whizlab incorrect answers Flashcards
I need to migrate millions of customers’ financial transaction data from the On-Premise Mainframe system to a non-relational database in AWS. The database should also provide good performance for data retrieval and data analytics. Which of the following Database services is the most suitable?
A. Amazon RDS
B. Amazon RedShift
C. Amazon ElastiCache
D. Amazon DynamoDB
D.
A client who has adopted AWS cloud services would like to ensure that his systems always scale with increasing traffic for a great end-user experience. I have implemented the same by defining AutoScaling Scale-In & Scale-Out policies & CloudWatch alarms that trigger the AutoScaling. Which Cloud Architecture Design principles have I implemented here? Select TWO most suitable options.
A. Encryption
B. Operational Excellence
C. Performance Efficiency
D. Cost Optimization
E. Least privilege
B.
C.
Which of the following may NOT be an Economic benefit to a client using AWS cloud services?
A. The Client is running a dedicated MySQL Database Server on AWS with his own CPU-bound license (BYOL).
B. The Client is running Spot Instances for batch data processing workloads.
C. The client is running applications with a relatively predictable & consistent resource Demand using AWS Reserved Instances.
D. The client is using S3 Intelligent Tiering storage class while uploading objects.
E. The client is using an Active-Passive failover routing strategy from his On-Premise Data Center to the AWS cloud.
A
Which of the following AWS resources or the AWS features (cloud concepts) does NOT provide automation capabilities?
A. AWS Elastic Beanstalk
B. Amazon DynamoDB
C. AWS CloudFormation
D. RDS manual snapshot
D
I have certain applications On-Premises that experience times within a year when the infrastructure takes a heavier load (e.g., Christmas, Thanksgiving, etc.) than at other times in the year. I do not want to decommission the on-premises infrastructure. What is the easiest and most cost-effective way in which I can handle this load?
A. By moving all my infrastructure to AWS Cloud and using On-Demand capacity
B. By creating a Private Cloud environment in my On-Premises data center that will provide me with the required elasticity
C. By using Scheduled Reserved Instances to match capacity reservation for the load
D. By provisioning Burst Capacity on the AWS Cloud for the duration of the load
D.
To make programmatic calls to AWS, a user was provided an access key ID and secret access key. However, the user has now forgotten the shared credentials and cannot make the required programmatic calls.
How can an access key ID and secret access key be provided to the user?
A. Use the “Forgot Password” Option
B. Use “Create New Access Key” by logging in to AWS Management Console as the root user.
C. Credentials can not be generated
D. Raise a ticket with AWS Support
B
When provisioning a security certificate from AWS Certificate Manager (ACM), which of the following statements is true? Choose TWO.
A. ACM-issued security certificate cannot be applied to an Application load balancer.
B. To verify a security certificate, a CNAME record would need to be created.
C. Third-party security certificates cannot be applied to AWS resources.
D. To verify a security certificate, the administrator would need to acknowledge a verification email sent to an address of their choice.
E. A security certificate issued in ACM can only be applied to one AWS resource.
B. To verify a security certificate, a CNAME record would need to be created.
D. To verify a security certificate, the administrator would need to acknowledge a verification email sent to an address of their choice.
An administrator would like VPCs in three different AWS accounts to access on-premise resources via a VPN connection terminating on a Transit Gateway. Each of the VPCs is in distinct AWS regions. How can this be achieved?
A. Use AWS Resource Access Manager (RAM) to share the Transit Gateway resource.
B. Configure a Virtual Private Gateway (VGW) for each VPC and then extend the VPN tunnels to them.
C. Create VPC attachments from each of the VPCs to the Transit Gateway.
D. Configure VPC peering connections between the VPCs and then route traffic from on-premise through the VPN to the Transit Gateway and then to each VPC peer.
A. Use AWS Resource Access Manager (RAM) to share the Transit Gateway resource.
During an audit process, an organization is advised by the audit committee to centrally manage all the VPC security groups and WAF rules across their AWS environment. Given that the organization has multiple AWS accounts, how can this be achieved?
A. AWS Identity & Access Management (IAM)
B. AWS Firewall Manager
C. Amazon Cloud Directory
D. AWS Security Hub
B. AWS Firewall Manager makes it possible to manage VPC security groups, AWS Shield Advanced and WAF rules on one platform even across multiple AWS accounts.
A. IAM does not allow for the management of VPC security groups or WAF rules.
C. Amazon Cloud Directory is a repository for developer objects. The service does not have the functionality to centrally manage all the VPC security groups or WAF rules in the AWS environment
D. AWS Security Hub is a full-view, single-look, comprehensive depiction of the security state of the customer’s AWS environment.
Which of the following statements accurately describe a function of AWS Secrets Manager? [Select Two]
A. Encrypts authentication information in code, ensuring that it is unreadable, that is, not in plain-text.
B. Replaces the need to hardcode authentication credentials in code.
C. Makes it possible to include an API call in code that retrieves authentication information from a central repository.
D. Automatically rotates and updates the code in the application build, ensuring that repositories are kept up to date.
E. Facilitates the embedding of authentication information in code during runtime.
B,C
A client has decided to go for a MySQL RDS database on the AWS cloud based on its Scalability & High Availability features. When he does so, what role does he play in making the database secure? (Select TWO)
A. He can restrict RDS database access by using a Security Group.
B. He can provide the most recent updates of his database software installed on the EC2 Instance for preventing Security attacks.
C. He can provide the most recent versions of his Operating System on the EC2 instance for preventing Security attacks.
D. He can Encrypt database data at rest by using EBS volume storage encryption.
E. He can plan for backup & recovery strategies for data that may be lost.
A. He can restrict RDS database access by using a Security Group.
E. He can plan for backup & recovery strategies for data that may be lost.
I have a Mobile App that needs to access AWS resources like S3, DynamoDB. What is the best way to allow users of the mobile app access to these AWS resources?
A. Keep the Security Credentials associated with the AWS resource access within the Mobile App
B. Use Security Token Service (STS) with Identity Federation that will allow an User access to resources within a session
C. Create Users & Groups within IAM and assign IAM policies for accessing the resources
D. Have the mobile app connect to another web application running on an EC2 instance that can assume a role for accessing the AWS resources
B. A mobile app that becomes popular can have a large user base. The best way to provide access to AWS resources in this scenario is to use Federated Identity access using external Identity Providers (IdP) like Amazon, Facebook, Google, etc.
I have a compliance requirement for my application, stating that unrestricted SSH access to any EC2 instance needs to be immediately notified to an admin. Which services can I use to achieve the requirement?
A. AWS Trusted Advisor, Amazon SNS
B. AWS Inspector, Amazon SNS
C. AWS Config, Amazon SNS
D. Both B & C right
D. Both AWS Inspector & AWS Config can scan EC2 instances, assess their network exposure, and then integrate with Amazon SNS to send notifications. Trusted Advisor can also check for overly permissive access to EC2 instances. Still, the notifications can be performed by monitoring the Trusted Advisor check results with Amazon CloudWatch Events, which can use specific targets like Lambda, SNS, etc.
A startup is using only an AWS Basic Support plan and cannot afford a higher plan right now. They require technical assistance from AWS to better understand the behavior of their services.
Which of the following can be a source of technical assistance for this startup?
AWS Technical Account Manager
AWS Discussion Forums
AWS Trusted Advisor
AWS Concierge Support
AWS Discussion Forums
Which of the following are valid use cases supported by Amazon CloudFront? (Select TWO.)
Schema Conversion
Serverless Interactive Query
Live and on-demand video streaming
Automated Backups
Static asset caching
– Static asset caching
– Live & on-demand video streaming
Which of the following services offers you the same AWS hardware infrastructure, services, APIs, and tools to build and run your applications on-premises and in the cloud?
AWS Organizations
AWS Wavelength
AWS Lambda
AWS Outposts
AWS Outposts
A company plans to use an application streaming service to give its employees instant access to their desktop applications from any device.
Which of the following services fulfills this requirement?
AWS AppSync
Amazon Kinesis Data Streams
Amazon AppStream 2.0
Amazon WorkSpaces
Amazon AppStream 2.0
A company plans to migrate on-premises VMs to AWS. To coordinate the large-scale migration, they must find a way to automate, schedule, and track the entire procedure.
Which of the following services should they use?
Use AWS Migration Hub to track the progress of migrations.
Use AWS Application Migration Service to migrate on-premises workloads to AWS.
Use Amazon CloudWatch to monitor the migration process.
Use AWS Database Migration Service to migrate on-premises workloads to AWS.
AWS Application Migration Service (MGN) is the primary migration service recommended for lift and shift migrations to AWS.
A gaming company needs a service that uses the AWS global network to optimize users’ access speed to their applications through an anycast static IP address. Which of the following services fits these criteria?
AWS Global Accelerator
Amazon ElastiCache
Amazon CloudFront
Amazon Route 53
AWS Global Accelerator
Amazon ElastiCache is incorrect because it cannot route user traffic to the optimal endpoint. ElastiCache is primarily used to improve web applications’ performance by allowing you to retrieve information from a fast, managed, in-memory system, instead of relying entirely on slower disk-based databases.
Amazon CloudFront is incorrect. Although CloudFront uses the AWS global network, this is best used for HTTP use cases and securing access over your endpoints. CloudFront uses Edge Locations to cache content while Global Accelerator uses Edge Locations to find an optimal pathway to the nearest regional endpoint. In addition, CloudFront is not capable of providing static Anycast IP addresses.
Amazon Route 53 is incorrect because it doesn’t use a static Anycast IP address to minimize the latency for end-users. Route 53 is a highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web service. Also, Route 53 is mainly used to translate specific domain names into their corresponding IP addresses.
Which of the following provides you the most granular data about your AWS costs and usage and can also load that information into Amazon Athena, Amazon Redshift, AWS QuickSight, or a tool of your choice?
AWS Budgets
AWS Cost Explorer
Consolidated Billing
AWS Cost and Usage report
The Cost and Usage Report is your one-stop-shop for accessing the most granular data about your AWS costs and usage.
Which type of Elastic Load Balancer supports path-based routing, host-based routing, and bi-directional communication channels using WebSockets?
Classic Load Balancer
Network Load Balancer
Application Load Balancer
Both Application Load Balancer and Network Load Balancer
Application Load Balancers support path-based routing, host-based routing, WebSockets, and containerized applications.
Which of the following is the most cost-effective AWS Support Plan to use if you need access to AWS Support API for programmatic case management?
Basic
Business
Developer
Enterprise
Business
Both Basic and Developer support plans are incorrect since these types do not have access to the AWS Support API.
Users from different parts of the globe are complaining about the slow performance of the newly launched photo-sharing website in loading their high-resolution images. Which combination of AWS services should you use to serve the files with lowest possible latency? (Select TWO.)
AWS Storage Gateway
Amazon Glacier
Amazon S3
Amazon CloudFront
Amazon Elastic File System
– Amazon S3
– Amazon CloudFront
AWS Storage Gateway is incorrect because this is just a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage in AWS.
Amazon Elastic File System is incorrect because this is not a suitable service to use to store static content unlike S3. It is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. In addition, you can’t directly connect it to CloudFront, unlike S3.
Amazon Glacier is incorrect because this is primarily used for data archival with usually a long data retrieval time. Like EFS, you can’t directly connect it to CloudFront either, unlike Amazon S3.
A company has enlisted the help of TDojo Consulting Co. to assist them in designing an AWS disaster recovery solution for their on-premises bare metal servers and SQL databases. The implementation has to be robust, fast, and simple to use. It should also prevent any type of data loss from occurring. The company would like to keep track of the status of the migration.
Which tool should the team adopt for the DR solution?
AWS Migration Hub
CloudEndure
AWS Database Migration Service
AWS Server Migration Service
CloudEndure Disaster Recovery is a tool that minimizes downtime and data loss by providing fast, reliable recovery of physical, virtual, and cloud-based servers into AWS Cloud.
AWS Server Migration Service is incorrect because this service cannot migrate bare metal servers. It is also not the best solution for this scenario, since we are not performing a migration.
AWS Database Migration Service is incorrect because this service cannot migrate bare metal servers. It is also not the best solution for this scenario, since we are not performing a migration.
AWS Migration Hub is incorrect because this service is for monitoring the state of your migrations. It does not handle disaster recovery.
Which of the following are the things that Amazon CloudWatch Logs can accomplish? (Select TWO.)
Create alarms that automatically stop, terminate, reboot, or recover your EC2 instances.
Record AWS Management Console actions and API calls.
Adjust the retention policy for each log group.
Store your log data at absolutely no charge.
Monitor application logs from Amazon EC2 Instances.
Monitor application logs from Amazon EC2 Instances.
Adjust the retention policy for each log group.
You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources.
The option that says: record AWS Management Console actions and API calls is incorrect because this refers to CloudTrail and not CloudWatch Logs.
The option that says: create alarms that automatically stop, terminate, reboot, or recover your EC2 instances is incorrect because this is actually a task that can be accomplished by CloudWatch Alarms.
The option that says: store your log data at absolutely no charge is incorrect because this service is not entirely free and you still have to pay for your usage.
Which AWS services should you use to store rapidly changing data with low read and write latencies? (Select TWO.)
Amazon RDS
Amazon AppStream 2.0
AWS Snowball
Amazon EBS
Amazon S3
Amazon EBS and Amazon RDS
Which service allows you to add powerful visual analysis feature to your applications that enables you to search, verify, and organize millions of images?
Amazon SageMaker
Amazon CloudSearch
Amazon Rekognition
Amazon Macie
Amazon Rekognition.
Amazon Macie is incorrect because it is a security service and not suitable for visual analysis. It uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
Amazon SageMaker is incorrect because this is a service that provides every developer and data scientist with the ability to build, train, and deploy machine learning models quickly in AWS.
Amazon CloudSearch is incorrect because this service is used to set up, manage, and scale a search solution for your website or application in AWS.
A new AWS customer needs to deploy up to 100 t3a.large EC2 instances on their recently launched VPC, which is way beyond the default service limit. What should they do so they can launch their additional instances?
Use AWS Trusted Advisor to increase the default service limits for EC2 instances.
Do nothing. You can directly launch 100 t3a.large EC2 instances at the same time since AWS will automatically increase your service limit for you.
Create a case in the AWS Support Center page and request a service limit increase.
Enable Enhanced Networking.
Create a case in the AWS Support Center page and request a service limit increase.
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources? (Select TWO.)
AWS Security Token Service (STS)
Amazon Aurora
Amazon RDS
Amazon S3
AWS Identity and Access Management (IAM)
– Amazon RDS
– Amazon Aurora
Which service does AWS use to notify you when AWS is experiencing events that may impact you?
AWS Personal Health Dashboard
AWS Service Health Dashboard
Amazon SNS
AWS Support Center
AWS Personal Health Dashboard
A company needs to troubleshoot an issue on their serverless application which is composed of an API Gateway, Lambda function, and a DynamoDB database. Which service should they use to trace user requests as they travel through their entire application?
AWS CloudTrail
Amazon CloudWatch
Amazon Inspector
AWS X-Ray
AWS X-Ray.
Amazon CloudWatch is incorrect. Although you can troubleshoot the issue by checking the logs, it is still better to use AWS X-Ray as it enables you to analyze and debug your serverless application more effectively.
Amazon Inspector is incorrect because this is primarily used for EC2 and not for Lambda.
AWS CloudTrail is incorrect because this will only enable you to track all API calls to your Lambda, DynamoDB, and SNS. It is still better to use AWS X-Ray to debug your application.
Which of the following cloud best practices reinforces the use of the Service-Oriented Architecture (SOA) design principle?
Implement elasticity.
Think parallel.
Design for failure.
Decouple your components.
Decouple your components
A customer currently has a Basic support plan and they are planning to use the Infrastructure Event Management, Well-Architected Reviews and Operations Reviews features in AWS. What should they do in order to access these features in the most cost-effective manner?
None since these features are already included in their Basic support plan.
Upgrade to Developer support plan.
Upgrade to Business support plan.
Upgrade to Enterprise support plan.
Upgrade to Enterprise support plan.
Which of the following should you use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication?
Amazon Cognito User Pool
Amazon Cognito Sync
Amazon Cognito Identity Pool
AWS Single Sign-On
Amazon Cognito Identity Pool.
Amazon Cognito User Pool is incorrect because a user pool is a user directory in Amazon Cognito. In addition, it doesn’t enable access to unauthenticated identities. You have to use an Identity Pool instead.
Amazon Cognito Sync is incorrect because this is a client library that enables cross-device syncing of application-related user data.
AWS Single Sign-On is incorrect because this service lets you centrally manage SSO access to multiple AWS accounts. It also does not allow any “guest” or unauthenticated access, unlike Amazon Cognito.
Which of the following is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
AWS Shield
Amazon GuardDuty
Amazon Macie
AWS WAF
Amazon GuardDuty
There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge. What can be done to prevent unauthorized deletion of your S3 objects?
Set your S3 buckets to private so that objects are not publicly readable/writable
Configure MFA delete on the S3 bucket.
Create access control policies so that only you can perform S3-related actions
Set up stricter IAM policies that will prevent users from deleting S3 objects
Configure MFA delete on the S3 bucket.
The option that says: Set up stricter IAM policies that will prevent users from deleting S3 objects is incorrect because you can prevent unwanted deletion by removing the permission from IAM Users. However, in this case, the issue is caused by unauthorized access to the account which had the capability of deleting objects. This will totally restrict the authorized users from deleting necessary objects.
The option that says: Create access control policies so that only you can perform S3-related actions is incorrect because this will not prevent unauthorized access to AWS accounts.
The option that says: Set your S3 buckets to private so that objects are not publicly readable/writable is incorrect because this is unrelated to the issue in this case.
Which of the following tasks fall under the sole responsibility of AWS based on the shared responsibility model?
Implementing IAM policies
Patch Management
Physical and environmental controls
Applying Amazon S3 bucket policies
Physical and environmental controls.
Implementing IAM policies and Applying Amazon S3 bucket policies are both incorrect because these are the responsibilities of the customer and not AWS.
Patch Management is incorrect because this is actually a shared control between AWS and the customer.
Which of the following are the best practices that can help secure your AWS resources using the AWS Identity and Access Management (IAM) service? (Select TWO.)
Grant most privilege.
Lock away your AWS account root user access keys.
Grant least privilege.
Use Bastion Hosts.
Use Inline Policies instead of Customer Managed Policies.
– Grant Least Privilege
– Lock away your AWS account root user access keys
Which of the following policies grant the necessary permissions required to access your Amazon S3 resources? (Select TWO.)
Bucket policies
Network access control policies
Object policies
Routing policies
User policies
– Bucket policies
– User policies
A space agency is using Amazon S3 to store their high-resolution satellite images and videos every day. Which of the following should they do to minimize the upload time?
Enable Cross-Origin Resource Sharing (CORS)
Use the Multipart upload API
Upload the images and videos using the BatchWriteItem API
Shift to S3 Intelligent-Tiering storage class
Use the Multipart Upload API.
The option that says: Use the BatchWriteItem API is incorrect because this is a DynamoDB API action and not S3.
The option that says: Shift to S3 Intelligent-Tiering storage class is incorrect because this is primarily used to optimize your storage costs automatically based on your data access patterns without performance impact or operational overhead.
The option that says: Enable Cross-Origin Resource Sharing (CORS) is incorrect because this is only applicable for client web applications that are loaded in one domain to interact with resources in a different domain.
Which of the following is a data transport solution that accelerates moving terabytes to petabytes of data into and out of AWS using appliances with on-board storage and compute capabilities?
AWS Snowcone
Lambda@Edge
AWS Snowball Edge
AWS Snowmobile
AWS Snowball Edge.
AWS Snowmobile is incorrect because this is primarily used to migrate tens of petabytes to exabytes of data in batches to the cloud.
AWS Snowcone is incorrect. Although it is a data transport solution like Snowball Edge, it is not suitable for moving terabytes to petabytes of data. Take note that the usable storage for Snowcone is only 8 TB.
Lambda@Edge is incorrect because this is just a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency
What is the most secure way to provide applications temporary access to your AWS resources?
Create an IAM policy that allows the application to access the resources, and attach the policy to the application
Create an IAM role and have the application assume the role
Create an IAM group that has access to the resources, and add the application there
Create an IAM user with access keys and assign it to the application
Create an IAM role and have the application assume the role.
The option that says: Create an IAM user with access keys and assign it to the application is incorrect because an IAM User is primarily used for long-term credentials, not for temporary access.
The option that says: Create an IAM group that has access to the resources, and add the application there is incorrect because an IAM Group does not provide temporary access credentials.
The option that says: Create an IAM policy that allows the application to access the resources, and attach the policy to the application is incorrect because IAM policies are not entities that have credentials in AWS.
Which of the following actions will AWS charge you for?
Network charges for the transfer of data from your data center to S3 through a VPN
Provisioning elastic IPs and attaching them to running EC2 instances
Setting up additional VPCs in your account
Transfer of EC2 files between two AWS Regions
Transfer of EC2 files between two AWS Regions.
The option that says: Network charges for the transfer of data from your data center to S3 through a VPN is incorrect because data coming in from your data center to AWS does not incur charges.
The option that says: Provisioning Elastic IPs and attaching them to running EC2 instances is incorrect because Elastic IPs are only charged if they are not attached to running instances.
The option that says: Setting up additional VPCs in your account is incorrect because VPCs are free to use in AWS.
A company wants to launch a Microsoft SQL Server database in AWS. The database instance should only be managed by the company’s DBA and must be accessible via RDP. A standard license for SQL Server is required but the company is not yet sure how much CPU and memory to allocate to the database.
Which option gives the most convenience and flexibility to determine the best database size while still being cost-effective?
Launch an Amazon Aurora database that runs MS SQL Server. Buy a Standard MSSQL license from the AWS License Manager service.
Use a Windows Server with SQL Server Standard bundled AMI so you won’t need to buy and manage your own license.
Launch an RDS instance that runs MS SQL Server Standard. Purchase a Standard MSSQL license and store it in the AWS Managed Services (AMS).
Launch an EC2 instance and install MS SQL Server. Purchase a Standard MSSQL license from Microsoft and apply it to the database you installed.
Use a Windows Server with SQL Server Standard bundled AMI so you won’t need to buy and manage your own license.
The option that says: Launch an EC2 instance and install MS SQL Server. Purchase a Standard MSSQL license from Microsoft and apply it to the database you installed is incorrect since this is not the most convenient method of launching an MS SQL Server in AWS. You typically use this solution if you already have a SQL Server license and you prefer to BYOL (bring your own license).
The option that says: Launch an RDS instance that runs MS SQL Server Standard. Purchase a Standard MSSQL license and store it in the AWS Managed Services (AMS) is incorrect. It is explicitly stated in the scenario that the database instance should only be managed by the company’s DBA and must be accessible via RDP. You cannot directly establish an RDP connection to an Amazon RDS database. In addition, Amazon RDS costs more than Amazon EC2 because the infrastructure is managed by AWS.
The option that says: Launch an Amazon Aurora database that runs MS SQL Server. Buy a Standard MSSQL license from the AWS License Manager service is incorrect since Amazon Aurora does not support MS SQL Server. Moreover, you cannot directly buy software licenses from the AWS License Manager service. This is just used to easily manage your software licenses from various vendors such as Microsoft, SAP, Oracle, and IBM across AWS and on-premises environments.
Which of the following is true regarding the Business support plan in AWS?
Provides a 1-hour response time support if your production system got impaired
Provides a 15-minute response time support if your business-critical system goes down
Provides a 15-minute response time support if your production system goes down
Provides a 1-hour response time support if your production system goes down
Provides a 1-hour response time support if your production system goes down.
The option that says: Provides a 15-minute response time support if your production system goes down is incorrect because the Business support plan only provides a 1-hour response time and not 15 minutes.
The option that says: Provides a 15-minute response time support if your business-critical system goes down is incorrect because this high level of support is only available for Enterprise support plan.
The option that says: Provides a 1-hour response time support if your production system got impaired is incorrect because the Business support plan only gives you a 4-hour response time and not an hour in the event that your production system got impaired.
Agility is one of the benefits of using cloud computing that provides customers with what advantage?
Allows you to trade capital expense for variable expense.
Avoid overprovisioning of your infrastructure to ensure you have enough capacity to handle your business operations at the peak level of activity.
Focus your valuable IT resources on developing applications that differentiate your business rather than managing infrastructure and data centers.
Easily deploy your application in multiple physical locations around the world with just a few clicks.
Focus your valuable IT resources on developing applications that differentiate your business rather than managing infrastructure and data centers.
Which of the following statements is true for AWS CloudTrail?
CloudTrail is disabled by default for newly created AWS accounts
When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default
CloudTrail charges you for every management event trail created
CloudTrail is able to capture application error logs from your EC2 instances
When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default.
The option that says: CloudTrail is disabled by default for newly created AWS accounts is incorrect because AWS CloudTrail is now enabled by default for ALL CUSTOMERS and will provide visibility into the past seven days of account activity without the need for you to configure a trail in the service to get started.
The option that says: CloudTrail is able to capture application error logs from your EC2 instances is incorrect because CloudTrail does not capture error logs from your EC2 instances. You may instead use CloudWatch Logs for this purpose.
The option that says: CloudTrail charges you for every management event trail created is incorrect because CloudTrail does not charge you for your first management trail, only for the additional management trails you create after the first one.
Which service lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers, or custom URIs?
AWS Trusted Advisor
Network ACLs
Security Group
AWS WAF
AWS WAF
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Which of the following best describes what an account alias is in IAM?
Your IAM root username
The name AWS assigns to your account
The numerical value of your account ID
A substitute for an account ID in the web address for your account
A substitute for an account ID in the web address for your account
A company is using Amazon S3 to store their static media contents such as photos and videos. Which of the following should you use to provide specific users access to the bucket?
SSH key
Security Group
Network Access Control List
Bucket Policy
Bucket Policy.
Security Group is incorrect because this is primarily used as a virtual firewall for your EC2 instances, and not S3 buckets, to control inbound and outbound traffic.
SSH key is incorrect because this is only used if you want to establish an SSH connection to your EC2 instances and not for S3 buckets.
Network Access Control List is incorrect because this is just an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. This has nothing to do with providing users access to your S3 bucket.
What is the best way to keep track of all activities made in your AWS account?
Set up MFA logging to know who is currently in your environment
Use Amazon CloudWatch Logs to log all activities
Create a multi-region trail in AWS CloudTrail
Use LDAP authentication on your AWS account
Create a multi-region trail in AWS CloudTrail.
Using Amazon CloudWatch Logs is incorrect since this service is not related to user actions in your account. CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.
Setting up MFA is incorrect because it will not tell you exactly who performed what in your AWS account.
Using LDAP authentication on your AWS account is incorrect because not all companies support it. Access logging can be done from the company’s side; however, this cannot capture the actions performed within the AWS account.
Which of the following is true if you store your data in AWS?
You are the owner of the data you store in AWS
AWS has the right to review any data stored for potential threats
All data are stored durably and redundantly in different AZs
Encryption is required for all data at rest and in transit
You are the owner of the data you store in AWS.
Which of the following security group rules are valid? (Select TWO.)
Outbound HTTPS rule with hostname as destination
Outbound MYSQL rule with IP address as source
Inbound HTTP rule with security group ID as source
Inbound TCP rule with instance ID as source
Inbound RDP rule with an address range as source
Inbound HTTP rule with security group ID as source and Inbound RDP rule with an address range as source.
Inbound TCP rule with instance ID as source and Outbound HTTPS rule with hostname as destination are both incorrect because Instance IDs or hostnames are not valid values.
Outbound MYSQL rule with IP address as source is incorrect because the source cannot be modified. Since it is outbound, you should specify the allowed destination instead.
Customer wants to further secure his network beyond security groups and network access control lists. Which of the services below can be used to provide the additional security features? (Select TWO.)
Amazon SQS
AWS WAF
AWS Key Management Service
Amazon GuardDuty
AWS Single Sign-On
– Amazon GuardDuty
– AWS WAF
Amazon SQS is incorrect because this is not a security service. This is a messaging service that allows you to decouple applications and provides more durability for your messages.
AWS Single Sign-On is incorrect because this service only allows you to centrally manage SSO access to multiple AWS accounts and business applications. SSO does not protect your network from potential security threats, but it does provide additional access security for your AWS account.
AWS KMS or Key Management Service is incorrect because this is a central repository for encryption keys in your account. It is not used to protect your network from potential security threats. KMS is useful if you have data that you need to encrypt, and you want a central location where you can manage your keys.
You noticed that you cannot reach one of your EC2 web servers behind an ELB whenever you enter the DNS name of your load balancer. Which of the following should you first check to gain more insight on the issue?
AWS Config
Amazon CloudWatch
AWS CloudTrail
ELB Health Check
This is verified by the ELB health checks that you can see in your ELB dashboard, which determines whether an instance is healthy or not.
Amazon CloudWatch is incorrect because this is just used to monitor your AWS resources and collect information in the form of logs, metrics, and events. Although this service can prove useful for investigation, it is not the first thing you should check in this scenario.
AWS CloudTrail is incorrect because this simply provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. Although this service can prove useful for investigation, it is not the first thing you should check in this scenario.
AWS Config is incorrect because it just continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. This service will not help you very much in your investigation of the issue.
Which of the following services allows you to purchase Reserved Instances? (Select TWO.)
AWS Elastic Beanstalk
AWS Batch
Amazon EKS
Amazon EC2
Amazon RDS
Amazon EC2 and RDS.
In which of the following occasions should you use the Amazon SQS in your application system? (Select TWO.)
When your application requires the use of industry-standard messaging protocols for message delivery
If you require a durable storage for your application events or messages
When you have to automate certain tasks in your workflow
If you need to decouple certain parts of your system for better fault tolerance
If you need to submit push notifications to your event subscribers
– If you need to decouple certain parts of your system for better fault tolerance
– If you require a durable storage for your application events or messages
Which of the following infrastructure correlates to a VPC’s subnet?
Availability zone
Region
Edge location
Server
Each subnet must reside entirely within one Availability Zone
How can you easily and securely copy your infrastructure to another AWS Region?
Take an EBS snapshot on all your storage devices and copy them to the new region
Create a golden AMI which you can use to redeploy your instances to the new region
Enable RDS multi-AZ to have a similar database instance running in the new region
Create a CloudFormation template and deploy it in the new region
Create a CloudFormation template and deploy it in the new region.
You wish to host a static website of your own in AWS at a low cost. Which service should be used for this purpose?
Amazon EC2
Amazon S3 Standard
Amazon Elastic Load Balancer
Amazon S3 Infrequent Access
Amazon S3 Standard.
Amazon EC2 is incorrect because using this will not be as cost-effective as using Amazon S3 Standard for static website hosting. This is because there are other costs to consider when using EC2 instances, such as EBS volumes.
You have a fleet of on-premises servers that require a centralized scalable and durable file storage. It should be able to support massive parallel access. Which of the following is the most appropriate service to use?
Amazon S3
Amazon Storage Gateway – File Gateway
Amazon EFS
Amazon Redshift
Amazon EFS is the correct answer.
Amazon S3 is incorrect. First, it is meant specifically for object storage, and second, EFS can serve a fleet of EC2 instances better than S3 as file storage.
Amazon Storage Gateway is incorrect because this service simply provides a file interface into Amazon Simple Storage Service (Amazon S3) and is a combination of a storage service and a virtual software appliance. This service is meant for local software hosted in your on-premises data center which requires a connection to S3. It is not meant to serve a fleet of EC2 instances.
Amazon Redshift is incorrect because this is a data warehousing service offered by AWS. It cannot be used for file storage.
Which of the following practices demonstrate operational excellence in AWS cloud? (Select TWO.)
Use serverless applications such as AWS Lambda
Perform monthly game days on your AWS environment
Monitor EC2 metric consumption and adjust the instance type accordingly
Launching your infrastructure manually via the Console
Deploy small, incremental changes to your production servers using AWS CodeDeploy
Deploy small, incremental changes to your production servers using AWS CodeDeploy and Perform monthly game days on your AWS environment.
The option that says: Launching your infrastructure manually via the console is incorrect because this is not a notable best practice under operational excellence. In the cloud, it is preferred to automate the majority of tasks to achieve predictable and consistent results.
The option that says: Using serverless applications such as AWS Lambda is incorrect because this is more of a design principle that focuses on performance efficiency and not operational excellence. Serverless is a very useful tool that steers away from traditional server management and lets you focus more on your applications and services.
The option that says: Monitoring EC2 consumption and adjusting your instance type accordingly is incorrect because this is more related to the performance efficiency pillar. Underprovisioned instances need to be scaled up to deliver better performance. Overprovisioned instances need to be scaled down to save on costs.
Your organization would like to boost productivity by improving business communication channels and customer service experience. Which of the following AWS applications would you suggest? (Select TWO.)
Amazon Connect
AWS Transfer Family
Amazon Chime
Amazon Workspaces
AWS Marketplace
– Amazon Chime
– Amazon Connect
AWS Transfer Family is incorrect because this tool is used for recurring business-to-business file transfers to Amazon S3 and Amazon EFS using SFTP, FTPS, and FTP protocols.
AWS Marketplace is incorrect because this is a sales channel for ISVs and Consulting Partners to sell their solutions to AWS customers.
Amazon Workspaces is incorrect because this is a fully managed desktop virtualization service for Windows and Linux, and is not related to business communications or customer service.
Which of the following is the most cost-effective service to use if you want to coordinate multiple AWS services into serverless workflows?
Amazon SWF
AWS Lambda
AWS Step Functions
AWS Batch
AWS Step Functions provides serverless orchestration for modern applications.
Amazon SWF is incorrect because it is just a fully-managed state tracker and task coordinator service. It does not provide serverless orchestration to multiple AWS resources.
AWS Lambda is incorrect because although this service is used for serverless computing, it does not provide a direct way to coordinate multiple AWS services into serverless workflows.
AWS Batch is incorrect because this is primarily used to efficiently run hundreds of thousands of batch computing jobs in AWS.
Which of the following should you set up in order to connect your AWS VPC network to your local network via an IPsec tunnel?
An on-premises NAT gateway device connected to your VPC’s Internet Gateway
A VPN gateway in your VPC connected to the Customer Gateway in your on-premises network
A NAT gateway in your private subnet connected to your on-premises network
VPC Peering connection between your on-premises network and VPC
An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC)
The option that says: VPC Peering connection between your on-premises network and VPC is incorrect because VPC Peering connects two different VPCs for inter-VPC communication. It does not connect your local network via IPsec VPN.
The option that says: A NAT gateway in your private subnet connected to your on-premises network is incorrect because a NAT Gateway is primarily used to allow EC2 instances launched in your private subnet to connect to the public Internet, while preventing external servers from initiating connections into the VPC.
The option that says: An on-premises NAT gateway device connected to your VPC’s Internet Gateway is incorrect because as mentioned above, a NAT Gateway is not a suitable service/network device to be used here.
Which of the following provides you access to Reserved Instance (RI) purchase recommendations based on your past usage and indicates potential opportunities for savings as compared to On-Demand usage?
AWS Budgets
AWS Cost Explorer
AWS Cost and Usage report
AWS Billing Dashboard
AWS Cost Explorer.
AWS Billing Dashboard, AWS Budgets, and AWS Cost and Usage report are all incorrect since these tools do not provide Reserved Instance (RI) purchase recommendations, unlike AWS Cost Explorer.
What service acts as a firewall for your EC2 instances?
VPC
Elastic Network Interface
Security Group
Network ACL
Security Group.
Which AWS service lets you provision either Windows or Linux desktops in just a few minutes and can scale easily to provide thousands of desktops to workers?
Amazon Workspaces
AWS Systems Manager
AWS Cloud9
AWS Organizations
Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution where you provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe.
AWS Cloud9 is incorrect because this is simply a cloud-based integrated development environment (IDE) that lets you write, run, and debug your code with just a browser. It includes a code editor, debugger, and terminal.
Which type of Elastic Load Balancer allows you to forward the incoming request to a target group with a Lambda function as a target?
Application Load Balancer
Network Load Balancer
Classic Load Balancer
Gateway Load Balancer
Application Load Balancer
Which of the following services allow you to mask downtime of your application by rerouting your traffic to healthy instances? (Select TWO.)
Amazon Route 53
AWS ELB
VPC Route tables
AWS App Mesh
AWS EC2 Auto Scaling
AWS ELB and Amazon Route 53 help mask downtime by redirecting traffic to your healthy instances and allowing failover to your secondary systems. This is achieved through a combination of different health checks, routing policies, and failover policies.
AWS EC2 Auto Scaling and VPC Route Tables do not help mask downtime by rerouting traffic to healthy backend servers.
How can your RDS production instances be more cost-effective when they will be used for a long period of time?
You can stop your RDS instances when idle to prevent AWS from charging you during this time
You can easily backup, terminate, and restore RDS instances when you need them
You can avail of reserved instances to get discounts on your instance costs
AWS does not charge you when your RDS is idle
Amazon RDS Reserved Instances give you the option to reserve a DB instance for a one- or three-year term and in turn receive a significant discount compared to the On-Demand Instance pricing for the DB instance.
The option that says: You can stop your RDS instances when idle to prevent AWS from charging you during this time is not the best way to save money as it entails more effort than required to do so. It is still better to opt for reserved instances for your RDS database cluster instead.
The option that says: You can easily backup, terminate, and restore RDS instances when you need them is not the best solution. There is too much effort involved.
The option that says: AWS does not charge you when your RDS is idle is incorrect. Idle time or not, once your RDS instance is running, AWS charges you for it.
You have a large number of log files that will be archived in AWS for a long time and should have a retrieval time of 12 hours or less. Which service is the most cost-effective storage class for this purpose?
Amazon S3 Glacier Deep Archive
Amazon S3 Standard-IA
Amazon S3 Glacier
Amazon EBS Cold HDD
S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice in a year.
Amazon S3 Standard-IA is incorrect because this costs more than Glacier and Glacier Deep Archive. This storage type takes into consideration that you will still need to retrieve your objects in a timely manner, although infrequently.
Amazon S3 Glacier is incorrect because the scenario already states that retrieval should be within 12 hours; Glacier Deep Archive is therefore a more cost-effective option than the Glacier class while still being able to retrieve the data within the mentioned timeframe.
Amazon EBS Cold HDD is incorrect because this is neither the best nor the cheapest choice for archival. You use Cold HDD if you have infrequent workloads that require consistent throughput. EBS volumes need to be attached to EC2 instances for you to have access to the files stored on them.