From Tests Flashcards

Question 1

Q

What networking components will allow IPv6 data to communicate between a VPC and the internet? [Select 2]

Direct Connect
Internet Gateway
NAT
Egress-Only Internet Gateway

Answer

A

Internet Gateway
Egress only

Only two components allow VPC to internet communication using IPv6 addresses and those are “Internet Gateways” and “Egress-Only Internet Gateways”. “NAT Instances” and “NAT Gateways” explicitly do not support IPv6 traffic and a “Direct Connection” carries data between a Data Centre and an AWS VPC, but does not travel over the Internet.

Question 2

Q

Which two things can you define using the Transforms section of the CloudFormation template?

To specify the use of the Serverless Application Model for Lambda deployments
To transform API responses to a supported format
To re-use code located in S3
To convert between YAML and JSON format templates

Answer

A

To specify the use of the Serverless Application Model for Lambda deployments
To re-use code located in S3

Question 3

Q

In an IAM policy, what action does IAM:PassRole relate to?

Passing a role to an AWS service to assign temporary permissions to the service
Passing a role to an IAM user
Passing a role to another AWS account
Associating a role with an EC2 instance

Answer

A

Passing a role to an AWS service to assign temporary permissions to the service
Passing a role to another AWS account

The IAM:PassRole allows any affected entity to pass roles to AWS services or Accounts, granting them permission to assume the role. The list of roles able to be passed on by an entity to other services or accounts can be restricted with the Resources element of the IAM policy statement.

Question 4

Q

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data and secrets management. Which of the following AWS services natively support the Parameter Store?

Answer

A

EC2, Lambda, CloudFormation

Question 5

Q

If you are using Memcached as your caching engine, what parameter should be adjusted if you find that the overhead pool is less than 50MB?

Answer

A

Memcached_Connections_Overhead

Question 6

Q

You are trying to copy a custom AMI which has been shared by another account. The AMI has been encrypted. What steps will you need to take to successfully copy the AMI?

Answer

A

The sharing account must share the underlying EBS snapshot as well as the original encryption key used to encrypt it. Copy the EBS snapshot and re-encrypt it using your own key, then register it as an AMI

Question 7

Q

You are trying to copy a shared AMI which has an associated billingProducts code. What are the correct steps?

Answer

A

Launch an EC2 instance using the shared AMI and create a new AMI from the instance

Question 8

Q

You have been asked to enable encryption at rest on your existing EFS file system. What should you do?

Answer

A

Explain that it is not possible to encrypt an existing EFS file system.

Question 9

Q

The security team have asked you to provide them with details of all the IAM users in your account and the status of their credentials including passwords, access keys and registered MFA devices. What is the best way to approach this?

Answer

A

Generate a credential report either using the AWS CLI or from the AWS console

Question 10

Q

What networking components will allow IPv6 data to communicate between a VPC and the internet?

Answer

A

Only two components allow VPC to internet communication using IPv6 addresses and those are “Internet Gateways” and “Egress-Only Internet Gateways”. “NAT Instances” and “NAT Gateways” explicitly do not support IPv6 traffic and a “Direct Connection” carries data between a Data Centre and an AWS VPC, but does not travel over the Internet.

Question 11

Q

Which of the following S3 operations are examples of bucket level actions?

Answer

A

CreateBucket,DeleteBucket,ListBucket

Question 12

Q

During a security audit your team has been asked by the auditor whether the Cloud allows for packet capture in the same way as a fiber tap can work in your old data center. What should you tell them?

Answer

A

Yes, VPC Traffic Mirroring supports direct access to the network packets flowing through your VPC by allowing you to mirror and forward them to another network interface in the same or another VPC in the same or another account

Amazon VPC traffic mirroring makes it easy for customers to replicate network traffic to and from an Amazon EC2 instance and forward it to out-of-band security and monitoring appliances for use-cases such as content inspection, threat monitoring, and troubleshooting

Question 13

Q

You are a security administrator for your company’s AWS account. You have enabled CloudTrail for all regions in your master account, and all API calls are centrally logged into an S3 bucket. You have downloaded those logs with the GetObject API call to perform some advanced analytics to inform a security policy. When you look at the CloudTrail activity, you notice that the API calls GetObject are not logged in CloudTrail. How would you troubleshoot this issue?

Answer

A

Logging data events is turned off by default. Configure S3 data events in CloudTrail trails.

Question 14

Q

An insurance company has a monolithic application hosted in an EC2 instance and a serverless application hosted in AWS Lambda. After a few months of running the application, the customers have raised multiple delays and performance issues from the applications. The Operations Engineer responsible has mentioned that the latency issues might have been caused by code-level performance issues and the Head of Operations has instructed the team to add code-level monitoring support. How can the team accomplish this?

Answer

A

Use AWS X-Ray for both the monolithic application code and the serverless application code.

Question 15

Q

You are a SysOps Administrator setting up a VPN connection between your on-premises data center and with AWS. You currently have an Amazon VPC setup with a Virtual Private Gateway. You have installed a customer gateway to your on-prem data center and router for your on-premises network is showing status OK. When you try to connect the EC2 instance in your Amazon VPC to a virtual machine in your data center it does not work. How should you set up the route table in the Amazon VPC?

Answer

A

Configure a route to the virtual private gateway.

Question 16

Q

You would like to run a Lambda function at the same time every night. Which of the following tools could you use to configure this?

Answer

A

Schedule an event in CloudWatch to trigger the function.

You can create rules that self-trigger on an automated schedule in CloudWatch Events using cron or rate expressions.

Question 17

Q

Which of the following is part of the failover process for a Multi-Availability Zone RDS instance

Answer

A

The DNS record for the RDS endpoint is changed from primary to standby.

Question 18

Q

The engineering team of a FinTech company has migrated their on-premise application to AWS and has decided to use AWS DynamoDB to store the records and a combination of EC2 instances and Lambda functions for the data processing requirements. The Chief Security Officer of the company has mandated that the DynamoDB table is accessed without the use of access keys and secrets. How can the engineering team accomplish this?

Create and associate IAM resource policies to the EC2 Instances. Create and associate IAM roles to the Lambda functions.
Create and associate IAM roles to the EC2 Instances. Create and associate Cognito roles to the Lambda functions.
Create and associate IAM roles to the EC2 Instances and Lambda functions.
Create and associate IAM roles to the EC2 Instances. Create and associate IAM resource policies to the Lambda functions.

Answer

A

Create and associate IAM roles to the EC2 Instances and Lambda functions.

IAM roles allow EC2 instances and similar resources such as Lambda functions to perform operations on other resources without the need for access keys and secrets.

Question 19

Q

Your Dev team in Ireland needs an AMI that was created in us-east-1. The Irish Dev team have a copy of the AMI and are attempting to use it to launch instances in eu-west-1, however they are unable to make it work. Which of the following is the most likely cause of the problem?

The Dev team does not have launch permissions to use the AMI to launch instances.
You cannot use AMIs created by a different account
The Dev team has failed to manually re-create the launch permissions.
The US based account which created the AMI has not shared it with the Ireland based account.

Answer

A

The Dev team has failed to manually re-create the launch permissions.

Copying a source AMI results in an identical but distinct target AMI with its own unique identifier. AWS does not copy launch permissions, user-defined tags, or Amazon S3 bucket permissions from the source AMI to the new AMI. After the copy operation is complete, you must apply launch permissions manually.

Question 20

Q

You need to create a new trail in AWS CloudTrail service. You want the new trail to capture all management events through AWS API or console. The trail should also capture the data events that are performed within the resources. Which types of resources can be configured in the trail for the data events? (Select TWO.)

S3 buckets.
EC2 EBS volumes.
Lambda Functions.
RDS instances
DynamoDB tables.

Answer

A

S3 buckets.

Lambda Functions

With CloudTrail, you can collect data events that happen within the resources of S3 or Lambda Function. Data events are disabled by default. You can explicitly add the supported resource types when configuring a trail.

Question 21

Q

You need to update the AMI in your EC2 Auto Scaling launch configuration. Which of the following statements are true? Select three.

Changing the launch configuration of an Auto Scaling group doesn’t affect existing instances.
Changing the launch configuration of an Auto Scaling group triggers existing instances to be relaunched using the new configuration.
The existing launch configuration cannot be modified so a new one must be created.
You can specify multiple launch configurations for an EC2 Auto Scaling group at a time.
The launch configuration can be modified freely so there is no need to create a new one.
You can only specify one launch configuration for an EC2 Auto Scaling group at a time.

Answer

A

Changing the launch configuration of an Auto Scaling group doesn’t affect existing instances.

The existing launch configuration cannot be modified so a new one must be created.

You can only specify one launch configuration for an EC2 Auto Scaling group at a time.

Question 22

Q

You are providing a storage solution for a customer. The customer requires a scalable, secure, and highly available network file system accessed by EC2 instances to support highly parallelized workloads and performance needs of big data and analytics. What AWS storage solution would you build for your customer?

Create an EFS file accessible by EC2 via mount targets in each Region. Control traffic flow between Amazon EFS and EC2 instances using NACLs.
Create an EFS file accessible by EC2 via mount targets in each Availability Zone. Control traffic flow between Amazon EFS and EC2 instances using NACLs.
Create an EFS file accessible by EC2 via mount targets in each Region. Control traffic flow between Amazon EFS and EC2 instances using security groups.
Create an EFS file accessible by EC2 via mount targets in each Availability Zone. Control traffic flow between Amazon EFS and EC2 instances using security groups.

Answer

A

Create an EFS file accessible by EC2 via mount targets in each Availability Zone. Control traffic flow between Amazon EFS and EC2 instances using security groups.

Question 23

Q

Which of the following distinguishes two CloudWatch metrics that are in the same
namespace and have the same name?
A. Timestamp
B. Data point
C. Dimension
D. Region

Answer

A

CloudWatch uses dimensions to identify metrics that have the same name and are
within the same namespace. Me

Question 24

Q

You update a CloudWatch metric with a timestamp of 10:00:30 and a value of 98.
You then update the same metric with a timestamp of 10:00:59 and a timestamp of 97.
Assuming the metric is a regular-resolution metric, what will CloudWatch do?
A. Record the first value and ignore the second value.
B. Record the second value and overwrite the first value.
C. Record both values.
D. Store the average of the two values.

Answer

A

B. CloudWatch can store regular-resolution metrics at no less than 1-minute resolution.
Therefore, updating a metric at 10:00:30 and then again at 10:00:59 will result in
CloudWatch storing only the second value.

Question 25

Q

A week ago, you created a CloudWatch alarm to monitor the CPUUtilization metric on
an EC2 instance. Yesterday, the alarm briefly entered an INSUFFICIENT_DATA state and
then went back to an OK state. What is a possible reason for this?
A. The alarm was paused.
B. The instance was terminated.
C. The CPU utilization went above the alarm threshold.
D. The instance was stopped and restarted.

Answer

A

D. The instance being stopped and restarted would explain the momentary lack of CPU
utilization data

Question 26

Q

Which of the following can you use to proactively alert you to possible excess resource
utilization in your AWS account?
A. CloudTrail
B. AWS Budgets
C. CloudWatch Events
D. Cost Explorer
E. AWS Config

Answer

A

B. AWS Budgets can alert you via email if your bill exceeds a specified amount—a good
indicator of excessive resource utilization

Question 27

Q

You’re running a relational database on an EC2 instance backed by an EBS gp2 volume.
Recently, as the frequency of writes to the database has increased, database performance
has suffered. CPU and memory utilization remain at less than 50%, even during peak
usage. Which of the following should you look at to determine where the bottleneck is?
A. Volume queue length
B. Network utilization
C. The number of EBS snapshots being stored
D. Provisioned IOPS

Answer

A

A. The volume queue length metric measures the total number of read and write
operation requests waiting for completion. If this has increased and remains high, it’s
a good indication that the volume isn’t able to sustain enough IOPS. Because it’s a gp2
volume, the number of IOPS depends on the size allocated for the volume

Question 28

Q

Which of the following Relational Database Service (RDS) instance classes offers
dedicated bandwidth for storage volumes?
A. Burst-capable
B. Memory-optimized
C. Standard
D. Network-optimized

Answer

A

. B. Memory-optimized instances have dedicated bandwidth for EBS storage. Standard
instances are not EBS optimized

Question 29

Q

If you enable automatic snapshots, how many days will RDS retain them by default?

Question 30

Q

. You’ve configured CloudTrail to log all management events in all regions. How long will
these logs be retained by default?

Answer

A

Indefinitely
CloudTrail logs can be stored in S3 buckets or CloudWatch Logs. By default, S3
and CloudWatch Logs don’t delete any files or logs automatically

Question 31

Q

You want to create an alarm to monitor the VolumeReadOps metric for an EBS volume.
The metric is stored with a 5-minute resolution. You need the alarm to trigger as soon as
the metric crosses a threshold. What period should you use?

Answer

A

B. The period should be greater than or equal to the resolution of the metric. In this case,
you want the alarm to trigger as soon as the metric crosses a threshold, so you should set
the period to 5 minutes

Question 32

Q

Four hours ago, you configured a CloudWatch alarm to monitor CPU utilization on an
EC2 instance, but today the alarm is in an INSUFFICIENT_DATA state. Which of the
following could explain this? (Choose two.)
A. The instance was restarted.
B. The instance is stopped.
C. The CPU utilization hasn’t crossed the alarm threshold.
D. The alarm period hasn’t elapsed yet

Answer

A

The instance is stopped.

The alarm period hasn’t elapsed yet.

Question 33

Q

You want to be alerted if the average CPU utilization of an instance exceeds 90% or if the
instance is stopped for more than 5 minutes. Which of will achieve this with
minimal effort?

Answer

A

Create a single alarm to monitor the CPUUtilization metric.

Configure the alarm to treat missing data as breaching.

Question 34

Q

You have an account limit of 10,000 customer master KMS keys. How many files can you
store using SSE-KMS encryption before having to request a limit increase?

Answer

A

There is no practical limit to the number of files you can store in S3. The KMS key
limit applies to the number of customer master keys, but you can use the same key to
encrypt each file in S3.

Question 35

Q

One DynamoDB read capacity unit (RCU) will allow you to read, per second, one item up
to what size? (Choose two.)
A. Anything between 1 and 8 KB using a strongly or eventually consistent read
B. 2 KB using a strongly consistent read
C. 4 KB using a strongly consistent read
D. 8 KB using an eventually consistent read

Answer

A

One RCU gets you a strongly consistent read per second of an item up to 4 KB in
size, or two weakly consistent reads per second of 4 KB each

Question 36

Q

Approximately how many in-flight messages can you have in a standard SQS queue?

Question 37

Q

Approximately how many in-flight messages can you have in a FIFO SQS queue?

Question 38

Q

Which of the following offers the lowest priced transfer up to 1 GB per month?
A. They are all the same.
B. S3 Standard
C. S3 One Zone-Infrequent Access
D. S3 Standard-Infrequent Access

Answer

A

S3 standard charges nothing for data transfer up to 1 GB per month. S3 One Zone-IA
and Standard-IA charge US$0.01 per GB.

Question 39

Q

Which is best for seeing how your AWS bill has changed over time?
A. Cost and Usage Reports
B. Cost Explorer
C. Budgets
D. Trusted Advisor

Answer

A

Cost Explorer lets you analyze your costs and usage for the preceding 13 months.

Question 40

Q

What’s the maximum number of AWS Budgets custom budgets you can create for free?

Question 41

Q

You’re running a set of applications in a single AWS region. You want to expand these
applications to an additional region but need to determine how much it will cost. Which can help you?

Answer

A

. Simple Monthly Calculator

Question 42

Q

(Monitoring)
. Your supervisor has asked you if there is a way to create reports with billing data so that
they can view billing by usage, or the cost per individual log group. What should you tell
your boss?
A. Yes. AWS allows you to get this information with detailed billing.
B. Yes. AWS allows you to get this information with basic billing.
C. No. AWS does not allow you to get this information.
D. No. AWS does not give you the ability to create reports in this way

Answer

A

A. Yes. AWS allows you to get this information with detailed billing.

Detailed billing was made available to AWS customers back in December 2016.
Detailed billing gives customers the ability to create reports to review usage in the AWS
account, or the cost associated with individual log groups. There’s no such thing as basic
billing

Question 43

Q

(Monitoring)
You are the system administrator in charge of getting your organization’s AWS
environment set up. You want to enable billing alerts, but when you log in with your IAM
account, you are unable to do so. Why can’t you create the billing alert?
A. Your IAM account doesn’t have the necessary permissions; you need more access.
B. You can’t set up billing alerts in AWS; you have to arrange them with your technical
account manager.
C. You need to be signed in with the AWS account’s root user credentials to enable
billing alerts.
D. It is not possible to set up billing alerts in AWS

Answer

A

To enable billing alerts, you must be logged in as the root user for the AWS account.

Question 44

Q

(Monitoring)
. What are the valid statuses you can get from the Amazon EC2 health checks? (Choose
two.)
A. Pass
B. Fail
C. OK
D. Impaired
E. Offline

Answer

A

When a health check is run on an Amazon EC2 instance, you can get types of
statuses. OK means that all of the health checks have passed. If any of the health checks
fail, then the status displayed is Impaired.

Question 45

Q

(Monitoring)

You don’t like the status checks and the alerting done from the status checks that exist on
Amazon EC2. You want to disable the status checks in favor of another solution. How can
you disable the Amazon EC2 status checks?

A. You can disable them by turning off the monitoring in the Amazon EC2 instance.
B. You can disable them by installing the Amazon CloudWatch Logs agent and then
disabling them through the agent.
C. You can’t disable them; they are part of Amazon EC2.
D. You can’t disable them; they are part of Amazon EC2. You can disable the alerts that
trigger off of the status checks.

Answer

A

As the status checks themselves are a part of the Amazon EC2 instances, you can’t
disable them. You can, however, disable the CloudWatch alarms that utilize the status
checks to trigger.

Question 46

Q

(Monitoring)

How long are statistics retained in Amazon CloudWatch?

A. 6 months
B. 12 months
C. 15 months
D. 30 months

Answer

A

15 months

Question 47

Q

(Monitoring)

Your security team has mandated that you need to avoid using service accounts unless
absolutely necessary because of the overhead in managing password rotation. You want to
deploy the Amazon CloudWatch Logs agent. What could you use to authenticate the agent
that is not a service account?

A. Access keys
B. AWS IAM
C. Active Directory
D. There isn’t any option other than a service account

Answer

A

You can use access keys to authenticate the Amazon CloudWatch Logs agent instead
of a username and password.

As the access key is still tied to a username, you may want
to check with your security team that it meets their criteria. While access keys are created
in AWS IAM, AWS IAM is not a granular enough response to satisfy this question. While
you can link your Active Directory environment to AWS, this is still not getting away
from the need for service accounts.

Question 48

Q

(Monitoring)

How would you set a custom metric to use high resolution?

A. Set MetricResolution to 1 using the PutMetricRequest API.
B. Set StorageRetention to 1 using the PutMetricRequest API.
C. Set StorageResolution to 1 using the PutMetricRequest API.
D. Set MetricRetention to 1 using the PutMetricRequest API.

Answer

A

Set StorageResolution to 1 using the PutMetricRequest API.

Question 49

Q

(Monitoring)

Your boss wants to use high-resolution metrics because they want to be able to get data
every 15 seconds. They are concerned about additional cost from using high-resolution
metrics. What should you tell your boss?

A. High-resolution metrics are more expensive.
B. High-resolution metrics are less expensive.
C. High-resolution metrics cost the same as standard.
D. You can’t do 15-second periods with high resolution.

Answer

A

High-resolution metrics don’t cost any more or any less than standard-resolution
metrics. You can do 1-, 5-, 10-, 15-, 30-, and 60-second intervals with high resolution.

Question 50

Q

(Monitoring)

You work for a financial institution and you need to parse your log data for account
numbers. You have a regex query built that has been used in other solutions. How can you
parse your log data for the regex that will find account numbers?

A. Amazon CloudWatch Metric Filters
B. AWS Management Console
C. Amazon CloudWatch
D. Amazon Kinesis

Answer

A

Amazon Kinesis allows you to connect your log stream and process the logs using the
regex that you wanted to search on. Amazon CloudWatch Metric Filters do not support
regex. Neither Amazon CloudWatch nor the AWS Management Console give you the
ability to search by regex

Question 51

Q

(Monitoring)

You want to ensure that AWS Config is enabled for all three regions that your
organization is using. How would you enable AWS Config for all three regions?

A. It is automatically enabled for all regions.
B. You need to enable it once for all regions.
C. You need to enable it once per region.
D. You can’t use AWS Config for that many regions.

Answer

A

C. AWS Config is not enabled by default. You need to enable it once per region for any
region you want to have monitored.

Question 52

Q

(Monitoring)

You currently have 145 individual AWS Config rules built for your organization’s
environment. You need to make 10 more rules for new criteria that your legal team wants
you to monitor for. Will you be able to create 10 more rules?

A. Yes, you can create unlimited rules.
B. Yes, but you will need to request an increase on the limit from AWS.
C. No, because you can’t have more than 150 rules.
D. No, because you can’t add more rules.

Answer

A

B. Yes, but you will need to request an increase on the limit from AWS.

With AWS Config, you are limited to 150 rules

Question 53

Q

(Monitoring)

Your boss wants you to set up a periodic rule in AWS Config, and they want it to run
every 6 hours. How should you respond to this request?

A. Set up the periodic rule for 3 hours because you can’t set it to 6.
B. Set up the periodic rule to run every 6 hours.
C. Set up the periodic rule to run every 12 hours because you can’t set it to 6.
D. Tell your boss that AWS Config can only do change-triggered rules.

Answer

A

You can set periodic rules to run every 1, 3, 6, 12, or 24 hours. So your response
should be to set up the rule to run every 6 hours.

Question 54

Q

(Monitoring)

You have AWS Config configured in your AWS account. You have added a security group
to an Amazon EC2 instance. Which resources will have changes recorded in AWS Config?

A. Amazon EC2 instance
B. The security group
C. Primary resource and related resources
D. All of these

Answer

A

D. When you add a security group to an Amazon EC2 instance, AWS Config records
changes for the Amazon EC2 instance, the security group, primary resources, and related
resources.

Question 55

Q

(Monitoring)

Your Operations Center team would like to know what kinds of things AWS Config can
record. What should you include in your response?

A. All of the following options
B. OS patches
C. Application installations
D. Network configuration

Answer

A

A. You can tell your Operations Center team that AWS Config can record OS patches,
application installations, network configurations, and really any change that is made to
the systems.

Question 56

Q

(Monitoring)

You have a new person in Accounting who is in charge of paying for your AWS account
charges. They have asked you if there is a way to see what the charges are so far. Where
should you tell them to go?

A. AWS Budgets
B. AWS Management Console
C. AWS Billing and Cost Management Dashboard
D. AWS Trusted Advisor

Answer

A

C. The AWS Billing and Cost Management Dashboard will allow them to monitor what
the current spend is now and even sort by service.

Question 57

Q

(Monitoring)

Your accounting department likes the view that the Billing and Cost Management
Dashboard gives them, but they don’t want to have to go to each individual AWS account
to view billing for the entire organization. What should you implement to allow them to
view billing for the entire organization?

A. AWS Trusted Advisor
B. AWS Organizations
C. AWS Management Console
D. AWS Budgets

Answer

A

B. AWS Organizations allows your accounting department to view billing and cost
information for all of the AWS accounts in your organization.

Question 58

Q

(Monitoring)

Your boss wants to view the current amount due on your AWS account. Where should you
tell your boss to look?

A. AWS Management Console
B. AWS Trusted Advisor
C. AWS Budgets
D. AWS Cost Explore

Answer

A

D. AWS Cost Explorer monitors the current amount due on your AWS account

Question 59

Q

(Monitoring)

Your security department wants to know which processes are running on open ports.
How can you give them this information? (Choose two.)

A. Run a scan from Amazon Inspector.
B. Run a scan with Amazon GuardDuty.
C. Use AWS WAF.
D. Install the Amazon Inspector agent

Answer

A

Install the Amazon Inspector agent.

Run a scan from Amazon Inspector.

Question 60

Q

(Monitoring)

You have been asked to create your own rules packages for Amazon Inspector assessment
templates to use. How do you create a rules package?
A. You can’t create rules packages.
B. Create the rules package inside of the Amazon Inspector Dashboard.
C. Create the rules package inside of the AWS Config Dashboard.
D. Create the rules package inside of the AWS Systems Manager Dashboard.

Answer

A

A. Only the rules provided by AWS are allowed to be used for assessment runs, so you
can’t create rules packages.

Question 61

Q

(Monitoring)

What is the benefit of the Run Command in AWS Systems Manager?

A. Provides console access to the system without the need for remote access ports to be
open
B. Provides console access to Linux hosts via SSH
C. Provides automation of tasks so long as remote access ports are open
D. Provides automation of tasks without the need for remote access

Answer

A

D. The Run Command provides a way to automate common administrative tasks without
the need for remote access provided by opening up SSH or RDP or by using bastion
hosts

Question 62

Q

(Monitoring)

What is the benefit of the Session Manager in AWS Systems Manager?

A. Allows remote console sessions via an interactive web browser with no need to open
inbound ports
B. Allows remote console sessions via an interactive web browser once the necessary
ports are open
C. Allows configuration management and tracking
D. Allows management of APIs

Answer

A

A. Session Manager within AWS Systems Manager allows remote console sessions via an
interactive web browser with no need to open inbound ports or use bastion hosts to access
your systems

Question 63

Q

(Monitoring)

What is the benefit of the Patch Manager in AWS Systems Manager?

A. Patch management and reporting for Windows systems only
B. Patch management and reporting for Linux systems only
C. Patch management and reporting for AWS systems only
D. Patch management and reporting for on-prem and AWS systems

Answer

A

D. AWS Systems Manager Patch Manager provides patch management and reporting for
both Linux and Windows systems on-prem and in the cloud.

Question 64

Q

(Monitoring)

What is the benefit of the State Manager in AWS Systems Manager?

A. Backs up system state for on-prem and AWS resources
B. Backs up system state for AWS resources only
C. Provides configuration management for on-prem and AWS resources
D. Provides configuration management for AWS resources only

Answer

A

C. Provides configuration management for on-prem and AWS resources

Answer 61

A

B. With Amazon Athena, you can query data across a multitude of AWS services,
including AWS CloudTrail, Amazon CloudFront, Elastic Load Balancer, Amazon Virtual
Private Cloud, Amazon CloudFormation, AWS Glue Data Catalog, Amazon QuickSight,
and IAM

Answer 62

A

A. Amazon GuardDuty not only identifies threats on your network, it can automatically
respond to those threats as well

Identifying stale user accounts or users/groups with
excessive permissions is something that should be done by your IAM team, utilizing AWS
IAM.

Automated security assessments are performed by Amazon Inspector.

Answer 63

A

Amazon GuardDuty can support multiple AWS accounts, giving visibility across your
enterprise

Answer 64

A

A. Scaling events can be triggered by schedule. The schedule is not created in Amazon
CloudWatch, and you don’t need an alarm from Amazon CloudWatch to scale.

Answer 65

A

B. If minimum capacity is set to 0 and there is no load, then it is entirely possible for you
to have 0 instances.
If you leave desired capacity blank, then the minimum capacity is
used.
If maximum capacity is set to 1, then your Auto Scaling group can have up to one
EC2 instance.
If autoscaling wasn’t available in your region, you wouldn’t have been able
to set up your ASG in the first place

Answer 66

A

B. Since you need to avoid downtime, your best option is to manually terminate the
old instances so they are relaunched using the new launch configuration. This allows
you to control how many instances are offline and avoid downtime.

If you set the desired
capacity to zero, you may cause an outage, so this would not be a great solution if the
most important factor is to avoid an outage.

You can’t set the launch configuration per
instance.

Since you need to refresh your instances now, waiting for them to age out is not
a good solution.

Answer 67

A

A. Launch templates use versioning to track changes. You can’t enable versioning on
launch configurations directly. Manually numbering launch configurations is not easily
scalable and would be error prone

Answer 68

A

B. There are five different ways to subscribe to an SNS topic. They are:

AWS Lambda,
Amazon Simple Queue Service (SQS)
HTTP and HTTPS,
email,
SMS text.

Answer 69

A

C. You can’t use the same function because AWS Lambda is based on region.
You can,
however, copy the function to the other region

Answer 70

A

C. Host-based routing will allow you to route traffic based in the domain name in the
request. Content-based routing routes traffic based on the content of the request. Pathbased routing will route traffic based on the URL path that is in the HTTP header.

Answer 71

A

B. Path-based routing will route traffic based on the URL path that is in the HTTP
header. Host-based routing will allow you to route traffic based in the domain name in
the request. Content-based routing routes traffic based on the content of the request.

Answer 72

A

The user data field can be used in conjunction with Auto Scaling groups to configure
your EC2 instances.

Answer 73

A

B. One of the most common use cases for a template parameter in CloudFormation is to
specify the instance type and size at the time of creation

Answer 74

A

aws cloudformation create-stack.

Answer 75

A

D. Elastic Beanstalk supports multiple languages, including
Go
Java,
.NET, 
Node.js,
PHP, 
Python,
Ruby.

It also supports Docker web applications.

Answer 76

A

C. By using rolling with additional batch, you ensure that you are operating at full
capacity, which will not impact performance as the supervisor requested. Rolling with
additional batch is a less expensive option than immutable as you are only spinning
up instances to cover the systems that are being taken offline as opposed to all of the
instances as you would do if immutable was being used.

Answer 77

A

B. Since the application will not suffer at 50% capacity later in the evening and your
supervisor wants to keep costs down, rolling is the best option. Since no new instances are
provisioned, this keeps the cost down, and you can specify that only 50% of the instances
are getting updated at any point in time.

Answer 78

A

A. Since this is a development environment and it is considered acceptable to have
downtime, all at once is the best deployment policy. It is the fastest method, and the cost
is kept down since no new instances are spun up.

Answer 79

A

B. If a health check URL is not configured, then instances are marked as healthy as soon
as they accept a TCP connection. The services the application relies on may not be up and
responding by then. It is unlikely that instances are being marked healthy incorrectly. If
the application has issues, it wouldn’t start working after a slightly longer time frame; this
appears to be an issue of dependencies not being met.

Answer 80

A

A. The command that is being used requires the Elastic Beanstalk CLI to be installed.

Answer 81

A

B. Each AWS account can have a total of 40 database instances. To be able to go over the
40, which is a soft limit, you would need to contact AWS and request that the limit be
raised.

Answer 82

A

B. If you are using MySQL in Amazon RDS, then you may only have five read replicas at
any time.

In this case, five read replicas is not a soft limit,
so you can’t request a limit increase.

Answer 83

A

C. In general, it is a bad idea to disable automatic backups. One of the few exceptions
is when you are loading a large amount of data.

Answer 84

A

B. When using Amazon ECS, you can use container registries inside of AWS and outside
of AWS. So you could use your existing container registry in Docker Hub, and in fact
Docker Hub is used by default

Answer 85

A

C. AWS Batch uses containers to execute batch jobs. To take advantage of AWS Batch,
you must install the Amazon ECS (Elastic Container Service) Agent on your compute
resources.

Answer 86

A

A. Occasionally a reboot is needed after granting permissions to the user accounts so that
they can access the Docker daemon without sudo

Answer 87

A

D. You would need to enable VPC peering on the Lightsail account page, and from there
Lightsail will configure everything for you.

Answer 88

A

A, D. With EBS volumes, you have a choice between either client-level encryption, which
is done by the operating system, or volume-level encryption, which is managed by AWS

Answer 89

A

B, D. Amazon S3 buckets can be either virtual-hosted-style or path-style.

Virtual-hostedstyle includes the bucket name as part of the domain name in the URL.

Using path-style,
the bucket name is not part of the domain name in the URL. The other two options were
made up for this question.

Answer 90

A

B. While the snapshots are stored in Amazon S3, they are not directly accessible. You
must use the Amazon EC2 API to work with the snapshots.

Answer 91

A

C. AWS DataSync is built for this use case. It allows you to sync your existing filesystems
with your Amazon EFS filesystem and can work over the Internet or via an AWS Direct
Connect/AWS VPN connection.

Answer 92

A

In Amazon EFS, these are called age-off policies

Expiration policies are used in Amazon S3.

Answer 93

A

B. Files smaller than 128 KB in size will not be moved by Amazon EFS Lifecycle
Managemen

Answer 94

A

B, C. VPC security groups can be used to specify which systems or IP ranges are allowed
to access your file shares. IAM policies can be applied to the filesystem.

Answer 95

A

C. Amazon EFS Access Points allow you to use an operating system user or group to
access a particular shared directory as their root directory. You can further enforce this
by adding an IAM policy on to the access point.

Answer 96

A

B. SSE-C allows you to maintain control over your keys while still allowing Amazon S3
to handle the actual encryption process. This simplifies administration as you don’t need
to implement a client-side encryption library; you can instead leverage the tools provided
by AWS

Answer 97

A

D. The Amazon S3 Encryption client allows you to maintain control of your keys and
take advantage of client-side encryption libraries.

Answer 98

A

A. By default, you have access to AWS Shield Standard. You can pay to upgrade to AWS
Shield Advanced if desired. AWS Shield provides protection from DDoS attacks.

Answer 99

A

C. You should set up an CNAME record with your domain name and point it to the
CloudFront distribution address

Answer 100

A

D. Amazon S3 notifications can be tied into Amazon SNS, Amazon SQS, or AWS
Lambda. Amazon CloudWatch does not have the same level of integration into S3 that the
other three do.

Answer 101

A

C. Amazon S3 doesn’t put a limit on file size, but Amazon CloudFront has a limit for
single files, which is 20 GB. That would explain why you can upload the file to Amazon
S3 with no issue and why it is not being delivered by Amazon CloudFront.

Answer 102

A

. B. To prepare your source host to transfer data to the AWS Snowball device, you will
need to install the AWS Snowball client. This handles the encryption and compression of
the data as well as the transfer to the AWS Snowball device

Answer 103

A

C. AWS Snowball data is encrypted with a key stored in AWS KMS.

The best answer to give them is that the data on the AWS Snowball device is encrypted
with an AES-256 bit key and that the private key is not stored on the AWS Snowball
device, it is managed by AWS KMS.

Answer 104

A

A. To set up AWS Snowball, you need the AWS Snowball client as well as the job manifest
file and the job manifest unlock code. There is no unlock code for the AWS Snowball
client.

Answer 105

A

B, C. To safeguard your data in Amazon EFS, you can use the AWS Backup Service or
the EFS-to-EFS backup solution. Enabling lifecycle management doesn’t safeguard data; it
simply helps reduce cost. EFS-to-S3 backup doesn’t exist.

Answer 106

A

A. Data at rest in Amazon EFS is protected by AWS KMS if you create the filesystem to
use encryption.

Answer 107

A

D. Data in transit from and to Amazon EFS is automatically encrypted, and the keys are
managed by Amazon EFS.

Answer 108

A

D. The customer master key (CMK) must be in an enabled state or the users will not have
access to the contents of the filesystem. The process is seamless to users; they don’t need
to know how to decrypt data

Answer 109

A

D. From the moment the automatic rotation of keys is enabled, the key will be rotated
every 365 days.

Answer 110

A

B. The action s3:DeleteObjectVersion deletes a file, regardless of whether versioning
is enabled. s3:PutObject creates a file. s3:DeleteObject and s3:RemoveObject aren’t
valid actions.

Answer 111

A

D. The condition operator DateLessThan returns true if the date and time at policy
evaluation precedes the date and time specified in the key’s value. In this case, the value
is 2021-01-01T00:00:00Z, which is the ISO 8601 representation of January 1, 2021 at
0:00 Universal Coordinated Time (UTC). The aws:CurrentTime key requires the time
to be specified in ISO 8601 format.

DateBefore is not a valid condition operator

The
aws:epochTime key requires the time to be specified in Unix epoch time.

Answer 112

A

C. The Condition element is not required in a resource-based policy. The other elements
are required.

Answer 113

A

Import an AWS managed policy.
Use the AWS CLI to import a JSON policy document.
Use the Visual editor in the AWS Management Console.

A, B, C. To create a new IAM policy, you can import it from an AWS managed policy,
import an existing policy document using either the AWS CLI or the AWS Management
Console, or use the Visual editor to create a policy from scratch. You can’t import a policy
document from an S3 bucket. When you create an IAM user, it has no default policy
attached

Answer 114

A

D. NACLs are stateless and require an outbound rule to explicitly allow return traffic on
an ephemeral port. Because the ephemeral port range varies by operating system, creating
an outbound NACL rule allowing all traffic is sufficient. Security groups are stateful and
thus don’t require an explicit outbound rule to permit return traffic.

Answer 115

A

C. Cognito allows you to grant application users temporary access to services in your
AWS account.

Answer 116

A

A, B. STS provides short-term credentials consisting of an unencrypted access key ID, a
secret access key, and a token.

Answer 117

A

C. You can attach up to 10 managed policies to an IAM principal.

Answer 118

A

C. The maximum session duration for a role is 12 hours. The minimum can be as little as
15 minutes.

Answer 119

A

B. The default credential lifetime for an IAM role is 1 hour.

Answer 120

A

C, D. Because users already have department tags, the easiest way to grant them access
according to their tags is to create a single managed policy and use the Condition policy
element. For example, including the following element under a policy statement would
apply the permissions in the statement only to those with a department tag with a value
of marketing:
“Condition”:{“StringEquals”: {“aws:ResourceTag/department”: “marketing”}}

Answer 121

A

A, B. Terminating the instance and launching a new one is a valid next step. Logging into
the instance using SSM Session Manager is also a possibility. Importing an existing SSH
key pair into the instance is an option only after you’ve gained access to the instance. You
can’t RDP into an Amazon Linux 2 instanc

Answer 122

A

B. Because KMS generates and stores the contents of the master key and doesn’t allow
customers to ever see it, AWS is solely responsible for protecting it from release.

Answer 123

A

A, B. Once you schedule a key deletion you can’t use the key during the waiting period.
And once the key is deleted, any data encrypted using it will be permanently lost. KMS
doesn’t prevent the deletion just because an AWS service is using the key. You can cancel a
scheduled deletion.

Answer 124

A

A, B. Enabling automatic key rotation will cause KMS to annually rotate the keys that it
generated.
You must manually rotate imported keys, which entails creating new ones and
updating the applications to point to them.

Aliases make this process easier. Instead of
updating the application to reference the key by its ARN or key ID, you reference the key
by its alias. You then update the key’s alias to point to the new key’s ID.

Answer 125

A

B. A disabled key can’t be rotated automatically. Manually rotating a key requires
creating a new key and using it in place of the original one, and disabling the original key
has no effect on this process. A disabled key can be deleted. Disabling a customer master
key doesn’t delete any data key

Answer 126

A

C. 99.95 percent

Answer 127

A

A, C. ACM will automatically renew a public certificate if two conditions are met:
First, the certificate must be associated with an AWS service such as an application load
balancer. Second, ACM must be able to validate domain ownership using email or DNS
validation. Email validation is only good for 825 days, but DNS validation will remain
valid as long as the appropriate records exist in the domain’s DNS.

Answer 128

A

D. Because ACM is a regional service, you’d have to create a new certificate in the other
region

Answer 129

A

A, B, E. There are three possible causes:
First, the user may have IAM permissions
boundaries set that prevent access to KMS or S3.

Second, the S3 bucket policy may not
grant the user access to any objects in the bucket.

Finally, the key policy may not allow
the user to use the key.

There’s no such thing as an object policy. The settings in the user’s
IAM policy permissions are correct according to the question.

Answer 130

A

B. AWS owned CMKs are used by multiple AWS customers. AWS managed CMKs and
customer managed CMKs are for use by only one customer. There’s no such thing as a
data CMK.

Answer 131

A

B. Usage of KMS keys, whether they’re in a custom store or the default key store, are
tracked in CloudTrail logs.

Answer 132

A

A, B.

KMS custom key stores use CloudHSM in different availability zones.
Alternatively,
you could create your own CloudHSM cluster in multiple availability zones.

Using
multiple regions wouldn’t provide redundancy for keys since keys are specific to a region.
Storing duplicate keys wouldn’t necessarily provide high availability if the keys are stored
in a CloudHSM cluster in just one availability zone.

Answer 133

A

B. You can’t assume an IAM role while operating as the root user. You must use an IAM
user instead. There is no CLI session limit, the root user credentials can be used with the
CLI, and the root user has full access to all AWS services.

Answer 134

A

C, D. A trust policy is a resource-based policy and therefore does require specifying a
principal.

Answer 135

A

B. The principal can’t be a wildcard in a trust policy. It can be an AWS service or a
principal in the same account or another account. The effect in a trust policy statement
can be Allow or Deny

Answer 136

A

C. EC2 throttles outbound traffic on TCP port 25, the port commonly used for the
Simple Mail Transfer Protocol (SMTP). Only the root user can make a request to have this
throttle removed

Answer 137

A

A. DynamoDB server-side and KMS encryption encrypts the entire table. If you want to
encrypt only a subset of the table, such encryption must take place outside of DynamoDB.

Answer 138

A

B. Because resource-based policies apply to a resource, they can restrict the access of
users who don’t have an AWS account, such as anonymous users. Resource-based policies
are not necessarily more restrictive, they can’t be used to restrict the root user, and they
don’t replace identity-based policies.

Answer 139

A

C. The canonical user ID is a 64-character string that can be used to identify an AWS
account in an S3 bucket policy.

Creating an IAM role and providing the ARN would
permit the vendor to grant that role access, but they’d still need either your AWS account
number or canonical user ID.

Answer 140

A

D. All regions support Signature version 4.

Answer 141

A

B. The signing key is used to sign requests. The secret access key is used to create a
signing key, which is valid for up to 7 days.

Answer 142

A

D. The command aws s3api list-buckets is the only one that will list the canonical
user ID

Answer 143

A

B, D. CodeDeploy deploys EC2/on-premises applications from an S3 bucket, so the
instances need access to list and get buckets and files from S3.

They don’t need access to
the CodeDeploy or Auto Scaling services.

Answer 144

A

A, D.
You can set a password policy to enforce password expiration and require an
administrator to reset expired passwords

A policy can’t require MFA or set a maximum
length

Answer 145

A

A. IAM doesn’t offer lockout policies that lock out a user after a number of failed login
attempts

Answer 146

A

B. A token obtained from a regional STS endpoint is valid in all regions.

Answer 147

A

A, D. Once a region is disabled, EC2 instances running in it continue to incur charges.
You can’t make changes to resources in a disabled region.

You need to enable the region
and then terminate the EC2 instances. STS has no bearing on whether the region is
enabled or disabled.

Answer 148

A

B. Cognito can create IAM roles to define permissions for users. STS provides temporary
credentials in exchange for a Cognito token but doesn’t control user permissions. OpenID
Connect is an authentication framework used by some identity providers.

Answer 149

A

A, C. You can grant only specific users access to change their password by creating
and applying an identity-based policy that grants them permission to perform the
iam:ChangePassword action against their own IAM user resource, which is specified by
its ARN in the format arn:aws:iam::account-id:user/${aws:username}. A password
policy allowing users to change their own passwords would apply to all users. It’s not
possible to implement a password policy requiring users to create a random password, and
even if it were, it wouldn’t be necessary for allowing users to change their own passwords

Answer 150

A

B. When assuming a role, you can specify a managed session policy to restrict the
permissions granted to the session.

Access control policies apply only to cross-account
access.

An IAM permissions boundary is an identity-based policy, which in this case
would apply to the role and hence would impact every application that assumes the role.

There’s no such thing as a session control policy.

Answer 151

A

B. You would need to specify the excepted instance as NotResource. There’s no need to
use the NotAction element. You can’t use Condition to specify an instance. Principal and
NotPrincipal have no effect in an identity-based policy.

Answer 152

A

B. AssumeRole and GetSessionToken are the only actions that support MFA.

Answer 153

A

C, D.
Configuring ELB health checks to monitor the web service and then using that
health check in the Auto Scaling group will ensure that any instance on which the web
service fails will be replaced.

Using an EC2 health check will only look at the system
status and instance status, but not the status of the web service. There is no UDP health
check.

Answer 154

A

A, D.

A simple basic resource record or a multivalue answer resource record without
a health check will always return the public IP address of the instance.

A simple alias
resource record can’t point directly to an instance.
A simple resource record doesn’t use
health checks.

Answer 155

A

B, D.
Simply giving the instances a public IP address and permitting inbound HTTPS
access is sufficient and requires minimal effort. Using a VPN is a possibility but would
require implementing NAT to overcome the IP addressing conflicts and would entail a lot
more effort.

Answer 156

A

A. An elastic network interface must have only one primary private IP address.
It can
have a secondary private IP address, but it must be from the same subnet as the primary.

An ENI can be associated with multiple elastic IP addresses.
It doesn’t have to be attached
to an instance but can be created separately.

Answer 157

A

B. Adding a secondary VPC CIDR of 172.31.1.0/24 is the easiest option. You can’t add
a secondary CIDR that overlaps with the existing CIDR as 172.31.0.0/16 does. You also
can’t change the VPC CIDR. Creating a new VPC for the additional application instances
is possible but would require more effort than just adding a secondary CIDR.

Answer 158

A

D. A Direct Connect link to AWS provides consistent latency. It doesn’t necessarily
provide higher bandwidth or reduced cost over an Internet VPN connection. Direct
Connect doesn’t provide data encryption.

Answer 159

A

B. Direct Connect can improve the security of this configuration by bypassing the public
Internet. All AWS services, including S3, use HTTPS for their public endpoints.
A VPN connection can’t be configured between a remote site and S3.
A VPC endpoint only
connects a VPC to an AWS service via a private network, bypassing the Internet.

Answer 160

A

A. You must advertise at least one public IP prefix to use a public virtual interface. A
public ASN isn’t required. You can use a public ASN if you have one; otherwise, you can
use a private ASN between 64512 and 65534. Jumbo frames aren’t supported on public
virtual interfaces, and even if they were, enabling jumbo frames wouldn’t be required.

Answer 161

A

B. AWS assigns you a /125 IPv6 CIDR that you and AWS must use to set up an IPv6
BGP peering session. You may not specify your own IPv6 addresses. You may also have a
simultaneous IPv4 BGP peering session.

Answer 162

A

A. BGP MD5 authentication settings must match both on the Direct Connect side and
on your router

Answer 163

A

A. The private hostname is ip-10-9-13-37.ec2.internal. In the US East 1 region, the
hostname suffix is ec2.internal, while in other regions it follows the format region
.compute.internal.

Answer 164

A

B. If enableDnsHostnames is set to true, then instances with a public IP address will
receive a public DNS hostname. If enableDnsSupport is enabled, the Amazon DNS server
is enabled. The other two options aren’t valid attributes

Answer 165

A

B. If enableDnsSupport is set to true, then instances in a VPC can use the Amazon DNS
server to resolve the Amazon-provided private hostname of another instance in the VPC.
If enableDnsHostnames is set to true, then instances with a public IP address will receive
a public DNS hostname.

Answer 166

A

D. The first four addresses and last address of a subnet are reserved and can’t be assigned
to an instance.

Answer 167

A

A. An instance screen shot of a Windows instance can reveal whether the instance is at
the logon screen (and hopefully ready to accept RDP connections) or at another screen
where it wouldn’t be ready to accept RDP connections, such as the recovery console
screen, the boot manager screen, the Windows update screen, the Getting Ready screen,
the Chkdsk screen, or the Sysprep screen

Answer 168

A

C. Removing all outbound rules for the instance’s subnet’s NACL will stop all outbound
traffic from the instance. Removing security group rules that allow outbound access
or adding an outbound NACL rule denying access to TCP port 22 wouldn’t prevent
an inbound SSH connection or cause it to drop. You can’t add a deny rule to a security
group.

Answer 169

A

D. The errors indicate that you’re reaching the instance but it doesn’t recognize your
credentials as valid. Entering the wrong passphrase for the private SSH key or using an
SSH key that grants other users or groups read/write permissions will result in the SSH
client not even attempting the connection. This leaves an incorrect username as the only
possible answer.

Answer 170

A

A. You need to allow ICMPv4 Echo Requests inbound to the instance. An ICMPv6 Echo
Reply is what the instance would send in response to the ping. Elastic IP addresses are
IPv4 addresses, so there’s no need to add rules for ICMPv6.

Answer 171

A

D. An outbound NACL rule that denies ICMPv4 Echo Replies would block the response
to the Echo Request.

Answer 172

A

A. AWS uses the addresses
169.254.169.250, 
169.254.169.251,
169.254.169.254 for
Windows activation.

Answer 173

A

C. To add an alternative domain name to a distribution you must specify a valid TLS
certificate issued by a trusted CA, and the certificate must contain the alternative domain
name.

Answer 174

A

D. RTMP uses TCP port 1935 by default.

CloudFront RTMP distributions don’t support
RTMFP, which uses UDP port 1935. The fact that some users can view the videos indicates
that the distributions for the media player and video files are configured correctly.

Answer 175

A

B. RTMPT tunnels RTMP over TCP port 80. RTMP distributions can’t be converted to
HTTP/HTTPS distributions. CloudFront doesn’t use security groups

Answer 176

A

A metric contains a timestamp and a value. It may also contain a unit of measure and
dimension. A metric exists within a namespace, which acts as a container for metrics

Answer 177

A

D. Data points stored at 1-hour resolution are deleted after 15 months.

Answer 178

A

D. To graph the exact data points, specify the Sum statistic and set the period equal to the
metric’s resolution, which is 1 minute.

Answer 179

A

D. Using the Standard storage class for frequently accessed files is ideal. Standard-IA has
a slightly lower availability and a higher cost for GET requests. Moving the files to Glacier
would also negatively impact availability. Enabling versioning wouldn’t reduce costs but
might increase costs. There’s not much else you can do to reduce costs except to delete
unneeded files from the bucket.

Answer 180

A

C, D. AWS Config and CloudWatch Events can monitor S3 for new buckets and alert
you when they’re created or deleted. CloudTrail can log the API events but won’t do any
alerting. S3 server logging won’t log bucket creation events.

Answer 181

A

B. Memory-optimized instances have dedicated bandwidth for EBS storage

Answer 182

A

A. CloudTrail logs can be stored in S3 buckets or CloudWatch Logs. By default, S3
and CloudWatch Logs don’t delete any files or logs automatically. Therefore, any logs
CloudTrail stores will remain indefinit

Answer 183

A

A, B. Retention periods are set per log group. To have separate retention periods for
different log streams, the streams have to be in different log groups. Exporting CloudTrail
logs to an S3 bucket can preserve the existing logs but won’t affect retention moving
for

Answer 184

A

B, D. The instance being stopped would preclude EC2 from sending any CPU utilization
metrics. If the alarm period were set to something greater than 4 hours—such as 6 hours
or a day—then that would also explain the INSUFFICIENT_DATA state.

Answer 185

A

D. Using CloudWatch to graph the BucketSizeBytes metric will give you the data with
minimal effort.

Answer 186

A

C. 120,000

Answer 187

A

B. 20,000

Answer 188

A

C. You can access the query engine that powers Cost Explorer via the API for a cost of
US$0.01 per request.

Answer 189

A

C. ECS will let you run the application in Docker containers at a lower cost than on EC2
instances.

Answer 190

A

B. Standard-IA storage is the lowest cost option. Creating a lifecycle policy to transition
files to Standard-IA will leave a 6-month gap before the files are moved to the lower-cost
storage. Versioning will store more data, increasing costs. S3 Intelligent-Tiering incurs a
monthly monitoring and fee per object.1

Answer 191

A

B. A scheduled Spot Instance request can automatically generate a Spot Instance request
daily for a specified duration, such as 4 hours.

A persistent Spot Instance request will
create a new Spot Instance request as soon as the instance from the previous request
terminates.
A one-time Spot Instance request will launch an instance only once, not daily.
An instance reservation will cost more than using Spot Instance requests.

Answer 192

A

B. VPN CloudHub allows you to use a VPC for transit between two connected sites.
A transit gateway lets you route traffic between VPCs and a VPN. The other options are
feasible but cost more.

Answer 193

A

A, C. Sending CloudTrail logs to S3 and using S3 Select to search them is cheaper than
using CloudWatch Logs. CloudTrail event history stores only 90 days of events.

Answer 194

A

B. Logging S3 data events using CloudTrail will do the trick.
Enabling S3 server logging
may not log every request. S3 GET requests are data events, not management events. S3 is
not a global service.

Answer 195

A

D. CloudFront offers 50 GB data transfer out for the first year in the free tier.

Answer 196

A

C, D. It’s free to use CodeDeploy to deploy to EC2 instances. You can automate the
process with CodePipeline, which lets you have one free active pipeline per month.
CodeBuild isn’t free. CodeCommit is a Git repository with options under the free tier but
isn’t necessary in this case since the developers will be pushing updates to an S3 bucket.

Answer 197

A

C. CodeDeploy can perform a rolling application upgrade on one or more instances
at a time. Using CloudFormation to do the upgrade would require doing an all-at-once
switchover.

Answer 198

A

B, C. Creating an Internet gateway and default route and assigning an elastic IP address
is the most cost-effective option. A NAT gateway will incur charges. Using AWS Patch
Manager to download the updates will still require the instance to have Internet access

Answer 199

A

B. If the maximum Spot price you’ve set consistently meets or exceeds the on-demand
price, the instance will run indefinitely

Answer 200

A

C. Upgrading the instance type and creating a read replica are comparable options
pricewise but upgrading is much quicker in part because it doesn’t require reconfiguring
the application to use a read replica.

Answer 201

A

C. The minimum required utilization for a scheduled instance is 1200 hours per year

Answer 202

A

A. Set the Rollback on failure radio button to No in the CloudFormation console
C. Use the –disable-rollback flag with the AWS CLI

Answer 203

A

B. Passing a role to another AWS account
D. Passing a role to an AWS service to assign temporary permissions to the service

Explanation
The IAM:PassRole allows any affected entity to pass roles to AWS services or Accounts, granting them permission to assume the role. The list of roles able to be passed on by an entity to other services or accounts can be restricted with the Resources element of the IAM policy statement.

Answer 204

A

C. Use the drift detection action.

Answer 205

A

B. Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key.

In this scenario, you will need to rotate the CMK manually. When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Take note that you cannot enable automatic key rotation for a CMK with imported key material but you can manually rotate a CMK with imported key material.

Remember that automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. To meet the strict security compliance requirements, you must rotate the keys manually.

Answer 206

A

Relaunch the template to create a new stack.

The ROLLBACK_COMPLETE status indicates the successful removal of one or more stacks after a failed stack creation or after an explicitly canceled stack creation. Any resources that were created during the create stack action are deleted.

This status exists only after a failed stack creation. It signifies that all operations from the partially created stack have been appropriately cleaned up. When in this state, only a delete operation can be performed.

INCORRECT: “Perform an update-stack action on the failed stack” is incorrect. You cannot update a stack in the ROLLBACK_COMPLETE state.

Answer 207

A

Create a public subnet in each AZ for the ALB, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.

Answer 208

A

Import new key material into a new CMK, update the key alias to point to the new CMK.

When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Also, you cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.

Answer 209

A

With Amazon ElastiCache Memcached engine you cannot modify the node type. The way to scale up is to create a new cluster and specify the new node type. You can then update the endpoint configuration in your application to point to the new endpoints and then delete the old cache cluster.

CORRECT: “Create a new cache cluster with a new node type using the CreateCacheCluster API “ is the correct answer.

Answer 210

A

An AWS virtual private network (VPN) connection can be configured to encrypt data over the shared, hybrid network connection. This ensures encryption in-transit and if you don’t have a certificate you can create a pre-shared key.

AWS KMS can be used to manage encryption keys that can be used for data encryption. In this case the keys would then be used outside of KMS to actually encrypt the data.

CORRECT: “Configure an AWS VPN between the on-premises data center and AWS” is the correct answer.

CORRECT: “Use AWS KMS to manage the encryption keys used for data encryption” is the correct answer.

Answer 211

A

Explanation
If the health checks exceed UnhealthyThresholdCount consecutive failures, the load balancer takes the target out of service. The load balancer continues to send health checks. When the health checks exceed HealthyThresholdCount consecutive successes, the load balancer puts the target back in service.

CORRECT: “The load balancer will continue to perform the health check on the EC2 instance” is the correct answer.

CORRECT: “The load balancer will take the EC2 instance out of service” is also a correct answer.

Answer 212

A

With Elastic Volumes, you can dynamically modify the size, performance, and volume type of your Amazon EBS volumes without detaching them.

Use the following process when modifying a volume:

(Optional) Before modifying a volume that contains valuable data, it is a best practice to create a snapshot of the volume in case you need to roll back your changes.

Request the volume modification.

Monitor the progress of the volume modification.

If the size of the volume was modified, extend the volume’s file system to take advantage of the increased storage capacity.

CORRECT: “Use the Elastic Volumes feature to modify the volume size” is the correct answer.

Answer 213

A

Amazon S3 is a public service and there are two ways you can connect to it from EC2 instances with only private IP addresses. The first option is to deploy a NAT gateway in a public subnet and configure routes to the NAT gateway in the subnets where the instances are running.

The second option is to create a VPC endpoint of the gateway endpoint type. This VPC endpoint requires that you configure the route tables with an entry pointing to the gateway and will enable access to S3 using only private IP addresses.

CORRECT: “Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately” is the correct answer.

CORRECT: “Create a VPC endpoint in the VPC and configure the route tables appropriately” is also a correct answer.

Answer 214

A

Explanation
The most cost-effective record type to use is an alias record. Route 53 doesn’t charge for alias queries to AWS resources and this includes to Amazon CloudFront distributions. You can create an alias record that uses the www.mywebapp.com domain name and points to the Amazon CloudFront distribution. This will enable users to access the distribution using the custom domain name.

CORRECT: “Create an Alias record in Amazon Route 53 that points to the CloudFront distribution URL” is the correct answer.

Answer 215

A

You might need to shutdown or reboot your VM for maintenance, such as when applying a patch to your hypervisor. Before you shutdown the VM, you must first stop the gateway.

For file gateway, you just shutdown your VM.
For volume and tape gateways, stop the gateway, reboot the VM, then start the gateway.

CORRECT: “Stop the gateway, reboot the virtual machine, then restart the gateway” is the correct answer.

Answer 216

A

The AWS Cost and Usage Report contains the most comprehensive set of data about your AWS costs and usage, including additional information regarding AWS services, pricing, and reservations. By using the AWS Cost and Usage report, you can gain a wealth of reservation-related insights about the Amazon Resource Name (ARN) for a reservation, the number of reservations, the number of units per reservation, and more. It can help you do the following:

Calculate savings – Each hourly line item of usage contains the discounted rate that was charged, as well as the public On-Demand rate for that usage type at that time. You can quantify your savings by calculating the difference between the public On-Demand rates and the rates you were charged.

Track the allocation of Reserved Instance discounts – Each line item of usage that receives a discount contains information about where the discount came from. This makes it easier to trace which instances are benefitting from specific reservations.

CORRECT: “AWS Cost and Usage report” is the correct answer.

Answer 217

A

The AWS generated tags createdBy is a tag that AWS defines and applies to supported AWS resources for cost allocation purposes. After the tag is activated, AWS starts applying the tag to resources that are created after the AWS generated tags was activated.

The AWS generated tags is available only in the Billing and Cost Management console and reports, and doesn’t appear anywhere else in the AWS console, including the AWS Tag Editor. The createdBy tag does not count towards your tags per resource limit.

CORRECT: “Activate the createdBy tag in the account” is the correct answer.

CORRECT: “Analyze the usage with Cost Explorer” is the correct answer.

Answer 218

A

The following are a few reasons why an instance might immediately terminate:

You’ve reached your EBS volume limit.
An EBS snapshot is corrupt.
The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption.
The instance store-backed AMI that you used to launch the instance is missing a required part (an image.part.xx file).

CORRECT: “The root EBS volume is encrypted and the Administrator does not have permissions to access the KMS key for decryption” is the correct answer.

Answer 219

A

Explanation
The AWS Config restricted-common-ports check is used to check whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. The rule is COMPLIANT when the IP addresses for inbound TCP connections are restricted to the specified ports. This rule applies only to IPv4.

CORRECT: “Use AWS Config to enable the restricted-common-ports rule and add port 80 to the parameters” is the correct answer

Answer 220

A

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents the internet from initiating an IPv6 connection with your instances.

A route must be added to the route table pointing to the gateway. For IPv6 the target should be configured as ::/0 which is the equivalent of the 0.0.0.0/0 (IPv4) address.

CORRECT: “Create an egress-only internet gateway and add a route to the route table pointing to the gateway for the target ::/0” is the correct answer.

Answer 221

A

You can use AWS Trusted Advisor’s Service Limit Dashboard to determine whether the service limits for EC2 instances have been reached. This is one possible cause of the issue. Additionally, the Administrator can check CloudTrail logs to view the results of the RunInstances requests. If a permissions issue exists this will be identified.

CORRECT: “Use AWS Trusted Advisor to check if service limits have been reached” is the correct answer.

CORRECT: “Use AWS CloudTrail to check the result of RunInstances requests” is also a correct answer.

Answer 222

A

This solution can be implemented by adding an automatic remediation to the AWS Config access-keys-rotated rule. This AWS Config rule checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days.

The automatic remediation can be configured to execute an AWS Systems Manager automation document that resolves the IAM user name and then disables and creates new access keys using the API.

CORRECT: “Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation” is the correct answer.

Answer 223

A

It is possible to create an Alias record that points to a resource in another account. In this case the fully qualified domain name of the ALB must be obtained and then entered when creating the record set. This is the most cost-effective option as you do not pay for Alias records and there is minimal configuration required.

CORRECT: “Create an alias record in the hosted zone pointing to the Application Load Balancer” is the correct answer.

Answer 224

A

The AWS Config encrypted-volumes rule Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key.

CORRECT: “Use AWS Config to configure the encrypted-volumes managed rule and specify the key ID of the CMK” is the correct answer.

Answer 225

A

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console. Also, you can consume the Enhanced Monitoring JSON output from Amazon CloudWatch Logs in a monitoring system of your choice. You can enable and disable Enhanced Monitoring using the AWS Management Console, AWS CLI, or RDS API.

CORRECT: “Enable enhanced monitoring and view the metrics in the RDS console.” is the correct answer.

Answer 226

A

You create a CloudWatch custom metric and build an alarm on this to scale your ASG

The metric “requests per minute” is not an AWS metric, hence it needs to be a custom metric

Answer 227

A

SNI (Server Name Indication) is a feature allowing you to expose multiple SSL certs if the client supports it. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

Answer 228

A

B.Multiple files with flexible column structure

Cost & Usage reports can have multiple files which consists of data files for usage, separate file for discounts if any & a manifest file listing data files in a report. Columns in Cost & Usage Reports can be added or removed based upon customer requirements.

Answer 229

A

B.Initiate an archive retrieval job specifying archive ID & using Bulk retrieval option.

Answer 230

A

B. BucketB has SSE-KMS encryption enabled which is not supported.

For logs to be delivered in the target bucket, it should have bucket encryption as SSE-S3 & not as SSE-KMS. While enabling Server access logs, Source & Target bucket can be on the same bucket or different bucket & logs are delivered with few hours after enabling logs

Answer 231

A

A. Request users from the master account to modify the Threat list to include this IP address.

Amazon GuardDuty can be used to include custom IP addresses for generating findings to detect malicious activities. Amazon GuardDuty maintains two types of list: Trusted IP list & Threat List. Trusted IP List consists of IP address which is whitelisted & Amazon GuardDuty do not generate any findings for this IP address. Threat List consist list of the malicious IP address for which Amazon GuardDuty generates findings.

Answer 232

A

D. Enterprise

Answer 233

A

C. Create a private hosted zone & resource record set for EFS mount target IP address.

DNS resolution is not supported while mounting EFS which is accessed over another VPC. To mount an EFS, either an IP address needs to be used or a private hosted zone can be created in Route 53.

Answer 234

A

C. Enable AWS Config in us-east-1 to check configuration changes made to EC2 instance & specify S3 bucket to collect AWS CloudTrail logs which will capture user activity.

AWS Config can be enabled per region to track & notify for configuration changes made to AWS resources. AWS CloudTrail which is enabled when an account is created can be used to record API calls made by users to AWS resources. It saves all these activities log in a specified Amazon S3 bucket.

Answer 235

A

A. Create an organization & organizational unit.
C. Invite an external account to join your organization.
D. Pay all charges accrued by all the accounts in its organization.

Answer 236

A

By default, ALB considers last value within query parameters while invoking Lambda Function. In case of multiple query parameters, Multi-value headers need to be enabled to pass all query parameters values to Lambda function.

Answer 237

A

AWS Lambda uses Condition keys to specify additional permission controls for Lambda function. Following condition keys are supported in IAM policies,

a. lambda:VpcIds - To allow or deny specific VPC to be used by Lambda functions.
b. lambda: SubnetIds- To allow or deny specific subnet in a VPC to be used by Lambda functions.
c. lambda:SecurityGroupIds- To allow or deny specific security groups to be used by Lambda functions.

Answer 238

A

A. Create a Cloudfront origin access identity

C. Ensure that only the Cloudfront origin access identity has access to read objects from the S3 bucket.

Answer 239

A

D. Allow Incoming from Source 10.0.1.0/24 on port 443

Answer 240

A

B. Add an exponential backoff between the calls to the createStack API

The error is happening because the create stack API is creating too many resources at the same time. You can add some delayed between the requests using a concept called exponential backoff

Answer 241

A

Cross Zone Load Balancing

Answer 242

A

Server Name Indication (SNI)

Answer 243

A

Increase the EBS volume size

EBS IOPS peaks at 16,000 IOPS. or equivalent 5334 GB.

Answer 244

A

Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name

Answer 245

A

PostgreSQL

Answer 246

A

Aurora Global Database

Global Databases allow you to have cross region replication

Answer 247

A

Create a Read Replica in the same AZ and run the analytics workload on the replica database

this will minimize cost because the data won’t have to move across AZ

Answer 248

A

Create a Read Replica in a different region and enable multi-AZ on the main database

Answer 249

A

Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service.

Answer 250

A

Use Aurora Serverless

Answer 251

A

Configure the Amazon Redshift cluster to automatically copy snapshots of a cluster to another region.

You can configure Amazon Redshift to automatically copy snapshots (automated or manual) for a cluster to another region. When a snapshot is created in the cluster’s primary region, it will be copied to a secondary region; these are known respectively as the source region and destination region.

Answer 252

A

Configure an IAM role and an IAM Policy to access the bucket.

Set up a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens.

The question refers to one of the common scenarios for temporary credentials in AWS. Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles. In this example, it is called enterprise identity federation considering that you also need to set up a single sign-on (SSO) capability.

The correct answers are:

Setup a Federation proxy or an Identity provider
Setup an AWS Security Token Service to generate temporary tokens
Configure an IAM role

Answer 253

A

If you need to remove a file from CloudFront edge caches before it expires, you can do one of the following:

Invalidate the file from edge caches. The next time a viewer requests the file, CloudFront returns to the origin to fetch the latest version of the file.
Use file versioning to serve a different version of the file that has a different name.

Answer 254

A

Integrate CloudWatch Events with EBS.

Set up Lambda functions to copy the snapshots to another region.

Amazon EBS emits notifications based on Amazon CloudWatch Events for a variety of snapshot and encryption status changes. With CloudWatch Events, you can establish rules that trigger programmatic actions in response to a change in snapshot or encryption key state. For example, when a snapshot is created, you can trigger an AWS Lambda function to share the completed snapshot with another account or copy it to another region for disaster-recovery purposes.

Answer 255

A

You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an instance’s security groups). You can’t delete a default security group.

Answer 256

A

C. Shut down the instance. Create an AMI from the instance. Start a new
instance from the AMI in the other AZ.

You need to create an AMI because it is the root volume. The AMI can be deployed into any AZ.

Answer 257

A

D. Stop the instance, create an AMI, launch a new instance with
tenancy=dedicated, and terminate the old instance.

Answer 258

A

B. Creating daily RDS backups

Answer 259

A

B. 6 Reserved Instances and 12 On-Demand Instances

You can’t use spot instances as the payments can take up to four
minutes. Spot instances might get terminated with a two-minute
warning, which could mean you would lose transactions.

Answer 260

A

C. Launch EC2 instances through CloudFormation and then perform
configuration management with your Ansible scripts.

There is no service in AWS for Ansible. Simply launch EC2
instances and manage them like you do on-premise servers.

Answer 261

A

D. Marko#cloud

can’t be used in IAM usernames.

Answer 262

A

C. Delete the five instances in the cluster placement group and redeploy with
10 instances.

The number of instances in a placement group can only be defined
at startup time.

Answer 263

A

B. We would need to implement cross-region bucket replication on the
mission-critical data to meet the SLA.

Brainscape's Knowledge GenomeTM

From Tests Flashcards

Brainscape's Knowledge Genome^TM