Udemy Exams 1 & 2 Flashcards

1
Q

Which AWS feature can be used to launch a pre-configured Amazon Elastic Compute Cloud (EC2) instance?

a) Amazon AppStream 2.0
b) Amazon Machine Image (AMI)
c) Amazon Elastic Block Store (EBS)
d) Amazon EC2 Systems Manager

A

Explanation
An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI when you launch an instance. You can launch multiple instances from a single AMI when you need multiple instances with the same configuration. You can use different AMIs to launch instances when you need instances with different configurations.

CORRECT: “Amazon Machine Image (AMI)” is the correct answer.

INCORRECT: “Amazon Elastic Block Store (EBS)” is incorrect. EBS is block-based storage for EC2.

INCORRECT: “Amazon EC2 Systems Manager” is incorrect. AWS Systems Manager gives you visibility and control of your infrastructure on AWS.

INCORRECT: “Amazon AppStream 2.0” is incorrect. Amazon AppStream 2.0 is a fully managed non-persistent application and desktop streaming service.

2
Q

A company uses Amazon EC2 instances to run applications that are dedicated to different departments. The company needs to break out the costs of these applications and allocate them to the relevant department. The EC2 instances run in a single VPC.

How can the company achieve these requirements?

a) Add additional Amazon VPCs and launch each application in a separate VPC
b) Create tags by department on the instances and then run a cost allocation report
c) Enable billing access for IAM users and view the costs in Cost Explorer
d) Enable billing alerts through Amazon CloudWatch and Amazon SNS

A

Explanation
The company should create cost allocation tags that specify the department and assign them to resources. These tags must be activated so they are visible in the cost allocation report. Once this is done and a monthly cost allocation report has been configured it will be easy to monitor the costs for each department.

CORRECT: “Create tags by department on the instances and then run a cost allocation report” is the correct answer.

INCORRECT: “Enable billing access for IAM users and view the costs in Cost Explorer” is incorrect. Cost Explorer will not show a breakdown of the costs by department.

INCORRECT: “Enable billing alerts through Amazon CloudWatch and Amazon SNS” is incorrect. A billing alert simply lets you know you have reached a cost threshold.

INCORRECT: “Add additional Amazon VPCs and launch each application in a separate VPC” is incorrect. This will not help as billing is not broken out by VPC so they will not be able to determine the costs per department using this method.

3
Q

Which resource should a new user on AWS use to get help with deploying popular technologies based on AWS best practices, including architecture and deployment instructions?

a) AWS Config
b) AWS Artifact
c) AWS CloudFormation
d) AWS Quick Starts

A

Explanation
Quick Starts are built by Amazon Web Services (AWS) solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability. These accelerators reduce hundreds of manual procedures into just a few steps, so you can build your production environment quickly and start using it immediately.
Each Quick Start includes AWS CloudFormation templates that automate the deployment and a guide that discusses the architecture and provides step-by-step deployment instructions.

CORRECT: “AWS Quick Starts” is the correct answer.

INCORRECT: “AWS CloudFormation” is incorrect. CloudFormation is used to deploy infrastructure from templates, the Quick Starts use CloudFormation.

INCORRECT: “AWS Artifact” is incorrect. Artifact provides on-demand access to AWS security and compliance reports.

INCORRECT: “AWS Config” is incorrect. Config is a service used for compliance relating to the configuration of AWS resources.

4
Q

Which of the following is a sole responsibility of AWS?

a) Customer data access controls
b) Availability Zone management
c) Application deployment
d) Patch management

A

Explanation
According to the shared responsibility model, AWS is responsible for the management of all AWS global infrastructure components including Regions, Availability Zones, Edge locations, Regional Edge Caches, and Local Zones.

CORRECT: “Availability Zone management” is the correct answer.

INCORRECT: “Application deployment” is incorrect. Applications are deployed by customers, not AWS.

INCORRECT: “Patch management” is incorrect. Patch management is a shared responsibility. Customers must patch instances and databases running on EC2 and AWS will patch the underlying infrastructure and some managed services.

INCORRECT: “Customer data access controls” is incorrect. Customers are responsible for implementing access controls for their data.

5
Q

Which of the following AWS services are compute services? (Select TWO.)

a) Amazon EFS
b) Amazon Inspector
c) AWS Elastic Beanstalk
d) AWS CloudTrail
e) AWS Batch

A

Explanation
AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

CORRECT: “AWS Batch” is a correct answer.

CORRECT: “AWS Elastic Beanstalk” is also a correct answer.

INCORRECT: “AWS CloudTrail” is incorrect. CloudTrail is used for auditing.

INCORRECT: “Amazon EFS” is incorrect. The Elastic File System (EFS) is used for storing data and is mounted by EC2 instances.

INCORRECT: “Amazon Inspector” is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

6
Q

A company needs to publish messages to thousands of subscribers simultaneously using a push mechanism.

Which AWS service should the company use?

a) AWS Step Functions
b) Amazon Simple Notification Service (Amazon SNS)
c) Amazon Simple Workflow Service (SWF)
d) Amazon Simple Queue Service (Amazon SQS)

A

Amazon SNS is a publisher/subscriber notification service that uses a push mechanism to publish messages to multiple subscribers. Amazon SNS enables you to send messages or notifications directly to users with SMS text messages to over 200 countries, mobile push on Apple, Android, and other platforms or email (SMTP).

CORRECT: “Amazon Simple Notification Service (Amazon SNS)” is the correct answer.

INCORRECT: “Amazon Simple Queue Service (Amazon SQS)” is incorrect. SQS is a message queue service used for decoupling applications.

INCORRECT: “Amazon Simple Workflow Service (SWF)” is incorrect. SWF is a workflow orchestration service, not a messaging service.

INCORRECT: “AWS Step Functions” is incorrect. AWS Step Functions is a serverless workflow orchestration service for modern applications.

7
Q

Which AWS service provides a managed software version control system?

a) Amazon CodeDeploy
b) AWS CodePipeline
c) AWS CodeCommit
d) AWS DataSync

A

Explanation
AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.
CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.

CORRECT: “AWS CodeCommit” is the correct answer.

INCORRECT: “Amazon CodeDeploy” is incorrect. CodeDeploy is a deployment service that deploys your application onto infrastructure.

INCORRECT: “AWS CodePipeline” is incorrect. CodePipeline is a continuous delivery service that automates release pipelines for code. CodeCommit can be used in a pipeline.

INCORRECT: “AWS DataSync” is incorrect. DataSync is used for replication and migrating data between storage systems and AWS.

8
Q

A Cloud Practitioner requires point-in-time recovery (PITR) for an Amazon DynamoDB table. Who is responsible for configuring and performing backups?

a) The customer is responsible for both tasks
b) AWS is responsible for configuring and the user is responsible for performing backups
c) AWS is responsible for both tasks
d) The customer is responsible for configuring and AWS is responsible for performing backups

A

Explanation
Point-in-time recovery (PITR) provides continuous backups of your DynamoDB table data. When enabled, DynamoDB maintains incremental backups of your table for the last 35 days until you explicitly turn it off. It is a customer responsibility to enable PITR, and AWS is responsible for actually performing the backups.

CORRECT: “The customer is responsible for configuring and AWS is responsible for performing backups” is the correct answer.

INCORRECT: “AWS is responsible for configuring and the user is responsible for performing backups” is incorrect. This is backwards, users are responsible for configuring and AWS is responsible for performing backups.

INCORRECT: “AWS is responsible for both tasks” is incorrect. This is not true as users must configure PITR.

INCORRECT: “The customer is responsible for both tasks” is incorrect. This is not true, AWS perform the backups.

9
Q

A Cloud Practitioner needs a tool that can assist with viewing and managing AWS costs and usage over time. Which tool should the Cloud Practitioner use?

a) AWS Budgets
b) Amazon Inspector
c) AWS Organizations
d) AWS Cost Explorer

A

Explanation
AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time. AWS Cost Explorer provides you with a set of default reports that you can use as the starting place for your analysis. From there, use the filtering and grouping capabilities to dive deeper into your cost and usage data and generate custom insights.

CORRECT: “AWS Cost Explorer” is the correct answer.

INCORRECT: “AWS Budgets” is incorrect. AWS Budgets allows you to set custom budgets to track your cost and usage from the simplest to the most complex use cases.

INCORRECT: “Amazon Inspector” is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

INCORRECT: “AWS Organizations” is incorrect. AWS Organizations allows you to organize accounts, create accounts programmatically, and leverage consolidated billing.

10
Q

Which of the following will help a user determine if they need to request an Amazon EC2 service limit increase?

a) AWS Service Health Dashboard
b) AWS Cost Explorer
c) AWS Trusted Advisor
d) AWS Personal Health Dashboard

A

Explanation
AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor checks help optimize your AWS infrastructure, improve security and performance, reduce your overall costs, and monitor service limits.

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “AWS Personal Health Dashboard” is incorrect. The personal health dashboard shows issues or upcoming events that may impact your resources. It does not notify of service limit breaches.

INCORRECT: “AWS Service Health Dashboard” is incorrect. This dashboard simply shows the current service health and any issues across Regions.

INCORRECT: “AWS Cost Explorer” is incorrect. Cost Explorer is used for viewing costs and will not assist with service limits.

11
Q

Which of the following can an AWS customer use to launch a new ElastiCache cluster? (Select TWO.)

a) AWS Systems Manager
b) AWS Management Console
c) AWS CloudFormation
d) AWS Concierge
e) AWS Data Pipeline

A

Explanation
There are several ways to launch resources in AWS. You can use the AWS Management Console or Command Line Interface (CLI) or you can automate the process by using tools such as AWS CloudFormation.
With AWS CloudFormation you can deploy infrastructure such as Amazon ElastiCache clusters by defining your desired configuration state in code using a template file written in JSON or YAML. CloudFormation will then deploy the resources by creating a Stack according to the template file.

CORRECT: “AWS CloudFormation” is a correct answer.

CORRECT: “AWS Management Console” is also a correct answer.

INCORRECT: “AWS Concierge” is incorrect. The Concierge Support Team is available for customers who have an Enterprise level support plan. This team does not launch resources for you.

INCORRECT: “AWS Systems Manager” is incorrect. Systems Manager will not launch an ElastiCache cluster for you.

INCORRECT: “AWS Data Pipeline” is incorrect. AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services.

12
Q

Which AWS services can a company use to gather information about activity in their AWS account? (Select TWO.)

a) AWS CloudTrail
b) Amazon CloudFront
c) Amazon Connect
d) AWS Trusted Advisor
e) Amazon CloudWatch

A

Explanation
Amazon CloudWatch is a performance monitoring service. AWS services send metrics about their utilization to CloudWatch which collects the metrics. Additionally, CloudWatch collects metrics about account activity such as billing information which can also be viewed.
AWS CloudTrail is an auditing service that monitors API activity in your account. Whenever you perform any operation in the account this results in an API action and this information is recorded to create an audit trail.

CORRECT: “AWS CloudTrail” is a correct answer.

CORRECT: “Amazon CloudWatch” is also a correct answer.

INCORRECT: “Amazon CloudFront” is incorrect. CloudFront is a content delivery network (CDN).

INCORRECT: “AWS Trusted Advisor” is incorrect. This service is used to assist with guidance on provisioning resources according to best practice.

INCORRECT: “Amazon Connect” is incorrect. This is a contact center service.

13
Q

A company is planning to deploy an application with a relational database on AWS. The application layer requires access to the database instance’s operating system in order to run scripts.

The company prefer to keep management overhead to a minimum. Which deployment should be used for the database?

a) Amazon S3
b) Amazon RDS
c) Amazon DynamoDB
d) Amazon EC2

A

Explanation
The company would like to keep management overhead to a minimum so RDS would be good to meet that requirement. However, with RDS you cannot access the operating system so the requirement for running scripts on the OS rules RDS out. Therefore, the next best solution is to deploy on Amazon EC2 instances as the other options presented are unsuitable for a relational database.

CORRECT: “Amazon EC2” is the correct answer.

INCORRECT: “Amazon RDS” is incorrect as the application would not be able to access the OS of the RDS instance to run scripts.

INCORRECT: “Amazon DynamoDB” is incorrect. This is a non-relational database.

INCORRECT: “Amazon S3” is incorrect. This is an object-storage system and is not suitable for running a relational database.

14
Q

Which tasks can a user complete using the AWS Cost Management tools? (Select TWO.)

a) Break down AWS costs by day, service, and linked AWS account
b) Move data stored in Amazon S3 Standard to an archiving storage class to reduce cost
c) Automatically terminate AWS resources if budget thresholds are exceeded
d) Create budgets and receive notifications if current or forecasted usage exceeds the budgets
e) Launch either EC2 Spot instances or On-Demand instances based on the current pricing

A

Explanation
The AWS Cost Management tools include services, tools, and resources to organize and track cost and usage data, enhance control through consolidated billing and access permissions, enable better planning through budgeting and forecasts, and further lower costs with resources and pricing optimizations.

CORRECT: “Break down AWS costs by day, service, and linked AWS account” is a correct answer.

CORRECT: “Create budgets and receive notifications if current or forecasted usage exceeds the budgets” is also a correct answer.

INCORRECT: “Automatically terminate AWS resources if budget thresholds are exceeded” is incorrect. The cost management tools will not do this for you but they could generate an alert which could be processed by another service to terminate resources.

INCORRECT: “Launch either EC2 Spot instances or On-Demand instances based on the current pricing” is incorrect. The cost management tools do not integrate with the tools used to launch EC2 instances and cannot choose the best pricing plan.

INCORRECT: “Move data stored in Amazon S3 Standard to an archiving storage class to reduce cost” is incorrect. This is performed using lifecycle management in Amazon S3, it is not a task performed by cost management tools.

15
Q

A company is deploying an application in the AWS Cloud. How can they secure the application? (Select TWO.)

a) Configure public access for the AWS services used by the application
b) Provide full admin access to developer and operations staff
c) Enable encryption for the application data at rest
d) Limit access privileges according to the principle of least privilege
e) Enable monitoring by turning off encryption for data in transit

A

Explanation
In this scenario the company must apply best practice principles for securing their application. Enabling encryption for data at rest is definitely a good practice and data in transit should also be encrypted where possible. It is also a good practice to limit access privileges according to the principle of least privilege. This means limiting privileges to those required to perform a specific role.

CORRECT: “Enable encryption for the application data at rest” is a correct answer.

CORRECT: “Limit access privileges according to the principle of least privilege” is also a correct answer.

INCORRECT: “Configure public access for the AWS services used by the application” is incorrect. In some cases public access may be required and in that case only the front end service(s) should be configured for public access. Otherwise it would be best to not enable public access.

INCORRECT: “Enable monitoring by turning off encryption for data in transit” is incorrect. There is no need to turn off encryption in transit to enable monitoring and this would reduce security.

INCORRECT: “Provide full admin access to developer and operations staff” is incorrect. This is not a security best practice; it is better to assign permissions according to the principle of least privilege.

16
Q

When running applications in the AWS Cloud, which common tasks can AWS manage on behalf of their customers? (Select TWO.)

a) Taking a backup of a database
b) Patching database software
c) Creating a database schema
d) Application security testing
e) Application source code auditing

A

Explanation
With AWS managed services you can reduce your time spent performing common IT tasks. With services such as Amazon RDS, AWS will patch the database host operating system and database software and perform patch management activities.

CORRECT: “Patching database software” is a correct answer.

CORRECT: “Taking a backup of a database” is also a correct answer.

INCORRECT: “Application source code auditing” is incorrect. AWS does not audit your source code. You can use Amazon CodeGuru for recommendations for improvement though.

INCORRECT: “Creating a database schema” is incorrect. AWS does not create your schema; this is something that’s in the customer’s control.

INCORRECT: “Application security testing” is incorrect. AWS does not perform any security testing of your applications.

17
Q

A company is deploying a new web application in a single AWS Region that will be used by users globally.

Which AWS services will assist with lowering latency and improving transfer speeds for the global users? (Select TWO.)

a) AWS Global Accelerator
b) AWS Transfer Gateway
c) AWS Direct Connect
d) AWS Snowcone
e) Amazon CloudFront

A

Explanation
Amazon CloudFront is a content delivery network (CDN) that caches content around the world for lower latency access. AWS Global Accelerator enables access to your application by leveraging the same Edge Locations as CloudFront and routing connections across the AWS global network.
Both of these services assist with lowering latency and improving transfer speeds for users who are distributed around the world.

CORRECT: “AWS Global Accelerator” is a correct answer.

CORRECT: “Amazon CloudFront” is also a correct answer.

INCORRECT: “AWS Direct Connect” is incorrect. This service provides private connections from data centers to AWS. It is not useful for distributed users as they will not be able to take advantage of it.

INCORRECT: “AWS Transfer Gateway” is incorrect. This service is used for optimizing the network topology of interconnected VPCs and on-premises networks.

INCORRECT: “AWS Snowcone” is incorrect. Snowcone is used as an edge device for transferring data.

18
Q

Which of the following AWS features or services can be used to provide root storage volumes for Amazon EC2 instances?

a) Amazon Elastic Block Store (EBS)
b) Amazon Elastic File System (EFS)
c) Amazon Machine Image
d) Amazon Simple Storage Service (S3)

A

Explanation
The Amazon Elastic Block Store (EBS) provides block-based storage volumes for Amazon EC2 instances. Root volumes are where the operating system is installed and can be either EBS volumes or instance store volumes.

CORRECT: “Amazon Elastic Block Store (EBS)” is the correct answer.

INCORRECT: “Amazon Machine Image” is incorrect. An AMI provides the information required to launch an instance including the mapping of EBS volumes.

INCORRECT: “Amazon Elastic File System (EFS)” is incorrect. EFS volumes cannot be used for the root storage volume but can be mounted to store data.

INCORRECT: “Amazon Simple Storage Service (S3)” is incorrect. Amazon S3 buckets cannot be attached to EC2 instances in any way, it is a service that is accessed via a REST API.

19
Q

A company is launching a new website which is expected to have highly variable levels of traffic. The website will run on Amazon EC2 and must be highly available.

What is the MOST cost-effective approach?

a) Use the AWS CLI to launch and terminate Amazon EC2 instances to match demand
b) Determine the highest expected traffic and use an appropriate instance type
c) Create an Amazon EC2 Auto Scaling group and configure an Elastic Load Balancer
d) Launch the website using an Amazon EC2 instance running on a dedicated host

A

Explanation
The most cost-effective approach for ensuring the website is highly available on Amazon EC2 instances is to use an Auto Scaling group. This will ensure that the appropriate number of instances is always available to service the demand. An Elastic Load Balancer can be placed in front of the instances to distribute incoming connections.

CORRECT: “Create an Amazon EC2 Auto Scaling group and configure an Elastic Load Balancer” is the correct answer.

INCORRECT: “Use the AWS CLI to launch and terminate Amazon EC2 instances to match demand” is incorrect. This is a manual approach and would not be recommended.

INCORRECT: “Determine the highest expected traffic and use an appropriate instance type” is incorrect. This approach will result in the company overpaying when the demand is low.

INCORRECT: “Launch the website using an Amazon EC2 instance running on a dedicated host” is incorrect. This is an expensive solution as dedicated hosts are very costly and should only be used when physical isolation of resources or host visibility is required.

20
Q

Which design principles are enabled by the AWS Cloud to improve the operation of workloads? (Select TWO.)

a) Loose coupling
b) Remove single points of failure
c) Minimize platform design
d) Customized hardware
e) Minimum viable product

A

Explanation
Loose coupling is when you break systems down into smaller components that are loosely coupled together. This reduces interdependencies between system components. This is achieved in the cloud using message buses, notification and messaging services.
Removing single points of failure ensures fault tolerance and high availability. This is easily achieved in the cloud as the architecture and features of the cloud support the implementation of highly available and fault tolerant systems.

CORRECT: “Loose coupling” is a correct answer.

CORRECT: “Remove single points of failure” is also a correct answer.

INCORRECT: “Customized hardware” is incorrect. You cannot customize hardware in the cloud.

INCORRECT: “Minimize platform design” is incorrect. This is not an operational advantage for workloads in the cloud.

INCORRECT: “Minimum viable product” is incorrect. This is not an operational advantage for workloads in the cloud.

21
Q

Which AWS service or feature can assist with protecting a website that is hosted outside of AWS?

a) Amazon VPC network ACLs
b) AWS Web Application Firewall (WAF)
c) Amazon VPC route tables
d) Amazon EC2 security groups

A

Explanation
AWS WAF can be used to protect on-premises resources if they are deployed behind an Application Load Balancer (ALB). In this scenario the on-premises website servers are added to a target group by IP address. The ALB has a WAF WebACL attached to it and distributes connections to the on-premises website.

CORRECT: “AWS Web Application Firewall (WAF)” is the correct answer.

INCORRECT: “Amazon VPC route tables” is incorrect. A route table cannot be used for protecting resources running outside AWS.

INCORRECT: “Amazon EC2 security groups” is incorrect. Security groups can only be attached to EC2 instances.

INCORRECT: “Amazon VPC network ACLs” is incorrect. Network ACLs only filter traffic entering and leaving a VPC subnet.

22
Q

Which AWS service can a team use to deploy infrastructure on AWS using familiar programming languages?

a) AWS Config
b) AWS CodeCommit
c) Amazon CodeGuru
d) AWS Cloud Development Kit (AWS CDK)

A

Explanation
The AWS Cloud Development Kit (AWS CDK) is an open source software development framework to define cloud application resources using familiar programming languages. With AWS CDK you can stick to using programming languages that are familiar to you and have infrastructure deployed using AWS CloudFormation.

CORRECT: “AWS Cloud Development Kit (AWS CDK)” is the correct answer.

INCORRECT: “Amazon CodeGuru” is incorrect. CodeGuru is used to review code and provide intelligent recommendations for improvement.

INCORRECT: “AWS Config” is incorrect. AWS Config is used for configuration compliance management.

INCORRECT: “AWS CodeCommit” is incorrect. CodeCommit is a fully-managed source control service.

23
Q

What advantages does a database administrator obtain by using the Amazon Relational Database Service (RDS)?

a) RDS enables users to dynamically adjust CPU and RAM resources
b) RDS provides 99.99999999999% reliability and durability
c) RDS simplifies relational database administration tasks
d) RDS databases automatically scale based on load

A

Explanation
Amazon RDS is a managed relational database service on which you can run several types of database software. The service is managed so this reduces the database administration tasks an administrator would normally undertake. The managed service includes hardware provisioning, database setup, patching and backups.

CORRECT: “RDS simplifies relational database administration tasks” is the correct answer.

INCORRECT: “RDS databases automatically scale based on load” is incorrect. This is not true, storage auto scaling is possible but for compute it scales by changing instance type (manual).

INCORRECT: “RDS provides 99.99999999999% reliability and durability” is incorrect. This is not true of Amazon RDS.

INCORRECT: “RDS enables users to dynamically adjust CPU and RAM resources” is incorrect. You cannot adjust CPU and RAM dynamically, you must change the instance type and reboot the database instance.

24
Q

A company has many underutilized compute resources on-premises. Which AWS Cloud feature will help resolve this issue?

a) Elasticity
b) High availability
c) Fault tolerance
d) Global deployment

A

Explanation
Elasticity can resolve the issue of underutilization as you can easily and automatically adjust the resource allocations for your compute resources based on actual utilization. This ensures that you have the right amount of resources and do not pay for more than you need.

CORRECT: “Elasticity” is the correct answer.

INCORRECT: “High availability” is incorrect. This does not help with resolving underutilization.

INCORRECT: “Fault tolerance” is incorrect. This does not help with resolving underutilization.

INCORRECT: “Global deployment” is incorrect. This does not help with resolving underutilization.

25
Q

A company plans to use reserved instances to get discounted pricing for Amazon EC2 instances. The company may need to change the EC2 instance type during the one year period.

Which instance purchasing option is the MOST cost-effective for this use case?

a) Zonal Reserved Instances
b) Standard Reserved Instances
c) Regional Reserved Instances
d) Convertible Reserved Instances

A

Explanation
A convertible reserved instance enables you to exchange one or more Convertible Reserved Instances for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy.

CORRECT: “Convertible Reserved Instances” is the correct answer.

INCORRECT: “Standard Reserved Instances” is incorrect. With standard RIs you cannot change the instance type but you can change the instance size.

INCORRECT: “Regional Reserved Instances” is incorrect. Regional RIs apply to instance usage within any AZ in a specified Region.

INCORRECT: “Zonal Reserved Instances” is incorrect. Zonal RIs apply to instance usage within a specific AZ within an AWS Region.

26
Q

A company is migrating a monolithic application that does not scale well into the cloud and refactoring it into a microservices architecture.

Which best practice of the AWS Well-Architected Framework does this plan relate to?

a) Stop spending money on undifferentiated heavy lifting.

b) Implement loosely coupled services.

c) Manage change in automation.

d) Use multiple solutions to improve performance.

A

Explanation
A microservices architecture will help ensure that each component of the application can scale independently and be updated independently. Loose coupling further assists as it reduces the dependencies between systems and ensures that messages and data being passed between application components can be reliably and durably stored.

CORRECT: “Implement loosely coupled services” is the correct answer.

INCORRECT: “Stop spending money on undifferentiated heavy lifting” is incorrect. This is not the best practice being implemented by the company.

INCORRECT: “Manage change in automation” is incorrect. This is not the best practice being implemented by the company.

INCORRECT: “Use multiple solutions to improve performance” is incorrect. This is not the best practice being implemented by the company.

27
Q

What is the best practice for managing AWS IAM access keys?

a) Customers should rotate access keys regularly.

b) Never use access keys, always use IAM roles.

c) There is no need to manage access keys.

d) AWS rotate access keys on a schedule.

A

Explanation
It is a security best practice to rotate access keys regularly. This practice ensures that if access keys are compromised the security exposure is mitigated.

CORRECT: “Customers should rotate access keys regularly” is the correct answer.

INCORRECT: “There is no need to manage access keys” is incorrect. This is not true; you must rotate access keys.

INCORRECT: “AWS rotate access keys on a schedule” is incorrect. AWS do not rotate your access keys.

INCORRECT: “Never use access keys, always use IAM roles” is incorrect. It is often better and more secure to use IAM roles for some uses but it is certainly not the case that you should never use access keys.

28
Q
An Amazon Virtual Private Cloud (VPC) can include multiple:
​
a) Internet gateways.
​
b) Edge locations.
​
c) Availability Zones.
​
d) AWS Regions.
A

Explanation
An Amazon VPC includes multiple Availability Zones. Within a VPC you can create subnets in each AZ that is available in the Region and distribute your resources across these subnets for high availability.

CORRECT: “Availability Zones” is the correct answer.

INCORRECT: “AWS Regions” is incorrect. A VPC cannot include multiple Regions.

INCORRECT: “Edge locations” is incorrect. A VPC cannot include multiple Edge locations as these are independent of the Regions in which a VPC is created.

INCORRECT: “Internet gateways” is incorrect. You can only attach one Internet gateway to each VPC.

29
Q
A company is deploying an application on Amazon EC2 that requires low-latency access to application components in an on-premises data center. Which AWS service or resource can the company use to extend their existing VPC to the on-premises data center?
​
a) AWS Direct Connect
​
b) AWS Outposts
​
c) Amazon Workspaces
​
d) Amazon Connect
A

Explanation
AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. With AWS Outposts you can extend your VPC into the on-premises data center as in the following diagram:

CORRECT: “AWS Outposts” is the correct answer.

INCORRECT: “Amazon Connect” is incorrect. Amazon Connect provides a seamless omnichannel experience through a single unified contact center for voice, chat, and task management.

INCORRECT: “AWS Direct Connect” is incorrect. Direct Connect is used for creating a low-latency private connection to an on-premises data center but it cannot be used to extend the VPC.

INCORRECT: “Amazon Workspaces” is incorrect. Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution.

30
Q
A Cloud Practitioner anticipates an increase in application traffic at a future date and time when a sales event will take place. How can the Cloud Practitioner configure Amazon EC2 Auto Scaling to ensure the right number of Amazon EC2 instances are available ahead of the event?
​
a) Configure a target tracking scaling policy.
​
b) Configure predictive scaling.
​
c) Configure a step scaling policy.
​
d) Configure a scheduled scaling policy.
A

Explanation
Scheduled scaling helps you to set up your own scaling schedule according to predictable load changes. For example, let’s say that every week the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can configure a schedule for Amazon EC2 Auto Scaling to increase capacity on Wednesday and decrease capacity on Friday.

CORRECT: “Configure a scheduled scaling policy” is the correct answer.

INCORRECT: “Configure predictive scaling” is incorrect. Predictive scaling uses daily and weekly trends to determine when to scale. In this case the Cloud Practitioner knows about the event that will require more resources.

INCORRECT: “Configure a target tracking scaling policy” is incorrect. This policy will cause the ASG to attempt to keep resource utilization at the target value.

INCORRECT: “Configure a step scaling policy” is incorrect. Step scaling will launch resources in response to demand; this will not ensure the resources are ready at the right time as there will be a delay.

31
Q
A website has a global customer base and users have reported poor performance when connecting to the site.
Which AWS service will improve the customer experience by reducing latency?
​
a) Amazon EC2 Auto Scaling
​
b) AWS Direct Connect
​
c) Amazon ElastiCache
​
d) Amazon CloudFront
A

Explanation
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.

CORRECT: “Amazon CloudFront” is the correct answer.

INCORRECT: “AWS Direct Connect” is incorrect. Direct Connect is a private network connection between an on-premises data center and AWS.

INCORRECT: “Amazon EC2 Auto Scaling” is incorrect. Auto Scaling launches and terminates instances; this does not reduce latency for global users.

INCORRECT: “Amazon ElastiCache” is incorrect. ElastiCache is a database caching service, it is not used to cache websites.

32
Q
How much data can a company store in the Amazon S3 service?
​
a) 100 TB
​
b) 1 PB
​
c) Virtually unlimited
​
d) 100 PB
A

Explanation
The Amazon Simple Storage Service (S3) offers virtually unlimited storage. The total volume of data and number of objects you can store are unlimited. Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes. The largest object that can be uploaded in a single PUT is 5 gigabytes.

CORRECT: “Virtually unlimited” is the correct answer.

INCORRECT: “1 PB” is incorrect. There is no such limit.

INCORRECT: “100 TB” is incorrect. There is no such limit.

INCORRECT: “100 PB” is incorrect. There is no such limit.

33
Q

A user is planning to launch three EC2 instances behind a single Elastic Load Balancer. The deployment should be highly available.

a) Launch the instances as EC2 Spot Instances in the same AWS Region and the same Availability Zone.

b) Launch the instances across multiple Availability Zones in a single AWS Region.

c) Launch the instances in multiple AWS Regions, and use Elastic IP addresses.

d) Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different Availability Zones.

A

Explanation
To make the deployment highly available the user should launch the instances across multiple Availability Zones in a single AWS Region. Elastic Load Balancers can only serve targets in a single Region so it is not possible to deploy across Regions.

CORRECT: “Launch the instances across multiple Availability Zones in a single AWS Region” is the correct answer.

INCORRECT: “Launch the instances as EC2 Spot Instances in the same AWS Region and the same Availability Zone” is incorrect. The pricing model is not relevant to high availability and deploying in a single AZ does not result in a highly available deployment.

INCORRECT: “Launch the instances in multiple AWS Regions, and use Elastic IP addresses” is incorrect. You cannot use an ELB with instances in multiple Regions and using an EIP does not help.

INCORRECT: “Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different Availability Zones” is incorrect. Using reserved instances may not be appropriate as we do not know whether this is going to be a long-term workload or not.

34
Q
Which AWS service can a company use to discover and protect sensitive data that is stored in Amazon S3 buckets?
​
a) AWS Policy Generator
​
b) Amazon Detective
​
c) Amazon GuardDuty
​
d) Amazon Macie
A

Explanation
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data.
Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations.
Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).

CORRECT: “Amazon Macie” is the correct answer.

INCORRECT: “Amazon GuardDuty” is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

INCORRECT: “AWS Policy Generator” is incorrect. The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.

INCORRECT: “Amazon Detective” is incorrect. Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity.

35
Q

A large company is interested in avoiding long-term contracts and moving from fixed costs to variable costs.

What is the value proposition of AWS for this company?
​
a) Economies of scale
​
b) Automated cost optimization
​
c) Volume pricing discounts
​
d) Pay-as-you-go pricing
A

Explanation
Pay-as-you-go pricing helps companies move away from fixed costs to variable costs in a model in which they only pay for what they actually use. There are no fixed term contracts with AWS so that requirement is also met.

CORRECT: “Pay-as-you-go pricing” is the correct answer.

INCORRECT: “Economies of scale” is incorrect. You do get good pricing because of the economies of scale leveraged by AWS. However, the value proposition for companies wishing to avoid fixed costs is pay-as-you-go pricing. This flexibility can be more important in some cases than the actual cost per unit.

INCORRECT: “Volume pricing discounts” is incorrect. This is not the value proposition for this company as they are seeking to avoid long-term contracts and fixed costs, not to achieve a discount.

INCORRECT: “Automated cost optimization” is incorrect. This is not a feature that relates to the value proposition for this customer.

36
Q
How does the AWS cloud increase the speed and agility of execution for customers? (Select TWO.)
​
a) Private connections to data centers
​
b) Fast provisioning of resources
​
c) Scalable compute capacity
​
d) Secured data centers
​
e) Lower cost of deployment
A

Explanation
The ability to quickly provision resources on AWS is a good example of speed and agility. On AWS the resources are readily available and can be deployed extremely quickly. Scalable compute capacity is another example as it gives you the agility to easily reconfigure your resources with more or less capacity as is required.

CORRECT: “Fast provisioning of resources” is a correct answer.

CORRECT: “Scalable compute capacity” is also a correct answer.

INCORRECT: “Private connections to data centers” is incorrect. A private connection to a data center is not an example of speed and agility.

INCORRECT: “Secured data centers” is incorrect. Secured data centers are not an example of speed and agility.

INCORRECT: “Lower cost of deployment” is incorrect. This is not an example of speed and agility.

37
Q

Which of the following represents a value proposition for using the AWS Cloud?

a) Customers can request specialized hardware.

b) AWS is responsible for securing your applications.

c) AWS provides full access to their data centers.

d) It is not necessary to enter into long term contracts.

A

Explanation
With AWS you can pay for what you use and there is no requirement to enter into long term contracts. However, there are opportunities to gain large discounts by committing to 1- or 3-year contracts for reserved instances and savings plans.

CORRECT: “It is not necessary to enter into long term contracts” is the correct answer.

INCORRECT: “AWS is responsible for securing your applications” is incorrect. AWS does not secure your applications.

INCORRECT: “Customers can request specialized hardware” is incorrect. This is not true; you have no say in what hardware AWS utilize.

INCORRECT: “AWS provides full access to their data centers” is incorrect. This is never the case; you cannot access the AWS data centers.

38
Q

For what purpose would a Cloud Practitioner access AWS Artifact?

a) Download configuration details for all AWS resources.

b) Gain access to AWS security and compliance documents.

c) Access training materials for AWS services.

d) Create a security assessment report for AWS services.

A

Explanation
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

CORRECT: “Gain access to AWS security and compliance documents” is the correct answer.

INCORRECT: “Download configuration details for all AWS resources” is incorrect. Artifact does not provide this capability.

INCORRECT: “Access training materials for AWS services” is incorrect. Artifact does not provide training materials.

INCORRECT: “Create a security assessment report for AWS services” is incorrect. Artifact cannot be used for this purpose.

39
Q

A company is planning to move a number of legacy applications to the AWS Cloud. The solution must be cost-effective. Which approach should the company take?

a) Rehost the applications on Amazon EC2 instances that are right-sized.

b) Use AWS Lambda to host the legacy applications in the cloud.

c) Migrate the applications to dedicated hosts on Amazon EC2.

d) Use an Amazon S3 static website to host the legacy application code.

A

Explanation
The most cost-effective solution that works is to use Amazon EC2 instances that are right-sized with the optimal instance types. Right-sizing is the process of ensuring that the instance type selected for each application provides the right amount of resources for the application.

CORRECT: “Rehost the applications on Amazon EC2 instances that are right-sized” is the correct answer.

INCORRECT: “Migrate the applications to dedicated hosts on Amazon EC2” is incorrect. Dedicated hosts are expensive and there is no need to use them with this solution.

INCORRECT: “Use AWS Lambda to host the legacy applications in the cloud” is incorrect. It is unlikely that you can simply host legacy applications using AWS Lambda.

INCORRECT: “Use an Amazon S3 static website to host the legacy application code” is incorrect. You cannot host legacy application code in an S3 static website, only static content is possible.

40
Q
An individual IAM user must be granted access to an Amazon S3 bucket using a bucket policy. Which element in the S3 bucket policy should be updated to define the user account for which access will be granted?
​
a) Principal
​
b) Resource
​
c) Condition
​
d) Action
A

Explanation
The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. The bucket policy below has a Principal element set to * which is a wildcard meaning any user. To grant access to a specific IAM user the following format can be used:
"Principal":{"AWS":"arn:aws:iam::AWSACCOUNTNUMBER:user/username"}

CORRECT: “Principal” is the correct answer.

INCORRECT: “Action” is incorrect. Actions are the permissions that you can specify in a policy.

INCORRECT: “Resource” is incorrect. Resources are the ARNs of resources you wish to specify permissions for.

INCORRECT: “Condition” is incorrect. Conditions define certain conditions to apply when granting permissions such as the source IP address of the caller.

41
Q

An application uses a PostgreSQL database running on a single Amazon EC2 instance. A Cloud Practitioner has been asked to increase the availability of the database so there is automatic recovery in the case of a failure.

Which tasks can the Cloud Practitioner take to meet this requirement?

a) Migrate the database to Amazon RDS and enable the Multi-AZ feature.

b) Configure an Elastic Load Balancer in front of the EC2 instance.

c) Configure EC2 Auto Recovery to move the instance to another Region.

d) Set the DeleteOnTermination value to false for the EBS root volume.

A

Explanation
Moving the database to Amazon RDS means that the database can take advantage of the built-in Multi-AZ feature. This feature creates a standby instance in another Availability Zone and synchronously replicates to it. In the event of a failure that affects the primary database an automatic failover can occur and the database will become functional on the standby instance.

CORRECT: “Migrate the database to Amazon RDS and enable the Multi-AZ feature” is the correct answer.

INCORRECT: “Configure an Elastic Load Balancer in front of the EC2 instance” is incorrect. You cannot use an ELB to distribute traffic to a database and with a single instance there’s no benefit here at all.

INCORRECT: “Configure EC2 Auto Recovery to move the instance to another Region” is incorrect. The auto recovery feature of EC2 automatically moves the instance to another host, not to another Region.

INCORRECT: “Set the DeleteOnTermination value to false for the EBS root volume” is incorrect. This will simply preserve the root volume; it will not perform automatic recovery.

42
Q

A company is deploying a MySQL database on AWS. The database must easily scale and have automatic backup enabled.

Which AWS service should the company use?
​
a) Amazon Athena
​
b) Amazon DynamoDB
​
c) Amazon DocumentDB
​
d) Amazon Aurora
A

Explanation
Amazon Aurora is a relational database that is compatible with MySQL and PostgreSQL database engines. Aurora is extremely fast and scales up to 128 TB. You can also deploy replicas for read scaling within and across Regions. Aurora also offers automated backups.

CORRECT: “Amazon Aurora” is the correct answer.

INCORRECT: “Amazon DynamoDB” is incorrect. DynamoDB is a NoSQL (non-relational) database and you cannot deploy a MySQL database as it is a relational database type.

INCORRECT: “Amazon Athena” is incorrect. Athena is used for querying data in Amazon S3 using SQL.

INCORRECT: “Amazon DocumentDB” is incorrect. DocumentDB is a NoSQL database that supports document data structures.

43
Q

Customers using AWS services must patch operating systems on which of the following services?

a) Amazon EC2

b) AWS Lambda
​
c) Amazon DynamoDB
​
d) AWS Fargate
A

Explanation
Amazon EC2 is an infrastructure as a service (IaaS) solution. This means the underlying hardware and software layer for running a virtual server are managed for you. As a customer you must then manage the operating system and any software you install. This includes installing patches on the operating system as part of regular maintenance activities.

CORRECT: “Amazon EC2” is the correct answer.

INCORRECT: “AWS Lambda” is incorrect. This is a serverless service and you do not need to manage patches.

INCORRECT: “AWS Fargate” is incorrect. This is a serverless service and you do not need to manage patches.

INCORRECT: “Amazon DynamoDB” is incorrect. This is a serverless service and you do not need to manage patches.

44
Q
A company is designing a new service that must align with the operational excellence pillar of the AWS Well-Architected Framework.
Which design principles should the company follow? (Select TWO.)
​
a) Perform operations as code.
​
b) Perform manual operations.
​
c) Create static operational procedures.
​
d) Make large-scale changes.
​
e) Anticipate failure.
A

Explanation
AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. There are 5 pillars and under the operational excellence pillar the following best practices are recommended:
• Perform operations as code
• Make frequent, small, reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all operational failures

CORRECT: “Anticipate failure” is a correct answer.

CORRECT: “Perform operations as code” is also a correct answer.

INCORRECT: “Make large-scale changes” is incorrect. This is not an operational best practice.

INCORRECT: “Perform manual operations” is incorrect. This is not an operational best practice.

INCORRECT: “Create static operational procedures” is incorrect. This is not an operational best practice.

45
Q

A company is deploying a new workload and software licensing requirements dictate that the workload must be run on a specific, physical server.

Which Amazon EC2 instance deployment option should be used?

a) Dedicated Hosts

b) Reserved Instances
​
c) Dedicated Instances
​
d) Spot Instances
A

Explanation
An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements. Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS.

CORRECT: “Dedicated Hosts” is the correct answer.

INCORRECT: “Dedicated Instances” is incorrect. With dedicated instances you are not given a specific physical server to run your instances on.

INCORRECT: “Spot Instances” is incorrect. This deployment option does not provide a specific physical server.

INCORRECT: “Reserved Instances” is incorrect. This deployment option does not provide a specific physical server.

46
Q
Which benefits can a company gain by deploying a relational database on Amazon RDS instead of Amazon EC2? (Select TWO.)
​
a) Indexing of tables
​
b) Software patching
​
c) Automated backups
​
d) Schema management
​
e) Root access to OS
A

Explanation
Two of the benefits of using a managed Amazon RDS service instead of a self-managed database on EC2 are that you get automated backups and automatic software patching.

CORRECT: “Automated backups” is a correct answer.

CORRECT: “Software patching” is also a correct answer.

INCORRECT: “Schema management” is incorrect. This is not a feature of the managed service.

INCORRECT: “Indexing of tables” is incorrect. This is not a feature of the managed service.

INCORRECT: “Root access to OS” is incorrect. You do not get root access to an RDS instance’s operating system.

47
Q
A Cloud Practitioner is developing a new application and wishes to integrate features of AWS services directly into the application.
Which of the following is the BEST tool for this purpose?
​
a) AWS CodeDeploy
​
b) AWS Command Line Interface (CLI)
​
c) AWS CodePipeline
​
d) AWS Software Development Kit
A

Explanation
A software development kit (SDK) is a collection of software development tools in one installable package. AWS provide SDKs for various programming languages and these can be used for integrating the features of AWS services directly into an application.

CORRECT: “AWS Software Development Kit” is the correct answer.

INCORRECT: “AWS Command Line Interface (CLI)” is incorrect. The AWS CLI is used for running commands but is not the best tool for integrating features of AWS services directly into an application.

INCORRECT: “AWS CodeDeploy” is incorrect. CodeDeploy is used for deploying code from a code repository and actually installing the application.

INCORRECT: “AWS CodePipeline” is incorrect. CodePipeline is used for automating the code release lifecycle.

48
Q
AWS are able to continually reduce their pricing due to:
​
a) Pay-as-you go pricing.
​
b) Economies of scale.
​
c) Elastic compute services.
​
d) Compute savings plans.
A

Explanation
By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay as-you-go prices.

CORRECT: “economies of scale” is the correct answer.

INCORRECT: “pay-as-you go pricing” is incorrect. This is a benefit to the customer but is not the reason the actual unit prices are continually being reduced.

INCORRECT: “elastic compute services” is incorrect. Elasticity is useful for scaling your resources and aligning costs with demand but is not why AWS prices are being lowered.

INCORRECT: “compute savings plans” is incorrect. This is another feature you can take advantage of for bigger discounts but is not the reason for prices being lowered.

49
Q

Which of the following are valid benefits of using the AWS Cloud? (Select TWO.)

a) Total control over data center infrastructure.

b) Outsource all application development to AWS.

c) Ability to go global quickly.

d) Fast provisioning of IT resources.

e) Outsource all operational risk.

A

Explanation
The ability to provision IT resources quickly and easily and also globally are valid benefits of using the AWS cloud. These are covered in AWS’ 6 advantages of cloud which include “Increase speed and agility” and “Go global in minutes”.

CORRECT: “Fast provisioning of IT resources” is a correct answer.

CORRECT: “Ability to go global quickly” is also a correct answer.

INCORRECT: “Outsource all operational risk” is incorrect. You do not outsource all operational risk; you still have to manage risk for the applications you run on AWS.

INCORRECT: “Total control over data center infrastructure” is incorrect. You don’t have any control over data center infrastructure in the AWS Cloud.

INCORRECT: “Outsource all application development to AWS” is incorrect. You must still develop your own applications on the AWS Cloud.

50
Q
Which tasks require the use of the AWS account root user? (Select TWO.)
​
a) Changing payment currency.
​
b) Enabling encryption for S3.
​
c) Changing AWS Support plans.
​
d) Viewing AWS CloudTrail logs.
​
e) Changing the account name.
A

Explanation
Some tasks can only be performed by the root user of an AWS account. This includes changing the account name and changing AWS support plans. For more information view the AWS article referenced below.

CORRECT: “Changing the account name” is a correct answer.

CORRECT: “Changing AWS Support plans” is also a correct answer.

INCORRECT: “Enabling encryption for S3” is incorrect. This does not require root.

INCORRECT: “Viewing AWS CloudTrail logs” is incorrect. This does not require root.

INCORRECT: “Changing payment currency” is incorrect. This does not require root.

51
Q

Which of the following deployments involves the reliability pillar of the AWS Well-Architected Framework?

a) Use CloudFormation to deploy infrastructure

b) Attach a WebACL to a CloudFront distribution

c) Amazon EBS provisioned IOPS volume

d) Amazon RDS Multi-AZ deployment

A

Explanation
An Amazon Relational Database Service (RDS) deployment across multiple availability zones is a good example of using the reliability pillar of the AWS Well-Architected Framework. The specific design principle being followed here is “Automatically recover from failure”.

CORRECT: “Amazon RDS Multi-AZ deployment” is the correct answer.

INCORRECT: “Amazon EBS provisioned IOPS volume” is incorrect. This would be an example of performance efficiency.

INCORRECT: “Attach a WebACL to a CloudFront distribution” is incorrect. This would be an example of using the security pillar.

INCORRECT: “Use CloudFormation to deploy infrastructure” is incorrect. This would be an example of using the operational excellence pillar.

52
Q
Which AWS Cloud service provides recommendations on how to optimize performance for AWS services?
​
a) AWS CloudTrail
​
b) Amazon Inspector
​
c) AWS Trusted Advisor
​
d) Amazon CloudWatch
A

Explanation
AWS Trusted Advisor can improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances.

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “Amazon Inspector” is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

INCORRECT: “Amazon CloudWatch” is incorrect. CloudWatch monitors performance but does not provide recommendations for optimization.

INCORRECT: “AWS CloudTrail” is incorrect. CloudTrail is an auditing service.

53
Q
A company plans to deploy a relational database on AWS. The IT department will perform database administration. Which service should the company use?
​
a) Amazon ElastiCache
​
b) Amazon RedShift
​
c) Amazon EC2
​
d) Amazon DynamoDB
A

Explanation
A self-managed relational database can be installed on Amazon EC2. When using this deployment you can choose the operating system and instance type that suits your needs and then install and manage any database software you require.
The table below helps you to understand when to use different types of database deployment:

CORRECT: “Amazon EC2” is the correct answer.

INCORRECT: “Amazon RedShift” is incorrect. RedShift is a managed data warehouse solution and is better suited to use cases where analytics of data is required.

INCORRECT: “Amazon ElastiCache” is incorrect. ElastiCache is a managed service for in-memory, high-performance caching of database content.

INCORRECT: “Amazon DynamoDB” is incorrect. DynamoDB is a non-relational (NoSQL) type of database.

54
Q

A company has multiple AWS accounts and is using AWS Organizations with consolidated billing. Which advantages will they benefit from? (Select TWO.)

a) They will receive one bill for the accounts in the Organization.

b) They will be automatically enrolled in a business support plan.

c) They will receive a fixed discount for all usage across accounts.

d) The default service limits in all accounts will be increased.

e) They may benefit from lower unit pricing for aggregated usage.

A

Explanation
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts. With consolidated billing you get:
- One bill for multiple accounts.
- Easy tracking of charges across accounts.
- Combined usage across accounts and sharing of volume pricing discounts, reserved instance discounts and savings plans.
- No extra fee.

CORRECT: “They will receive one bill for the accounts in the Organization” is a correct answer.

CORRECT: “They may benefit from lower unit pricing for aggregated usage” is also a correct answer.

INCORRECT: “The default service limits in all accounts will be increased” is incorrect. This is not true; service limit defaults are unaffected.

INCORRECT: “They will receive a fixed discount for all usage across accounts” is incorrect. There is no fixed usage discount applied for consolidated billing.

INCORRECT: “They will be automatically enrolled in a business support plan” is incorrect. This is not true; you must always pay for the business support plan.

55
Q
Which type of credential should a Cloud Practitioner use for programmatic access to AWS resources from the AWS CLI/API?

a) SSH public keys

b) Access keys

c) SSL/TLS certificate

d) User name and password
A

Explanation
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

CORRECT: “Access keys” is the correct answer.

INCORRECT: “SSL/TLS certificate” is incorrect. Certificates are not used by users for authenticating to AWS services.

INCORRECT: “SSH public keys” is incorrect. These are used for connections using the SSH protocol.

INCORRECT: “User name and password” is incorrect. An IAM user name and password can be used for console access but cannot be used with the CLI or API.

56
Q

What is one method of protecting against distributed denial of service (DDoS) attacks in the AWS Cloud?

a) Monitor the Service Health Dashboard.

b) Configure a firewall in front of resources.

c) Use Amazon CloudWatch monitoring.

d) Enable AWS CloudTrail logging.

A

Explanation
Some forms of DDoS mitigation are included automatically with AWS services. You can further improve your DDoS resilience by using an AWS architecture with specific services and by implementing additional best practices. Using a firewall with AWS resources is recommended to reduce the attack surface of your services which can mitigate some DDoS attacks.

CORRECT: “Configure a firewall in front of resources” is the correct answer.

INCORRECT: “Use Amazon CloudWatch monitoring” is incorrect. Performance monitoring will not protect against DDoS.

INCORRECT: “Enable AWS CloudTrail logging” is incorrect. Logging API calls will not protect against DDoS.

INCORRECT: “Monitor the Service Health Dashboard” is incorrect. The service health dashboard is not personalized to your resources so is not useful for monitoring and will not protect against DDoS.

57
Q

What are AWS Identity and Access Management (IAM) access keys used for?

a) Ensuring the integrity of log files.

b) Making programmatic calls to AWS from AWS APIs.

c) Logging in to the AWS Management Console.

d) Enabling encryption in transit for web servers.

A

Explanation
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

CORRECT: “Making programmatic calls to AWS from AWS APIs” is the correct answer.

INCORRECT: “Logging in to the AWS Management Console” is incorrect. You use a user name and password for the management console.

INCORRECT: “Ensuring the integrity of log files” is incorrect. This is not what access keys are used for.

INCORRECT: “Enabling encryption in transit for web servers” is incorrect. SSL/TLS certificates are used for creating encrypted channels using HTTPS.

58
Q
A Cloud Practitioner needs to monitor a new Amazon EC2 instance’s CPU and network utilization. Which AWS service should be used?

a) Amazon CloudWatch

b) Amazon Inspector

c) AWS CloudTrail

d) AWS Systems Manager
A

Explanation
Amazon CloudWatch is a performance monitoring service. AWS services send metrics about their utilization to CloudWatch which collects the metrics. You can then view the results in CloudWatch and configure alarms.

CORRECT: “Amazon CloudWatch” is the correct answer.

INCORRECT: “AWS CloudTrail” is incorrect. CloudTrail is used for auditing, not performance monitoring.

INCORRECT: “Amazon Inspector” is incorrect. Inspector is an automated security service.

INCORRECT: “AWS Systems Manager” is incorrect. Systems Manager is used for managing EC2 instances such as installing patches and software.

59
Q
A user needs to identify underutilized Amazon EC2 instances to reduce costs.
Which AWS service or feature will meet this requirement?

a) AWS Personal Health Dashboard

b) AWS CodeBuild

c) AWS Trusted Advisor

d) AWS Cost Explorer
A

Explanation
AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization, security, fault tolerance, performance, and service limits.
The Trusted Advisor “low utilization Amazon EC2 instances” check examines the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days.

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “AWS CodeBuild” is incorrect. CodeBuild is used for compiling and testing code ahead of deployment.

INCORRECT: “AWS Cost Explorer” is incorrect. Cost Explorer can be used to view itemized costs but you cannot check resource utilization.

INCORRECT: “AWS Personal Health Dashboard” is incorrect. This dashboard will not warn you about underutilization of resources.

60
Q
What can a Cloud Practitioner use to categorize and track AWS costs by project?

a) Multiple accounts

b) Consolidated billing

c) AWS Trusted Advisor

d) Cost Allocation Tags
A

Explanation
Cost allocation tags can be used to tag and categorize your resources and then view the billing in Cost Explorer and the cost allocation report. For example, you can tag your resources by department or project and then view costs attributed to the resources used by those groups.

CORRECT: “Cost Allocation Tags” is the correct answer.

INCORRECT: “AWS Trusted Advisor” is incorrect. This service advises you on best practices for provisioning resources.

INCORRECT: “Consolidated billing” is incorrect. Consolidated billing will give you usage per account but not per project.

INCORRECT: “Multiple accounts” is incorrect. You do not need to split your usage across multiple accounts; you can instead use cost allocation tags.

61
Q

According to the AWS shared responsibility model, which of the following is a responsibility of AWS?

a) Patching software running on Amazon EC2 instances.

b) Updating security group rules to enable connectivity.

c) Updating the firmware on the underlying EC2 hosts.

d) Configuring network ACLs to block malicious attacks.

A

Explanation
AWS are responsible for updating firmware on the physical Amazon EC2 host servers. Customers are then responsible for any patching of the EC2 operating system and any installed software.

CORRECT: “Updating the firmware on the underlying EC2 hosts” is the correct answer.

INCORRECT: “Configuring network ACLs to block malicious attacks” is incorrect. This is a customer responsibility.

INCORRECT: “Patching software running on Amazon EC2 instances” is incorrect. This is a customer responsibility.

INCORRECT: “Updating security group rules to enable connectivity” is incorrect. This is a customer responsibility.

62
Q

Which of the following statements best describes the concept of agility in relation to cloud computing on AWS? (Select TWO.)

a) The ability to experiment quickly.

b) The ability to automatically scale capacity.

c) The speed at which AWS resources can be created.

d) The elimination of wasted capacity.

e) The speed at which AWS rolls out new features.

A

Explanation
In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower.

CORRECT: “The ability to experiment quickly” is a correct answer.

CORRECT: “The speed at which AWS resources can be created” is also a correct answer.

INCORRECT: “The speed at which AWS rolls out new features” is incorrect. This is not a statement that describes agility.

INCORRECT: “The elimination of wasted capacity” is incorrect. This is also known as right-sizing and it is a cost benefit of running in the cloud. It is not a statement that describes agility.

INCORRECT: “The ability to automatically scale capacity” is incorrect. Auto scaling ensures you have the right amount of capacity available.

63
Q

A company runs a batch job on an Amazon EC2 instance and it takes 6 hours to complete. The workload is expected to double in volume each month with a proportional increase in processing time.

What is the most efficient cloud architecture to address the growing workload?

a) Run the batch job on a larger Amazon EC2 instance type with more CPU.

b) Change the Amazon EC2 volume type to a Provisioned IOPS SSD volume.

c) Run the application on a bare metal Amazon EC2 instance.

d) Run the batch workload in parallel across multiple Amazon EC2 instances.

A

Explanation
The most efficient option is to use multiple EC2 instances and distribute the workload across them. This is an example of horizontal scaling and will allow the workload to keep growing in size without any issue and without increasing the overall processing timeframe.

CORRECT: “Run the batch workload in parallel across multiple Amazon EC2 instances” is the correct answer.

INCORRECT: “Run the batch job on a larger Amazon EC2 instance type with more CPU” is incorrect. This may help initially but over time this will not scale well and the workload will take many days to complete.

INCORRECT: “Change the Amazon EC2 volume type to a Provisioned IOPS SSD volume” is incorrect. This will improve the underlying performance of the EBS volume but does not assist with processing (more CPU is needed, i.e. by spreading across instances).

INCORRECT: “Run the application on a bare metal Amazon EC2 instance” is incorrect. Bare metal instances are used for workloads that require access to the hardware feature set (such as Intel VT-x), for applications that need to run in non-virtualized environments for licensing or support requirements, or for customers who wish to use their own hypervisor.

64
Q
A customer needs to determine Total Cost of Ownership (TCO) for a workload that requires physical isolation. Which hosting model should be accounted for?

a) Reserved Instances

b) Dedicated Hosts

c) On-Demand Instances

d) Spot Instances
A

Explanation
An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server.
Note that dedicated hosts can be considered a “hosting model” as it determines the actual underlying infrastructure that is used for running your workload. All of the other answers are simply pricing plans for shared hosting models.

CORRECT: “Dedicated Hosts” is the correct answer.

INCORRECT: “Reserved Instances” is incorrect as this pricing model does not support physical isolation.

INCORRECT: “On-Demand Instances” is incorrect as this pricing model does not support physical isolation.

INCORRECT: “Spot Instances” is incorrect as this pricing model does not support physical isolation.

65
Q

A company must provide access to AWS resources for their employees. Which security practices should they follow? (Select TWO.)

a) Enable multi-factor authentication for users.

b) Create IAM users in different AWS Regions.

c) Disable password policies and management console access.

d) Create IAM Roles and apply them to IAM groups.

e) Create IAM policies based on least privilege principles.

A

Explanation
There are several security best practices for AWS IAM that are listed in the document shared below. Enabling multi-factor authentication is a best practice to require a second factor of authentication when logging in. Another best practice is to grant least privilege access when configuring users and password policies.

CORRECT: “Enable multi-factor authentication for users” is a correct answer.

CORRECT: “Create IAM policies based on least privilege principles” is also a correct answer.

INCORRECT: “Disable password policies and management console access” is incorrect. This is not a security best practice. There is no need to disable management console access and password policies should be used.

INCORRECT: “Create IAM users in different AWS Regions” is incorrect. You cannot create IAM users in different Regions as the IAM service is a global service.

INCORRECT: “Create IAM Roles and apply them to IAM groups” is incorrect. You cannot apply roles to groups; you apply policies to groups.

66
Q
Which AWS service can be used to perform data extract, transform, and load (ETL) operations so you can prepare data for analytics?

a) Amazon QuickSight

b) Amazon S3 Select

c) AWS Glue

d) Amazon Athena

A

Explanation
AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue provides all of the capabilities needed for data integration so that you can start analyzing your data and putting it to use in minutes instead of months.

AWS Glue provides both visual and code-based interfaces to make data integration easier. Users can easily find and access data using the AWS Glue Data Catalog. Data engineers and ETL (extract, transform, and load) developers can visually create, run, and monitor ETL workflows with a few clicks in AWS Glue Studio.

CORRECT: “AWS Glue” is the correct answer.

INCORRECT: “Amazon QuickSight” is incorrect. Amazon QuickSight is a cloud-native, serverless, business intelligence service.

INCORRECT: “Amazon Athena” is incorrect. Amazon Athena is a serverless, interactive query service to query data and analyze big data in Amazon S3 using standard SQL.

INCORRECT: “Amazon S3 Select” is incorrect. This service enables applications to retrieve only a subset of data from an object by using simple SQL expressions.

67
Q

Which of the following security operations tasks must be performed by AWS customers? (Select TWO.)

a) Enabling multi-factor authentication (MFA) for privileged users

b) Installing security updates on EC2 instances

c) Installing security updates for server firmware

d) Issuing data center access keycards

e) Collecting syslog messages from physical firewalls

A

Explanation
The customer is responsible for installing security updates on EC2 instances and enabling MFA. AWS is responsible for security of the physical data center and the infrastructure upon which customer services run.

CORRECT: “Installing security updates on EC2 instances” is a correct answer.

CORRECT: “Enabling multi-factor authentication (MFA) for privileged users” is also a correct answer.

INCORRECT: “Collecting syslog messages from physical firewalls” is incorrect as this is an AWS responsibility.

INCORRECT: “Issuing data center access keycards” is incorrect as this is an AWS responsibility.

INCORRECT: “Installing security updates for server firmware” is incorrect as this is an AWS responsibility.

68
Q
Which cloud architecture design principle is supported by deploying workloads across multiple Availability Zones?

a) Enable elasticity.

b) Automate infrastructure.

c) Design for agility.

d) Design for failure.
A

Explanation
Amazon EC2 instances can be deployed in an Amazon VPC across multiple Availability Zones. You would then typically use an Elastic Load Balancer (ELB) to distribute load between the available instances. This architecture enables high availability: if a single instance fails, or if a failure causes an outage in an entire Availability Zone, the application still has available instances to continue to service demand.

CORRECT: “Design for failure” is the correct answer.

INCORRECT: “Design for agility” is incorrect. This is not an example of agility; it is an example of high availability and fault tolerance.

INCORRECT: “Automate infrastructure” is incorrect. This is not an example of automating.

INCORRECT: “Enable elasticity” is incorrect. This is not an example of elasticity. Elasticity would be enabled by using Amazon EC2 Auto Scaling.

69
Q
Which AWS hybrid storage service enables a user’s on-premises applications to seamlessly use AWS Cloud storage?

a) AWS Direct Connect

b) AWS Backup

c) AWS Storage Gateway

d) Amazon Connect
A

Explanation
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases.
These include moving tape backups to the cloud, reducing on-premises storage with cloud-backed file shares, providing low latency access to data in AWS for on-premises applications, as well as various migration, archiving, processing, and disaster recovery use cases.

CORRECT: “AWS Storage Gateway” is the correct answer.

INCORRECT: “AWS Backup” is incorrect. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services. It is not used for connecting on-premises storage to cloud storage.

INCORRECT: “Amazon Connect” is incorrect. Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost. It has nothing to do with storing data.

INCORRECT: “AWS Direct Connect” is incorrect. AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. It is not related to storage of data.

70
Q
Which AWS services offer compute capabilities? (Select TWO.)

a) Amazon DynamoDB

b) Amazon CloudHSM

c) AWS Lambda

d) Amazon ECS

e) Amazon EFS

A

Explanation
The Amazon Elastic Container Service (ECS) is a compute service that allows you to run Docker containers as tasks on AWS. AWS Lambda is a function as a service offering that provides the ability to run compute functions in response to triggers.

CORRECT: “Amazon ECS” is a correct answer.

CORRECT: “AWS Lambda” is also a correct answer.

INCORRECT: “Amazon DynamoDB” is incorrect. DynamoDB is a database service.

INCORRECT: “Amazon EFS” is incorrect. The Elastic File System (EFS) is a file-based storage system.

INCORRECT: “Amazon CloudHSM” is incorrect. CloudHSM is a service that is used to securely store and manage encryption keys.

71
Q

According to the AWS shared responsibility model, which task is the customer’s responsibility?

a) Maintaining the infrastructure needed to run Amazon DynamoDB.

b) Maintaining Amazon API Gateway infrastructure.

c) Updating the operating system of AWS Lambda instances.

d) Updating the guest operating system on Amazon EC2 instances.

A

Explanation
According to the AWS Shared Responsibility Model, updating Amazon EC2 guest operating systems falls under the area of security “in” the cloud, which is a customer responsibility. With EC2, AWS manage the underlying platform on which EC2 runs but you must launch and manage your operating systems.

CORRECT: “Updating the guest operating system on Amazon EC2 instances” is the correct answer.

INCORRECT: “Maintaining the infrastructure needed to run Amazon DynamoDB” is incorrect. This is a responsibility of AWS.

INCORRECT: “Updating the operating system of AWS Lambda instances” is incorrect. This is a responsibility of AWS.

INCORRECT: “Maintaining Amazon API Gateway infrastructure” is incorrect. This is a responsibility of AWS.

72
Q

A new user is unable to access any AWS services. What is the most likely explanation?

a) The default limit for user logons has been reached

b) The user needs to login with a key pair

c) By default new users are created without access to any AWS services

d) The services are currently unavailable

A

Explanation
By default new users are created with NO access to any AWS services – they can only log in to the AWS console. You must apply permissions to users to allow them to access services.
The recommended way to do this is to organize users into groups and then apply permissions policies to the group.

CORRECT: “By default new users are created without access to any AWS services” is the correct answer.

INCORRECT: “The user needs to login with a key pair” is incorrect. Key pairs are used for programmatic access using the API so they are required for API access only.

INCORRECT: “The services are currently unavailable” is incorrect as it is far more likely that the user just doesn’t have permissions.

INCORRECT: “The default limit for user logons has been reached” is incorrect as there is no limit for user logons.

73
Q

What can a Cloud Practitioner use the AWS Total Cost of Ownership (TCO) Calculator for?

a) Generate reports that break down AWS Cloud compute costs by duration, resource, or tags

b) Enable billing alerts to monitor actual AWS costs compared to estimated costs

c) Estimate a monthly bill for the AWS Cloud resources that will be used

d) Estimate savings when comparing the AWS Cloud to an on-premises environment

A

Explanation
The TCO calculators allow you to estimate the cost savings when using AWS, compared to on-premises, and provide a detailed set of reports that can be used in executive presentations. The calculators also give you the option to modify assumptions that best meet your business needs.

CORRECT: “Estimate savings when comparing the AWS Cloud to an on-premises environment” is the correct answer.

INCORRECT: “Generate reports that break down AWS Cloud compute costs by duration, resource, or tags” is incorrect. This describes the AWS Cost & Usage Report.

INCORRECT: “Estimate a monthly bill for the AWS Cloud resources that will be used” is incorrect. This describes the AWS Pricing Calculator (or Simple Monthly Calculator).

INCORRECT: “Enable billing alerts to monitor actual AWS costs compared to estimated costs” is incorrect. Billing alerts can be enabled using Amazon CloudWatch.

74
Q
How can an organization assess applications for vulnerabilities and deviations from best practice?

a) Use AWS WAF

b) Use AWS Artifact

c) Use AWS Inspector

d) Use AWS Shield
A

Explanation
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices.

CORRECT: “Use AWS Inspector” is the correct answer.

INCORRECT: “Use AWS Artifact” is incorrect. AWS Artifact is your go-to, central resource for compliance-related information that matters to you.

INCORRECT: “Use AWS Shield” is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.

INCORRECT: “Use AWS WAF” is incorrect. AWS Web Application Firewall (WAF) is a firewall service; it is not used for assessing best practice.

75
Q

Which AWS service can be used to host a static website?

a) Amazon EFS

b) Amazon EBS

c) Amazon S3

d) AWS CloudFormation
A

Explanation
You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts.
By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting, but AWS has other resources for hosting dynamic websites.

CORRECT: “Amazon S3” is the correct answer.

INCORRECT: “Amazon EBS” is incorrect as it cannot be used to host a static website.

INCORRECT: “AWS CloudFormation” is incorrect as it cannot be used to host a static website.

INCORRECT: “Amazon EFS” is incorrect as it cannot be used to host a static website.

76
Q
Which AWS dashboard displays relevant and timely information to help users manage events in progress, and provides proactive notifications to help plan for scheduled activities?

a) AWS Trusted Advisor dashboard

b) AWS Personal Health Dashboard

c) Amazon CloudWatch dashboard

d) AWS Service Health Dashboard
A

Explanation
AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources.

The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.

CORRECT: “AWS Personal Health Dashboard” is the correct answer.

INCORRECT: “AWS Service Health Dashboard” is incorrect. This shows the current status of services across regions. However, it does not provide proactive notifications of scheduled activities or guidance of any kind.

INCORRECT: “AWS Trusted Advisor dashboard” is incorrect. AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.

INCORRECT: “Amazon CloudWatch dashboard” is incorrect as this service is used for monitoring performance related information for your infrastructure and resources, not the underlying AWS resources.

77
Q
What can be used to allow an application running on an Amazon EC2 instance to securely store data in an Amazon S3 bucket without using long-term credentials?

a) Amazon Connect

b) AWS Systems Manager

c) AWS IAM access key

d) AWS IAM role
A

Explanation
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.
Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

CORRECT: “AWS IAM role” is the correct answer.

INCORRECT: “AWS Systems Manager” is incorrect. This service manages Amazon EC2 instances.

INCORRECT: “Amazon Connect” is incorrect. This is a contact center service.

INCORRECT: “AWS IAM access key” is incorrect. Access keys are considered long-term credentials and therefore should not be embedded on EC2 instances in code. Using a role is more secure.

78
Q
What are the benefits of using the AWS Managed Services? (Select TWO.)

a) Designed for small businesses

b) Managed applications so you can focus on infrastructure

c) Alignment with ITIL processes

d) Baseline integration with ITSM tools

e) Support for all AWS services

A

Explanation
AWS Managed Services manages the daily operations of your AWS infrastructure in alignment with ITIL processes. AWS Managed Services provides a baseline integration with IT Service Management (ITSM) tools such as the ServiceNow platform.

AWS Managed Services provides ongoing management of your AWS infrastructure so you can focus on your applications. By implementing best practices to maintain your infrastructure, AWS Managed Services helps to reduce your operational overhead and risk.

AWS Managed Services currently supports the 20+ services most critical for Enterprises, and will continue to expand our list of integrated AWS services.

AWS Managed Services is designed to meet the needs of Enterprises that require stringent SLAs, adherence to corporate compliance, and integration with their systems and ITIL®-based processes.

CORRECT: “Alignment with ITIL processes” is a correct answer.

CORRECT: “Baseline integration with ITSM tools” is also a correct answer.

INCORRECT: “Managed applications so you can focus on infrastructure” is incorrect as this is not offered by AWS Managed Services.

INCORRECT: “Designed for small businesses” is incorrect as the service is designed for enterprises.

INCORRECT: “Support for all AWS services” is incorrect as the service does not support all AWS services.

79
Q

According to the shared responsibility model, which security-related task is the responsibility of the customer?

a) Maintaining server-side encryption.

b) Maintaining firewall configurations at a hardware level.

c) Securing servers and racks at AWS data centers.

d) Maintaining physical networking configuration.

A

Explanation
All client-side and server-side encryption is a responsibility of the customer using the AWS Cloud. This can be clearly seen in the shared responsibility model infographic below:

CORRECT: “Maintaining server-side encryption” is the correct answer.

INCORRECT: “Securing servers and racks at AWS data centers” is incorrect. This is an AWS responsibility.

INCORRECT: “Maintaining firewall configurations at a hardware level” is incorrect. This is an AWS responsibility.

INCORRECT: “Maintaining physical networking configuration” is incorrect. This is an AWS responsibility.

80
Q
Which services are involved with security? (Select TWO.)

a) AWS SMS

b) AWS KMS

c) Amazon ELB

d) AWS DMS

e) AWS CloudHSM

A

Explanation
AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

CORRECT: “AWS CloudHSM” is a correct answer.

CORRECT: “AWS KMS” is also a correct answer.

INCORRECT: “AWS DMS” is incorrect. AWS Database Migration Service is used for migration of databases.

INCORRECT: “AWS SMS” is incorrect. AWS Server Migration Service is used for migration of virtual machines.

INCORRECT: “Amazon ELB” is incorrect. Amazon Elastic Load Balancing is used for distributing incoming connections to pools of EC2 instances.

81
Q
A company requires a dashboard for reporting when using a business intelligence solution. Which AWS service can a Cloud Practitioner use?

a) Amazon Kinesis

b) Amazon Athena

c) Amazon QuickSight

d) Amazon Redshift

A

Explanation
Amazon QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service built for the cloud.

QuickSight lets you easily create and publish interactive BI dashboards that include Machine Learning-powered insights.

QuickSight dashboards can be accessed from any device, and seamlessly embedded into your applications, portals, and websites.

CORRECT: “Amazon QuickSight” is the correct answer.

INCORRECT: “Amazon Redshift” is incorrect. Redshift is a data warehouse solution, not a dashboard. You can use QuickSight with Redshift.

INCORRECT: “Amazon Kinesis” is incorrect. This is a service for collecting streaming data.

INCORRECT: “Amazon Athena” is incorrect. Athena is used for running SQL queries on data in Amazon S3.

82
Q
Which of the following are AWS recommended best practices in relation to IAM? (Select TWO.)

a) Grant greatest privilege

b) Assign permissions to users

c) Create individual IAM users

d) Embed access keys in application code

e) Enable MFA for all users

A

Explanation
AWS recommends that you create individual IAM users rather than sharing IAM user accounts.

For extra security, AWS recommends that you require multi-factor authentication (MFA) for all users in your account. For privileged IAM users who are allowed to access sensitive resources or API operations, AWS recommends using U2F or hardware MFA devices.

CORRECT: “Create individual IAM users” is the correct answer.

CORRECT: “Enable MFA for all users” is the correct answer.

INCORRECT: “Assign permissions to users” is incorrect. You should use groups to assign permissions to IAM users and should avoid embedding access keys in application code.

INCORRECT: “Embed access keys in application code” is incorrect. This is against best practice as it is highly insecure.

INCORRECT: “Grant greatest privilege” is incorrect. AWS recommend creating individual IAM users and assigning the least privilege necessary for them to perform their role.

83
Q

Which of the following tasks can a user perform to optimize Amazon EC2 costs? (Select TWO.)

a) Set a budget to limit spending on Amazon EC2 instances using AWS Budgets.

b) Create users in a single Region to reduce the spread of EC2 instances globally.

c) Implement Auto Scaling groups to add and remove instances based on demand.

d) Purchase Amazon EC2 Reserved Instances.

e) Create a policy to restrict IAM users from accessing the Amazon EC2 console.

A

Explanation
Cost optimization can include using Auto Scaling groups to scale the number of EC2 instances according to actual demand. Also, using Amazon EC2 reserved instances for suitable workloads is a good way of optimizing costs over the longer term.

CORRECT: “Implement Auto Scaling groups to add and remove instances based on demand” is a correct answer.

CORRECT: “Purchase Amazon EC2 Reserved Instances” is also a correct answer.

INCORRECT: “Create a policy to restrict IAM users from accessing the Amazon EC2 console” is incorrect. This is not an optimization strategy; it will just prevent access completely which could be going too far.

INCORRECT: “Set a budget to limit spending on Amazon EC2 instances using AWS Budgets” is incorrect. You can use AWS Budgets to notify you of spend but not to actually limit spend.

INCORRECT: “Create users in a single Region to reduce the spread of EC2 instances globally” is incorrect. You cannot create users in a single Region; all IAM users are global.

84
Q
AWS are able to continue to reduce their pricing due to:

a) Pay-as-you-go pricing

b) The AWS global infrastructure

c) Reserved instance pricing

d) Economies of scale

A

Explanation
By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.

CORRECT: “Economies of scale” is the correct answer.

INCORRECT: “The AWS global infrastructure” is incorrect. The global infrastructure is the basis of the AWS platform but it is not the reason prices continue to reduce.

INCORRECT: “Pay-as-you-go pricing” is incorrect. This pricing model is a benefit but not the reason unit prices are reducing.

INCORRECT: “Reserved instance pricing” is incorrect. This pricing model results in savings for customers in specific areas but not the reason for the overall reduction in prices.

85
Q
Which of the following should be used to improve the security of access to the AWS Management Console? (Select TWO.)

a) AWS Certificate Manager

b) AWS Secrets Manager

c) Security group rules

d) AWS Multi-Factor Authentication (AWS MFA)

e) Strong password policies

A

Explanation
For extra security, AWS recommends that you require multi-factor authentication (MFA) for all users in your account. With MFA, users have a device that generates a response to an authentication challenge.
Both the user’s credentials (something you know) and the device-generated response (something you have) are required to complete the sign-in process. If a user’s password or access keys are compromised, your account resources are still secure because of the additional authentication requirement.

Additionally, strong password policies should be used to enforce measures including minimum password length, complexity, and password reuse restrictions.

CORRECT: “AWS Multi-Factor Authentication (AWS MFA)” is a correct answer.

CORRECT: “Strong password policies” is also a correct answer.

INCORRECT: “AWS Secrets Manager” is incorrect. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

INCORRECT: “AWS Certificate Manager” is incorrect. This service is used for creating SSL/TLS certificates for use with HTTPS connections.

INCORRECT: “Security group rules” is incorrect as these are used to restrict traffic to/from your EC2 instances.

86
Q
An eCommerce company plans to use the AWS Cloud to quickly deliver new functionality in an iterative manner, minimizing the time to market.
Which feature of the AWS Cloud provides this functionality?

a) Fault tolerance

b) Cost effectiveness

c) Elasticity

d) Agility

A

Explanation
In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes.

This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower.

CORRECT: “Agility” is the correct answer.

INCORRECT: “Elasticity” is incorrect. Elasticity enables infrastructure to scale based on demand and helps applications perform and be cost effective. It does not reduce time to market.

INCORRECT: “Fault tolerance” is incorrect as this is involved with ensuring applications stay available in the event of a fault.

INCORRECT: “Cost effectiveness” is incorrect. The AWS Cloud can be cost effective but this is not the benefit that allows faster time to market.

87
Q

Which AWS service is used to send both text and email messages from distributed applications?

a) Amazon Simple Queue Service (Amazon SQS)

b) Amazon Simple Notification Service (Amazon SNS)

c) Amazon Simple Email Service (Amazon SES)

d) Amazon Simple Workflow Service (Amazon SWF)

A

Explanation
Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.

Amazon SNS provides topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints for parallel processing, including Amazon SQS queues, AWS Lambda functions, and HTTP/S webhooks.
Additionally, SNS can be used to fan out notifications to end users using mobile push, SMS, and email.

CORRECT: “Amazon Simple Notification Service (Amazon SNS)” is the correct answer.

INCORRECT: “Amazon Simple Email Service (Amazon SES)” is incorrect. This service is used for sending email but not SMS text messages.

INCORRECT: “Amazon Simple Workflow Service (Amazon SWF)” is incorrect. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.

INCORRECT: “Amazon Simple Queue Service (Amazon SQS)” is incorrect. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

88
Q
Which technology can automatically adjust compute capacity as demand for an application increases or decreases?

a) High availability

b) Load balancing

c) Auto Scaling

d) Fault tolerance

A

Explanation
Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet.

You can also use the dynamic and predictive scaling features of EC2 Auto Scaling to add or remove EC2 instances. Dynamic scaling responds to changing demand and predictive scaling automatically schedules the right number of EC2 instances based on predicted demand. Dynamic scaling and predictive scaling can be used together to scale faster.

The image below shows an example where an Auto Scaling group is configured to ensure the average CPU of instances in the ASG does not exceed 60%. An additional instance is being launched as the actual load is 71.5%.

CORRECT: “Auto Scaling” is the correct answer.

INCORRECT: “Load balancing” is incorrect. Load balancing is not about compute capacity but ensuring connections are distributed across multiple instances.

INCORRECT: “Fault tolerance” is incorrect. Fault tolerance is related to the architecture of an application that ensures that the failure of any single component does not affect the application.

INCORRECT: “High availability” is incorrect. High availability ensures the maximum uptime for your application by designing the system to recover from failure.

89
Q

Which AWS service does AWS Snowball Edge natively support?

a) Amazon EC2

b) AWS Database Migration Service (AWS DMS)

c) AWS Trusted Advisor

d) AWS Server Migration Service (AWS SMS)

A

Explanation
You can run Amazon EC2 compute instances hosted on a Snowball Edge with the sbe1, sbe-c, and sbe-g instance types. The sbe1 instance type works on devices with the Snowball Edge Storage Optimized option. The sbe-c instance type works on devices with the Snowball Edge Compute Optimized option. Both the sbe-c and sbe-g instance types work on devices with the Snowball Edge Compute Optimized with GPU option.

CORRECT: “Amazon EC2” is the correct answer.

INCORRECT: “AWS Server Migration Service (AWS SMS)” is incorrect. AWS SMS does not integrate natively with Snowball Edge.

INCORRECT: “AWS Database Migration Service (AWS DMS)” is incorrect. AWS DMS does not integrate natively with Snowball Edge.

INCORRECT: “AWS Trusted Advisor” is incorrect. Trusted Advisor does not integrate natively with Snowball Edge.

90
Q

What should a Cloud Practitioner ensure when designing a highly available architecture on AWS?

a) A single monolithic application component handles all operations.

b) There are enough servers to run at peak load available at all times.

c) Servers have low-latency and high throughput network connectivity.

d) The failure of a single component should not affect the application.

A

Explanation
In a highly available system, the failure of a single component should not affect the application. This means that if a single component such as an application server fails, there should be other application servers available that can seamlessly take over operations and ensure the application continues to operate.

CORRECT: “The failure of a single component should not affect the application” is the correct answer.

INCORRECT: “Servers have low-latency and high throughput network connectivity” is incorrect. It is not necessary for all architectures to have low-latency and high throughput network connectivity and this does not ensure high availability.

INCORRECT: “There are enough servers to run at peak load available at all times” is incorrect. This would be wasteful in terms of resources and cost. There should be enough servers available to handle current load with adequate capacity to operate functionally in the event of a system failure. Additional servers can be launched automatically as the application demand increases.

INCORRECT: “A single monolithic application component handles all operations” is incorrect. This is a bad design practice that reduces the availability of the system, as the failure or update of any individual component can bring the whole system down.

91
Q

A Cloud Practitioner requires a simple method to identify if unrestricted access to resources has been allowed by security groups. Which service can the Cloud Practitioner use?

a) AWS CloudTrail

b) VPC Flow Logs

c) AWS Trusted Advisor

d) Amazon CloudWatch

A

Explanation
AWS Trusted Advisor checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.

The following image shows the results of the security group checks in an AWS account:

CORRECT: “AWS Trusted Advisor” is the correct answer.

INCORRECT: “Amazon CloudWatch” is incorrect. CloudWatch is used for performance monitoring.

INCORRECT: “VPC Flow Logs” is incorrect. VPC Flow Logs are used to capture network traffic information; they will not easily identify unrestricted security groups.

INCORRECT: “AWS CloudTrail” is incorrect. This service is used for auditing API actions.

92
Q
Which service can a Cloud Practitioner use to configure custom cost and usage limits and enable alerts for when defined thresholds are exceeded?

a) AWS Budgets

b) AWS Trusted Advisor

c) Consolidated billing

d) Cost Explorer

A

Explanation
AWS Budgets allows you to set custom budgets to track your cost and usage. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold, or when your actual RI and Savings Plans’ utilization or coverage drops below your desired threshold.

CORRECT: “AWS Budgets” is the correct answer.

INCORRECT: “Consolidated billing” is incorrect. This is associated with AWS Organizations and provides a single bill across multiple member accounts.

INCORRECT: “AWS Trusted Advisor” is incorrect. This service provides guidance on AWS best practices.

INCORRECT: “Cost Explorer” is incorrect. This service is used for exploring the costs incurred within your account.

93
Q

Which of the statements below is correct in relation to Consolidated Billing? (Select TWO.)

a) You receive a single bill for multiple accounts

b) You can combine usage and share volume pricing discounts

c) You are charged a fee per user

d) You pay a fee per linked account

e) You receive one bill per AWS account

A

Explanation
Consolidated billing has the following benefits:

One bill – You get one bill for multiple accounts.

Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.

Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts.

CORRECT: “You receive a single bill for multiple accounts” is a correct answer.

CORRECT: “You can combine usage and share volume pricing discounts” is also a correct answer.

INCORRECT: “You receive one bill per AWS account” is incorrect as you receive a single bill for multiple accounts.

INCORRECT: “You pay a fee per linked account” is incorrect as you do not pay a fee.

INCORRECT: “You are charged a fee per user” is incorrect as you do not pay a fee.

94
Q

Which of the following is an advantage for a company running workloads in the AWS Cloud vs on-premises? (Select TWO.)

a) Less staff time is required to launch new workloads.

b) Increased time to market for new application features.

c) Lower overall utilization of server and storage systems.

d) Increased productivity for application development teams.

e) Higher acquisition costs to support elastic workloads.

A

Explanation
Using AWS cloud services can help development teams to be more productive as they spend less time working on the infrastructure layer as it is provided for them. This additionally means launching new workloads requires less time as you can automate the implementation of the application and there is no underlying hardware layer to configure.

CORRECT: “Less staff time is required to launch new workloads” is a correct answer.

CORRECT: “Increased productivity for application development teams” is also a correct answer.

INCORRECT: “Increased time to market for new application features” is incorrect. AWS services should decrease time to market, not increase time.

INCORRECT: “Higher acquisition costs to support elastic workloads” is incorrect. The acquisition costs should be lower, not higher.

INCORRECT: “Lower overall utilization of server and storage systems” is incorrect. This is not a benefit of moving to the cloud.

95
Q
Which AWS service should a Cloud Practitioner use to establish a secure network connection between an on-premises network and AWS?

a) AWS Mobile Hub

b) AWS Web Application Firewall (WAF)

c) Virtual Private Network

d) Amazon Virtual Private Cloud (VPC)

A

Explanation
AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

CORRECT: “Virtual Private Network” is the correct answer.

INCORRECT: “AWS Mobile Hub” is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services.

INCORRECT: “AWS Web Application Firewall (WAF)” is incorrect. This service is used for protecting against common web exploits.

INCORRECT: “Amazon Virtual Private Cloud (VPC)” is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.

96
Q
A user has limited knowledge of AWS services, but wants to quickly deploy a scalable Node.js application in an Amazon VPC.
Which service should be used to deploy the application?

a) Amazon EC2

b) Amazon LightSail

c) AWS CloudFormation

d) AWS Elastic Beanstalk

A

Explanation
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

CORRECT: “AWS Elastic Beanstalk” is the correct answer.

INCORRECT: “Amazon LightSail” is incorrect. LightSail is a good service to use when you don’t have good knowledge of AWS. However, you cannot deploy a scalable Node.js application into a VPC.

INCORRECT: “AWS CloudFormation” is incorrect. CloudFormation is used for automating the deployment of infrastructure resources in AWS.

INCORRECT: “Amazon EC2” is incorrect. This would require more expertise than using Elastic Beanstalk.

97
Q
A Cloud Practitioner is re-architecting a monolithic application. Which design principles for cloud architecture do AWS recommend? (Select TWO.)

a) Rely on individual components.

b) Implement manual scalability.

c) Implement loose coupling.

d) Design for scalability.

e) Use self-managed servers.

A

Explanation
Dependencies such as queuing systems, streaming systems, workflows, and load balancers are loosely coupled. Loose coupling helps isolate behavior of a component from other components that depend on it, increasing resiliency and agility.

AWS recommend that you architect applications that scale horizontally to increase aggregate workload availability. This scaling should be automatic where possible.

CORRECT: “Implement loose coupling” is a correct answer.

CORRECT: “Design for scalability” is also a correct answer.

INCORRECT: “Implement manual scalability” is incorrect. AWS do not recommend manual processes. Everything should be automated as much as possible.

INCORRECT: “Use self-managed servers” is incorrect. AWS do not recommend using self-managed servers. They do recommend using serverless services if you can.

INCORRECT: “Rely on individual components” is incorrect. This is not a best practice; you should never rely on individual components. It is better to build redundancy into the system so the failure of an individual component does not affect the functioning of the application.

98
Q
Which AWS service protects against common exploits that could compromise application availability, compromise security or consume excessive resources?

a) AWS Shield

b) Network ACL

c) Security Group

d) AWS WAF

A

Explanation
AWS WAF is a web application firewall that protects against common exploits that could compromise application availability, compromise security or consume excessive resources.

CORRECT: “AWS WAF” is the correct answer.

INCORRECT: “AWS Shield” is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.

INCORRECT: “Security Group” is incorrect. Security groups are firewalls applied at the instance level.

INCORRECT: “Network ACL” is incorrect. Network ACLs are firewalls applied at the subnet level.

99
Q
Which benefit of AWS enables companies to replace upfront fixed expenses with variable expenses when using on-demand technology services?

a) High availability

b) Pay-as-you-go pricing

c) Global reach

d) Economies of scale

A

Explanation
Pay-as-you-go pricing is an example of the AWS advantage “Trade capital expense for variable expense”. This is documented in the Six Advantages of Cloud Computing.

Instead of having to invest heavily in data centers and servers before you know how you’re going to use them, you can pay only when you consume computing resources, and pay only for how much you consume.

CORRECT: “Pay-as-you-go pricing” is the correct answer.

INCORRECT: “Economies of scale” is incorrect. This is not an example of replacing fixed expenses with variable expenses. The benefit of economies of scale relates to achieving a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices.

INCORRECT: “Global reach” is incorrect. This is most closely associated with the advantage “Go global in minutes”. With AWS you can easily deploy your application in multiple regions around the world with just a few clicks. This means you can provide lower latency and a better experience for your customers at minimal cost.

INCORRECT: “High availability” is incorrect. High availability is not related to pricing. Instead, it means you can design your applications to be available with minimum downtime even when disruptions occur.

100
Q
A company needs a consistent and dedicated connection between AWS resources and an on-premise system.
Which AWS service can fulfil this requirement?

a) AWS Managed VPN

b) AWS Direct Connect

c) AWS DataSync

d) Amazon Connect

A

Explanation
An AWS Direct Connect connection is a private, dedicated link to AWS. As it does not use the internet, performance is consistent.

The following diagram shows how a corporate data center is connected to AWS using a Direct Connect link via an AWS Direct Connect location:

CORRECT: “AWS Direct Connect” is the correct answer.

INCORRECT: “AWS Managed VPN” is incorrect. This service uses the public internet so it is not a dedicated link and performance will not be consistent.

INCORRECT: “Amazon Connect” is incorrect. Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost.

INCORRECT: “AWS DataSync” is incorrect. AWS DataSync makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx for Windows File Server.

101
Q
An application has highly dynamic usage patterns. Which characteristics of the AWS Cloud make it cost-effective for this type of workload? (Select TWO.)

a) Reliability

b) Pay-as-you-go pricing

c) Strict security

d) High availability

e) Elasticity

A

Explanation
AWS is cost-effective for dynamic workloads because it is elastic, meaning your workload can scale based on demand, and because you only pay for what you use (pay-as-you-go pricing).

CORRECT: “Elasticity” is the correct answer.

CORRECT: “Pay-as-you-go pricing” is the correct answer.

INCORRECT: “High availability” is incorrect. This is not a characteristic that results in cost-effectiveness.

INCORRECT: “Strict security” is incorrect. This is not a characteristic that results in cost-effectiveness.

INCORRECT: “Reliability” is incorrect. This is not a characteristic that results in cost-effectiveness.

102
Q

A Service Control Policy (SCP) is used to manage the maximum available permissions and is associated with which of the following?

Service control policies (SCPs) manage permissions for which of the following?

a) Availability Zones

b) AWS Organizations

c) AWS Global Infrastructure

d) AWS Regions

A

Explanation
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs are associated with AWS Organizations and help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled.

CORRECT: “AWS Organizations” is the correct answer.

INCORRECT: “AWS Global Infrastructure” is incorrect. SCPs are not associated with the AWS Global Infrastructure.

INCORRECT: “AWS Regions” is incorrect. SCPs are not associated with AWS Regions.

INCORRECT: “Availability Zones” is incorrect. SCPs are not associated with Availability Zones.

103
Q

A Cloud Practitioner noticed that IP addresses that are owned by AWS are being used to attempt to flood ports on some of the company’s systems.

To whom should the issue be reported?

a) AWS Partner Network (APN)

b) AWS Technical Account Manager (TAM)

c) AWS Professional Services

d) AWS Trust & Safety team

A

Explanation
If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com. Provide all the necessary information, including logs in plaintext, email headers, and so on, when you submit your request.

CORRECT: “AWS Trust & Safety team” is the correct answer.

INCORRECT: “AWS Professional Services” is incorrect. This is not the correct team.

INCORRECT: “AWS Partner Network (APN)” is incorrect. This is not the correct team.

INCORRECT: “AWS Technical Account Manager (TAM)” is incorrect. This is not the correct team.

104
Q
What are the names of two types of AWS Storage Gateway? (Select TWO.)

a) Cached Gateway

b) Gateway Virtual Tape Library

c) S3 Gateway

d) Block Gateway

e) File Gateway

A

Explanation
The AWS Storage Gateway service enables hybrid storage between on-premises environments and the AWS Cloud. It provides low-latency performance by caching frequently accessed data on premises, while storing data securely and durably in Amazon cloud storage services. AWS Storage Gateway supports three storage interfaces: file, volume, and tape.

File gateway provides a virtual on-premises file server, which enables you to store and retrieve files as objects in Amazon S3.

The volume gateway represents the family of gateways that support block-based volumes, previously referred to as gateway-cached and gateway-stored modes.

Tape Gateway (formerly known as Gateway Virtual Tape Library) is used for backup with popular backup software.

All other answers are bogus and use terms that are associated with Storage Gateways (S3, block, cached).

CORRECT: “File Gateway” is a correct answer.

CORRECT: “Tape Gateway” is also a correct answer.

INCORRECT: “S3 Gateway” is incorrect as explained above.

INCORRECT: “Block Gateway” is incorrect as explained above.

INCORRECT: “Cached Gateway” is incorrect as explained above.

105
Q
A cloud practitioner needs to migrate 70 TB of data from an on-premises data center into the AWS Cloud. The company has a slow and unreliable internet connection.
Which AWS service can the cloud practitioner leverage to transfer the data?

a) AWS DataSync

b) AWS Snowball

c) AWS Storage Gateway

d) Amazon S3 Glacier

A

Explanation
AWS Snowball is a method of transferring the data using a physical device. A Snowball Edge device can hold up to 80 TB so a single device can be used. This transfer method completely avoids the slow and unreliable internet connection.

CORRECT: “AWS Snowball” is the correct answer.

INCORRECT: “Amazon S3 Glacier” is incorrect. Glacier is used for archiving data in the cloud.

INCORRECT: “AWS Storage Gateway” is incorrect. Storage Gateway is a service that offers options for connecting on-premises storage to the cloud.

INCORRECT: “AWS DataSync” is incorrect. DataSync uses the internet to transfer data. You can utilize Snowcone, but that only holds up to 8 TB per device.

106
Q
Which on-premises costs must be included in a Total Cost of Ownership (TCO) calculation when comparing against the AWS Cloud? (Select TWO.)

a) Operating system administration

b) Database schema development

c) Project management services

d) Network infrastructure in the data center

e) Physical compute hardware

A

Explanation
When performing a TCO analysis you must include all costs you are currently incurring in the on-premises environment that you will not pay for in the AWS Cloud. This should include labor costs for activities that will be reduced or eliminated. Labor costs that will continue to be incurred in the cloud need not be included.

CORRECT: “Physical compute hardware” is a correct answer.

CORRECT: “Network infrastructure in the data center” is also a correct answer.

INCORRECT: “Operating system administration” is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud.

INCORRECT: “Project management services” is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud.

INCORRECT: “Database schema development” is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud.

107
Q
Which AWS service can be used to run Docker containers?

a) Amazon ECS

b) Amazon ECR

c) Amazon AMI

d) AWS Lambda
A

Explanation
Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.

CORRECT: “Amazon ECS” is the correct answer.

INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a serverless technology that lets you run code in response to events as functions.

INCORRECT: “Amazon ECR” is incorrect. Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.

INCORRECT: “Amazon AMI” is incorrect. Amazon Machine Images (AMI) store configuration information for Amazon EC2 instances.

108
Q

A company plans to move the application development to AWS. Which benefits can they achieve when developing and running applications in the AWS Cloud compared to on-premises? (Select TWO.)

a) AWS makes it easy to implement high availability.

b) AWS will fully manage the entire application.

c) AWS can accommodate large changes in application demand.

d) AWS automatically replicates all data globally.

e) AWS takes care of application security patching.

A

Explanation
AWS provides many options for high availability including multiple availability zones within Regions and multiple Regions around the world. There are also many options to leverage durable data storage, message buses, and databases.

AWS have a huge global infrastructure with massive amounts of capacity. It is therefore very easy to accommodate large changes in application demand and this can often be seamless to your application.

CORRECT: “AWS makes it easy to implement high availability” is a correct answer.

CORRECT: “AWS can accommodate large changes in application demand” is also a correct answer.

INCORRECT: “AWS automatically replicates all data globally” is incorrect. This is not true; data is not replicated globally unless you configure it to do so.

INCORRECT: “AWS will fully manage the entire application” is incorrect. This is not true; AWS will not manage your application.

INCORRECT: “AWS takes care of application security patching” is incorrect. AWS take care of security patches for the underlying infrastructure but not your application.

109
Q

Which AWS service helps customers meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware appliances within the AWS Cloud?

a) AWS CloudHSM

b) AWS Directory Service

c) AWS Secrets Manager

d) AWS Key Management Service (AWS KMS)
A

Explanation
The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS Cloud.

CORRECT: “AWS CloudHSM” is the correct answer.

INCORRECT: “AWS Secrets Manager” is incorrect. AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

INCORRECT: “AWS Key Management Service (AWS KMS)” is incorrect. This service is also involved with creating and managing encryption keys but does not use dedicated hardware.

INCORRECT: “AWS Directory Service” is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

110
Q

An application stores images which will be retrieved infrequently, but must be available for retrieval immediately. Which is the most cost-effective storage option that meets these requirements?

a) Amazon Glacier with expedited retrievals

b) Amazon S3 Standard-Infrequent Access

c) Amazon EFS

d) Amazon S3 Standard

A

Explanation
Amazon S3 Standard-Infrequent Access is the most cost-effective choice. It provides immediate access and is suitable for this use case as it is lower cost than S3 standard. Note that you must pay a fee for retrievals which is why you would only use this tier for infrequent access use cases.

CORRECT: “Amazon S3 Standard-Infrequent Access” is the correct answer.

INCORRECT: “Amazon Glacier with expedited retrievals” is incorrect. Amazon Glacier with expedited retrievals is fast (1-5 minutes) but not immediate.

INCORRECT: “Amazon EFS” is incorrect. Amazon EFS is a high-performance file system and not ideally suited to this scenario; it is also not the most cost-effective option.

INCORRECT: “Amazon S3 Standard” is incorrect. Amazon S3 Standard provides immediate retrieval but is less cost-effective than Standard-Infrequent Access.

111
Q
How can a security compliance officer retrieve AWS compliance documentation such as a SOC 2 report?

a) Using AWS Artifact

b) Using the AWS Personal Health Dashboard

c) Using AWS Inspector

d) Using AWS Trusted Advisor
A

Explanation
AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements.

You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports.

CORRECT: “Using AWS Artifact” is the correct answer.

INCORRECT: “Using AWS Trusted Advisor” is incorrect. AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.

INCORRECT: “Using AWS Inspector” is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

INCORRECT: “Using the AWS Personal Health Dashboard” is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

112
Q
Which AWS support plans provide support via email, chat and phone? (Select TWO.)

a) Global

b) Developer

c) Business

d) Basic

e) Enterprise
A

Only the business and enterprise plans provide support via email, chat and phone.

CORRECT: “Business” is the correct answer.

CORRECT: “Enterprise” is the correct answer.

INCORRECT: “Basic” is incorrect. It does not provide support via email, chat and phone.

INCORRECT: “Developer” is incorrect. It only provides email support.

INCORRECT: “Global” is incorrect. It is not a support plan offered by AWS.

113
Q
Which AWS service can be used to load data from Amazon S3, transform it, and move it to another destination?

a) AWS Glue

b) Amazon RedShift

c) Amazon Kinesis

d) Amazon EMR
A

Explanation
AWS Glue is an Extract, Transform, and Load (ETL) service. You can use AWS Glue with data sources on Amazon S3, RedShift and other databases. With AWS Glue you transform and move the data to various destinations. It is used to prepare and load data for analytics.

CORRECT: “AWS Glue” is the correct answer.

INCORRECT: “Amazon RedShift” is incorrect. Amazon RedShift is a data warehouse. With a data warehouse you load data from other databases such as transactional SQL databases and run analysis. You can analyze data using SQL and Business Intelligence tools.

INCORRECT: “Amazon EMR” is incorrect. Amazon EMR is a managed Hadoop framework running on EC2 and S3. It is used for analyzing data, not for ETL.

INCORRECT: “Amazon Kinesis” is incorrect. Amazon Kinesis is used for collecting, processing and analyzing real-time streaming data.

114
Q
Which AWS service or feature allows a company to receive a single monthly AWS bill when using multiple AWS accounts?

a) Consolidated billing

b) Amazon Cloud Directory

c) AWS Cost Explorer

d) AWS Cost and Usage report
A

Explanation
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.

Consolidated billing has the following benefits:

  • One bill – You get one bill for multiple accounts.
  • Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.
  • Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts.
  • No extra fee – Consolidated billing is offered at no additional cost.

CORRECT: “Consolidated billing” is the correct answer.

INCORRECT: “Amazon Cloud Directory” is incorrect. Cloud Directory is used for creating cloud-native directories. This is not related to billing.

INCORRECT: “AWS Cost Explorer” is incorrect. AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time. It does not centralize billing.

INCORRECT: “AWS Cost and Usage report” is incorrect. The AWS Cost & Usage Report lists AWS usage for each service category used by an account and its IAM users in hourly or daily line items, as well as any tags that you have activated for cost allocation purposes.

115
Q
Which AWS service should a Cloud Practitioner use to automate configuration management using Puppet?

a) AWS OpsWorks

b) AWS CloudFormation

c) AWS Config

d) AWS Systems Manager
A

Explanation
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.

OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

CORRECT: “AWS OpsWorks” is the correct answer.

INCORRECT: “AWS Config” is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

INCORRECT: “AWS CloudFormation” is incorrect. AWS CloudFormation provides a common language for you to model and provision AWS and third party application resources in your cloud environment.

INCORRECT: “AWS Systems Manager” is incorrect. AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.

116
Q

Which of the following best describes an Availability Zone in the AWS Cloud?

a) One or more physical data centers

b) A completely isolated geographic location

c) One or more edge locations based around the world

d) A subnet for deploying resources into

A

Explanation
An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.

CORRECT: “One or more physical data centers” is the correct answer.

INCORRECT: “A completely isolated geographic location” is incorrect. This is a description of an AWS Region.

INCORRECT: “One or more edge locations based around the world” is incorrect. Edge locations are used by Amazon CloudFront for caching content.

INCORRECT: “A subnet for deploying resources into” is incorrect. Subnets are created within AZs.

117
Q
A company has a global user base and needs to deploy AWS services that can decrease network latency for their users. Which services may assist? (Select TWO.)

a) AWS Direct Connect

b) Application Auto Scaling

c) Amazon CloudFront

d) Amazon VPC

e) AWS Global Accelerator
A

Explanation
Amazon CloudFront is a content delivery network (CDN) that caches media assets such as files, photos, and videos in Edge locations around the world. This gets your content closer to the user base which decreases latency.

AWS Global Accelerator is a service that can direct users to the nearest AWS Region that contains an endpoint for an application. The service utilizes Edge locations to decrease latency and then forwards all traffic on the AWS global network which also decreases latency.

CORRECT: “Amazon CloudFront” is a correct answer.

CORRECT: “AWS Global Accelerator” is also a correct answer.

INCORRECT: “Amazon VPC” is incorrect as this service does not decrease latency for global users.

INCORRECT: “Application Auto Scaling” is incorrect as this is used to scale applications based on workload; it does not decrease latency.

INCORRECT: “AWS Direct Connect” is incorrect as this service does decrease latency but not for a global user base.

118
Q
Which Amazon EC2 pricing model should be avoided if a workload cannot accept interruption if capacity becomes temporarily unavailable?

a) Standard Reserved Instances

b) On-Demand Instances

c) Spot Instances

d) Convertible Reserved Instances
A

Explanation
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices.

The downside is that if capacity becomes temporarily unavailable, your instances may be terminated.

CORRECT: “Spot Instances” is the correct answer.

INCORRECT: “On-Demand Instances” is incorrect. On-demand instances are not subject to interruption if capacity becomes temporarily unavailable.

INCORRECT: “Standard Reserved Instances” is incorrect. Reserved instances are not subject to interruption if capacity becomes temporarily unavailable.

INCORRECT: “Convertible Reserved Instances” is incorrect. Reserved instances are not subject to interruption if capacity becomes temporarily unavailable.

119
Q

What is the function of Amazon EC2 Auto Scaling?

a) Automatically modifies the network throughput of EC2 instances, based on demand.

b) Scales the size of EC2 instances up or down automatically, based on demand.

c) Scales the number of EC2 instances in or out automatically, based on demand.

d) Automatically updates the EC2 pricing model, based on demand.

A

Explanation
Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet. You can also use the dynamic and predictive scaling features of EC2 Auto Scaling to add or remove EC2 instances.

CORRECT: “Scales the number of EC2 instances in or out automatically, based on demand.” is the correct answer.

INCORRECT: “Scales the size of EC2 instances up or down automatically, based on demand.” is incorrect. Auto Scaling adjusts the number of EC2 instances, not the size of EC2 instances.

INCORRECT: “Automatically updates the EC2 pricing model, based on demand.” is incorrect. Auto Scaling does not change pricing models.

INCORRECT: “Automatically modifies the network throughput of EC2 instances, based on demand.” is incorrect. Auto Scaling does not modify network throughput for instances.

120
Q
A user needs an automated security assessment report that will identify unintended network access to Amazon EC2 instances and vulnerabilities on those instances.
Which AWS service will provide this assessment report?

a) EC2 security groups

b) Amazon Macie

c) AWS Config

d) Amazon Inspector
A

Explanation
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

CORRECT: “Amazon Inspector” is the correct answer.

INCORRECT: “EC2 security groups” is incorrect. Security groups are instance-level firewalls used for controlling network traffic reaching and leaving EC2 instances.

INCORRECT: “AWS Config” is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.

INCORRECT: “Amazon Macie” is incorrect. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.

121
Q
According to the shared responsibility model, which security and compliance task is AWS responsible for?

a) Updating Amazon EC2 host firmware

b) Updating operating systems

c) Encrypting data at rest

d) Granting permissions to users and services
A

Explanation
According to the AWS shared responsibility model AWS are responsible for security “of” the cloud. This includes updating the firmware of the EC2 host servers on which instances run. All of the other answers are incorrect as they represent security “in” the cloud which is a customer responsibility.

CORRECT: “Updating Amazon EC2 host firmware” is the correct answer.

INCORRECT: “Granting permissions to users and services” is incorrect as this is a customer responsibility.

INCORRECT: “Encrypting data at rest” is incorrect as this is a customer responsibility.

INCORRECT: “Updating operating systems” is incorrect as this is a customer responsibility.

122
Q

Which benefits can a company immediately realize using the AWS Cloud? (Select TWO.)

a) User control of physical infrastructure

b) Variable expenses are replaced with capital expenses

c) No responsibility for security

d) Capital expenses are replaced with variable expenses

e) Increased agility

A

Explanation
A couple of the benefits that companies will realize immediately when using the AWS Cloud are increased agility and a change from capital expenditure to variable operational expenditure.

Agility is enabled through the flexibility of cloud services and the ease with which applications can be deployed, scaled, and managed. When using cloud services you pay for what you use and this is a variable, operational expense which can be beneficial to company cashflow.

CORRECT: “Capital expenses are replaced with variable expenses” is a correct answer.

CORRECT: “Increased agility” is also a correct answer.

INCORRECT: “Variable expenses are replaced with capital expenses” is incorrect. This is the wrong way around; capital expenses are replaced with variable expenses.

INCORRECT: “User control of physical infrastructure” is incorrect. This is not true; you do not get control of the physical infrastructure.

INCORRECT: “No responsibility for security” is incorrect. This is not true; you are still responsible for “security in the cloud”.

123
Q

Which AWS service is a fully-managed source control service that hosts secure Git-based repositories?

a) AWS CodeCommit

b) AWS CodeBuild

c) AWS CodeDeploy

d) AWS CodePipeline
A

Explanation
AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem.

CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools.

CORRECT: “AWS CodeCommit” is the correct answer.

INCORRECT: “AWS CodeBuild” is incorrect. AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy.

INCORRECT: “AWS CodeDeploy” is incorrect. CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services.

INCORRECT: “AWS CodePipeline” is incorrect. AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.

124
Q

Which of the following are valid best practices for using the AWS Identity and Access Management (IAM) service? (Select TWO.)

a) Use inline policies instead of customer managed policies.

b) Embed access keys in application code.

c) Grant maximum privileges to IAM users.

d) Use groups to assign permissions to IAM users.

e) Create individual IAM users.

A

Explanation
This is the list of valid IAM best practices:
• Lock away your AWS account root user access keys
• Create individual IAM users
• Use groups to assign permissions to IAM users
• Grant least privilege
• Get started using permissions with AWS managed policies
• Use customer managed policies instead of inline policies
• Use access levels to review IAM permissions
• Configure a strong password policy for your users
• Enable MFA
• Use roles for applications that run on Amazon EC2 instances
• Use roles to delegate permissions
• Do not share access keys
• Rotate credentials regularly
• Remove unnecessary credentials
• Use policy conditions for extra security
• Monitor activity in your AWS account

CORRECT: “Create individual IAM users” is a correct answer.

CORRECT: “Use groups to assign permissions to IAM users” is also a correct answer.

INCORRECT: “Embed access keys in application code” is incorrect. This is not a best practice; you should always try and avoid embedding any secret credentials and access keys in application code. Instead, it is preferable to use IAM roles to delegate permission to applications.

INCORRECT: “Use inline policies instead of customer managed policies” is incorrect. This is not a best practice. You should use customer managed policies instead of inline policies.

INCORRECT: “Grant maximum privileges to IAM users” is incorrect. You should instead follow the principle of least privilege and grant the minimum permissions a user needs to perform their job role.

125
Q
Which of the following can be used to identify a specific user who terminated an Amazon RDS DB instance?

a) Amazon CloudWatch

b) Amazon Inspector

c) AWS Trusted Advisor

d) AWS CloudTrail
A

Explanation
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.

CORRECT: “AWS CloudTrail” is the correct answer.

INCORRECT: “Amazon Inspector” is incorrect. Inspector is used for running an automated security assessment service on cloud resources.

INCORRECT: “Amazon CloudWatch” is incorrect. CloudWatch is used for performance monitoring.

INCORRECT: “AWS Trusted Advisor” is incorrect. Trusted Advisor helps you to build your AWS resources in accordance with best practices.

126
Q

How should an organization deploy an application running on multiple EC2 instances to ensure that a power failure does not cause an application outage?

a) Launch the EC2 instances in separate regions

b) Launch the EC2 instances into different Availability Zones

c) Launch the EC2 instances into different VPCs

d) Launch the EC2 instances into Edge Locations

A

Explanation
If you have multiple EC2 instances that are part of an application, you should deploy them into separate availability zones (AZs). Each AZ has redundant power and is also fed from a different grid. AZs also have low-latency network links which is often advantageous for most applications.

You do not need to deploy into separate regions to prevent a power outage bringing your application down. AZs have redundant power and grids so you are safe deploying your applications into multiple AZs. If you split your applications across regions you introduce latency which may impact your application. You may also run into data sovereignty issues in some cases.

Deploying your EC2 instances into different VPCs is not required and would complicate your application deployment. Also, bear in mind that VPCs within a region use the same underlying infrastructure so deploying into different VPCs may still result in your EC2 instances being deployed into the same AZs. It is a best practice to deploy into separate AZs.

CORRECT: “Launch the EC2 instances into different Availability Zones” is the correct answer.

INCORRECT: “Launch the EC2 instances in separate regions” is incorrect as described above.

INCORRECT: “Launch the EC2 instances into different VPCs” is incorrect as described above.

INCORRECT: “Launch the EC2 instances into Edge Locations” is incorrect. You cannot deploy EC2 instances into Edge Locations.

127
Q
A Cloud Practitioner wants to configure the AWS CLI for programmatic access to AWS services. Which credential components are required? (Select TWO.)

a) A private key

b) A public key

c) A secret access key

d) An IAM Role

e) An access key ID

A

Explanation
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

CORRECT: “An access key ID” is a correct answer.

CORRECT: “A secret access key” is also a correct answer.

INCORRECT: “A public key” is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances.

INCORRECT: “A private key” is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances.

INCORRECT: “An IAM Role” is incorrect. IAM Roles are not used for configuring the CLI for programmatic access. They can be used for delegating access to AWS services and cross-account access.

128
Q
Amazon S3 is typically used for which of the following use cases? (Select TWO.)

a) In-memory data cache

b) Host a static website

c) Message queue

d) Install an operating system

e) Media hosting
A

Explanation
Amazon S3 is an object storage system. Typical use cases include: Backup and storage, application hosting, media hosting, software delivery and hosting a static website.

CORRECT: “Host a static website” is the correct answer.

CORRECT: “Media hosting” is the correct answer.

INCORRECT: “Install an operating system” is incorrect. You cannot install an operating system on an object-based storage system. Instead, you need a block-based storage system such as Amazon EBS.

INCORRECT: “In-memory data cache” is incorrect. You cannot use Amazon S3 as an in-memory data cache; for this you need a service such as Amazon ElastiCache.

INCORRECT: “Message queue” is incorrect. You cannot use Amazon S3 as a message queue (or at least it is not a typical use case). You should use a service such as Amazon SQS or Amazon MQ.

129
Q
Which of the following compliance programs allows the AWS environment to process, maintain, and store protected health information?

a) ISO 27001

b) SOC 1

c) PCI DSS

d) HIPAA
A

Explanation
AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information.

CORRECT: “HIPAA” is the correct answer.

INCORRECT: “ISO 27001” is incorrect as ISO/IEC 27001 is an information security standard.

INCORRECT: “PCI DSS” is incorrect as PCI DSS is related to the security of credit card payments.

INCORRECT: “SOC 1” is incorrect as this relates to financial reporting.

130
Q
Which AWS-managed service can be used to process vast amounts of data using a hosted Hadoop framework?

a) Amazon DynamoDB

b) Amazon Redshift

c) Amazon EMR

d) Amazon Athena

A

Explanation
Amazon Elastic MapReduce (EMR) is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3.

CORRECT: “Amazon EMR” is the correct answer.

INCORRECT: “Amazon DynamoDB” is incorrect. DynamoDB is not a hosted Hadoop framework; it is a NoSQL database.

INCORRECT: “Amazon Athena” is incorrect. Amazon Athena is a serverless, interactive query service to query data and analyze big data in Amazon S3 using standard SQL.

INCORRECT: “Amazon Redshift” is incorrect. Amazon Redshift is a fast, simple, cost-effective data warehousing service.