, but if the instance is in the same subnet as the other instances, it automatically gets their routes; routing tables apply to the subnet, not a specific instance.

Answer 194

A

D. The public Internet is addressed via 0.0.0.0/0.

Answer 195

A

A. The public Internet is addressed via 0.0.0.0/0, so if that’s the destination, the target should be the internet gateway within the VPC.

Brainscape's Knowledge GenomeTM

Resilient Architecture part 1 Flashcards

Brainscape's Knowledge Genome^TM