Udemy Exams 3 Flashcards
Which AWS service provides on-demand downloads of AWS security and compliance reports? a) AWS Trusted Advisor b) AWS Directory Service c) AWS Artifact d) Amazon Inspector
Explanation
AWS Artifact is the go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.
CORRECT: “AWS Artifact” is the correct answer.
INCORRECT: “AWS Directory Service” is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is an AWS-managed directory service built on actual Microsoft Active Directory and powered by Windows Server 2012 R2.
INCORRECT: “AWS Trusted Advisor” is incorrect. AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices.
INCORRECT: “Amazon Inspector” is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Which service allows an organization to view operational data from multiple AWS services through a unified user interface and automate operational tasks? a) AWS OpsWorks b) AWS Config c) Amazon CloudWatch d) AWS Systems Manager
Explanation
AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.
CORRECT: “AWS Systems Manager” is the correct answer.
INCORRECT: “AWS Config” is incorrect. AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.
INCORRECT: “AWS OpsWorks” is incorrect. AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.
INCORRECT: “Amazon CloudWatch” is incorrect. Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You use CloudWatch for performance monitoring, not automating operational tasks.
To gain greater discounts, which services can be reserved? (Select TWO.) a) AWS Lambda b) Amazon S3 c) Amazon DynamoDB d) Amazon RedShift e) Amazon CloudWatch
Explanation
Reservations provide you with greater discounts, up to 75%, by paying for capacity ahead of time. Some of the services you can reserve include: EC2, DynamoDB, ElastiCache, RDS, and RedShift.
CORRECT: “Amazon RedShift” is a correct answer.
CORRECT: “Amazon DynamoDB” is also a correct answer.
INCORRECT: “Amazon S3” is incorrect. You cannot reserve Amazon S3; you pay for what you use.
INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a service that provides functions and cannot be reserved.
INCORRECT: “Amazon CloudWatch” is incorrect. You cannot reserve Amazon CloudWatch, which is a monitoring service.
Which AWS services can be used as infrastructure automation tools? (Select TWO.) a) AWS CloudFormation b) Amazon QuickSight c) Amazon CloudFront d) AWS OpsWorks e) AWS Batch
Explanation
AWS CloudFormation provides a common language for you to model and provision AWS and third party application resources in your cloud environment. AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
CORRECT: “AWS CloudFormation” is a correct answer.
CORRECT: “AWS OpsWorks” is also a correct answer.
INCORRECT: “Amazon CloudFront” is incorrect. Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.
INCORRECT: “AWS Batch” is incorrect. AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS.
INCORRECT: “Amazon QuickSight” is incorrect. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.
Which of the below is an example of an architectural benefit of moving to the cloud? a) Proprietary hardware b) Monolithic services c) Vertical scalability d) Elasticity
Explanation
A key architectural benefit of moving to the cloud is that you get elasticity. This means your applications can scale as demand increases and scale back as demand decreases. This reduces cost as you only pay for what you use, when you need it.
CORRECT: “Elasticity” is the correct answer.
INCORRECT: “Monolithic services” is incorrect. Monolithic services are not a design pattern of the public cloud. Developers and architects prefer service-oriented or microservice architectures instead.
INCORRECT: “Proprietary hardware” is incorrect. You do not get to choose your hardware in AWS, as the infrastructure on which your services run is managed and operated by AWS. So you cannot use proprietary hardware.
INCORRECT: “Vertical scalability” is incorrect. Vertical scalability is not unique to the cloud, nor is it something we aspire to as architects. Most of the time horizontal scalability is preferred and is something that the AWS cloud provides for many services.
Which AWS service or feature can be used to capture information about inbound and outbound IP traffic on network interfaces in a VPC? a) VPC Endpoint b) AWS CloudTrail c) VPC Flow Logs d) Internet gateway
Explanation
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.
Flow logs can help you with a number of tasks, such as:
• Diagnosing overly restrictive security group rules
• Monitoring the traffic that is reaching your instance
• Determining the direction of the traffic to and from the network interfaces
Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.
CORRECT: “VPC Flow Logs” is the correct answer.
INCORRECT: “Internet gateway” is incorrect. An internet gateway is attached to a VPC and used for sending and receiving data from the internet.
INCORRECT: “AWS CloudTrail” is incorrect. CloudTrail is used for auditing API activity.
INCORRECT: “VPC Endpoint” is incorrect. VPC endpoints are used for connecting to public AWS services using private IP addresses.
What is a benefit of moving an on-premises database to Amazon Relational Database Service (RDS)?
a) There is no need to manage operating systems
b) You can run any database engine
c) There is no database administration required
d) You can scale vertically without downtime
Explanation
With Amazon RDS, which is a managed service, you do not need to manage operating systems. This reduces operational costs.
CORRECT: “There is no need to manage operating systems” is the correct answer.
INCORRECT: “You can scale vertically without downtime” is incorrect. You cannot scale vertically without downtime. When scaling with RDS you must change the instance type, and this requires a short period of downtime while the instance’s operating system reboots.
INCORRECT: “There is no database administration required” is incorrect. There is still database administration required in the cloud. You don’t manage the underlying operating system but still need to manage your own tables and data within the DB.
INCORRECT: “You can run any database engine” is incorrect. You cannot run any database engine with RDS. The options are MySQL, Microsoft SQL, MariaDB, Oracle, PostgreSQL and Aurora.
How does the consolidated billing feature of AWS Organizations treat Reserved Instances that were purchased by another account in the organization?
a) All accounts in the organization are treated as one account so any account can receive the hourly cost benefit
b) Only the master account can benefit from the hourly cost benefit of the reserved instances
c) All accounts in the organization are treated as one account for volume discounts but not for reserved instances
d) AWS Organizations does not support any volume or reserved instance benefits across accounts, it is just a method of aggregating bills
Explanation
For billing purposes, the consolidated billing feature of AWS Organizations treats all the accounts in the organization as one account. This means that all accounts in the organization can receive the hourly cost benefit of Reserved Instances that are purchased by any other account.
CORRECT: “All accounts in the organization are treated as one account so any account can receive the hourly cost benefit” is the correct answer.
INCORRECT: “Only the master account can benefit from the hourly cost benefit of the reserved instances” is incorrect as explained above.
INCORRECT: “All accounts in the organization are treated as one account for volume discounts but not for reserved instances” is incorrect as explained above.
INCORRECT: “AWS Organizations does not support any volume or reserved instance benefits across accounts, it is just a method of aggregating bills” is incorrect as explained above.
Which statement best describes Amazon Route 53?
a) Amazon Route 53 is a service for distributing incoming connections between a fleet of registered EC2 instances
b) Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service
c) Amazon Route 53 enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud
d) Amazon Route 53 is a service that enables routing within VPCs in an account
Explanation
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like www.example.com into the numeric IP addresses like 192.0.2.1 that computers use to connect to each other. Amazon Route 53 is fully compliant with IPv6 as well.
CORRECT: “Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service” is the correct answer.
INCORRECT: “Amazon Route 53 is a service that enables routing within VPCs in an account” is incorrect. The VPC router performs routing within a VPC.
INCORRECT: “Amazon Route 53 enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud” is incorrect. Direct Connect enables hybrid cloud models by extending an organization’s on-premise networks into the AWS cloud.
INCORRECT: “Amazon Route 53 is a service for distributing incoming connections between a fleet of registered EC2 instances” is incorrect. Auto Scaling is a service for distributing incoming connections between a fleet of registered EC2 instances.
Which IAM entity can be used for assigning permissions to AWS services? a) IAM Access Key ID and Secret Access Key b) Security Token Service (STS) c) IAM Policy d) IAM Role
Explanation
With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. username and password). To do so you can create a role and assign an IAM policy to the role that has the permissions required.
CORRECT: “IAM Role” is the correct answer.
INCORRECT: “IAM Access Key ID and Secret Access Key” is incorrect. An access key ID and secret access key are assigned to IAM users and used for programmatic access using the API or CLI.
INCORRECT: “IAM Policy” is incorrect. An IAM policy is a policy document that is used to define permissions that can be applied to users, groups and roles. You don’t apply the policy to the service, you apply it to the role. The role is then used to assign permissions to the AWS service.
INCORRECT: “Security Token Service (STS)” is incorrect. This service is used for gaining temporary security credentials.
A company has a website that delivers static content from an Amazon S3 bucket to users from around the world. Which AWS service will deliver the content with low latency? a) AWS Lambda b) AWS Elastic Beanstalk c) Amazon CloudFront d) AWS Global Accelerator
Explanation
Amazon CloudFront is a content delivery network (CDN) and can use an Amazon S3 bucket configured as a static website as an origin for the content it caches globally. CloudFront reduces latency for global users by serving the requested content from a local cache.
CORRECT: “Amazon CloudFront” is the correct answer.
INCORRECT: “AWS Lambda” is incorrect. Lambda is a serverless compute service that runs code in response to triggers.
INCORRECT: “AWS Elastic Beanstalk” is incorrect. Elastic Beanstalk is a platform as a service offering that is used to run applications on a managed platform.
INCORRECT: “AWS Global Accelerator” is incorrect. Global Accelerator is used to direct traffic to application endpoints in different Regions using the AWS global network. It does not cache content and would not be used in front of an S3 bucket.
A company has been using an AWS managed IAM policy for granting permissions to users but needs to add some permissions. How can this be achieved? a) Create a Service Control Policy. b) Edit the AWS managed policy. c) Create a rule in AWS WAF. d) Create a custom IAM policy.
Explanation
AWS managed policies cannot be edited, so if you need to add permissions to users that are not granted in the policy you must create your own custom IAM policy.
CORRECT: “Create a custom IAM policy” is the correct answer.
INCORRECT: “Edit the AWS managed policy” is incorrect. You cannot edit AWS managed policies.
INCORRECT: “Create a Service Control Policy” is incorrect. SCPs are used in AWS Organizations to restrict available permissions. They do not grant permissions.
INCORRECT: “Create a rule in AWS WAF” is incorrect. WAF is a web application firewall used for protecting resources from web-based attacks.
What are the benefits of using Amazon Rekognition with image files?
a) Can be used to resize images
b) Can be used to identify objects in an image
c) Can help with image compression
d) Can be used to transcode audio
Explanation
Rekognition Image is a deep learning powered image recognition service that detects objects, scenes, and faces; extracts text; recognizes celebrities; and identifies inappropriate content in images. It also allows you to search and compare faces.
CORRECT: “Can be used to identify objects in an image” is the correct answer.
INCORRECT: “Can be used to resize images” is incorrect. You cannot use Rekognition to resize images.
INCORRECT: “Can be used to transcode audio” is incorrect. You should use the Elastic Transcoder service to transcode audio.
INCORRECT: “Can help with image compression” is incorrect. You cannot use Rekognition to compress images.
Which of the below AWS services supports automated backups as a default configuration? a) Amazon S3 b) Amazon EBS c) Amazon EC2 d) Amazon RDS
Explanation
Amazon RDS automated backups allow point-in-time recovery to any point within the retention period, down to a second. When automated backups are turned on for your DB Instance, Amazon RDS automatically performs a full daily snapshot of your data (during your preferred backup window) and captures transaction logs (as updates to your DB Instance are made). Automated backups are enabled by default; backup data is stored on S3 and is equal to the size of the DB.
CORRECT: “Amazon RDS” is the correct answer.
INCORRECT: “Amazon S3” is incorrect. Amazon S3 objects are replicated across multiple facilities. You can also archive data onto Amazon Glacier and use versioning to maintain copies of older versions of objects.
INCORRECT: “Amazon EC2” is incorrect. EC2 instances using EBS volumes can be backed up by creating a snapshot of the EBS volume.
INCORRECT: “Amazon EBS” is incorrect. EC2 instances using EBS volumes can be backed up by creating a snapshot of the EBS volume.
Which authentication method is used to authenticate programmatic calls to AWS services? a) Console password b) Access keys c) Server certificate d) Key pair
Explanation
Access keys are a combination of an access key ID and a secret access key. They are used to make programmatic calls to AWS using the API.
CORRECT: “Access keys” is the correct answer.
INCORRECT: “Console password” is incorrect. Console passwords are used for signing users into the AWS Management Console, not for making programmatic calls to AWS services.
INCORRECT: “Server certificate” is incorrect. Server certificates can be used to authenticate to some AWS services using HTTPS.
INCORRECT: “Key pair” is incorrect. Key pairs should not be confused with access keys. Key pairs are used for authenticating to Amazon EC2 instances.
Which service can be used to easily create multiple accounts? a) AWS IAM b) AWS Organizations c) Amazon Connect d) AWS CloudFormation
Explanation
AWS Organizations can be used for automating AWS account creation via the Organizations API.
CORRECT: “AWS Organizations” is the correct answer.
INCORRECT: “AWS IAM” is incorrect. You cannot use IAM for creating accounts.
INCORRECT: “AWS CloudFormation” is incorrect. You could theoretically use AWS CloudFormation to automate the account creation along with some scripting, but that is certainly not an easy way to reach this result.
INCORRECT: “Amazon Connect” is incorrect. Amazon Connect is a self-service, cloud-based contact center service that makes it easy for businesses to deliver better customer service at a lower cost.
Which Amazon EC2 pricing model is the most cost-effective for an always-up, right-sized database server running a project that will last 1 year? a) Convertible Reserved Instances b) Standard Reserved Instances c) Spot Instances d) On-Demand Instances
Explanation
Reserved Instances (RIs) provide you with a significant discount (up to 72%) compared to On-Demand instance pricing. Standard reserved instances offer the most cost savings. RIs are based on a 1- or 3-year contract, so they are suitable for workloads that will run for the duration of the contract period.
CORRECT: “Standard Reserved Instances” is the correct answer.
INCORRECT: “Convertible Reserved Instances” is incorrect. You have the flexibility to change families, OS types, and tenancies while benefitting from RI pricing when you use Convertible RIs. However, this is not required for a right-sized server.
INCORRECT: “On-Demand Instances” is incorrect. This pricing model offers no discounts.
INCORRECT: “Spot Instances” is incorrect. Though you can achieve greater cost savings with Spot instances, the instances can be terminated when AWS needs the capacity back.
A company needs to optimize costs and resource usage through monitoring of operational health for all resources running on AWS. Which AWS service will meet these requirements? a) AWS Config b) Amazon CloudWatch c) AWS Control Tower d) AWS CloudTrail
Explanation
Amazon CloudWatch is a performance monitoring tool that receives metrics from AWS services. This data can be used for monitoring the operational health of resources as well as being used to optimize costs through ensuring systems are right-sized and just enough capacity is provisioned.
CORRECT: “Amazon CloudWatch” is the correct answer.
INCORRECT: “AWS Control Tower” is incorrect. AWS Control Tower is a service that is intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern at scale.
INCORRECT: “AWS CloudTrail” is incorrect. CloudTrail is used for auditing (who did what and when), it is not used for monitoring operational health.
INCORRECT: “AWS Config” is incorrect. Config is used for managing compliance for AWS services.
Which AWS service or feature can be used to restrict the individual API actions that users and roles in each member account can access? a) AWS Shield b) Amazon Macie c) AWS Organizations d) AWS IAM
Explanation
AWS Organizations offers Service control policies (SCPs) which are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions (API actions) for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled.
CORRECT: “AWS Organizations” is the correct answer.
INCORRECT: “Amazon Macie” is incorrect. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
INCORRECT: “AWS Shield” is incorrect. AWS Shield is a service that protects workloads against distributed denial of service (DDoS) attacks.
INCORRECT: “AWS IAM” is incorrect. AWS IAM is used for assigning permissions, but SCPs in AWS Organizations are used to control which API actions are allowed in an account. To use an API successfully you need both the permission granted in IAM and the API action allowed by the SCP.
Which AWS tools can be used for automation? (Select TWO.) a) Amazon Elastic File System (EFS) b) AWS Elastic Beanstalk c) AWS CloudFormation d) AWS Lambda e) Elastic Load Balancing
Explanation
AWS Elastic Beanstalk and AWS CloudFormation are both examples of automation. Beanstalk is a platform service that leverages the automation capabilities of CloudFormation to build out application architectures.
CORRECT: “AWS Elastic Beanstalk” is a correct answer.
CORRECT: “AWS CloudFormation” is also a correct answer.
INCORRECT: “Elastic Load Balancing” is incorrect. Elastic Load Balancing (ELB) is used for distributing incoming connections to Amazon EC2 instances. This is not an example of automation; it is load balancing.
INCORRECT: “Amazon Elastic File System (EFS)” is incorrect. Amazon EFS is a file system.
INCORRECT: “AWS Lambda” is incorrect. AWS Lambda is a compute service, not an automation service.
Which of the following statements are correct about the benefits of AWS Direct Connect? (Select TWO.)
a) Increased bandwidth (predictable bandwidth)
b) Increased reliability (predictable performance)
c) Uses redundant paths across the Internet
d) Lower cost than a VPN
e) Quick to implement
Explanation
AWS Direct Connect is a network service that provides an alternative to using the Internet to connect customers’ on-premises sites to AWS.
Data is transmitted through a private network connection between AWS and a customer’s data center or corporate network.
Benefits of AWS Direct Connect:
– Reduce cost when using large volumes of traffic.
– Increase reliability (predictable performance).
– Increase bandwidth (predictable bandwidth).
– Decrease latency.
CORRECT: “Increased reliability (predictable performance)” is a correct answer.
CORRECT: “Increased bandwidth (predictable bandwidth)” is also a correct answer.
INCORRECT: “Quick to implement” is incorrect. Direct Connect is not fast to implement as it can take weeks to months to set up (use VPN for fast deployment times).
INCORRECT: “Lower cost than a VPN” is incorrect. Direct Connect is more expensive than VPN.
INCORRECT: “Uses redundant paths across the Internet” is incorrect. Direct Connect uses private network connections; it does not use redundant paths over the Internet.
Which AWS services are associated with Edge Locations? (Select TWO.) a) Amazon CloudFront b) AWS Shield c) AWS Config d) Amazon EBS e) AWS Direct Connect
Explanation
Edge Locations are parts of the Amazon CloudFront content delivery network (CDN) that are all around the world and are used to get content closer to end-users for better performance.
AWS Shield which protects against Distributed Denial of Service (DDoS) attacks is available globally on Amazon CloudFront Edge Locations.
CORRECT: “Amazon CloudFront” is a correct answer.
CORRECT: “AWS Shield” is also a correct answer.
INCORRECT: “AWS Direct Connect” is incorrect. AWS Direct Connect is a networking service used for creating a hybrid cloud between on-premises and AWS Cloud using a private network connection.
INCORRECT: “Amazon EBS” is incorrect. Amazon EBS is a storage service.
INCORRECT: “AWS Config” is incorrect. AWS Config is used for evaluating the configuration state of AWS resources.
Which AWS service is known as a "serverless" service and runs code as functions triggered by events? a) Amazon ECS b) Amazon CodeDeploy c) Amazon Cognito d) AWS Lambda
Explanation
AWS Lambda lets you run code as functions without provisioning or managing servers. Lambda-based applications (also referred to as serverless applications) are composed of functions triggered by events. With serverless computing, your application still runs on servers, but all the server management is done by AWS.
CORRECT: “AWS Lambda” is the correct answer.
INCORRECT: “Amazon ECS” is incorrect. Amazon Elastic Container Service (ECS) is a highly scalable, high-performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances.
INCORRECT: “Amazon CodeDeploy” is incorrect. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Lambda, and your on-premises servers.
INCORRECT: “Amazon Cognito” is incorrect. Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.
Which service can an organization use to track API activity within their account? a) AWS IAM b) AWS CloudTrail c) AWS CloudHSM d) Amazon CloudWatch
Explanation
AWS CloudTrail is a web service that records activity made on your account and delivers log files to an Amazon S3 bucket. CloudTrail is for auditing (CloudWatch is for performance monitoring).
CloudTrail is about logging and saves a history of API calls for your AWS account. It provides visibility into user activity by recording actions taken on your account. API history enables security analysis, resource change tracking, and compliance auditing.
CORRECT: “AWS CloudTrail” is the correct answer.
INCORRECT: “Amazon CloudWatch” is incorrect. Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. CloudWatch is for performance monitoring (CloudTrail is for auditing). It is used to collect and track metrics, collect and monitor log files, and set alarms.
INCORRECT: “AWS IAM” is incorrect. AWS Identity and Access Management is an identity service that provides authentication and authorization services.
INCORRECT: “AWS CloudHSM” is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
What are the charges for using Amazon Glacier? (Select TWO.) a) Data transferred into Glacier b) Data storage c) Number of Availability Zones d) Enhanced networking e) Retrieval requests
Explanation
With Amazon Glacier you pay for storage on a per GB / month basis, retrieval requests and quantity (based on expedited, standard, or bulk), and data transfer out of Glacier.
CORRECT: “Retrieval requests” is a correct answer.
CORRECT: “Data storage” is also a correct answer.
INCORRECT: “Data transferred into Glacier” is incorrect. You do not pay for data transferred in and there are no minimum storage fees.
INCORRECT: “Enhanced networking” is incorrect. Enhanced networking is a feature of EC2.
INCORRECT: “Number of Availability Zones” is incorrect. You do not pay for the number of AZs.
When using AWS Organizations with consolidated billing what are two valid best practices? (Select TWO.)
a) Always use a straightforward password on the root account
b) Always enable multi-factor authentication (MFA) on the root account
c) The paying account should be used for billing purposes only
d) Never exceed the limit of 20 linked accounts
e) Use the paying account for deploying resources
Explanation
When using AWS Organizations with consolidated billing, best practices include:
– Always enable multi-factor authentication (MFA) on the root account.
– Always use a strong and complex password on the root account.
– The paying account should be used for billing purposes only. Do not deploy resources into the paying account.
There is a default limit of 20 linked accounts but this can be extended and there is no reason why you should stick to a maximum of 20 accounts.
CORRECT: “Always enable multi-factor authentication (MFA) on the root account” is a correct answer.
CORRECT: “The paying account should be used for billing purposes only” is also a correct answer.
INCORRECT: “Always use a straightforward password on the root account” is incorrect as you should use a complex password.
INCORRECT: “Use the paying account for deploying resources” is incorrect as you should deploy resources in the linked accounts.
INCORRECT: “Never exceed the limit of 20 linked accounts” is incorrect as you can extend the default limit.