Udemy Flashcards

1
Q

What are the two required “items” to use AWS Inspector on the host?

A
  • Amazon Inspector (Classic) agent installed on the instance
  • Instance tagged, so the tag can select it into an assessment target

2
Q

What are the two types of assessments for inspector?

A
Network Reachability assessment: no agent required; checks which ports on the instance are reachable from outside the VPC
Host assessment: requires the agent; checks the operating system for CVEs, CIS benchmark deviations and security best-practice findings
3
Q

What are the two runtime options for Inspector?

A

Run once, or run on a recurring weekly schedule

4
Q

What cannot be done with AWS managed CMKs?

A

  • Manage the key material yourself
  • Rotate them manually (rotation is automatic and its period is fixed)
  • Edit the key policy
  • Use them directly in your own cryptographic operations: only the AWS service that created the key can use it, and only for resources in your account (no cross-account use)

5
Q

How are AWS managed KMS keys priced?

A

No monthly key-storage fee (a customer managed key costs $1 per month)
API requests: a monthly free tier, above that a charge per 10,000 requests

6
Q

How often is a Customer managed CMK / AWS managed CMK automatically rotated?

A

Customer managed: optional; when enabled the default period is one year (the period is configurable)

AWS managed: automatic, every year (every 3 years before May 2022, which is the figure in older course material)

Rotation keeps the previous key material so existing ciphertext still decrypts; asymmetric keys and keys with imported material are not rotated automatically.

7
Q

What are the benefits of CloudHSM (in comparison to KMS)

A

Complete control of the keys: key material never leaves the HSM and AWS has no access to it
Single tenancy: a dedicated HSM cluster in your VPC instead of the multi-tenant KMS fleet
FIPS 140-2 Level 3 validated hardware
Standard interfaces (PKCS#11, JCE, CNG/KSP) for use cases KMS cannot serve directly, e.g. TLS offload or an Oracle TDE keystore
Trade-off: you manage the cluster, its users, backups and availability yourself

8
Q

What are Web ACL?

A

A web ACL is the top-level AWS WAF resource: an ordered set of rules attached to a CloudFront distribution, Application Load Balancer, API Gateway API or AppSync API.

Each rule inspects the request against its conditions (IP sets, rate limits, SQLi/XSS match statements, managed rule groups) and can Allow, Block or Count the request when the criteria are met; the web ACL's default action applies to requests that match no rule.

9
Q

A company plans to expand its use of AWS services across its product portfolios. To ensure separation of business processes for billing, security, and compliance, the SysOps Administrator must provide each department with new AWS accounts having governance guardrails and a defined baseline in place. An efficient and scalable provisioning process is required to optimize the workflow and save time.

Which of the following options can satisfy the given requirement?

  1. Use AWS Batch and AWS Organizations to automatically provision new resources and accounts.
  2. Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.
  3. Use AWS Service Catalog and AWS Config to automate account creation and configuration.
  4. Use AWS OpsWorks for Chef Automate and bootstrapping scripts to handle the configuration management and provisioning tasks.
A
  1. Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.

AWS Control Tower provides three methods for creating member accounts:

  • Through the Account Factory console that is part of AWS Service Catalog.
  • Through the Enroll account feature within AWS Control Tower.
  • From your AWS Control Tower landing zone’s management account, using Lambda code and appropriate IAM roles.
10
Q

As part of the yearly AWS data cleanup, you need to delete all unused S3 buckets and their contents. The tutorialsdojo bucket, which contains several educational video files, has both the Versioning and MFA Delete features enabled. One of your Systems Engineers who has an Administrator account tried to delete an S3 bucket using the aws s3 rb s3://tutorialsdojo command. However, the operation fails even after repeated attempts.

Which of the following are valid options that you can implement to properly delete the bucket? (Select TWO.)

  1. Delete all markers from the S3 bucket and then run the aws s3 rb s3://tutorialsdojo command again to fully delete the bucket and its contents.
  2. Use the <code>aws s3 rb s3://tutorialsdojo</code> command again with an additional <code>--force</code> option to forcibly delete the bucket via the CLI.
  3. Use the AWS SDK to send deletion requests to S3 to remove all objects in your bucket. Ensure that you include the <code>x-amz-mfa</code> header in all requests which contains the MFA authentication code. Afterwards, retry to delete the bucket with the same CLI command that you used before.
  4. Remove the policy that requires MFA Delete on your S3 bucket. Use the AWS SDK to remove all of the bucket’s delete markers and object versions. Delete the bucket again using the same CLI command that you used before.
A
  1. Use the AWS SDK to send deletion requests to S3 to remove all objects in your bucket. Ensure that you include the <code>x-amz-mfa</code> header in all requests which contains the MFA authentication code. Afterwards, retry to delete the bucket with the same CLI command that you used before.
  2. Remove the policy that requires MFA Delete on your S3 bucket. Use the AWS SDK to remove all of the bucket’s delete markers and object versions. Delete the bucket again using the same CLI command that you used before.

With MFA Delete enabled, S3 rejects any request that permanently deletes an object version or changes the bucket's versioning state unless it carries the <code>x-amz-mfa</code> header (the device serial number, a space, then the current token). <code>aws s3 rb --force</code> cannot supply that header, and a versioned bucket must hold no object versions and no delete markers before it can be removed, so either pass the MFA value with every delete request or disable MFA Delete first (which itself requires the MFA code and the root user's credentials).

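Emptying such a bucket programmatically, as an added example that is not part of the course material: the code lists every object version and delete marker (following pagination), deletes them in batches of 1,000 with the MFA value that boto3 sends as the <code>x-amz-mfa</code> header, and leaves the bucket ready for <code>aws s3 rb</code>. The S3 client is injected, so the embedded <code>FakeS3</code> (constructed for this example, including its refusal of deletes without MFA) lets the logic run offline; passing a real <code>boto3.client("s3")</code> issues the actual requests. The bucket name, MFA device ARN and object keys are placeholders.

```python
"""Empty a versioned bucket that has MFA Delete enabled (added example)."""
from typing import Dict, Iterable, List

BATCH = 1000  # DeleteObjects accepts at most 1000 keys per request


def mfa_value(device_serial: str, token: str) -> str:
    """Build the x-amz-mfa value: '<device serial or ARN> <6-digit TOTP code>'."""
    if not (token.isdigit() and len(token) == 6):
        raise ValueError("MFA token must be a 6-digit code")
    return f"{device_serial} {token}"


def iter_versions(s3, bucket: str) -> Iterable[Dict[str, str]]:
    """Yield every object version and every delete marker, following pagination."""
    kwargs = {"Bucket": bucket}
    while True:
        page = s3.list_object_versions(**kwargs)
        for item in page.get("Versions", []) + page.get("DeleteMarkers", []):
            yield {"Key": item["Key"], "VersionId": item["VersionId"]}
        if not page.get("IsTruncated"):
            return
        kwargs["KeyMarker"] = page["NextKeyMarker"]
        kwargs["VersionIdMarker"] = page["NextVersionIdMarker"]


def empty_bucket(s3, bucket: str, device_serial: str, token: str) -> int:
    """Permanently delete all versions and markers; returns how many were removed."""
    mfa = mfa_value(device_serial, token)
    targets = list(iter_versions(s3, bucket))  # take the full listing before mutating
    removed = 0
    for start in range(0, len(targets), BATCH):
        chunk = targets[start:start + BATCH]
        resp = s3.delete_objects(
            Bucket=bucket,
            Delete={"Objects": chunk, "Quiet": True},
            MFA=mfa,  # boto3 sends this as the x-amz-mfa header
        )
        if resp.get("Errors"):
            raise RuntimeError(resp["Errors"])
        removed += len(chunk)
    return removed


class FakeS3:
    """Constructed stand-in for boto3's S3 client: pages two entries at a time
    and refuses permanent deletes without x-amz-mfa, as S3 does with MFA Delete."""

    def __init__(self, entries: List[tuple]):
        self.store = list(entries)  # (key, version_id, is_delete_marker)

    def list_object_versions(self, Bucket, KeyMarker=None, VersionIdMarker=None):
        start = 0
        if KeyMarker is not None:  # resume after the marker of the previous page
            start = 1 + next(i for i, e in enumerate(self.store)
                             if (e[0], e[1]) == (KeyMarker, VersionIdMarker))
        page = self.store[start:start + 2]
        resp = {"Versions": [], "DeleteMarkers": []}
        for key, vid, marker in page:
            resp["DeleteMarkers" if marker else "Versions"].append({"Key": key, "VersionId": vid})
        if start + 2 < len(self.store):
            resp.update(IsTruncated=True, NextKeyMarker=page[-1][0], NextVersionIdMarker=page[-1][1])
        return resp

    def delete_objects(self, Bucket, Delete, MFA=None):
        if MFA is None:
            return {"Errors": [{"Key": o["Key"], "Code": "AccessDenied",
                                "Message": "Mfa Authentication must be used for this request"}
                               for o in Delete["Objects"]]}
        doomed = {(o["Key"], o["VersionId"]) for o in Delete["Objects"]}
        self.store = [e for e in self.store if (e[0], e[1]) not in doomed]
        return {"Deleted": Delete["Objects"]}


# Constructed contents: two versions and a delete marker for one key, plus an
# object uploaded before versioning was enabled (version ID "null").
SAMPLE = [("intro.mp4", "v1", False), ("intro.mp4", "v2", False),
          ("intro.mp4", "v3", True), ("lesson1.mp4", "null", False)]

if __name__ == "__main__":
    client = FakeS3(SAMPLE)  # swap for boto3.client("s3") to run for real
    n = empty_bucket(client, "tutorialsdojo",
                     "arn:aws:iam::123456789012:mfa/root-account-mfa-device", "123456")
    print(f"removed {n} versions; bucket now holds {len(client.store)} entries")
```

Deleting by key alone (what <code>aws s3 rm --recursive</code> does) would only add more delete markers; every delete here names a VersionId, which is what makes it permanent and therefore subject to MFA Delete.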
11
Q

A company deployed a fleet of Linux-based EC2 instances to run an e-commerce website. The SysOps Administrator needs to monitor the CPU utilization of individual processes that are running in each server.

Which of the following options fulfills this requirement?

  1. Install Amazon Inspector agent on EC2 instances.
  2. Enable detailed monitoring on EC2 instances.
  3. Use AWS Systems Manager agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
  4. Use Amazon CloudWatch agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
A
  1. Use Amazon CloudWatch agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
12
Q

You are tasked to prepare a CloudFormation template which should automatically roll back in the event that the entire stack failed to launch. The application stack requires the pre-requisite packages to be installed first in order for it to run properly, which could take about an hour or so to complete.

What should you add in the template to accomplish this requirement?

  1. In the ResourceSignal parameter of the CreationPolicy resource attribute, add a Timeout property with a value of 2 hours.
  2. In the ResourceSignal parameter of the DependsOn resource attribute, add a Timeout property with a value of 2 hours.
  3. In the ResourceSignal parameter of the UpdatePolicy resource attribute, add a Timeout property with a value of 2 hours.
  4. In the ResourceSignal parameter of the Conditions resource attribute, add a Timeout property with a value of 2 hours.
A
  1. In the ResourceSignal parameter of the CreationPolicy resource attribute, add a Timeout property with a value of 2 hours.

CreationPolicy makes CloudFormation wait for the configured number of success signals (sent from the instance with cfn-signal) before it marks the resource CREATE_COMPLETE. Timeout is an ISO 8601 duration (PT2H); if the signals do not arrive in time, the resource fails and the whole stack rolls back.

13
Q

It is a requirement in your work that you produce regular reports and statistics on your EC2 resource consumption across different regions. In an upcoming meeting, you are asked to present these findings to your CTO and Data Analytics team. Aggregating these statistics would detail a lot of information on your resource consumption with ease.

What is the procedure for viewing aggregation statistics in CloudWatch?

  1. Create a Lambda function that collects metrics from your EC2 instances, computes your desired statistical output, and sends it to CloudWatch for viewing.
  2. Use CloudWatch Metric Math to query metrics and apply mathematical operations on these metrics.
  3. There is no way to view aggregate statistics in CloudWatch. CloudWatch cannot aggregate data across Regions.
  4. Enable detailed monitoring on your EC2 instances.
A
  1. Use CloudWatch Metric Math to query metrics and apply mathematical operations on these metrics.

You can also use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions. Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can visualize the resulting time series on the CloudWatch console and add them to dashboards.

14
Q

Why are Disk Read Operations and Disk Write Operations not correct metrics to check whether a EBS backed EC2 instance is slow?

A

DiskReadOps and DiskWriteOps (like DiskReadBytes and DiskWriteBytes) only count I/O against instance store volumes, so on an EBS-backed instance they stay at zero and say nothing about slowness.

Use the EBS volume metrics instead (VolumeReadOps, VolumeWriteOps, VolumeQueueLength, VolumeTotalReadTime/VolumeTotalWriteTime), and CPUUtilization to see whether the instance itself is overloaded.

15
Q

You work for a government agency as their Cloud Infrastructure Consultant and were given the task of automating the recurring tasks in their finance department such as data synchronization, infrastructure selection, and patch management, which will improve their current processes. You need to use a tool that can coordinate multiple AWS services into serverless workflows.

Which of these options is the most cost-effective service that you should use?

  1. AWS Batch
  2. Lambda
  3. Amazon SWF
  4. AWS Step Functions
A

  4. AWS Step Functions

AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.

16
Q

A mobile development company has various AWS resources to support its various mobile products. To keep control of costs, they have requested for you to get the billing alerts for your AWS account once it reaches a certain limit.

Which of the following should you enable before you can receive billing alerts in AWS?

  1. Enable billing alerts in Account Preferences of the AWS Console.
  2. Request AWS support to notify you on estimated charges.
  3. Enable billing alerts in CloudWatch Console.
A
  1. Enable billing alerts in Account Preferences of the AWS Console.

Before you can create an alarm for your estimated charges, you must enable billing alerts on your Account Preferences page first, so that you can monitor your estimated AWS charges and create an alarm using billing metric data. After you enable billing alerts, you cannot disable data collection, but you can delete any billing alarms that you created. Billing metric data is stored in US East (N. Virginia), so the alarm on the AWS/Billing EstimatedCharges metric has to be created in us-east-1.

17
Q

A popular online graphic design tool startup uses a standard S3 bucket that has versioning enabled to store the user-generated images on its platform. They have millions of users around the globe that store their logos, graphics, infographics, and other designs on their platform. Lately, there are a lot of users complaining that they receive a lot of HTTP 503 responses on the platform.

Which of the following options could be the reason why this issue exists?

  1. The cross-origin resource sharing (CORS) option is not enabled.
  2. S3 could not handle simultaneous access to the bucket since the S3 transfer acceleration option is not enabled.
  3. You might have one or more objects in the bucket for which there are millions of versions.
  4. The Cross-Region Replication (CRR) option is not enabled, which is required if the S3 bucket is being accessed from multiple regions.
A
  1. You might have one or more objects in the bucket for which there are millions of versions.

When you have objects with millions of versions, Amazon S3 automatically throttles requests to the bucket to protect the customer from an excessive amount of request traffic, which could potentially impede other requests made to the same bucket.

18
Q

What is the use case of AD Connector?

A

A directory gateway that proxies authentication requests to an existing self-managed (on-premises) Active Directory without caching anything in the cloud, so users sign in to AWS (console, IAM Identity Center, WorkSpaces, EC2 domain join) with their existing AD credentials. It needs network connectivity (VPN or Direct Connect) to the domain controllers; no trust relationship and no directory synchronization are required.

19
Q

A company uses LDAP and needs to implement access control in AWS as part of an integration between its internal directory and the cloud.

A

Set up SAML 2.0 federation: an identity provider that authenticates users against the LDAP directory (for example AD FS) is registered in IAM as a SAML provider, LDAP groups are mapped to IAM roles in the provider's claim rules, and users obtain temporary credentials with AssumeRoleWithSAML. No IAM users are created for the federated identities.

20
Q

Which Route 53 queries are charged and which are not?

A

CNAME (and other standard) records: queries are charged
Alias records pointing at AWS resources (ELB, CloudFront, S3 website endpoint, API Gateway, another record in the same hosted zone): queries are free; an alias can also sit at the zone apex, which a CNAME cannot

21
Q

What are the key facts about Cost Explorer?

A
  • Free tool in the console (calls to the Cost Explorer API are charged per request)
  • Charts and reports about costs and usage
  • Up to 13 months of history plus a forecast of future spend (3 months in this course material; Cost Explorer now forecasts up to 12 months)
  • Can be filtered and grouped by account, region, AZ, service, tag, etc.
  • Identifies spending patterns and offers rightsizing and Savings Plans/Reserved Instance recommendations
22
Q

What are the key facts to Cost Allocation Tags?

A
  • Must be activated in the Billing and Cost Management console (Cost Allocation Tags page); they show up in reports up to 24 hours after activation
  • Two kinds: AWS-generated tags (prefix aws:, e.g. aws:createdBy) and user-defined tags (prefix user:)
  • Used to organize resources so costs can be tracked per team, project or environment in Cost Explorer and the Cost and Usage Report
  • User-defined tags can be created and applied in bulk with Tag Editor
23
Q

What are the key facts to Cost and Usage Report?

A
  • Delivered as CSV (or Parquet) files to an S3 bucket you own, refreshed at least once a day
  • The most detailed billing data available: every line item that generates cost or usage, including the cost allocation tags you activated
  • Can be queried with Athena or loaded into Redshift or QuickSight

25
Q

What are the key facts about AWS Budgets?

A
  • Alerts when actual or forecasted cost or usage exceeds the budgeted amount (also Reserved Instance and Savings Plans utilization/coverage budgets)
  • Notifications via email or SNS; budget actions can respond automatically, e.g. by attaching an IAM policy or SCP or stopping EC2/RDS instances
26
Q

How to make sure that a S3 bucket cannot be deleted in an AWS Organization?

A

Deny s3:DeleteBucket in a service control policy (SCP) attached to the root, the OU or the member account.

SCPs apply to every principal in a member account, including its root user, so the explicit deny wins over any IAM allow. They do not apply to the management account, so keep the bucket in a member account.

27
Q

What is the process to create a custom dashboard in CloudWatch for custom metrics?

A
  • Publish the custom metrics: either PutMetricData (CloudWatch agent or SDK) or metric filters on a CloudWatch Logs log group that turn matching log lines into metrics
  • Create the dashboard
  • Add widgets and select the custom metrics (they appear under their custom namespace, e.g. CWAgent)
28
Q

What would happen to the metrics if the EC2 Instances server time is set incorrectly?

A

CloudWatch stores each data point under the timestamp the instance sends, so a skewed clock shifts the metric in time rather than dropping it. PutMetricData accepts timestamps up to two weeks in the past and up to two hours in the future; data points outside that window are rejected. Keep the instance clock disciplined with chrony/NTP against the Amazon Time Sync Service (169.254.169.123).

30
Q

How to determine the source of requests to an SQS queue?

A

CloudTrail - since they are API calls

31
Q

How to ensure that newly created S3 buckets have logging enabled?

A

Use the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED (evaluated whenever a bucket's configuration changes) and attach an automatic remediation action to it: an SSM Automation document that enables server access logging on the non-compliant bucket.

32
Q

How to limit the AMIs that can be used?

A

Add an AWS Config rule that checks the AMI of every running instance: the managed rules APPROVED_AMIS_BY_ID and APPROVED_AMIS_BY_TAG cover the common cases; otherwise write a custom rule backed by a Lambda function. Config reports (and can remediate) non-compliant instances; to prevent the launch in the first place, add an IAM or SCP condition on ec2:RunInstances that restricts the image resource by ARN or tag.

34
Q

How to automatically disable access key that are > 90 days

A

Use the AWS Config managed rule ACCESS_KEYS_ROTATED (parameter maxAccessKeyAge = 90) to flag the keys, and an AWS Systems Manager Automation document as the rule's remediation action to set them Inactive (iam:UpdateAccessKey). Deactivating rather than deleting keeps the change reversible if a workload still depends on the key.

35
Q

A replica of an existing infrastructure, using AWS Service Catalog, should be made

A

Share the Service Catalog portfolio with the new account (account-to-account sharing, or to OUs through AWS Organizations) and import it there; the product definitions and versions come with the share, so the same products can be launched identically in the new account.

36
Q

How to monitor costs per user in an account?

A

Activate the AWS-generated cost allocation tag aws:createdBy in the Billing console, then filter or group by that tag in Cost Explorer. It records the IAM identity that created each resource (for the resource types that support it) from the moment the tag is activated.

37
Q

How to check for underutilized EC2 instances?

A

Use the Cost Explorer rightsizing recommendations report (alternatives: the Trusted Advisor "Low Utilization Amazon EC2 Instances" check and AWS Compute Optimizer).

38
Q

You need to check that security best practices are being followed for the AWS account root user

A

Use the Trusted Advisor security checks (MFA on Root Account, IAM Use, Security Groups with unrestricted specific ports, public S3 buckets and snapshots). The core security checks are available on every support plan; the IAM credential report complements them for root access keys.

39
Q

What are the protocols a Network Load Balancer works on?

A

TCP, TLS and UDP (layer 4; a listener can also be TCP_UDP). An NLB gets a static IP per AZ and can use Elastic IPs, which is why it is the choice when clients must allow-list fixed addresses.

40
Q

Can you put EC2 instances in private subnets and still connect them to an ALB?

A

Yes. Targets are registered by instance ID or private IP, so the instances can stay in private subnets. An internet-facing ALB needs a public subnet in every AZ it serves (an internal ALB can live in private subnets); the targets must be in an AZ that is enabled on the load balancer, and their security group must allow the listener port from the ALB's security group.

42
Q

What is the Termination Policy and how is it done per default?

A

Decides which instance is terminated when the Auto Scaling group scales in. The default policy works through these steps until a single instance is left:

  1. Pick the AZ with the most instances (with at least one instance not protected from scale-in)
  2. If a mixed instances policy is used, pick instances so that the remaining ones match the On-Demand/Spot allocation strategy
  3. Pick instances using a launch configuration (oldest first); if none, the instances with the oldest launch template version
  4. Pick the instance closest to the next billing hour
  5. If several remain, pick one at random
43
Q

What are the three types of scaling?

A

Target tracking scaling: keep a metric at a target value, e.g. average CPU at 50%; Auto Scaling creates and manages the alarms itself
Simple scaling: one alarm, one adjustment, e.g. if CPU > 50% add one instance, then wait for the cooldown before reacting again
Step scaling: several adjustments per alarm depending on the size of the breach, e.g. CPU > 50% add 1 instance, CPU > 70% add 2; it keeps responding while the alarm is in breach instead of waiting for a cooldown

44
Q

(Auto Scaling)

What are the Pending:Wait & Terminating:Wait states

A

Lifecycle hook states. Pending:Wait pauses a new instance before it goes InService; Terminating:Wait pauses an instance before it is terminated. While the instance is paused (default heartbeat timeout one hour) you can run custom actions, e.g. a Lambda function triggered through EventBridge/SNS/SQS that installs software or copies log files off the instance, then finish with CompleteLifecycleAction (CONTINUE or ABANDON) or let the timeout apply the default result.

45
Q

What are the SurgeQueueLength & SpilloverCount?

A

Classic Load Balancer metrics.
SurgeQueueLength: number of requests queued at the load balancer because no healthy backend could accept them (maximum 1,024)
SpilloverCount: number of requests rejected because the surge queue was full; any non-zero value means the backends were overloaded

46
Q

When a launch configuration is created from the CLI, which monitoring tier is selected per default?

A

Detailed monitoring (1-minute metrics, charged) is the default when the launch configuration is created with the CLI or an SDK.

If created from the console: basic monitoring (5-minute metrics) unless detailed monitoring is selected.

47
Q

What happens to the EC2 instances if you delete an Auto Scaling Group

A

They are terminated as well. The console deletes the group together with its instances; with the CLI, delete-auto-scaling-group fails while instances are still running unless --force-delete is given (or the instances are detached or the group scaled to zero first).

48
Q

What could be a reason if there are HTTPCode_ELB_5XX_Count metrics in an ALB?

A

There are no healthy instances in the target group (the ALB answers 503). HTTPCode_ELB_5XX_Count counts errors generated by the load balancer itself: 503 when no healthy target exists or the ALB is at capacity, 502 when a target closes the connection or returns a malformed response, 504 when a target does not answer within the idle timeout. Errors returned by the application show up in HTTPCode_Target_5XX_Count instead.

49
Q

What are the reasons why there are no new instances launched even though max. capacity is not reached?

A
  • A service quota was hit (the EC2 vCPU limit for the instance family, or the Auto Scaling group quota)
  • Check the group's scaling activity history and look for failed RunInstances calls in CloudTrail: the error message also reveals the other usual causes, such as insufficient capacity in the AZ, a launch template that references a missing AMI, key pair or security group, or a scaling policy still in cooldown

50
Q

What are the numbers of AZs and instances to create HA?

A

Spread the group over multiple AZs (at least 3 in this course material; 2 is the minimum), with min 2, desired 2, max >= 2, so that at least one instance keeps serving if an AZ is lost and the group can replace the missing one.

51
Q

ALB is expecting a large spike in traffic for a memory heavy application.
How to scale?

A

Use a target tracking policy on the ALB metric RequestCountPerTarget. Memory is not a metric EC2 publishes by default (it needs the CloudWatch agent and a custom metric), so request load per target is the nearest built-in signal; for a spike that is known in advance, add a scheduled scaling action as well.

52
Q

What is EBS Multi-Attach?

A

The option to attach one EBS volume to up to 16 instances at the same time.

Only for Provisioned IOPS SSD (io1/io2) volumes on Nitro-based instances in the same AZ, and the application needs a cluster-aware file system: a standard file system such as ext4 or XFS is corrupted by concurrent writers.

53
Q

What is termination protection?

A

Termination protection (the DisableApiTermination attribute) stops the instance from being terminated through the console, CLI or API until the attribute is cleared. It does not prevent a shutdown from inside the OS when the shutdown behavior is "terminate", and it is not the volume's DeleteOnTermination flag, which decides whether the root volume is kept after the instance is terminated.

54
Q

(EBS) How does encryption affect performance?

A

It should not noticeably.

Encryption and decryption happen on the EC2 host, on the path between the instance and the volume, so the volume keeps the same IOPS and throughput; at most a minimal increase in latency is to be expected.

55
Q

Who can be the user of a Customer Managed Key?

A

IAM users and roles in the key's account (listed as key users in the key policy)
Other AWS accounts (added to the key policy; their administrators then delegate access with IAM policies)
AWS services and principals given temporary access through grants

56
Q

Can you add/remove users from a Customer Managed Key?

A

Yes, the key policy of a customer managed key can be edited at any time, for example to add another account as a key user so that you can share an encrypted snapshot with it (the other account needs DescribeKey, Decrypt, ReEncrypt and CreateGrant on the key and copies the snapshot under a key of its own). Snapshots encrypted with the AWS managed EBS key cannot be shared across accounts.

57
Q

(EFS) What are the two performance modes and the two throughput modes?

A

Performance: General Purpose (lowest latency, the default) and Max I/O (higher aggregate throughput at the cost of latency, for highly parallel workloads)
Throughput: Bursting (scales with the stored size, using burst credits) and Provisioned (a fixed amount you pay for, independent of size); Elastic throughput was added later as a pay-per-use option

58
Q

What are the characteristics of File Gateway?

A
  • Mounted by clients over SMB or NFS
  • Optional local cache for recently used data
  • Files are stored as objects in S3 (one object per file, so other services can use them natively)
  • Can use S3 storage classes such as S3 Standard-IA or One Zone-IA, and lifecycle policies
59
Q

What is the process of a Tape Gateway?

A
  • The backup application sees the gateway as a virtual tape library over iSCSI
  • Data written to a virtual tape is stored in S3
  • When the backup software ejects and archives the tape, it is moved to Glacier or Glacier Deep Archive; retrieving it later takes hours
60
Q

What can you do to get notified when an EBS volume runs out of space?

A
  • Install the CloudWatch agent on the EC2 instance and collect the disk metrics (disk_used_percent in the CWAgent namespace); the default EC2 and EBS metrics do not know how full a file system is
  • Create a CloudWatch alarm on that metric with an SNS notification action

61
Q

(Cached Gateway)

What should be done if the CacheHitPercent is < 50% and the CachePercentUsed is >95%?

A
  • Allocate more local disk to the cache (add a larger disk as cache storage): the cache is almost full and most reads are missing it, so the gateway keeps fetching from S3
62
Q

Describe the five deployment types in Beanstalk

A

All at once: deploys to every instance at the same time. Causes downtime; fastest and cheapest.

Rolling: deploys batch by batch, taking each batch out of service while it updates. Reduced capacity during the deployment. Batch size can be set.

Rolling with additional batch: launches an extra batch first so capacity never drops, then rolls. Small extra cost. Batch size can be set.

Immutable: launches a fresh set of instances in a temporary Auto Scaling group inside the same environment and switches over once they are healthy; quick and safe rollback, double capacity during the deployment.

Blue/green: deploy to a separate new environment, test it, then swap the environment URLs (a Route 53 CNAME swap) to move traffic; traffic splitting can send a percentage of traffic to the new instances first.

63
Q

How to use a custom domain with ElasticBeanstalk?

A

Create a Route 53 alias record (or a CNAME on a subdomain) pointing at the environment URL. Use an alias rather than a CNAME if the domain is the zone apex, and keep the record pointing at the environment URL so that a blue/green URL swap keeps working.

64
Q

What is needed for Systems Manager to utilize EC2 instances?

A
  • SSM Agent installed and running on the instance (preinstalled on Amazon Linux, Ubuntu and Windows AMIs)
  • An instance profile with a role that lets the agent talk to SSM (the AmazonSSMManagedInstanceCore managed policy)
  • Network access to the SSM endpoints: through the internet/NAT or VPC interface endpoints for ssm, ssmmessages and ec2messages
  • (optional) tags, to target instances with Run Command, State Manager or Patch Manager
65
Q

What can be done in order to avoid an instance to slow down while using AWS SSM Run Command or Patches

A

Lower the rate control of the command or patching task: Concurrency limits how many targets run at once (a count or a percentage) and the Error threshold stops the run after a given number of failures, so the fleet is patched in waves instead of all at once.

66
Q

What can replace bastion hosts to connect to a private instance via a shell?

A

AWS Systems Manager Session Manager

Opens a shell on Linux or Windows instances without inbound ports for SSH/RDP and without key pairs; access is controlled by IAM and every session can be logged.

The instance needs an SSM instance profile and a path to the SSM endpoints; permissions for S3 and CloudWatch Logs are only required when session logging to those services is enabled.

67
Q

How do you keep Parameter Store parameters from being read by people inside the account who should not see them?

A

Restrict access with IAM: allow ssm:GetParameter, GetParameters and GetParametersByPath only on the parameter ARNs (use a hierarchy such as /prod/db/ so the path can be scoped), store secrets as SecureString parameters encrypted with a customer managed KMS key, and grant kms:Decrypt on that key only to the principals that need the plaintext.

68
Q

An Application running on EC2 needs login credentials for a DB that are stored in SSM Parameter store.
How to retrieve them?

A

Create an IAM role for the instance (instance profile) that allows ssm:GetParameter on the parameter's ARN, plus kms:Decrypt on the key if it is a SecureString; the application then calls GetParameter with WithDecryption=true at startup instead of keeping the credentials in a config file or in user data.

69
Q

There are 100 Linux instances that need to be patched, what can be done to ensure the system will not slow down?

A

In the maintenance window's patch task, set the rate control concurrency to 10% (and an error threshold), so only 10 instances are patched at a time.

70
Q

You created a custom Linux AMI and want to configure it using SSM, but cannot find it. Where could be the problem?

A
  • Missing permissions in the instance profile (the AmazonSSMManagedInstanceCore policy), or no instance profile at all
  • SSM Agent is not installed or not running in the custom AMI
  • No network path to the SSM endpoints (no internet/NAT route and no VPC endpoints)

71
Q

IAM access keys that are stored on EC2 instances should be automatically rotated after 60 days. What can be done?

A

Create an AWS Config rule (ACCESS_KEYS_ROTATED with maxAccessKeyAge = 60) to identify the keys and an AWS Systems Manager Automation document as its remediation action to deactivate and delete them and create new ones. Better still, remove the stored keys altogether and give the instances an IAM role, which delivers automatically rotated temporary credentials.
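The remediation step from this card and card 34, as an added example that is not part of the course material: the decision logic is pure Python so it runs offline against the constructed key list below (the key IDs are placeholders in the shape of <code>iam.list_access_keys()</code> output), and <code>apply_plan</code> shows the boto3 calls an SSM Automation <code>aws:executeScript</code> step or a Lambda function would make. Rotation is staged: keys past the age limit are deactivated first (reversible), and keys that have already been inactive for a grace period are deleted, which frees one of the user's two key slots for the replacement.

```python
"""Staged rotation of aged IAM access keys (added example, not course code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

Key = Dict  # shape of one entry in iam.list_access_keys()["AccessKeyMetadata"]


def plan_actions(keys: List[Key], now: datetime,
                 max_age_days: int = 90, grace_days: int = 14) -> List[Tuple[str, str]]:
    """Decide per key what the remediation step should do.

    Active keys older than max_age_days are deactivated (reversible).
    Inactive keys older than max_age_days + grace_days are deleted.
    Returns (AccessKeyId, action) pairs; keys needing nothing are omitted.
    """
    deactivate_before = now - timedelta(days=max_age_days)
    delete_before = deactivate_before - timedelta(days=grace_days)
    plan = []
    for k in keys:
        if k["Status"] == "Active" and k["CreateDate"] < deactivate_before:
            plan.append((k["AccessKeyId"], "deactivate"))
        elif k["Status"] == "Inactive" and k["CreateDate"] < delete_before:
            plan.append((k["AccessKeyId"], "delete"))
    return plan


def apply_plan(user: str, plan: List[Tuple[str, str]], iam=None) -> List[str]:
    """Execute the plan with a boto3 IAM client; with iam=None only report.

    Needs iam:UpdateAccessKey and iam:DeleteAccessKey on the user.
    """
    done = []
    for key_id, action in plan:
        if iam is not None and action == "deactivate":
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        elif iam is not None:
            iam.delete_access_key(UserName=user, AccessKeyId=key_id)
        done.append(f"{action} {key_id}")
    return done


# Constructed sample in the shape of list_access_keys output; IDs are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000OLD1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120)},   # past the limit: deactivate
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000NEW1", "Status": "Active",
     "CreateDate": NOW - timedelta(days=5)},     # fresh replacement: keep
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE0000GRACE", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=95)},    # inactive but inside the grace period: keep
    {"UserName": "deploy", "AccessKeyId": "AKIAEXAMPLE00000DEAD", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=200)},   # inactive and past the grace period: delete
]

if __name__ == "__main__":
    # import boto3; iam = boto3.client("iam")   # uncomment to run against the account
    for line in apply_plan("deploy", plan_actions(SAMPLE_KEYS, NOW)):
        print(line)
```

Run it with the real client only after the replacement key has been distributed to the instances; the grace period is what gives a forgotten consumer time to fail visibly (AccessDenied on an inactive key) before the key is gone for good.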

72
Q

You want to create infrastructure across multiple accounts, what should be used and how is it done?

A

CloudFormation StackSets

The administrator account creates the stack set and chooses the target accounts (or Organizations OUs) and regions; CloudFormation then creates a stack instance in each. Permissions are either service-managed (Organizations trusted access) or self-managed, which needs the AWSCloudFormationStackSetAdministrationRole in the admin account and the AWSCloudFormationStackSetExecutionRole in every target account.

73
Q

You want to create a CloudFormation Template (which creates an EC2 instance) that can be copied to another region without changing the template.
What function can be used?

A

Use Fn::FindInMap with a Mappings section keyed by region (looked up with Ref AWS::Region) to select the AMI that is valid for the region the stack is deployed in.

74
Q

You want to create one CloudFormation template for multiple environments, how can this be done?

A
  • Add an Environment parameter (with AllowedValues such as dev/test/prod)
  • Put the per-environment values (instance type, sizes, etc.) in a Mappings section keyed by environment and look them up with Fn::FindInMap using Ref on the parameter; Conditions on the parameter can switch optional resources on or off

75
Q

You need to pass user data into your EC2 instance launched via CloudFormation, how can you do that?

A

In the Properties of the AWS::EC2::Instance resource:

Properties:
  UserData:
    Fn::Base64:
      [… COMMANDS …]

Fn::Base64 encodes the script as EC2 expects it; combine it with Fn::Sub if the script needs stack parameters such as ${AWS::Region}.

76
Q

You deployed instances from CloudFormation and want to install software once the instance is created, using the AWS-provided tooling. How can this be done?

A

Describe the packages, files, services and commands in the resource's AWS::CloudFormation::Init metadata and run the helper script cfn-init from the user data; it reads that metadata and applies it on the instance.

77
Q

You deployed instances from CloudFormation and want to install software after some other events happend, how can you do that?

A

Use the helper script cfn-signal to tell CloudFormation when the instance is ready (or that its setup failed).
The signal is consumed by the resource's CreationPolicy (or a WaitCondition), so dependent resources are created only after it arrives.

78
Q

You deployed instances from CloudFormation and set up software installation with the cfn-init helper script, but it is not working. What could be the issue?

A
  • The helper scripts are not included in the AMI (only Amazon Linux ships aws-cfn-bootstrap; other images must install it in user data first)
  • The AWS::CloudFormation::Init metadata or the cfn-init command line is wrong, so the commands did not run; check /var/log/cfn-init.log and /var/log/cloud-init-output.log on the instance

79
Q

You deployed a stack using CloudFormation and your resources are not needed anymore and should be deleted. But you want to keep the S3 Bucket and its data. What can be done?

A

Set the DeletionPolicy to Retain for the S3 Bucket

80
Q

You deployed instances from CloudFormation and your resources are not needed anymore and should be deleted. But you want to keep the data on an EBS drive. What can be done?

A

Set the DeletionPolicy to Snapshot

81
Q

You want to deploy a stack using CloudFormation and you have to make sure that a S3 Bucket is created before the EC2 instance is launched. How can this be done?

A

Use DependsOn from the EC2 instance on the Bucket
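The features from cards 12 and 73 to 81 combined in one template, as an added example that is not part of the course material: an Environment parameter, Mappings looked up with Fn::FindInMap (by region for the AMI, by environment for the instance type), UserData that runs cfn-init and cfn-signal, a CreationPolicy whose ResourceSignal Timeout rolls the stack back if the signal is late, DependsOn from the instance to the bucket, and DeletionPolicy Retain on the bucket and Snapshot on a volume. The template is built as a Python dict (CloudFormation accepts the JSON that <code>json.dumps</code> produces), and <code>check_template</code> is a small pre-deploy lint for the signalling and retention rules the cards describe. The AMI IDs, sizes and the two-hour install window are placeholders.

```python
"""Generate and lint a CloudFormation template (added example, not course code)."""
import json
import re
from typing import Dict, List

# Placeholder AMI IDs: replace with the real per-region IDs of your image.
REGION_AMIS = {
    "us-east-1": {"AMI": "ami-00000000000000001"},
    "eu-west-1": {"AMI": "ami-00000000000000002"},
}

# Runs cfn-init against the resource's metadata, then reports the result with
# cfn-signal; the ${...} placeholders are resolved by Fn::Sub at deploy time.
USER_DATA = """#!/bin/bash -xe
yum install -y aws-cfn-bootstrap
/opt/aws/bin/cfn-init -v --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}
/opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource WebServer --region ${AWS::Region}
"""


def build_template(install_window: str = "PT2H") -> Dict:
    """Return the template as a dict; json.dumps() makes it deployable."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {"Environment": {"Type": "String", "Default": "dev",
                                       "AllowedValues": ["dev", "prod"]}},
        "Mappings": {
            "RegionMap": REGION_AMIS,
            "EnvMap": {"dev": {"InstanceType": "t3.micro"},
                       "prod": {"InstanceType": "m5.large"}},
        },
        "Resources": {
            # Retain: the bucket and its data survive stack deletion
            "ArtifactBucket": {"Type": "AWS::S3::Bucket", "DeletionPolicy": "Retain"},
            # Snapshot: the volume is snapshotted before it is deleted
            "DataVolume": {"Type": "AWS::EC2::Volume", "DeletionPolicy": "Snapshot",
                           "Properties": {"Size": 20,
                                          "AvailabilityZone": {"Fn::Select": [0, {"Fn::GetAZs": ""}]}}},
            "WebServer": {
                "Type": "AWS::EC2::Instance",
                "DependsOn": "ArtifactBucket",  # explicit ordering: nothing here Refs the bucket
                "Metadata": {"AWS::CloudFormation::Init": {"config": {
                    "packages": {"yum": {"httpd": []}},
                    "services": {"sysvinit": {"httpd": {"enabled": True, "ensureRunning": True}}}}}},
                # Roll back unless cfn-signal reports success within the window
                "CreationPolicy": {"ResourceSignal": {"Count": 1, "Timeout": install_window}},
                "Properties": {
                    "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
                    "InstanceType": {"Fn::FindInMap": ["EnvMap", {"Ref": "Environment"}, "InstanceType"]},
                    "UserData": {"Fn::Base64": {"Fn::Sub": USER_DATA}},
                },
            },
        },
    }


_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def duration_seconds(iso: str) -> int:
    """Parse the time-only ISO 8601 durations CloudFormation accepts (PT2H, PT30M)."""
    m = _DURATION.match(iso)
    if not m or iso == "PT":
        raise ValueError(f"bad duration: {iso}")
    hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def check_template(template: Dict, min_signal_seconds: int) -> List[str]:
    """Pre-deploy checks for the signalling and retention rules; empty means OK."""
    findings = []
    resources = template["Resources"]
    for name, res in resources.items():
        deps = res.get("DependsOn", [])
        for dep in [deps] if isinstance(deps, str) else deps:
            if dep not in resources:
                findings.append(f"{name}: DependsOn unknown resource {dep}")
        signal = res.get("CreationPolicy", {}).get("ResourceSignal")
        if signal:
            if duration_seconds(signal["Timeout"]) < min_signal_seconds:
                findings.append(f"{name}: ResourceSignal Timeout is shorter than the install window")
            if "cfn-signal" not in json.dumps(res.get("Properties", {}).get("UserData", {})):
                findings.append(f"{name}: CreationPolicy set but UserData never calls cfn-signal")
        if res["Type"] == "AWS::S3::Bucket" and res.get("DeletionPolicy") != "Retain":
            findings.append(f"{name}: bucket (and its data) would be deleted with the stack")
    return findings


if __name__ == "__main__":
    tpl = build_template()
    print(json.dumps(tpl, indent=2))          # save as template.json and deploy
    print(check_template(tpl, 3600) or "OK")  # the install takes about an hour
```

Because <code>cfn-signal -e $?</code> forwards the exit status of cfn-init, a failed package install sends a FAILURE signal and the stack rolls back immediately instead of waiting for the two-hour timeout.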

82
Q

You need to update a stack, which will replace EC2 instances but you need to keep a copy of the old instances, how can this be done?

A

Use an UpdatePolicy on the Auto Scaling group: AutoScalingReplacingUpdate with WillReplace: true creates a new group with new instances and keeps the old group and its instances until the new ones signal success (if they do not, the old instances stay and the update rolls back).

83
Q

Your rollback of a stack is failed (UPDATE_ROLLBACK_FAILED) and you want to troubleshoot, what can be done?

A

Find the resource that failed to roll back in the stack events, fix it by hand (for example delete a resource that was changed outside CloudFormation), then choose "Continue update rollback", optionally skipping resources that cannot be rolled back, so the stack returns to UPDATE_ROLLBACK_COMPLETE and can be updated again.

84
Q

(CloudFormation)

You need to review changes to a CloudFormation Stack before deploying it

A

Use change sets

85
Q

(CloudFormation)
Manual changes have been made.
How can you include those in the template?

A

Run drift detection to list the resources whose live configuration differs from the template, copy the drifted property values into the template, and update the stack so the template is the source of truth again (resources created outside the stack can be brought in with a resource import).

86
Q

(CloudFormation)

You need to update changes to the instances in an AutoScalingGroup, but DNS cannot change

A

Use an UpdatePolicy on the Auto Scaling group: AutoScalingRollingUpdate replaces the instances in batches inside the existing group, AutoScalingReplacingUpdate with WillReplace swaps in a new group. In both cases the load balancer in front of the group, and therefore its DNS name, stays the same.

87
Q

Your rollback of a stack is failed (UPDATE_ROLLBACK_FAILED), but you fixed the issue - what can be done?

A

Select “Continue update rollback” in the console

88
Q

(EC2)

How to change the instance type?

A
  • The instance must be EBS-backed (instance store-backed instances cannot be resized; their data is lost on stop)
  • Stop the instance (the public IPv4 address changes unless it is an Elastic IP)
  • Change the instance type to one with a compatible architecture and virtualization type
  • Start the instance
89
Q

You have multiple stacks of infrastructure, which are mostly the same but have a few differences.
What is the most effective strategy?

A
  • Use nested stacks
  • Build a standard template for the shared parts and reference it from each stack as an AWS::CloudFormation::Stack resource, passing the values that differ as parameters

90
Q

(EC2)

You have several Spot Instances, it does not matter if they are not running, but you need to keep the data.

A

Set the Spot request's interruption behavior to stop (or hibernate) instead of terminate; this needs a persistent request. The EBS volumes are kept, and the instance is started again when Spot capacity is available.

91
Q

(Lambda)

You have a compute-intensive Lambda function. What can you do to make it run faster?

A

Increase the memory allocation: CPU (and network bandwidth) are allocated in proportion to memory, so more RAM also means more CPU; at 1,769 MB a function gets the equivalent of one full vCPU.

92
Q

(EC2)

What can resolve a failed system status check?

A

Stop and start the instance again (not a reboot): a failed system status check means a problem with the underlying host, and stop/start moves the instance to a new host. For EBS-backed instances, CloudWatch's EC2 recover action can do this automatically.

93
Q

(Lambda)

You expect a large increase in demand for your Lambda function. What can be done?

A

Request an increase of the account's concurrency quota (the regional default is 1,000 concurrent executions) and, for latency-sensitive functions, configure provisioned concurrency; reserved concurrency only caps or guarantees the share of the quota a single function gets.

94
Q

You configured a deny rule for a malicious IP in a NACL, but the user can still connect. What could be a reason?

A

A lower-numbered allow rule already matches the traffic. NACL rules are evaluated in ascending rule-number order and the first match wins, so the deny must have a lower number than the allow rule for that port.

95
Q

You peered two VPCs in different regions; the security groups allow traffic by referencing each other's security group IDs, but no traffic gets through.

A

Security group references across a peering connection only work when both VPCs are in the same region. For inter-region peering the rules must use the peer VPC's CIDR ranges (or IP addresses) instead.

96
Q

I am creating an application and would like it to run with minimal cost in a development environment with Elastic Beanstalk. I should run it in:

  1. Single Instance Mode
  2. High Availability Mode

A

Single Instance Mode

This creates one EC2 instance with an Elastic IP and no load balancer; High Availability Mode adds a load balancer and an Auto Scaling group across AZs, which costs more.

97
Q

You’ve added files in your bucket and then enabled versioning. The files you’ve already added will have which version?

  1. 1
  2. 0
  3. -1
  4. null
A

null

Objects that existed before versioning was enabled get the version ID null. Once versioning is on, each new write of the key gets a unique version ID and the null version remains as an older version; deleting it permanently means specifying VersionId=null.

98
Q

I have an on-premises personal server that I’d like to use to perform AWS API calls.

  1. I should run aws configure and put my credentials there. Invalidate them when I’m done
  2. I should attach an EC2 IAM Role to my personal server

A

I should run aws configure and put my credentials there. Invalidate them when I’m done

You cannot attach an instance role to an on-premises server. For anything longer-lived than a one-off session, prefer short-lived credentials over stored access keys: IAM Roles Anywhere (an X.509 certificate exchanged for role credentials) or a Systems Manager hybrid activation both give an on-premises host role-based credentials.

99
Q

You would like to provide your users access to hundreds of private files in your CloudFront distribution, which is fronting an HTTP web server behind an application load balancer. What should you use?

  1. CloudFront Signed URL
  2. CloudFront Signed Cookies
  3. CloudFront Origin Access Identity
  4. CloudFront HTTPS encryption
A

CloudFront Signed Cookies

One signed cookie grants access to many files (a path pattern) for the lifetime of its policy, whereas a signed URL covers a single file. An origin access identity only restricts an S3 origin to CloudFront and does not apply to a custom HTTP origin.

100
Q

You are creating an application that is going to expose an HTTP REST API. There is a need to provide request routing rules at the HTTP level. Due to security requirements, your application can only be exposed through the use of two static IPs. How can you create a solution that validates these requirements?

  1. Use Global Accelerator and an Application Load Balancer
  2. Use a Network Load Balancer and attach Elastic IPs to it
  3. Use an Application Load Balancer and attach Elastic IPs to it
  4. Use CloudFront with Elastic IP and an Application Load Balancer

A

Use Global Accelerator and an Application Load Balancer

Global Accelerator provides the two static anycast IPs and the ALB provides the HTTP routing rules. An ALB cannot have Elastic IPs attached and CloudFront has no fixed IPs either; an NLB with Elastic IPs is static too but offers no HTTP-level routing on its own.

101
Q

You would like messages to be processed by SQS consumers only after 5 minutes of being published to SQS. What should you do?

  1. Increase the DelaySeconds parameter
  2. Change the Visibility Timeout
  3. Enable Long Polling
  4. Use the extended SQS client
A

Increase the DelaySeconds parameter

Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes. The queue-level delay applies to every message; a per-message delay (message timer) can override it on standard queues only. The visibility timeout, by contrast, hides a message only after a consumer has received it.

102
Q

You have a Kinesis stream usually receiving 5 MB/s of data and sending out 8 MB/s of data. You have provisioned 6 shards. Some days, your traffic spikes up to 2 times and you get a throughput exception. You should:

  1. Enable Kinesis replication
  2. Use SQS as a buffer to Kinesis
  3. Add more shards

A

Add more shards

Each shard allows 1 MB/s (1,000 records/s) in and 2 MB/s out. Six shards give 6 MB/s in and 12 MB/s out; a 2x spike needs 10 MB/s in and 16 MB/s out, so both limits are exceeded and the stream has to be resharded (split) to at least 10 shards, or switched to on-demand capacity mode.

103
Q

You have a Lambda function that will process data for 25 minutes before successfully completing. The code is working fine on your machine, but in AWS Lambda it just fails with a “timeout” issue after 3 seconds. What should you do?

  1. Set the timeout to 25 minutes
  2. Set the memory to 3 GB
  3. Run your code somewhere else than Lambda - the maximum timeout is 15 minutes

A

Run your code somewhere else than Lambda - the maximum timeout is 15 minutes

The default timeout is 3 seconds and can be raised to at most 900 seconds; a 25-minute job belongs in Fargate, Batch or a Step Functions workflow that splits it into shorter steps.

104
Q

You’d like to have a dynamic DB_URL variable loaded in your Lambda code.

  1. Place it in the environment variables
  2. Place it in the code zip file
  3. Place it in the code itself

A

Place it in the environment variables

Environment variables are set per function version and read at runtime (os.environ in Python), so the value can change without a new deployment package; they are encrypted at rest with KMS. For secrets, keep the value in Secrets Manager or Parameter Store and put only its name in the variable.

105
Q

We have to provision the instance type for our DynamoDB database.

  1. True
  2. False

A

False

DynamoDB is a serverless service, so we don’t provision an instance type for our database. We only specify how many RCU and WCU the table needs (provisioned mode, optionally with auto scaling) or use on-demand capacity mode.

106
Q

A DynamoDB table has been provisioned with 10 RCU and 10 WCU. You would like to increase the RCU to sustain more read traffic. What is true about RCU and WCU?


RCU and WCU are decoupled, so WCU can stay the same

You will also have to increase WCU to match the RCU value

A

RCU and WCU are decoupled, so WCU can stay the same

107
Q

You are about to enter the Christmas sale and you know a few items in your website are very popular and will be read often. Last year you had a ProvisionedThroughputExceededException. What should you do this year?


Increase the RCU to a very, very high value

Create a DAX cluster

Migrate the database away from DynamoDB for the time of the sale

A

A DynamoDB Accelerator (DAX) cluster is a cache that fronts your DynamoDB tables and caches the most frequently read values. It helps offload the heavy reads on hot keys from DynamoDB itself, hence preventing the ProvisionedThroughputExceededException.

108
Q

You have hosted a DynamoDB table in ap-northeast-1 and would like to make it available in eu-west-1. What must be enabled first to create a DynamoDB Global Table?

DynamoDB Streams

DynamoDB DAX

DynamoDB Versioning

DynamoDB Backups
A

Streams enable DynamoDB to get a changelog and use that changelog to replicate data across regions.

109
Q

In server-side encryption, only the encryption happens on the server. Where does the decryption happen?


The Server


The Client

A

The Server

110
Q

A media agency stores its re-creatable artifacts on Amazon S3 buckets. The artifacts are accessed by a large volume of users for the first few days and the frequency of access falls drastically after a week. Although the artifacts would be accessed only occasionally after the first week, they must continue to be immediately accessible when required. The cost of maintaining all the artifacts on S3 storage is turning out to be very expensive and the agency is looking at reducing costs as much as possible.

As a Solutions Architect, can you suggest a way to lower the storage costs while fulfilling the business requirements?


Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days

Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days

Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 7 days

Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 7 days

A

Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days

111
Q

Researchers at a pharma company are working on developing a vaccine for the COVID-19 pandemic. They have identified multiple candidates as potential vaccines and they need to analyze healthcare data of individuals in the US to identify the first batch of recipients for the initial trials. For faster processing, the data processing application needs to parse through this healthcare data in an in-memory database that is highly available as well as HIPAA compliant.

As a solutions architect, which of the following AWS services would you recommend for this task?

ElastiCache for Memcached

DynamoDB

ElastiCache for Redis

DocumentDB
A

ElastiCache for Redis

ElastiCache for Memcached is not HIPAA eligible, so this option is incorrect.

112
Q

A startup has recently moved their monolithic web application to AWS Cloud. The application runs on a single EC2 instance. Currently, the user base is small and the startup does not want to spend effort on elaborate disaster recovery strategies or Auto Scaling Group. The application can afford a maximum downtime of 10 minutes.

In case of a failure, which of these options would you suggest as a cost-effective and automatic recovery procedure for the instance?

Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume

Configure AWS Trusted Advisor to monitor the health check of EC2 instance and provide a remedial action in case an unhealthy flag is detected

Configure Amazon CloudWatch events that can trigger the recovery of the EC2 instance, in case the instance or the application fails

Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance can be configured with EBS volume or with instance store volumes

A

Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume

The recover action is supported only on instances that have EBS volumes configured on them; instance store volumes are not supported for automatic recovery by CloudWatch alarms.

113
Q

Which of the following is true regarding cross-zone load balancing as seen in Application Load Balancer versus Network Load Balancer?


By default, cross-zone load balancing is disabled for both Application Load Balancer and Network Load Balancer

By default, cross-zone load balancing is enabled for both Application Load Balancer and Network Load Balancer

By default, cross-zone load balancing is disabled for Application Load Balancer and enabled for Network Load Balancer

By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer

A

By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer

By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer. When cross-zone load balancing is enabled, each load balancer node distributes traffic across the registered targets in all the enabled Availability Zones. When cross-zone load balancing is disabled, each load balancer node distributes traffic only across the registered targets in its Availability Zone.

114
Q

A retail company uses AWS Cloud to manage its IT infrastructure. The company has set up “AWS Organizations” to manage several departments running their AWS accounts and using resources such as EC2 instances and RDS databases. The company wants to provide shared and centrally-managed VPCs to all departments using applications that need a high degree of interconnectivity.

As a solutions architect, which of the following options would you choose to facilitate this use-case?


Use VPC peering to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations

Use VPC peering to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations

Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations

Use VPC sharing to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations

A

Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations

VPC sharing (part of Resource Access Manager) allows multiple AWS accounts to create their application resources such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, into shared and centrally-managed Amazon Virtual Private Clouds (VPCs). To set this up, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.

115
Q

The engineering team at an e-commerce company is working on cost optimizations for EC2 instances. The team wants to manage the workload using a mix of on-demand and spot instances across multiple instance types. They would like to create an Auto Scaling group with a mix of these instances.

Which of the following options would allow the engineering team to provision the instances for this use-case?


You can use a launch configuration or a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

You can only use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

You can neither use a launch configuration nor a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

A

You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost

116
Q

The CTO at an IT company wants to move away from license-based, expensive, and legacy commercial database solutions deployed at the on-premises data center to more efficient, open-source, and cost-effective options on AWS Cloud. At the same time, the CTO is concerned about identifying areas for data-conversion that require special attention during migration since the on-premises databases have multiple active complex configurations such as secondary indexes, foreign keys, and stored procedures.

As a solutions architect, which of the following AWS services would you recommend for this solution? (Select two)


AWS Database Migration Service

AWS Glue

AWS Schema Conversion Tool

Basic Schema Copy

AWS Snowball Edge

A

AWS Database Migration Service
AWS Schema Conversion Tool

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora.

First use the AWS Schema Conversion Tool to convert the source schema and code to match that of the target database, and then use the AWS Database Migration Service to migrate data from the source database to the target database.

117
Q

Your company is a large enterprise with a small number of applications on AWS with a VPN connection. What is the simplest, low cost, low latency solution for LDAP authentication to access AWS?


Create an LDAP replica on AWS for the applications.

Create a second LDAP domain and build a trust relationship.

Use AWS Direct Connect

Create an LDAP server on AWS for your enterprise

A

Creating an LDAP replica on AWS is the simplest, low cost, low latency solution.

118
Q

If you have attached an ELB to your Auto Scaling group and an instance fails the load balancer health checks, Auto Scaling does not replace the instance by default.

True

False
A

True

By default, an Auto Scaling group determines the health state of each instance by periodically checking the results of the EC2 instance status checks. If an instance fails the EC2 instance status checks, Auto Scaling considers the instance unhealthy and replaces it. However, if you have attached one or more load balancers to your Auto Scaling group and an instance fails the load balancer health checks, Auto Scaling does not replace the instance by default.

119
Q

If your instance type supports one instance store volume, and your AMI has mappings for two instance store volumes, then the instance launches with two instance store volumes.


True

False

A

The number and size of available instance store volumes for your instance varies by instance type. Some instance types do not support instance store volumes.

120
Q

A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling terminate process of an unhealthy instance. What will happen to the availability zone rebalancing process during this period?


Auto Scaling will not launch or terminate any instances

Auto Scaling will allow the instances to grow more than the maximum size

Auto Scaling will keep launching instances till the maximum instance size

It is not possible to suspend the terminate process while keeping the launch active

A

Auto Scaling will allow the instances to grow more than the maximum size

Although you have suspended the termination or launch of an instance, Auto Scaling will still maintain the number of healthy instances.

121
Q

To configure your bucket to allow cross-origin requests, you create a CORS configuration, an HTML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) you will support for each origin, and other operation-specific information.


True

False

A

False

XML, not HTML.

122
Q

You can’t move an existing instance into a placement group.


True

False

A

You can move an existing instance to a placement group, move an instance from one placement group to another, or remove an instance from a placement group. Before you begin, the instance must be in the stopped state.

123
Q

An Auto Scaling PercentChangeInCapacity scaling operation results in 0.8. How many instances are added?

1

2

None
A

1

Values greater than 1 are rounded down. For example, 12.7 is rounded to 12.

Values between 0 and 1 are rounded to 1. For example, .67 is rounded to 1.

Values between 0 and -1 are rounded to -1. For example, -.58 is rounded to -1.

Values less than -1 are rounded up. For example, -6.67 is rounded to -6.

124
Q

Which storage engine is required for MySQL read replicas?

MyISAM

MySQL Managed File System (MFS)

InnoDB
A

InnoDB

125
Q

S3 Tag Values do not have to be unique in a tag set, and they can be null.


True

False

A

True

126
Q

By default, the CloudFormation “automatic rollback on error” feature is not enabled.

True

False

A

By default, the “automatic rollback on error” feature is enabled. This will cause all AWS resources that AWS CloudFormation created successfully for a stack up to the point where an error occurred to be deleted.

127
Q

What is the max total size of all the messages that you send in a single call to SQS SendMessageBatch?


64 k

256 k

512 k

4 MB

A

256 k

128
Q

You are setting up a PostgreSQL database server that runs on a Reserved EC2 instance which will be used by the various internal applications within your VPC. To simplify the naming convention of the database server, you are planning to allocate a custom domain name for the database.

Which of the following should you do to complete this task?


Set up a private hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.

Set up a private hosted zone in Route 53. Create a CNAME record, such as db.tutorialsdojo.com, and specify the IP address of the database server.

Set up a publicly hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.

Set up a publicly hosted zone in Route 53. Create a CNAME record, such as db.tutorialsdojo.com, and specify the IP address of the database server.

A

Set up a private hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.

You enter the IP address of the server.

129
Q

You are working as the Systems Administrator for a leading bank which has a web application that is heavily using the RDS instance for its database tier. You are required to monitor how the different processes or threads on a DB instance use the CPU, such as the percentage of the CPU bandwidth and total memory consumed by each process.

Which of the following is the most suitable solution to properly monitor your database?


Enable Enhanced Monitoring in RDS.

Set up a monitoring system which uses Amazon CloudWatch to track the CPU Utilization of your database.

Write a shell script that collects and publishes custom metrics to CloudWatch which tracks the real-time CPU Utilization of the RDS instance.

View the CPU% and MEM% metrics which are readily available in the Amazon RDS console.

A

Enable Enhanced Monitoring in RDS.

130
Q

Hiring new Database Administrators who will manage the backups of the AWS resources will increase the company’s operating expenses and thus, they are looking for ways to automate their processes to cut costs. The company is using point-in-time snapshots of their resources provisioned on AWS.

Which of the following services provides you with a user configurable automatic backup service and backup rotation options without the need for regular user intervention? (Select TWO.)

Amazon EFS

Amazon Redshift

Amazon EC2

Amazon RDS

Amazon S3
A

Amazon RDS

Amazon Redshift

131
Q

A company has multiple AWS accounts that are consolidated using AWS Organizations. A Systems Engineer has been tasked to set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company’s AWS accounts and cloud applications. The Engineer has already created a directory in the master account using the AWS Directory Service. Full access has also been configured by the Engineer in AWS Organizations.

Which of the following should the Engineer configure to complete the setup?


For each member account, set up IAM roles that will be used by AWS SSO. Associate the users with these IAM roles using AWS SSO.

Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.

Set up permission sets in AWS Organizations. Associate the permission sets with AWS SSO users and groups.

Set up service control policies (SCPs) in AWS Organizations. Associate the SCPs with Directory Service users and groups using the AWS Management Console.

A

Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.

AWS SSO manages access to all your AWS Organizations accounts, AWS SSO-integrated applications, and other business applications that support the Security Assertion Markup Language (SAML) 2.0 standard.

You can configure your identity source in AWS SSO to determine where your users and groups are stored. Once configured, you can then look up users or groups in your store to grant them single sign-on access to AWS accounts, cloud applications, or both.

132
Q

An investment bank is storing the account transactions of their clients in S3. As the SysOps Administrator of the company, you enabled Versioning and MFA Delete to secure the objects stored in the S3 bucket from accidental deletion. In this scenario, which of the following operations in S3 will now require additional authentication? (Select TWO.)


Permanently deleting an object version.

Renaming an object.

Change the versioning state of your bucket.

Change the ACL of your bucket.

Moving an object.
A

Change the versioning state of your bucket.

Permanently deleting an object version.

133
Q

A company uses a Volume Gateway as part of their Hybrid Cloud storage solutions to accommodate its growing application. The Volume Gateway is using stored volumes to save the files stored on-premises with scheduled offsite backups. Due to inadequate capacity planning, the volume is quickly running out of space for new data.

How can you expand the volume?


Launch a new volume with a larger size then use that as the storage for new data.

Request a service quota increase for the stored volume size.

Create a new volume of larger size from the existing cached volume.

Create a snapshot of the volume that you want to expand. Use the snapshot to create a new volume of a larger size.

A

Create a snapshot of the volume that you want to expand. Use the snapshot to create a new volume of a larger size.

134
Q

You are working in a leading global investment bank which has strict security compliance requirements in handling their financial data. As the SysOps Administrator, you are instructed to ensure that the data stored in the EBS Volumes, which are used by your EC2 instances, is also available in another AWS region. This will provide better redundancy for critical data stored in the volumes.

Which of the following options can you implement to achieve this? (Select TWO.)


Use the Amazon Data Lifecycle Manager (DLM) for EBS Snapshots.

Create a snapshot of the volume and then copy it to the new region.

Create a snapshot from the EBS volumes in another region.

Create a copy of the EBS volumes in the new region.

Use the AWS Trusted Advisor API service for EBS Snapshots.

A

Use the Amazon Data Lifecycle Manager (DLM) for EBS Snapshots.

Create a snapshot of the volume and then copy it to the new region.

You can also copy snapshots across regions using Data Lifecycle Manager (DLM). You can enable policies which, along with create, can now also copy snapshots to one or more AWS region(s). Copies can be scheduled for up to three regions from a single policy and retention periods are set for each region separately.

135
Q

An online food delivery website is hosted in an Amazon ECS Cluster and is using an RDS database instance. The company has recently deployed the new version of their delivery website which uses DynamoDB instead of RDS. Your manager instructed you to disable the backups of your RDS instance as these will no longer be used. You were able to successfully set the retention period to 1 with no issues but you encountered an error when you tried to set this at 0.

Which of the following could be the possible reason for this issue?


The RDS instance has Read Replicas.

The RDS instance is using a Multi-AZ deployments configuration.

You do not have the required IAM access to configure your RDS instance.

The minimum retention period that you can set is 1.

A

The RDS instance has Read Replicas.

There are several reasons why you may need to set the backup retention period to 0. For example, you can disable automatic backups immediately by setting the retention period to 0. If you set the value to 0 and receive a message saying that the retention period must be between 1 and 35, check to make sure you haven’t set up a read replica for the instance. Read replicas require backups for managing read replica logs, thus you can’t set the retention period to 0. Hence, the correct answer is the option that says, “the RDS instance has Read Replicas.”

136
Q

You are migrating an online accounting application to AWS which uses the TCP protocol. As the Systems Administrator, you are instructed to improve the scalability and availability of the application and to ensure that the IP addresses of the clients using the application are recorded for tracking.

Which of the following steps would you implement to fulfill this requirement?


Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled to load-balance the two application servers located in different Availability Zones.

Use Route 53 with Latency Based Routing enabled to distribute load on two or more application servers in different Availability Zones.

Use Route 53 with Weighted Routing to distribute load on two application servers in different Availability Zones.

Use an Elastic Load Balancer with a TCP Listener then enable the Proxy Protocol to distribute load on two or more application servers in different AZs.

A

Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested. Elastic Load Balancing uses Proxy Protocol version 1, which uses a human-readable header format.

137
Q

A leading telecommunications company has decided to host their e-commerce website in an Auto Scaling group of EC2 instances and an RDS database instance for their mobile phone plans. To secure the online transactions, you were instructed to configure the database to encrypt the data in transit.

Which of the following should you do to meet the requirements?


Use a VPC endpoint, which is powered by AWS PrivateLink, that enables you to connect to the RDS database instance.

Based on its respective DB engine, configure the database to use SSL and use the certificates which are readily available from AWS.

Do nothing. By default, RDS already provides data encryption for data at rest.

Use the CloudHSM service to encrypt the incoming and outgoing traffic to RDS.

A

Based on its respective DB engine, configure the database to use SSL and use the certificates which are readily available from AWS.

138
Q

An innovative financial startup has been experiencing rapid growth and demand for their cloud-based services. To meet the demand, they are planning to expand their cloud infrastructure for their online portal to two AWS regions: ca-central-1 Canada (Central) and ap-northeast-1 Asia Pacific (Tokyo) to serve their new clients. There is also a requirement to route more or less traffic to a given resource by specifying a value.

As their SysOps Administrator, how can you ensure that the traffic is served based on the geographic location of your users and your resources?

Configure the load balancer of their online portal to redirect distant users to a closer region.

Use a 3rd-party geolocation service to automatically route their users to the best-performing region.

Use the Route 53 service and create a new latency record for the website.

A

Set up a Geoproximity routing using Route 53 to properly route their users to the best-performing region.

You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias, that expands or shrinks the size of the geographic region from which traffic is routed to a resource.

139
Q

A company has a fleet of On-Demand EC2 instances on their new VPC created using the AWS CLI. You noticed that all recently launched EC2 instances do not have public DNS hostnames. This prevents you from accessing the instances over the Internet.

Which of the following could be a possible reason for this issue?


By default, the enableDnsSupport is set to false and enableDnsHostNames is set to true for VPCs created using the AWS CLI

By default, the enableDnsHostNames is set to false for VPCs created using the AWS CLI

By default, the enableDnsSupport is set to false for VPCs created using the AWS CLI

By default, both the enableDnsSupport and enableDnsHostNames are set to false for VPCs created using the AWS CLI

A

By default, the enableDnsHostNames is set to false for VPCs created using the AWS CLI

140
Q

A company has hundreds of Customer Master Keys (CMKs) which they are using with the Amazon Key Management Service to secure their S3 buckets, RDS instances, and other AWS resources. You were instructed to delete some CMKs to avoid management overhead and costs associated with maintaining unused keys.

In this scenario, which of the following is true regarding the deletion of customer master keys? (Select TWO.)


You can schedule the CMK for deletion with a default waiting period of 7 days.

You can directly delete a CMK immediately.

AWS KMS does not rotate the backing keys of CMKs that are pending deletion.

AWS KMS still rotates the backing keys of CMKs that are pending deletion.

A CMK that is pending deletion can still be used in any cryptographic operation.

A CMK that is pending deletion cannot be used in any cryptographic operation.

A


A CMK that is pending deletion cannot be used in any cryptographic operation.

AWS KMS does not rotate the backing keys of CMKs that are pending deletion.

The option that says: You can schedule the CMK for deletion with a default waiting period of 7 days is incorrect because although you can schedule the CMK for deletion, its default waiting period is 30 days and not 7 days.

The option that says: You can directly delete a CMK immediately is incorrect because you cannot directly delete a CMK immediately. You have to schedule its deletion.

141
Q

A company uses AWS Organizations to manage several AWS accounts. A department in the company requires a new AWS account. A SysOps Administrator must create the new account and configure user-defined cost allocation tags.

What should the Administrator do to enable user-defined cost allocation tags?


Use the Billing and Cost Management console in the payer account to create the new user-defined cost allocation tags.

Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the payer account to mark the tags as cost allocation tags.

Use the Billing and Cost Management console in the new account to create the new user-defined cost allocation tags.

Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the new account to mark the tags as cost allocation tags.

A

Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the payer account to mark the tags as cost allocation tags.

142
Q

A company is deploying AWS Single Sign-On (SSO). A SysOps Administrator has created an AWS SSO directory in an AWS Organizations master account and enabled full access. What is the next step to configure the single sign-on functionality?


Create permission sets in AWS SSO and associate the permission sets with Directory Service users or groups.


Create service control policies (SCPs) in Organizations and associate the SCPs with Directory Service users or groups.

Create IAM users in the master account and use AWS SSO to associate the users with the accounts they will access.

Create IAM roles in each account to be used by AWS SSO and associate users with these roles using AWS SSO.

A

Create permission sets in AWS SSO and associate the permission sets with Directory Service users or groups.

Permission sets define the level of access that users and groups have to an AWS account. Permission sets are stored in AWS SSO and provisioned to the AWS account as IAM roles.

You can assign more than one permission set to a user. Users who have multiple permission sets must choose one when they sign in to the user portal. (Users will see these as IAM roles.) For this scenario, the Administrator must next create the permission sets and then associate each permission set with the user accounts or groups.

143
Q

A SysOps Administrator has been tasked with setting up a record set in Amazon Route 53 to point to an Application Load Balancer (ALB). The hosted zone and the ALB are in different accounts.

What is the MOST cost-effective and efficient solution to this requirement?


Create an alias record in the hosted zone pointing to the Application Load Balancer.

Create an Application Load Balancer in the same account as the hosted zone and forward connections cross-account to the other ALB.

Create an asynchronous replica of the hosted zone in the account with the Application Load Balancer.

Create a CNAME record in the hosted zone pointing to an alias record to the Application Load Balancer.

A

Create an alias record in the hosted zone pointing to the Application Load Balancer.

It is possible to create an Alias record that points to a resource in another account. In this case, the fully qualified domain name of the ALB must be obtained and then entered when creating the record set. This is the most cost-effective option as you do not pay for Alias records and there is minimal configuration required.

144
Q

A company manages a fleet of Amazon EC2 instances in a VPC and wishes to remove their public IP addresses to protect them from internet-based threats. Some applications still require access to Amazon S3 buckets. A SysOps Administrator has been tasked with providing continued access to the S3 buckets.

Which solutions can the Administrator recommend? (Select TWO.)


Add an outbound rule in the security groups of the EC2 instances for Amazon S3 using private IP addresses.

Create a VPC endpoint in the VPC and configure the route tables appropriately.

Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.

Set up AWS Direct Connect and configure a virtual interface between the EC2 instances and the S3 buckets.

Configure the internet gateway to route connections to S3 using private IP addresses.

A

Create a VPC endpoint in the VPC and configure the route tables appropriately.

Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.

145
Q

A company is creating a new application that will run in a hybrid environment. The application processes data that must be secured and the developers require encryption in-transit across shared networks and encryption at rest.

Which combination of actions should a SysOps Administrator take to meet these requirements? (Select TWO.)


Use AWS KMS to create TLS/SSL certificates.

Use AWS KMS to manage the encryption keys used for data encryption.

Configure an AWS VPN between the on-premises data center and AWS.

Use AWS CloudHSM to encrypt the data using a CMK.

Use AWS Certificate Manager to create TLS/SSL certificates.

A

Use AWS KMS to manage the encryption keys used for data encryption.

Configure an AWS VPN between the on-premises data center and AWS.

An AWS virtual private network (VPN) connection can be configured to encrypt data over the shared, hybrid network connection. This ensures encryption in-transit and if you don’t have a certificate you can create a pre-shared key.

AWS KMS can be used to manage encryption keys that can be used for data encryption. In this case the keys would then be used outside of KMS to actually encrypt the data.

146
Q

A SysOps Administrator created a script that generates custom Amazon CloudWatch metrics. The EC2 instance on which the script was run had a misconfigured clock resulting in timestamps on the logs that were set to 30 minutes in the past.

What will be the result of this situation?


Amazon CloudWatch will accept the custom metric data and record it.

Amazon CloudWatch will not capture the data because it is in the past.

Amazon CloudWatch will correct the time when recording the timestamp.

Amazon CloudWatch creates its own timestamps and ignores metric timestamps.

A

Amazon CloudWatch will accept the custom metric data and record it.

The time stamp can be up to two weeks in the past and up to two hours into the future. If you do not provide a time stamp, CloudWatch creates a time stamp for you based on the time the data point was received.

147
Q

A security team has identified an attack on web applications running on Amazon EC2. The attack uses malformed HTTP headers. Which AWS service or feature can be used to prevent this type of attack from reaching the EC2 instances?


Network Access Control List (NACL)

Amazon Security Group rules

Application Load Balancer (ALB)

AWS Web Application Firewall (WAF)

A

Application Load Balancer (ALB)

An Application Load Balancer will block malformed requests that do not meet the HTTP specification with an HTTP 400: Bad Request error. An ALB can be placed in front of the EC2 web applications and this will prevent the attack from reaching the instances.

The ALB attribute “Drop Invalid Header Fields” setting can be used to control if invalid header fields are removed by the load balancer.

148
Q

A SysOps Administrator attempted to deploy an AWS CloudFormation StackSet across multiple AWS accounts. The stack operation failed, and the stack instance status is OUTDATED. What could be a possible cause of this error?


The deployment was run without specifying a CloudFormation template.

The deployment requires multi-factor authentication and a token was not provided.

The deployment is trying to create resources in other accounts in a different region.

The deployment was run with insufficient permissions in the target account.

A

The deployment was run with insufficient permissions in the target account.

149
Q

A team of Analysts requires a specialized Amazon EC2 configuration. The team needs to be able to launch and terminate instances across the company’s AWS accounts but does not wish to configure EC2 settings on their own. The specialized EC2 configuration contains licensed software and must be available for use only by the Analysts.

Which solution should a SysOps Administrator use to allow the Analysts to deploy their workloads with MINIMAL effort?


Create an Amazon Machine Image (AMI) encrypted with an AWS KMS key. Share the encrypted AMI with authorized accounts. Allow the Analysts access to use the KMS key.


Create an AWS Elastic Beanstalk environment. Share the environment across accounts and use IAM policies to enable access for the team of Analysts.


Create an AWS CloudFormation template and use it to create a portfolio in AWS Service Catalog. Grant the Analysts permissions to launch products from the portfolio.


Create an AWS CloudFormation template and configure launch permissions on the AMI used by the template to add the authorized accounts. Share the template in an Amazon S3 bucket.

A

Create an AWS CloudFormation template and use it to create a portfolio in AWS Service Catalog. Grant the Analysts permissions to launch products from the portfolio.

150
Q

An application runs on Amazon EC2 instances in multiple Availability Zones (AZs) behind an internet-facing Application Load Balancer (ALB). A SysOps Administrator needs to track the originating IP address of each application request and the EC2 instance that processes it.

What should the Administrator use to access this information?


VPC Flow Logs

AWS CloudTrail

The ALB access logs

Amazon CloudWatch

A

The ALB access logs

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. The entries include the client:port field, which shows the IP address and port of the requesting client, and the target:port field, which includes the IP address and port of the target that processed the request.

151
Q

A company runs an Amazon Aurora database instance. According to the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer?


Managing network infrastructure for the database.


Provisioning the underlying server hardware.


Executing maintenance, patches, and other updates.


Scheduling maintenance, patches, and other updates.

A

Scheduling maintenance, patches, and other updates.

152
Q

A company has several departments and needs to ensure that each department operates within their own isolated environment. They should also only be able to use AWS services that have been pre-approved.

How can these requirements be met?


Create IAM policies for each department that grant access to specific services and attach them to the user accounts.

Create a catalog of services that are approved for use by each department in AWS Service Catalog.

Use an AWS Organization to create accounts for each department and apply service control policies (SCPs) to control access to pre-approved services.

Create separate Amazon VPCs for each department and restrict access to approved services using IAM roles

A

Use an AWS Organization to create accounts for each department and apply service control policies (SCPs) to control access to pre-approved services.

AWS Organizations can be used to create new accounts programmatically using the Organizations API. This will create an isolated environment for each department. Service Control Policies (SCPs) can then be used to limit the AWS services that the users can use in that account. This enables a pre-approved set of services to be accessible whilst denying access to all others.

153
Q

Each IT staff member in a company uses a unique IAM user account. Permissions are applied to users using IAM policies and IAM groups. The security team has requested that staff members should log in with their on-premises Active Directory user accounts instead of their IAM user accounts when accessing the AWS Management Console.

Which solution can a SysOps Administrator implement to meet the requirements of the security team?


Enable an Active Directory federation in an Amazon Route 53 private zone.

Use the IAM connector to synchronize the on-premises Active Directory.

Implement a two-way trust relationship between AWS IAM and Active Directory.

Implement a VPN tunnel and configure an Active Directory connector.

A

Implement a VPN tunnel and configure an Active Directory connector.

AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:

* Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
* Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
* Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.

This solution will result in users using their on-premises Active Directory user accounts to log in to AWS IAM. They would then be able to access the AWS Management Console.

154
Q

An application uses an Amazon RDS Multi-AZ DB instance. Due to new security compliance requirements a SysOps Administrator needs to encrypt the database.

Which approach can the Administrator take to encrypt the database?


Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.

Use the RDS management console to enable encryption for the database.

Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

Create an encrypted read replica and promote the replica to master.

A

Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.

You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance.

To do this you create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.

155
Q

A company plans to use AWS CloudFormation to deploy their infrastructure using templates. The deployments will include several environments across multiple AWS Regions. A SysOps Administrator plans to write a single template that can be reused for each environment deployment.

What is the recommended way to use AWS CloudFormation to meet this requirement?


Use parameters to provision the resources.

Use cross-stack references to provision the resources.

Use change sets to provision additional environments.

Use nested stacks to provision the resources.

A

Use parameters to provision the resources.

You can use the optional Parameters section to customize your templates. Parameters enable you to input custom values to your template each time you create or update a stack. You use the Ref intrinsic function to reference a parameter, and AWS CloudFormation uses the parameter’s value to provision the stack. You can reference parameters from the Resources and Outputs sections of the same template.

To make templates reusable, parameters can be used together with the Mappings and Conditions sections so that you can customize your stacks when you create them. For example, for your development environments, you can specify a lower-cost instance type compared to your production environment, while all other configurations and settings remain the same.

INCORRECT: “Use nested stacks to provision the resources” is incorrect. Nested stacks are good for defining common patterns for reuse in separate templates. However, to use a single template, use parameters, mappings, and conditions.

156
Q

A company runs an Amazon RDS MySQL DB instance in a production account. Each week a backup of the database must be copied to a separate development account for testing.

What is the MOST cost-effective way to meet this requirement?


Copy an automated RDS snapshot to the development account using the copy-db-snapshot command with the AWS CLI.

Use the Amazon S3 cross-region replication (CRR) to copy the automated backup to the development account.

Create a manual RDS snapshot with the create-db-snapshot CLI command and share it with the development account, then create a copy in the development account.

Create a multi-AZ standby of the RDS database in the development account and take a manual snapshot using the create-db-snapshot AWS CLI command.

A

Create a manual RDS snapshot with the create-db-snapshot CLI command and share it with the development account, then create a copy in the development account.

Using Amazon RDS, you can share a manual DB snapshot in the following ways:

* Sharing a manual DB snapshot, whether encrypted or unencrypted, enables authorized AWS accounts to copy the snapshot.
* Sharing an unencrypted manual DB snapshot enables authorized AWS accounts to directly restore a DB instance from the snapshot instead of taking a copy of it and restoring from that.

You can share a manual snapshot with up to 20 other AWS accounts. You can also share an unencrypted manual snapshot as public, which makes the snapshot available to all AWS accounts.

INCORRECT: “Copy an automated RDS snapshot to the development account using the copy-db-snapshot command with the AWS CLI” is incorrect. You cannot copy an automated DB snapshot.

157
Q

An Amazon EBS volume is attached to an Amazon EC2 instance running a database and is encrypted using AWS KMS customer-managed customer master keys (CMKs). A SysOps Administrator wants to rotate the AWS KMS keys using automatic key rotation and needs to ensure that the EBS volume encrypted with the current key remains readable.

What should be done to accomplish this?


Back up the current KMS data key and enable automatic key rotation.


Create a new data key in KMS and assign the key to Amazon EBS.


Create a new customer master key in KMS and enable rotation.

Enable automatic key rotation of the customer master key in KMS.

A

Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

158
Q

A company uses AWS Service Catalog to manage approved services. A new AWS account has been created and a SysOps Administrator needs to create a replica of the company’s existing AWS infrastructure in the new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources.

What is the MOST efficient way to accomplish this?


Create an AWS CloudFormation template to redeploy the AWS Service Catalog portfolio in the new AWS account

Manually create an AWS Service Catalog portfolio in the new AWS account and recreate the original portfolio.

Run an AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.

Share the AWS Service Catalog portfolio with the other AWS account and import the portfolio into the AWS account.

A

Share the AWS Service Catalog portfolio with the other AWS account and import the portfolio into the AWS account.

159
Q

A website runs on Amazon EC2 instances and uses an Amazon RDS database with the MySQL engine. A caching layer based on Amazon ElastiCache for Redis (cluster mode enabled) is used to improve read performance.

A new product launch is expected to result in a significant traffic increase over the first few days, potentially doubling the load on the website.

What can a SysOps Administrator do to ensure improved read times for users during the event?


Add shards to the existing Redis cluster.

Use Amazon RDS Multi-AZ.

Offload static data to Amazon S3.

Use a message queue to cache data.

A

Horizontal scaling allows you to change the number of node groups (shards) in the replication group by adding or removing node groups (shards). The online resharding process allows scaling in/out while the cluster continues serving incoming requests.

160
Q

A company runs an application on Amazon EC2 instances in a VPC private subnet. The instances must upload objects to an Amazon S3 bucket. The company requires access to the bucket to be restricted to the EC2 instances in the private network and data must not traverse the public network.

What actions should the SysOps Administrator take to meet these requirements?


Create a VPC endpoint for the S3 bucket and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

Create a VPC endpoint for the S3 bucket and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

Create a NAT gateway in the VPC and modify the private subnet route table to route all traffic destined for S3 through the NAT gateway.

Create an AWS VPN tunnel between the VPC private subnet and the Amazon S3 public endpoint.

A

Create a VPC endpoint for the S3 bucket and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.

161
Q

You are attempting to launch EC2 instances in an auto-scaling group, however every time you try, the launch operation fails. Which of the following could be a reason for the failure? [Select all that apply]

The Security Group specified in the launch configuration doesn’t exist

The Key Pair you have specified doesn’t exist

You have hit the default limit for the number of times you can use the Key Pair

The requested instance type is not supported in your Availability Zone

A

The Key Pair you have specified doesn’t exist

The Security Group specified in the launch configuration doesn’t exist

The requested instance type is not supported in your Availability Zone

162
Q

STS (Security Token Service) grants temporary access to AWS resources to users authenticated using which methods?


AWS Rekognition

Cross-Origin Resource Sharing

Cross Account Access

Federation with Web Identity Providers

Active Directory Federation

A

Cross Account Access

Federation with Web Identity Providers

Active Directory Federation

163
Q

A financial organization created a CMK with imported key material. The CMK is used to encrypt the data of a Java web application. To meet the strict security compliance requirements, you must rotate the CMK every 6 months.

Which of the following could help you achieve this requirement?

Rotate the keys automatically by using AWS managed CMK.

Enable automatic key rotation.

In the current CMK, delete the existing key material and import the new key material.

Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key.

A

Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key.

Remember that automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. To meet the strict security compliance requirements, you must rotate the keys manually.