Test 5 Flashcards
Your IT Director instructed you to ensure that none of the AWS resources in your VPC exceed their service limits.
Which of the following services can help with this task?
AWS Cloudwatch
(Incorrect)
AWS EC2
AWS Trusted Advisor
(Correct)
AWS SNS
Explanation
Remember that the AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in these five categories: Cost Optimization, Performance, Fault Tolerance, Security, and Service Limits. You can use a mnemonic, such as CPFSS, to memorize these five categories.
You are tasked to choose the most affordable AWS support plan that offers the following:
- 24x7 access to customer service, documentation, whitepapers, and support forums.
- Access to the full set of Trusted Advisor checks.
Which type of support plan will you choose?
Basic
Developer
(Incorrect)
Business
(Correct)
Enterprise
Explanation
There are 4 types of AWS support plans:
- Basic
- Developer
- Business
- Enterprise
All customers receive Basic Support included with their AWS account. All plans, including Basic Support, provide 24x7 access to customer service, AWS documentation, whitepapers, and support forums.
Business and Enterprise plans provide access to the full set of Trusted Advisor checks.
You are planning to migrate an enterprise application architecture from your on-premises environment to AWS. You are looking for managed services in AWS that take care of the maintenance of the resources that your application will use.
Choose 2 correct answers from the options below:
Elastic Beanstalk
(Incorrect)
RDS
(Correct)
DynamoDB
(Correct)
EC2
CloudFormation
(Incorrect)
Explanation
The keyword in the question is managed service. This means that AWS will manage the underlying resources for the service. Amazon RDS and DynamoDB are examples of managed services in AWS.
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models.
Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, enabling you to focus on your applications and business.
Which of the following are true about encrypted Amazon Elastic Block Store volumes? (Choose 2)
All data moving between the volume and the instance are encrypted.
(Correct)
Snapshots are automatically encrypted.
(Correct)
Snapshots are not automatically encrypted.
(Incorrect)
Existing volumes can be encrypted.
Shared volumes can be encrypted.
(Incorrect)
Explanation
Amazon Elastic Block Store (Amazon EBS) provides block level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance that is in the same Availability Zone. EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist independently from the life of the instance.
When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
- All volumes created from those snapshots
There is no direct way to encrypt an existing unencrypted volume, or to remove encryption from an encrypted volume. However, you can migrate data between encrypted and unencrypted volumes.
You have EC2 instances running in your VPC, both UAT and production instances. You want to ensure that employees who are responsible for the UAT instances don’t have access to work on the production instances, to minimize security risks.
Which of the following would be the best way to achieve this?
Launch the UAT and production EC2 instances in separate VPC’s connected by VPC peering.
Create an IAM policy with a condition which allows access to only EC2 instances that are used for production or development.
(Incorrect)
Launch the UAT and production instances in different Availability Zones and use Multi Factor Authentication.
Define the tags on the UAT and production servers and add a condition to the IAM policy which allows access to specific tags.
(Correct)
Explanation
For this scenario, the best way to achieve this solution is to use a combination of Tags and IAM policies. You can define the tags on the UAT and production EC2 instances and add a condition to the IAM policy which allows access to specific tags.
Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you’ve assigned to it.
By default, IAM users don’t have permission to create or modify Amazon EC2 resources, or perform tasks using the Amazon EC2 API. (This means that they also can’t do so using the Amazon EC2 console or CLI.) To allow IAM users to create or modify resources and perform tasks, you must create IAM policies that grant IAM users permission to use the specific resources and API actions they’ll need, and then attach those policies to the IAM users or groups that require those permissions.
You are working for a top IT consultancy and one of your clients asked you how to properly secure their AWS infrastructure. They have a VPC with two On-Demand EC2 instances with Elastic IP addresses which were recently the targets of SSH brute-force attacks over the Internet. Their IT Security team has identified the IP addresses from which these attacks originated.
What should you do to fix this security vulnerability?
Place the EC2 instances into private subnets
Remove the Internet Gateway from the VPC
Block the IP addresses in the Network Access Control List
(Correct)
Deploy the EC2 instances into private subnets then set up a bastion host
(Incorrect)
Explanation
In this situation, the best thing to do is to block the IP addresses in the Network Access Control List.
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. This means that if you block an IP address in the Network ACL, it will no longer be able to reach your VPC.
Option 1 is incorrect because if you deploy the EC2 instances in a private subnet without a public or Elastic IP address, they will not be accessible over the Internet, even to you.
Option 2 is incorrect because removing the Internet Gateway will also make your EC2 instances inaccessible to you, as it cuts the connection to the Internet.
Option 4 is a valid answer; however, the problem is that the attackers may still attack your VPC if your bastion host is not properly fortified with a Network Access Control List and Security Group.
What can you use to configure your EC2 instances without having to establish an RDP or SSH connection to each instance?
AWS Config
(Incorrect)
AWS CodePipeline
Run Command
(Correct)
EC2Config
Explanation
You can use Run Command from the console to configure instances without having to log in to each instance.
AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.
A news company has been using a Hardware Security Module (CloudHSM) for secure key storage. It is only used for generating keys for their On-Demand EC2 instances. After a new support staff member attempted to log in as the administrator three times using an invalid password, the Hardware Security Module was zeroized, which means that the encryption keys on it have been wiped. Sadly, you did not have a copy of the keys stored anywhere else.
How can you obtain a new copy of the keys that you had stored on the Hardware Security Module?
Restore a snapshot of the Hardware Security Module.
(Correct)
Contact AWS Support and they will provide you a copy of the keys.
The keys are lost permanently if you did not have a copy.
(Incorrect)
Use the Amazon CLI to get a copy of the keys.
Explanation
Amazon does not have access to your keys or to the credentials of your Hardware Security Module (HSM), and therefore has no way to recover your keys if you lose your credentials. Amazon strongly recommends that you use two or more HSMs in separate Availability Zones in any production CloudHSM cluster to avoid loss of cryptographic keys.
You created a new CloudFormation template that creates 4 EC2 instances that are connected to one Elastic Load Balancer (ELB). Which section of the template should you configure to get the DNS hostname of the ELB upon creation of the AWS stack?
Resources
(Incorrect)
Parameters
Outputs
(Correct)
Mappings
Explanation
Outputs is an optional section of the CloudFormation template that describes the values that are returned whenever you view your stack’s properties.
You are working for a large financial company. In their enterprise application, they want to apply a group of database-specific settings to their Relational Database instances.
Which of the following options can be used to easily apply the settings in one go to all of the Relational Database instances?
Security Groups
NACL Groups
Parameter Groups
(Correct)
IAM Roles
(Incorrect)
Explanation
You manage your DB engine configuration through the use of parameters in a DB parameter group. DB parameter groups act as a container for engine configuration values that are applied to one or more DB instances.
Create an A record pointing to the IP address of the load balancer.
Create a CNAME record pointing to the load balancer DNS name.
(Incorrect)
Create an alias for CNAME record to the load balancer DNS name.
Create an A record aliased to the load balancer DNS name.
(Correct)
Explanation
Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).
Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.
In Amazon RDS, which type of database does not support Read Replicas?
Amazon Aurora
MySQL
MariaDB
(Incorrect)
Oracle
(Correct)
Explanation
Read Replicas are supported by Amazon Aurora and Amazon RDS for MySQL, MariaDB and PostgreSQL. Unlike Multi-AZ deployments, Read Replicas for these engines use each engine’s built-in replication technology and are subject to its strengths and limitations.
The social media company that you are working for needs to capture detailed information about all HTTP requests that went through their public-facing Application Load Balancer every five minutes. They want to use this data for analyzing traffic patterns and for troubleshooting their web applications in AWS.
Which of the following options meets the customer’s requirements?
Enable AWS CloudTrail for their application load balancer.
Enable access logs on the application load balancer.
(Correct)
Add an Amazon CloudWatch Logs agent on the application load balancer.
(Incorrect)
Enable Amazon CloudWatch metrics on the application load balancer.
Explanation
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.
Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.
You are a Solutions Architect working for a startup company which is currently migrating their production environment to AWS. Your manager asked you to set up access to the AWS console using AWS Identity and Access Management (IAM). You have created 5 users for your system administrators.
What further steps do you need to take to enable your system administrators to get access to the AWS console?
Provide the system administrators the secret access key and access key id.
Enable multi-factor authentication on their accounts and define a password policy.
(Incorrect)
Provide a password for each user created and give these passwords to your system administrators.
(Correct)
Add the administrators to the Security Group.
Explanation
The AWS Management Console is the web interface used to manage your AWS resources from your web browser. To access it, your users need a password that they can use to log in to the web console.
Option 1 is incorrect because the secret access key and access key ID are used to make AWS API calls, not to sign in to the console.
Option 2 is incorrect because multi-factor authentication and a password policy are additional security measures for the IAM user, but on their own they won’t enable the user to access the AWS Management Console.
Option 4 is incorrect because you cannot add an IAM user to a security group. Remember that a security group is used for EC2 instances only.
You have just launched a new API Gateway service in AWS. Over what type of protocol will your API endpoint be exposed?
FTP
HTTPS
(Correct)
HTTP
XHTML
SOAP
(Incorrect)
Explanation
All of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.