From Tests Flashcards

Question

A week ago, you created a CloudWatch alarm to monitor the CPUUtilization metric on an EC2 instance. Yesterday, the alarm briefly entered an INSUFFICIENT_DATA state and then went back to an OK state. What is a possible reason for this? A. The alarm was paused. B. The instance was terminated. C. The CPU utilization went above the alarm threshold. D. The instance was stopped and restarted.

Answer 1

D. The instance being stopped and restarted would explain the momentary lack of CPU utilization data

Answer 2

B. AWS Budgets can alert you via email if your bill exceeds a specified amount—a good indicator of excessive resource utilization

Answer 3

A. The volume queue length metric measures the total number of read and write operation requests waiting for completion. If this has increased and remains high, it’s a good indication that the volume isn’t able to sustain enough IOPS. Because it’s a gp2 volume, the number of IOPS depends on the size allocated for the volume

Answer 4

. B. Memory-optimized instances have dedicated bandwidth for EBS storage. Standard instances are not EBS optimized

Answer 5

Indefinitely CloudTrail logs can be stored in S3 buckets or CloudWatch Logs. By default, S3 and CloudWatch Logs don’t delete any files or logs automatically

Answer 6

B. The period should be greater than or equal to the resolution of the metric. In this case, you want the alarm to trigger as soon as the metric crosses a threshold, so you should set the period to 5 minutes

Answer 7

The instance is stopped. | The alarm period hasn’t elapsed yet.

Answer 8

Create a single alarm to monitor the CPUUtilization metric. Configure the alarm to treat missing data as breaching.

Answer 9

There is no practical limit to the number of files you can store in S3. The KMS key limit applies to the number of customer master keys, but you can use the same key to encrypt each file in S3.

Answer 10

One RCU gets you a strongly consistent read per second of an item up to 4 KB in size, or two weakly consistent reads per second of 4 KB each

Answer 11

S3 standard charges nothing for data transfer up to 1 GB per month. S3 One Zone-IA and Standard-IA charge US$0.01 per GB.

Answer 12

Cost Explorer lets you analyze your costs and usage for the preceding 13 months.

Answer 13

. Simple Monthly Calculator

Answer 14

A. Yes. AWS allows you to get this information with detailed billing. Detailed billing was made available to AWS customers back in December 2016. Detailed billing gives customers the ability to create reports to review usage in the AWS account, or the cost associated with individual log groups. There’s no such thing as basic billing

Answer 15

To enable billing alerts, you must be logged in as the root user for the AWS account.

Answer 16

When a health check is run on an Amazon EC2 instance, you can get types of statuses. OK means that all of the health checks have passed. If any of the health checks fail, then the status displayed is Impaired.

Answer 17

As the status checks themselves are a part of the Amazon EC2 instances, you can’t disable them. You can, however, disable the CloudWatch alarms that utilize the status checks to trigger.

Answer 18

You can use access keys to authenticate the Amazon CloudWatch Logs agent instead of a username and password. As the access key is still tied to a username, you may want to check with your security team that it meets their criteria. While access keys are created in AWS IAM, AWS IAM is not a granular enough response to satisfy this question. While you can link your Active Directory environment to AWS, this is still not getting away from the need for service accounts.

Answer 19

Set StorageResolution to 1 using the PutMetricRequest API.

Answer 20

High-resolution metrics don’t cost any more or any less than standard-resolution metrics. You can do 1-, 5-, 10-, 15-, 30-, and 60-second intervals with high resolution.

Answer 21

Amazon Kinesis allows you to connect your log stream and process the logs using the regex that you wanted to search on. Amazon CloudWatch Metric Filters do not support regex. Neither Amazon CloudWatch nor the AWS Management Console give you the ability to search by regex

Answer 22

C. AWS Config is not enabled by default. You need to enable it once per region for any region you want to have monitored.

Answer 23

B. Yes, but you will need to request an increase on the limit from AWS. With AWS Config, you are limited to 150 rules

Answer 24

You can set periodic rules to run every 1, 3, 6, 12, or 24 hours. So your response should be to set up the rule to run every 6 hours.

Answer 25

D. When you add a security group to an Amazon EC2 instance, AWS Config records changes for the Amazon EC2 instance, the security group, primary resources, and related resources.

Answer 26

A. You can tell your Operations Center team that AWS Config can record OS patches, application installations, network configurations, and really any change that is made to the systems.

Answer 27

C. The AWS Billing and Cost Management Dashboard will allow them to monitor what the current spend is now and even sort by service.

Answer 28

B. AWS Organizations allows your accounting department to view billing and cost information for all of the AWS accounts in your organization.

Answer 29

D. AWS Cost Explorer monitors the current amount due on your AWS account

Answer 30

Install the Amazon Inspector agent. | Run a scan from Amazon Inspector.

Answer 31

A. Only the rules provided by AWS are allowed to be used for assessment runs, so you can’t create rules packages.

Answer 32

D. The Run Command provides a way to automate common administrative tasks without the need for remote access provided by opening up SSH or RDP or by using bastion hosts

Answer 33

A. Session Manager within AWS Systems Manager allows remote console sessions via an interactive web browser with no need to open inbound ports or use bastion hosts to access your systems

Answer 34

D. AWS Systems Manager Patch Manager provides patch management and reporting for both Linux and Windows systems on-prem and in the cloud.

Answer 35

C. Provides configuration management for on-prem and AWS resources

Answer 36

B. With Amazon Athena, you can query data across a multitude of AWS services, including AWS CloudTrail, Amazon CloudFront, Elastic Load Balancer, Amazon Virtual Private Cloud, Amazon CloudFormation, AWS Glue Data Catalog, Amazon QuickSight, and IAM

Answer 37

A. Amazon GuardDuty not only identifies threats on your network, it can automatically respond to those threats as well Identifying stale user accounts or users/groups with excessive permissions is something that should be done by your IAM team, utilizing AWS IAM. Automated security assessments are performed by Amazon Inspector.

Answer 38

Amazon GuardDuty can support multiple AWS accounts, giving visibility across your enterprise

Answer 39

A. Scaling events can be triggered by schedule. The schedule is not created in Amazon CloudWatch, and you don’t need an alarm from Amazon CloudWatch to scale.

Answer 40

B. If minimum capacity is set to 0 and there is no load, then it is entirely possible for you to have 0 instances. If you leave desired capacity blank, then the minimum capacity is used. If maximum capacity is set to 1, then your Auto Scaling group can have up to one EC2 instance. If autoscaling wasn’t available in your region, you wouldn’t have been able to set up your ASG in the first place

Answer 41

B. Since you need to avoid downtime, your best option is to manually terminate the old instances so they are relaunched using the new launch configuration. This allows you to control how many instances are offline and avoid downtime. If you set the desired capacity to zero, you may cause an outage, so this would not be a great solution if the most important factor is to avoid an outage. You can’t set the launch configuration per instance. Since you need to refresh your instances now, waiting for them to age out is not a good solution.

Answer 42

A. Launch templates use versioning to track changes. You can’t enable versioning on launch configurations directly. Manually numbering launch configurations is not easily scalable and would be error prone

Answer 43

B. There are five different ways to subscribe to an SNS topic. They are: - AWS Lambda, - Amazon Simple Queue Service (SQS) - HTTP and HTTPS, - email, - SMS text.

Answer 44

C. You can’t use the same function because AWS Lambda is based on region. You can, however, copy the function to the other region

Answer 45

C. Host-based routing will allow you to route traffic based in the domain name in the request. Content-based routing routes traffic based on the content of the request. Pathbased routing will route traffic based on the URL path that is in the HTTP header.

Answer 46

B. Path-based routing will route traffic based on the URL path that is in the HTTP header. Host-based routing will allow you to route traffic based in the domain name in the request. Content-based routing routes traffic based on the content of the request.

Answer 47

The user data field can be used in conjunction with Auto Scaling groups to configure your EC2 instances.

Answer 48

B. One of the most common use cases for a template parameter in CloudFormation is to specify the instance type and size at the time of creation

Answer 49

aws cloudformation create-stack.

Answer 50

``` D. Elastic Beanstalk supports multiple languages, including Go Java, .NET, Node.js, PHP, Python, Ruby. ``` It also supports Docker web applications.

Answer 51

C. By using rolling with additional batch, you ensure that you are operating at full capacity, which will not impact performance as the supervisor requested. Rolling with additional batch is a less expensive option than immutable as you are only spinning up instances to cover the systems that are being taken offline as opposed to all of the instances as you would do if immutable was being used.

Answer 52

B. Since the application will not suffer at 50% capacity later in the evening and your supervisor wants to keep costs down, rolling is the best option. Since no new instances are provisioned, this keeps the cost down, and you can specify that only 50% of the instances are getting updated at any point in time.

Answer 53

A. Since this is a development environment and it is considered acceptable to have downtime, all at once is the best deployment policy. It is the fastest method, and the cost is kept down since no new instances are spun up.

Answer 54

B. If a health check URL is not configured, then instances are marked as healthy as soon as they accept a TCP connection. The services the application relies on may not be up and responding by then. It is unlikely that instances are being marked healthy incorrectly. If the application has issues, it wouldn’t start working after a slightly longer time frame; this appears to be an issue of dependencies not being met.

Answer 55

A. The command that is being used requires the Elastic Beanstalk CLI to be installed.

Answer 56

B. Each AWS account can have a total of 40 database instances. To be able to go over the 40, which is a soft limit, you would need to contact AWS and request that the limit be raised.

Answer 57

B. If you are using MySQL in Amazon RDS, then you may only have five read replicas at any time. In this case, five read replicas is not a soft limit, so you can’t request a limit increase.

Answer 58

C. In general, it is a bad idea to disable automatic backups. One of the few exceptions is when you are loading a large amount of data.

Answer 59

B. When using Amazon ECS, you can use container registries inside of AWS and outside of AWS. So you could use your existing container registry in Docker Hub, and in fact Docker Hub is used by default

Answer 60

C. AWS Batch uses containers to execute batch jobs. To take advantage of AWS Batch, you must install the Amazon ECS (Elastic Container Service) Agent on your compute resources.

Answer 61

A. Occasionally a reboot is needed after granting permissions to the user accounts so that they can access the Docker daemon without sudo

Answer 62

D. You would need to enable VPC peering on the Lightsail account page, and from there Lightsail will configure everything for you.

Answer 63

A, D. With EBS volumes, you have a choice between either client-level encryption, which is done by the operating system, or volume-level encryption, which is managed by AWS

Answer 64

B, D. Amazon S3 buckets can be either virtual-hosted-style or path-style. Virtual-hostedstyle includes the bucket name as part of the domain name in the URL. Using path-style, the bucket name is not part of the domain name in the URL. The other two options were made up for this question.

Answer 65

B. While the snapshots are stored in Amazon S3, they are not directly accessible. You must use the Amazon EC2 API to work with the snapshots.

Answer 66

C. AWS DataSync is built for this use case. It allows you to sync your existing filesystems with your Amazon EFS filesystem and can work over the Internet or via an AWS Direct Connect/AWS VPN connection.

Answer 67

In Amazon EFS, these are called age-off policies Expiration policies are used in Amazon S3.

Answer 68

B. Files smaller than 128 KB in size will not be moved by Amazon EFS Lifecycle Managemen

Answer 69

B, C. VPC security groups can be used to specify which systems or IP ranges are allowed to access your file shares. IAM policies can be applied to the filesystem.

Answer 70

C. Amazon EFS Access Points allow you to use an operating system user or group to access a particular shared directory as their root directory. You can further enforce this by adding an IAM policy on to the access point.

Answer 71

B. SSE-C allows you to maintain control over your keys while still allowing Amazon S3 to handle the actual encryption process. This simplifies administration as you don’t need to implement a client-side encryption library; you can instead leverage the tools provided by AWS

Answer 72

D. The Amazon S3 Encryption client allows you to maintain control of your keys and take advantage of client-side encryption libraries.

Answer 73

A. By default, you have access to AWS Shield Standard. You can pay to upgrade to AWS Shield Advanced if desired. AWS Shield provides protection from DDoS attacks.

Answer 74

C. You should set up an CNAME record with your domain name and point it to the CloudFront distribution address

Answer 75

D. Amazon S3 notifications can be tied into Amazon SNS, Amazon SQS, or AWS Lambda. Amazon CloudWatch does not have the same level of integration into S3 that the other three do.

Answer 76

C. Amazon S3 doesn’t put a limit on file size, but Amazon CloudFront has a limit for single files, which is 20 GB. That would explain why you can upload the file to Amazon S3 with no issue and why it is not being delivered by Amazon CloudFront.

Answer 77

. B. To prepare your source host to transfer data to the AWS Snowball device, you will need to install the AWS Snowball client. This handles the encryption and compression of the data as well as the transfer to the AWS Snowball device

Answer 78

C. AWS Snowball data is encrypted with a key stored in AWS KMS. The best answer to give them is that the data on the AWS Snowball device is encrypted with an AES-256 bit key and that the private key is not stored on the AWS Snowball device, it is managed by AWS KMS.

Answer 79

A. To set up AWS Snowball, you need the AWS Snowball client as well as the job manifest file and the job manifest unlock code. There is no unlock code for the AWS Snowball client.

Answer 80

B, C. To safeguard your data in Amazon EFS, you can use the AWS Backup Service or the EFS-to-EFS backup solution. Enabling lifecycle management doesn’t safeguard data; it simply helps reduce cost. EFS-to-S3 backup doesn’t exist.

Answer 81

A. Data at rest in Amazon EFS is protected by AWS KMS if you create the filesystem to use encryption.

Answer 82

D. Data in transit from and to Amazon EFS is automatically encrypted, and the keys are managed by Amazon EFS.

Answer 83

D. The customer master key (CMK) must be in an enabled state or the users will not have access to the contents of the filesystem. The process is seamless to users; they don’t need to know how to decrypt data

Answer 84

D. From the moment the automatic rotation of keys is enabled, the key will be rotated every 365 days.

Answer 85

B. The action s3:DeleteObjectVersion deletes a file, regardless of whether versioning is enabled. s3:PutObject creates a file. s3:DeleteObject and s3:RemoveObject aren’t valid actions.

Answer 86

D. The condition operator DateLessThan returns true if the date and time at policy evaluation precedes the date and time specified in the key’s value. In this case, the value is 2021-01-01T00:00:00Z, which is the ISO 8601 representation of January 1, 2021 at 0:00 Universal Coordinated Time (UTC). The aws:CurrentTime key requires the time to be specified in ISO 8601 format. DateBefore is not a valid condition operator The aws:epochTime key requires the time to be specified in Unix epoch time.

Answer 87

C. The Condition element is not required in a resource-based policy. The other elements are required.

Answer 88

- Import an AWS managed policy. - Use the AWS CLI to import a JSON policy document. - Use the Visual editor in the AWS Management Console. A, B, C. To create a new IAM policy, you can import it from an AWS managed policy, import an existing policy document using either the AWS CLI or the AWS Management Console, or use the Visual editor to create a policy from scratch. You can’t import a policy document from an S3 bucket. When you create an IAM user, it has no default policy attached

Answer 89

D. NACLs are stateless and require an outbound rule to explicitly allow return traffic on an ephemeral port. Because the ephemeral port range varies by operating system, creating an outbound NACL rule allowing all traffic is sufficient. Security groups are stateful and thus don’t require an explicit outbound rule to permit return traffic.

Answer 90

C. Cognito allows you to grant application users temporary access to services in your AWS account.

Answer 91

A, B. STS provides short-term credentials consisting of an unencrypted access key ID, a secret access key, and a token.

Answer 92

C. You can attach up to 10 managed policies to an IAM principal.

Answer 93

C. The maximum session duration for a role is 12 hours. The minimum can be as little as 15 minutes.

Answer 94

B. The default credential lifetime for an IAM role is 1 hour.

Answer 95

C, D. Because users already have department tags, the easiest way to grant them access according to their tags is to create a single managed policy and use the Condition policy element. For example, including the following element under a policy statement would apply the permissions in the statement only to those with a department tag with a value of marketing: "Condition":{"StringEquals": {"aws:ResourceTag/department": "marketing"}}

Answer 96

A, B. Terminating the instance and launching a new one is a valid next step. Logging into the instance using SSM Session Manager is also a possibility. Importing an existing SSH key pair into the instance is an option only after you’ve gained access to the instance. You can’t RDP into an Amazon Linux 2 instanc

Answer 97

B. Because KMS generates and stores the contents of the master key and doesn’t allow customers to ever see it, AWS is solely responsible for protecting it from release.

Answer 98

A, B. Once you schedule a key deletion you can’t use the key during the waiting period. And once the key is deleted, any data encrypted using it will be permanently lost. KMS doesn’t prevent the deletion just because an AWS service is using the key. You can cancel a scheduled deletion.

Answer 99

A, B. Enabling automatic key rotation will cause KMS to annually rotate the keys that it generated. You must manually rotate imported keys, which entails creating new ones and updating the applications to point to them. Aliases make this process easier. Instead of updating the application to reference the key by its ARN or key ID, you reference the key by its alias. You then update the key’s alias to point to the new key’s ID.

Answer 100

B. A disabled key can’t be rotated automatically. Manually rotating a key requires creating a new key and using it in place of the original one, and disabling the original key has no effect on this process. A disabled key can be deleted. Disabling a customer master key doesn’t delete any data key

Answer 101

C. 99.95 percent

Answer 102

A, C. ACM will automatically renew a public certificate if two conditions are met: First, the certificate must be associated with an AWS service such as an application load balancer. Second, ACM must be able to validate domain ownership using email or DNS validation. Email validation is only good for 825 days, but DNS validation will remain valid as long as the appropriate records exist in the domain’s DNS.

Answer 103

D. Because ACM is a regional service, you’d have to create a new certificate in the other region

Answer 104

A, B, E. There are three possible causes: First, the user may have IAM permissions boundaries set that prevent access to KMS or S3. Second, the S3 bucket policy may not grant the user access to any objects in the bucket. Finally, the key policy may not allow the user to use the key. There’s no such thing as an object policy. The settings in the user’s IAM policy permissions are correct according to the question.

Answer 105

B. AWS owned CMKs are used by multiple AWS customers. AWS managed CMKs and customer managed CMKs are for use by only one customer. There’s no such thing as a data CMK.

Answer 106

B. Usage of KMS keys, whether they’re in a custom store or the default key store, are tracked in CloudTrail logs.

Answer 107

A, B. KMS custom key stores use CloudHSM in different availability zones. Alternatively, you could create your own CloudHSM cluster in multiple availability zones. Using multiple regions wouldn’t provide redundancy for keys since keys are specific to a region. Storing duplicate keys wouldn’t necessarily provide high availability if the keys are stored in a CloudHSM cluster in just one availability zone.

Answer 108

B. You can’t assume an IAM role while operating as the root user. You must use an IAM user instead. There is no CLI session limit, the root user credentials can be used with the CLI, and the root user has full access to all AWS services.

Answer 109

C, D. A trust policy is a resource-based policy and therefore does require specifying a principal.

Answer 110

B. The principal can’t be a wildcard in a trust policy. It can be an AWS service or a principal in the same account or another account. The effect in a trust policy statement can be Allow or Deny

Answer 111

C. EC2 throttles outbound traffic on TCP port 25, the port commonly used for the Simple Mail Transfer Protocol (SMTP). Only the root user can make a request to have this throttle removed

Answer 112

A. DynamoDB server-side and KMS encryption encrypts the entire table. If you want to encrypt only a subset of the table, such encryption must take place outside of DynamoDB.

Answer 113

B. Because resource-based policies apply to a resource, they can restrict the access of users who don’t have an AWS account, such as anonymous users. Resource-based policies are not necessarily more restrictive, they can’t be used to restrict the root user, and they don’t replace identity-based policies.

Answer 114

C. The canonical user ID is a 64-character string that can be used to identify an AWS account in an S3 bucket policy. Creating an IAM role and providing the ARN would permit the vendor to grant that role access, but they’d still need either your AWS account number or canonical user ID.

Answer 115

D. All regions support Signature version 4.

Answer 116

B. The signing key is used to sign requests. The secret access key is used to create a signing key, which is valid for up to 7 days.

Answer 117

D. The command aws s3api list-buckets is the only one that will list the canonical user ID

Answer 118

B, D. CodeDeploy deploys EC2/on-premises applications from an S3 bucket, so the instances need access to list and get buckets and files from S3. They don’t need access to the CodeDeploy or Auto Scaling services.

Answer 119

A, D. You can set a password policy to enforce password expiration and require an administrator to reset expired passwords A policy can’t require MFA or set a maximum length

Answer 120

A. IAM doesn’t offer lockout policies that lock out a user after a number of failed login attempts

Answer 121

B. A token obtained from a regional STS endpoint is valid in all regions.

Answer 122

A, D. Once a region is disabled, EC2 instances running in it continue to incur charges. You can’t make changes to resources in a disabled region. You need to enable the region and then terminate the EC2 instances. STS has no bearing on whether the region is enabled or disabled.

Answer 123

B. Cognito can create IAM roles to define permissions for users. STS provides temporary credentials in exchange for a Cognito token but doesn’t control user permissions. OpenID Connect is an authentication framework used by some identity providers.

Answer 124

A, C. You can grant only specific users access to change their password by creating and applying an identity-based policy that grants them permission to perform the iam:ChangePassword action against their own IAM user resource, which is specified by its ARN in the format arn:aws:iam::account-id:user/${aws:username}. A password policy allowing users to change their own passwords would apply to all users. It’s not possible to implement a password policy requiring users to create a random password, and even if it were, it wouldn’t be necessary for allowing users to change their own passwords

Answer 125

B. When assuming a role, you can specify a managed session policy to restrict the permissions granted to the session. Access control policies apply only to cross-account access. An IAM permissions boundary is an identity-based policy, which in this case would apply to the role and hence would impact every application that assumes the role. There’s no such thing as a session control policy.

Answer 126

B. You would need to specify the excepted instance as NotResource. There’s no need to use the NotAction element. You can’t use Condition to specify an instance. Principal and NotPrincipal have no effect in an identity-based policy.

Answer 127

B. AssumeRole and GetSessionToken are the only actions that support MFA.

Answer 128

4. C, D. Configuring ELB health checks to monitor the web service and then using that health check in the Auto Scaling group will ensure that any instance on which the web service fails will be replaced. Using an EC2 health check will only look at the system status and instance status, but not the status of the web service. There is no UDP health check.

Answer 129

A, D. A simple basic resource record or a multivalue answer resource record without a health check will always return the public IP address of the instance. A simple alias resource record can’t point directly to an instance. A simple resource record doesn’t use health checks.

Answer 130

B, D. Simply giving the instances a public IP address and permitting inbound HTTPS access is sufficient and requires minimal effort. Using a VPN is a possibility but would require implementing NAT to overcome the IP addressing conflicts and would entail a lot more effort.

Answer 131

A. An elastic network interface must have only one primary private IP address. It can have a secondary private IP address, but it must be from the same subnet as the primary. An ENI can be associated with multiple elastic IP addresses. It doesn’t have to be attached to an instance but can be created separately.

Answer 132

B. Adding a secondary VPC CIDR of 172.31.1.0/24 is the easiest option. You can’t add a secondary CIDR that overlaps with the existing CIDR as 172.31.0.0/16 does. You also can’t change the VPC CIDR. Creating a new VPC for the additional application instances is possible but would require more effort than just adding a secondary CIDR.

Answer 133

D. A Direct Connect link to AWS provides consistent latency. It doesn’t necessarily provide higher bandwidth or reduced cost over an Internet VPN connection. Direct Connect doesn’t provide data encryption.

Answer 134

B. Direct Connect can improve the security of this configuration by bypassing the public Internet. All AWS services, including S3, use HTTPS for their public endpoints. A VPN connection can’t be configured between a remote site and S3. A VPC endpoint only connects a VPC to an AWS service via a private network, bypassing the Internet.

Answer 135

A. You must advertise at least one public IP prefix to use a public virtual interface. A public ASN isn’t required. You can use a public ASN if you have one; otherwise, you can use a private ASN between 64512 and 65534. Jumbo frames aren’t supported on public virtual interfaces, and even if they were, enabling jumbo frames wouldn’t be required.

Answer 136

B. AWS assigns you a /125 IPv6 CIDR that you and AWS must use to set up an IPv6 BGP peering session. You may not specify your own IPv6 addresses. You may also have a simultaneous IPv4 BGP peering session.

Answer 137

A. BGP MD5 authentication settings must match both on the Direct Connect side and on your router

Answer 138

A. The private hostname is ip-10-9-13-37.ec2.internal. In the US East 1 region, the hostname suffix is ec2.internal, while in other regions it follows the format region .compute.internal.

Answer 139

B. If enableDnsHostnames is set to true, then instances with a public IP address will receive a public DNS hostname. If enableDnsSupport is enabled, the Amazon DNS server is enabled. The other two options aren’t valid attributes

Answer 140

B. If enableDnsSupport is set to true, then instances in a VPC can use the Amazon DNS server to resolve the Amazon-provided private hostname of another instance in the VPC. If enableDnsHostnames is set to true, then instances with a public IP address will receive a public DNS hostname.

Answer 141

D. The first four addresses and last address of a subnet are reserved and can’t be assigned to an instance.

Answer 142

A. An instance screen shot of a Windows instance can reveal whether the instance is at the logon screen (and hopefully ready to accept RDP connections) or at another screen where it wouldn’t be ready to accept RDP connections, such as the recovery console screen, the boot manager screen, the Windows update screen, the Getting Ready screen, the Chkdsk screen, or the Sysprep screen

Answer 143

C. Removing all outbound rules for the instance’s subnet’s NACL will stop all outbound traffic from the instance. Removing security group rules that allow outbound access or adding an outbound NACL rule denying access to TCP port 22 wouldn’t prevent an inbound SSH connection or cause it to drop. You can’t add a deny rule to a security group.

Answer 144

D. The errors indicate that you’re reaching the instance but it doesn’t recognize your credentials as valid. Entering the wrong passphrase for the private SSH key or using an SSH key that grants other users or groups read/write permissions will result in the SSH client not even attempting the connection. This leaves an incorrect username as the only possible answer.

Answer 145

A. You need to allow ICMPv4 Echo Requests inbound to the instance. An ICMPv6 Echo Reply is what the instance would send in response to the ping. Elastic IP addresses are IPv4 addresses, so there’s no need to add rules for ICMPv6.

Answer 146

D. An outbound NACL rule that denies ICMPv4 Echo Replies would block the response to the Echo Request.

Answer 147

``` A. AWS uses the addresses 169.254.169.250, 169.254.169.251, 169.254.169.254 for Windows activation. ```

Answer 148

C. To add an alternative domain name to a distribution you must specify a valid TLS certificate issued by a trusted CA, and the certificate must contain the alternative domain name.

Answer 149

D. RTMP uses TCP port 1935 by default. CloudFront RTMP distributions don’t support RTMFP, which uses UDP port 1935. The fact that some users can view the videos indicates that the distributions for the media player and video files are configured correctly.

Answer 150

B. RTMPT tunnels RTMP over TCP port 80. RTMP distributions can’t be converted to HTTP/HTTPS distributions. CloudFront doesn’t use security groups

Answer 151

A metric contains a timestamp and a value. It may also contain a unit of measure and dimension. A metric exists within a namespace, which acts as a container for metrics

Answer 152

D. Data points stored at 1-hour resolution are deleted after 15 months.

Answer 153

D. To graph the exact data points, specify the Sum statistic and set the period equal to the metric’s resolution, which is 1 minute.

Answer 154

D. Using the Standard storage class for frequently accessed files is ideal. Standard-IA has a slightly lower availability and a higher cost for GET requests. Moving the files to Glacier would also negatively impact availability. Enabling versioning wouldn’t reduce costs but might increase costs. There’s not much else you can do to reduce costs except to delete unneeded files from the bucket.

Answer 155

C, D. AWS Config and CloudWatch Events can monitor S3 for new buckets and alert you when they’re created or deleted. CloudTrail can log the API events but won’t do any alerting. S3 server logging won’t log bucket creation events.

Answer 156

B. Memory-optimized instances have dedicated bandwidth for EBS storage

Answer 157

A. CloudTrail logs can be stored in S3 buckets or CloudWatch Logs. By default, S3 and CloudWatch Logs don’t delete any files or logs automatically. Therefore, any logs CloudTrail stores will remain indefinit

Answer 158

A, B. Retention periods are set per log group. To have separate retention periods for different log streams, the streams have to be in different log groups. Exporting CloudTrail logs to an S3 bucket can preserve the existing logs but won’t affect retention moving for

Answer 159

B, D. The instance being stopped would preclude EC2 from sending any CPU utilization metrics. If the alarm period were set to something greater than 4 hours—such as 6 hours or a day—then that would also explain the INSUFFICIENT_DATA state.

Answer 160

D. Using CloudWatch to graph the BucketSizeBytes metric will give you the data with minimal effort.

Answer 161

C. 120,000

Answer 162

C. You can access the query engine that powers Cost Explorer via the API for a cost of US$0.01 per request.

Answer 163

C. ECS will let you run the application in Docker containers at a lower cost than on EC2 instances.

Answer 164

B. Standard-IA storage is the lowest cost option. Creating a lifecycle policy to transition files to Standard-IA will leave a 6-month gap before the files are moved to the lower-cost storage. Versioning will store more data, increasing costs. S3 Intelligent-Tiering incurs a monthly monitoring and fee per object.1

Answer 165

B. A scheduled Spot Instance request can automatically generate a Spot Instance request daily for a specified duration, such as 4 hours. A persistent Spot Instance request will create a new Spot Instance request as soon as the instance from the previous request terminates. A one-time Spot Instance request will launch an instance only once, not daily. An instance reservation will cost more than using Spot Instance requests.

Answer 166

B. VPN CloudHub allows you to use a VPC for transit between two connected sites. A transit gateway lets you route traffic between VPCs and a VPN. The other options are feasible but cost more.

Answer 167

A, C. Sending CloudTrail logs to S3 and using S3 Select to search them is cheaper than using CloudWatch Logs. CloudTrail event history stores only 90 days of events.

Answer 168

B. Logging S3 data events using CloudTrail will do the trick. Enabling S3 server logging may not log every request. S3 GET requests are data events, not management events. S3 is not a global service.

Answer 169

D. CloudFront offers 50 GB data transfer out for the first year in the free tier.

Answer 170

C, D. It’s free to use CodeDeploy to deploy to EC2 instances. You can automate the process with CodePipeline, which lets you have one free active pipeline per month. CodeBuild isn’t free. CodeCommit is a Git repository with options under the free tier but isn’t necessary in this case since the developers will be pushing updates to an S3 bucket.

Answer 171

C. CodeDeploy can perform a rolling application upgrade on one or more instances at a time. Using CloudFormation to do the upgrade would require doing an all-at-once switchover.

Answer 172

B, C. Creating an Internet gateway and default route and assigning an elastic IP address is the most cost-effective option. A NAT gateway will incur charges. Using AWS Patch Manager to download the updates will still require the instance to have Internet access

Answer 173

B. If the maximum Spot price you’ve set consistently meets or exceeds the on-demand price, the instance will run indefinitely

Answer 174

C. Upgrading the instance type and creating a read replica are comparable options pricewise but upgrading is much quicker in part because it doesn’t require reconfiguring the application to use a read replica.

Answer 175

C. The minimum required utilization for a scheduled instance is 1200 hours per year

Answer 176

A. Set the Rollback on failure radio button to No in the CloudFormation console C. Use the --disable-rollback flag with the AWS CLI

Answer 177

B. Passing a role to another AWS account D. Passing a role to an AWS service to assign temporary permissions to the service Explanation The IAM:PassRole allows any affected entity to pass roles to AWS services or Accounts, granting them permission to assume the role. The list of roles able to be passed on by an entity to other services or accounts can be restricted with the Resources element of the IAM policy statement.

Answer 178

C. Use the drift detection action.

Answer 179

B. Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key. In this scenario, you will need to rotate the CMK manually. When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Take note that you cannot enable automatic key rotation for a CMK with imported key material but you can manually rotate a CMK with imported key material. Remember that automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. To meet the strict security compliance requirements, you must rotate the keys manually.

Answer 180

Relaunch the template to create a new stack. The ROLLBACK_COMPLETE status indicates the successful removal of one or more stacks after a failed stack creation or after an explicitly canceled stack creation. Any resources that were created during the create stack action are deleted. This status exists only after a failed stack creation. It signifies that all operations from the partially created stack have been appropriately cleaned up. When in this state, only a delete operation can be performed. INCORRECT: "Perform an update-stack action on the failed stack" is incorrect. You cannot update a stack in the ROLLBACK_COMPLETE state.

Answer 181

Create a public subnet in each AZ for the ALB, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.

Answer 182

Import new key material into a new CMK, update the key alias to point to the new CMK. When you import key material into a CMK, the CMK is permanently associated with that key material. You can reimport the same key material, but you cannot import different key material into that CMK. Also, you cannot enable automatic key rotation for a CMK with imported key material. However, you can manually rotate a CMK with imported key material.

Answer 183

With Amazon ElastiCache Memcached engine you cannot modify the node type. The way to scale up is to create a new cluster and specify the new node type. You can then update the endpoint configuration in your application to point to the new endpoints and then delete the old cache cluster. CORRECT: "Create a new cache cluster with a new node type using the CreateCacheCluster API " is the correct answer.

Answer 184

An AWS virtual private network (VPN) connection can be configured to encrypt data over the shared, hybrid network connection. This ensures encryption in-transit and if you don’t have a certificate you can create a pre-shared key. AWS KMS can be used to manage encryption keys that can be used for data encryption. In this case the keys would then be used outside of KMS to actually encrypt the data. CORRECT: "Configure an AWS VPN between the on-premises data center and AWS" is the correct answer. CORRECT: "Use AWS KMS to manage the encryption keys used for data encryption" is the correct answer.

Answer 185

Explanation If the health checks exceed UnhealthyThresholdCount consecutive failures, the load balancer takes the target out of service. The load balancer continues to send health checks. When the health checks exceed HealthyThresholdCount consecutive successes, the load balancer puts the target back in service. CORRECT: "The load balancer will continue to perform the health check on the EC2 instance" is the correct answer. CORRECT: "The load balancer will take the EC2 instance out of service" is also a correct answer.

Answer 186

With Elastic Volumes, you can dynamically modify the size, performance, and volume type of your Amazon EBS volumes without detaching them. Use the following process when modifying a volume: (Optional) Before modifying a volume that contains valuable data, it is a best practice to create a snapshot of the volume in case you need to roll back your changes. Request the volume modification. Monitor the progress of the volume modification. If the size of the volume was modified, extend the volume's file system to take advantage of the increased storage capacity. CORRECT: "Use the Elastic Volumes feature to modify the volume size" is the correct answer.

Answer 187

Amazon S3 is a public service and there are two ways you can connect to it from EC2 instances with only private IP addresses. The first option is to deploy a NAT gateway in a public subnet and configure routes to the NAT gateway in the subnets where the instances are running. The second option is to create a VPC endpoint of the gateway endpoint type. This VPC endpoint requires that you configure the route tables with an entry pointing to the gateway and will enable access to S3 using only private IP addresses. CORRECT: "Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately" is the correct answer. CORRECT: "Create a VPC endpoint in the VPC and configure the route tables appropriately" is also a correct answer.

Answer 188

Explanation The most cost-effective record type to use is an alias record. Route 53 doesn't charge for alias queries to AWS resources and this includes to Amazon CloudFront distributions. You can create an alias record that uses the www.mywebapp.com domain name and points to the Amazon CloudFront distribution. This will enable users to access the distribution using the custom domain name. CORRECT: "Create an Alias record in Amazon Route 53 that points to the CloudFront distribution URL" is the correct answer.

Answer 189

You might need to shutdown or reboot your VM for maintenance, such as when applying a patch to your hypervisor. Before you shutdown the VM, you must first stop the gateway. - For file gateway, you just shutdown your VM. - For volume and tape gateways, stop the gateway, reboot the VM, then start the gateway. CORRECT: "Stop the gateway, reboot the virtual machine, then restart the gateway" is the correct answer.

Answer 190

The AWS Cost and Usage Report contains the most comprehensive set of data about your AWS costs and usage, including additional information regarding AWS services, pricing, and reservations. By using the AWS Cost and Usage report, you can gain a wealth of reservation-related insights about the Amazon Resource Name (ARN) for a reservation, the number of reservations, the number of units per reservation, and more. It can help you do the following: Calculate savings – Each hourly line item of usage contains the discounted rate that was charged, as well as the public On-Demand rate for that usage type at that time. You can quantify your savings by calculating the difference between the public On-Demand rates and the rates you were charged. Track the allocation of Reserved Instance discounts – Each line item of usage that receives a discount contains information about where the discount came from. This makes it easier to trace which instances are benefitting from specific reservations. CORRECT: "AWS Cost and Usage report" is the correct answer.

Answer 191

The AWS generated tags createdBy is a tag that AWS defines and applies to supported AWS resources for cost allocation purposes. After the tag is activated, AWS starts applying the tag to resources that are created after the AWS generated tags was activated. The AWS generated tags is available only in the Billing and Cost Management console and reports, and doesn't appear anywhere else in the AWS console, including the AWS Tag Editor. The createdBy tag does not count towards your tags per resource limit. CORRECT: "Activate the createdBy tag in the account" is the correct answer. CORRECT: "Analyze the usage with Cost Explorer" is the correct answer.

Answer 192

The following are a few reasons why an instance might immediately terminate: - You've reached your EBS volume limit. - An EBS snapshot is corrupt. - The root EBS volume is encrypted and you do not have permissions to access the KMS key for decryption. - The instance store-backed AMI that you used to launch the instance is missing a required part (an image.part.xx file). CORRECT: "The root EBS volume is encrypted and the Administrator does not have permissions to access the KMS key for decryption" is the correct answer.

Answer 193

Explanation The AWS Config restricted-common-ports check is used to check whether the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. The rule is COMPLIANT when the IP addresses for inbound TCP connections are restricted to the specified ports. This rule applies only to IPv4. CORRECT: "Use AWS Config to enable the restricted-common-ports rule and add port 80 to the parameters" is the correct answer

Answer 194

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents the internet from initiating an IPv6 connection with your instances. A route must be added to the route table pointing to the gateway. For IPv6 the target should be configured as ::/0 which is the equivalent of the 0.0.0.0/0 (IPv4) address. CORRECT: "Create an egress-only internet gateway and add a route to the route table pointing to the gateway for the target ::/0" is the correct answer.

Answer 195

You can use AWS Trusted Advisor’s Service Limit Dashboard to determine whether the service limits for EC2 instances have been reached. This is one possible cause of the issue. Additionally, the Administrator can check CloudTrail logs to view the results of the RunInstances requests. If a permissions issue exists this will be identified. CORRECT: "Use AWS Trusted Advisor to check if service limits have been reached" is the correct answer. CORRECT: "Use AWS CloudTrail to check the result of RunInstances requests" is also a correct answer.

Answer 196

This solution can be implemented by adding an automatic remediation to the AWS Config access-keys-rotated rule. This AWS Config rule checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is NON_COMPLIANT if the access keys have not been rotated for more than maxAccessKeyAge number of days. The automatic remediation can be configured to execute an AWS Systems Manager automation document that resolves the IAM user name and then disables and creates new access keys using the API. CORRECT: "Use an AWS Config rule to identify noncompliant keys. Create a custom AWS Systems Manager Automation document for remediation" is the correct answer.

Answer 197

It is possible to create an Alias record that points to a resource in another account. In this case the fully qualified domain name of the ALB must be obtained and then entered when creating the record set. This is the most cost-effective option as you do not pay for Alias records and there is minimal configuration required. CORRECT: "Create an alias record in the hosted zone pointing to the Application Load Balancer" is the correct answer.

Answer 198

The AWS Config encrypted-volumes rule Checks whether the EBS volumes that are in an attached state are encrypted. If you specify the ID of a KMS key for encryption using the kmsId parameter, the rule checks if the EBS volumes in an attached state are encrypted with that KMS key. CORRECT: "Use AWS Config to configure the encrypted-volumes managed rule and specify the key ID of the CMK" is the correct answer.

Answer 199

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console. Also, you can consume the Enhanced Monitoring JSON output from Amazon CloudWatch Logs in a monitoring system of your choice. You can enable and disable Enhanced Monitoring using the AWS Management Console, AWS CLI, or RDS API. CORRECT: "Enable enhanced monitoring and view the metrics in the RDS console." is the correct answer.

Answer 200

You create a CloudWatch custom metric and build an alarm on this to scale your ASG The metric "requests per minute" is not an AWS metric, hence it needs to be a custom metric

Answer 201

SNI (Server Name Indication) is a feature allowing you to expose multiple SSL certs if the client supports it. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

Answer 202

B.Multiple files with flexible column structure Cost & Usage reports can have multiple files which consists of data files for usage, separate file for discounts if any & a manifest file listing data files in a report. Columns in Cost & Usage Reports can be added or removed based upon customer requirements.

Answer 203

B.Initiate an archive retrieval job specifying archive ID & using Bulk retrieval option.

Answer 204

B. BucketB has SSE-KMS encryption enabled which is not supported. For logs to be delivered in the target bucket, it should have bucket encryption as SSE-S3 & not as SSE-KMS. While enabling Server access logs, Source & Target bucket can be on the same bucket or different bucket & logs are delivered with few hours after enabling logs

Answer 205

A. Request users from the master account to modify the Threat list to include this IP address. Amazon GuardDuty can be used to include custom IP addresses for generating findings to detect malicious activities. Amazon GuardDuty maintains two types of list: Trusted IP list & Threat List. Trusted IP List consists of IP address which is whitelisted & Amazon GuardDuty do not generate any findings for this IP address. Threat List consist list of the malicious IP address for which Amazon GuardDuty generates findings.

Answer 206

D. Enterprise

Answer 207

C. Create a private hosted zone & resource record set for EFS mount target IP address. DNS resolution is not supported while mounting EFS which is accessed over another VPC. To mount an EFS, either an IP address needs to be used or a private hosted zone can be created in Route 53.

Answer 208

C. Enable AWS Config in us-east-1 to check configuration changes made to EC2 instance & specify S3 bucket to collect AWS CloudTrail logs which will capture user activity. AWS Config can be enabled per region to track & notify for configuration changes made to AWS resources. AWS CloudTrail which is enabled when an account is created can be used to record API calls made by users to AWS resources. It saves all these activities log in a specified Amazon S3 bucket.

Answer 209

A. Create an organization & organizational unit. C. Invite an external account to join your organization. D. Pay all charges accrued by all the accounts in its organization.

Answer 210

By default, ALB considers last value within query parameters while invoking Lambda Function. In case of multiple query parameters, Multi-value headers need to be enabled to pass all query parameters values to Lambda function.

Answer 211

AWS Lambda uses Condition keys to specify additional permission controls for Lambda function. Following condition keys are supported in IAM policies, a. lambda:VpcIds - To allow or deny specific VPC to be used by Lambda functions. b. lambda: SubnetIds- To allow or deny specific subnet in a VPC to be used by Lambda functions. c. lambda:SecurityGroupIds- To allow or deny specific security groups to be used by Lambda functions.

Answer 212

A. Create a Cloudfront origin access identity | C. Ensure that only the Cloudfront origin access identity has access to read objects from the S3 bucket.

Answer 213

D. Allow Incoming from Source 10.0.1.0/24 on port 443

Answer 214

B. Add an exponential backoff between the calls to the createStack API The error is happening because the create stack API is creating too many resources at the same time. You can add some delayed between the requests using a concept called exponential backoff

Answer 215

Cross Zone Load Balancing

Answer 216

Server Name Indication (SNI)

Answer 217

Increase the EBS volume size EBS IOPS peaks at 16,000 IOPS. or equivalent 5334 GB.

Answer 218

Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name

Answer 219

PostgreSQL

Answer 220

Aurora Global Database Global Databases allow you to have cross region replication

Answer 221

Create a Read Replica in the same AZ and run the analytics workload on the replica database this will minimize cost because the data won't have to move across AZ

Answer 222

| Create a Read Replica in a different region and enable multi-AZ on the main database

Answer 223

Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service.

Answer 224

Use Aurora Serverless

Answer 225

Configure the Amazon Redshift cluster to automatically copy snapshots of a cluster to another region. You can configure Amazon Redshift to automatically copy snapshots (automated or manual) for a cluster to another region. When a snapshot is created in the cluster’s primary region, it will be copied to a secondary region; these are known respectively as the source region and destination region.

Answer 226

Configure an IAM role and an IAM Policy to access the bucket. Set up a Federation proxy or an Identity provider, and use AWS Security Token Service to generate temporary tokens. The question refers to one of the common scenarios for temporary credentials in AWS. Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles. In this example, it is called enterprise identity federation considering that you also need to set up a single sign-on (SSO) capability. The correct answers are: - Setup a Federation proxy or an Identity provider - Setup an AWS Security Token Service to generate temporary tokens - Configure an IAM role

Answer 227

If you need to remove a file from CloudFront edge caches before it expires, you can do one of the following: - Invalidate the file from edge caches. The next time a viewer requests the file, CloudFront returns to the origin to fetch the latest version of the file. - Use file versioning to serve a different version of the file that has a different name.

Answer 228

Integrate CloudWatch Events with EBS. Set up Lambda functions to copy the snapshots to another region. Amazon EBS emits notifications based on Amazon CloudWatch Events for a variety of snapshot and encryption status changes. With CloudWatch Events, you can establish rules that trigger programmatic actions in response to a change in snapshot or encryption key state. For example, when a snapshot is created, you can trigger an AWS Lambda function to share the completed snapshot with another account or copy it to another region for disaster-recovery purposes.

Answer 229

You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an instance's security groups). You can't delete a default security group.

Answer 230

C. Shut down the instance. Create an AMI from the instance. Start a new instance from the AMI in the other AZ. You need to create an AMI because it is the root volume. The AMI can be deployed into any AZ.

Answer 231

D. Stop the instance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance.

Answer 232

B. Creating daily RDS backups

Answer 233

B. 6 Reserved Instances and 12 On-Demand Instances You can't use spot instances as the payments can take up to four minutes. Spot instances might get terminated with a two-minute warning, which could mean you would lose transactions.

Answer 234

C. Launch EC2 instances through CloudFormation and then perform configuration management with your Ansible scripts. There is no service in AWS for Ansible. Simply launch EC2 instances and manage them like you do on-premise servers.

Answer 235

D. Marko#cloud can't be used in IAM usernames.

Answer 236

C. Delete the five instances in the cluster placement group and redeploy with 10 instances. The number of instances in a placement group can only be defined at startup time.

Answer 237

B. We would need to implement cross-region bucket replication on the mission-critical data to meet the SLA.