Incorrect exam qs Flashcards

1
Q

Among the following payment options, which of the following can you choose when you purchase a Standard or Convertible Reserved Instance? (Select TWO.)

Deferred payment
Reserved payment
Bill-Me-Later payment
All Upfront payment
Partial upfront payment

A

All Upfront payment

Partial upfront payment

2
Q

How can your RDS production instances be more cost-effective when they will be used for a long period of time?

You can stop your RDS instances when idle to prevent AWS from charging you during this time

You can easily backup, terminate, and restore RDS instances when you need them

You can avail of reserved instances to get discounts on your instance costs

AWS does not charge you when your RDS is idle

A

You can avail of reserved instances to get discounts on your instance costs

3
Q

Which of the following is true about the enhanced technical support response times of the Enterprise support plan in AWS? (Select TWO.)

Provides a 15-minute response time support if your business-critical system goes down

Provides a 1-hour response time support if your production system goes down

Provides a 2-hour response time support if your production system got impaired

Provides a 12-hour response time support for general guidance

Provides a 48-hour response time support for general guidance

A

Provides a 15-minute response time support if your business-critical system goes down

Provides a 1-hour response time support if your production system goes down

4
Q

Which of the following practices demonstrate operational excellence in AWS cloud? (Select TWO.)

Launching your infrastructure manually via the Console

Use serverless applications such as AWS Lambda

Monitor EC2 metric consumption and adjust the instance type accordingly

Deploy small, incremental changes to your production servers using AWS CodeDeploy

Perform monthly game days on your AWS environment

A

Deploy small, incremental changes to your production servers using AWS CodeDeploy

Perform monthly game days on your AWS environment

5
Q

Which of the following security group rules are valid? (Select TWO.)

Inbound TCP rule with instance ID as source

Inbound HTTP rule with security group ID as source

Outbound HTTPS rule with hostname as destination

Outbound MYSQL rule with IP address as source

Inbound RDP rule with an address range as source

A

Inbound HTTP rule with security group ID as source

Inbound RDP rule with an address range as source

6
Q

Which of the following statements is true for AWS CloudTrail?

CloudTrail is disabled by default for newly created AWS accounts

When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default

CloudTrail is able to capture application error logs from your EC2 instances

CloudTrail charges you for every management event trail created

A

When you create a trail in the AWS Management Console, the trail applies to all AWS Regions by default

7
Q

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Which of the following best describes what an account alias is in IAM?

The numerical value of your account ID

The name AWS assigns to your account

A substitute for an account ID in the web address for your account

Your IAM root username

A

A substitute for an account ID in the web address for your account

8
Q

Which of the following AWS services are used to secure your VPC network? (Select TWO.)

Network ACL
Security group
Application load balancer
CloudFront

A

Network ACL

Security group

9
Q

Which of the following is a continuous delivery service that you should use to automate your release pipelines for fast and reliable application and infrastructure updates?

AWS CodeDeploy
Amazon Data Pipeline
AWS CodeCommit
AWS CodePipeline

A

AWS CodePipeline

10
Q

You have a fleet of on-premises servers that require a centralized scalable and durable file storage. It should be able to support massive parallel access. Which of the following is the most appropriate service to use?

Amazon S3
Amazon Storage Gateway - File Gateway
Amazon EFS
Amazon Redshift

A

Amazon EFS

11
Q

Which service will allow you to quickly deploy your application into the AWS Cloud without having to build or launch the individual resources yourself?

Amazon EBS
Amazon ECS
Amazon EKS
AWS Elastic Beanstalk

A

AWS Elastic Beanstalk

12
Q

Which of the following is the most cost-effective service to use if you want to coordinate multiple AWS services into serverless workflows?

Amazon SWF
AWS Lambda
AWS Step Functions
AWS Batch

A

AWS Step Functions

13
Q

Which of the following services will be able to reroute traffic to your secondary EC2 instances in another region during disaster recovery?

Amazon VPC
Amazon Route 53
VPC Peering
AWS ELB

A

Amazon Route 53

14
Q

You have a large number of log files that will be archived in AWS for a long time and should have a retrieval time of 12 hours or less. Which service is the most cost-effective storage class for this purpose?

Amazon S3 Glacier Deep Archive
Amazon S3 Standard-IA
Amazon S3 Glacier
Amazon EBS Cold HDD

A

Amazon S3 Glacier Deep Archive

15
Q

Which of the following AWS well-architected pillars discusses the use of the right computing resources to meet demand levels even as the demand changes and technologies evolve?

Operational Excellence
Reliability
Performance Efficiency
Cost optimization

A

Performance Efficiency

16
Q

Which service in AWS allows you to host your own Puppet Enterprise infrastructure?

AWS Opsworks
AWS CloudFormation
AWS Elastic Beanstalk
AWS Service Catalog

A

AWS Opsworks

17
Q

What is the main benefit you receive when moving to serverless from non-serverless compute services?

You get overall cheaper costs compared to using non-serverless services

Serverless removes management overhead so you can focus on your applications instead

Serverless services are highly available so you don’t have to worry about downtime

Security is fully managed for you by the service provider

A

Serverless removes management overhead so you can focus on your applications instead

18
Q

In which of the following occasions should you use the Amazon SQS in your application system? (Select TWO.)

If you need to submit push notifications to your event subscribers

When you have to automate certain tasks in your workflow

If you need to decouple certain parts of your system for better fault tolerance

If you require durable storage for your application events or messages

When your application requires the use of industry-standard messaging protocols for message delivery

A

If you need to decouple certain parts of your system for better fault tolerance

If you require durable storage for your application events or messages

19
Q

Which of the following services allows you to store Docker images and orchestrate Docker containers in a simple and cost-effective manner? (Select TWO.)

AWS Lambda
Amazon ECR
AWS CodeCommit
Amazon ECS
AWS Batch

A

Amazon ECR

Amazon ECS

20
Q

A company is planning to launch an Amazon EC2 instance with an attached EBS volume in a default configuration. You will be charged for your EBS storage only when your instance is in which instance state?

Stopped
Running
Terminated
Pending

A

Stopped

21
Q

A company needs to store frequently accessed data in Amazon S3. How will AWS bill you for storing objects in your S3 buckets?

Per GB
Per Hour or Second
By Instance Type
Per Unique File Type

A

Amazon Simple Storage Service (S3) is the object storage of AWS. It is used to store and retrieve any amount of data from anywhere on the Internet. It is also a service that offers an extremely durable, highly available, and infinitely scalable data storage infrastructure at a very low cost.

S3 Standard is the general-purpose storage for any type of data, typically used for frequently accessed data. You only pay for storing objects in your S3 buckets. The rate you are charged depends on your objects’ size, how long you stored the objects and the storage class.

Hence, the correct answer is: Per GB.

Per Hour or Second and By Instance Type are both incorrect because these are not valid S3 bucket pricing tiers. The usage of an EC2 instance is calculated by the hour or second based on the size of the instance, operating system, and the AWS Region where the instances are launched.

Per Unique File Type is incorrect because Amazon S3 does not have this sort of pricing scheme.

22
Q

Which feature will customers have access to by using the AWS Business Support plan?

Access to online self-paced labs
Concierge Support Team
Architecture Support
Technical Account Manager

A

Architecture Support

AWS Business Support Plan is used if you have production workloads on AWS and want 24x7 access to technical support and architectural guidance in the context of your specific use-cases.

In addition to what is available with Basic Support, Business Support provides:

AWS Trusted Advisor - Access to the full set of Trusted Advisor checks and guidance to provision your resources following best practices to help reduce costs, increase performance and fault tolerance, and improve security.

AWS Personal Health Dashboard - A personalized view of the health of AWS services, and alerts when your resources are impacted. Also includes the Health API for integration with your existing management systems.

Enhanced Technical Support – 24x7 access to Cloud Support Engineers via phone, chat, and email. You can have an unlimited number of contacts that can open an unlimited amount of cases. Response times are as follows:

General Guidance - < 24 hours

System Impaired - < 12 hours

Production System Impaired - < 4 hours

Production System Down - < 1 hour

Architecture Support – Contextual guidance on how services fit together to meet your specific use case, workload, or application.

AWS Support API - Programmatic access to AWS Support Center features to create, manage, and close your support cases, and operationally manage your Trusted Advisor check requests and status.

Third-Party Software Support - Guidance, configuration, and troubleshooting of AWS interoperability with many common operating systems, platforms, and application stack components.

Access to Proactive Support Programs – Ability to purchase Infrastructure Event Management for an additional fee. This provides Architecture and scaling guidance, and real-time operational support during the preparation and execution of planned events, product launches, and migrations.

Hence, the correct answer is: Architecture Support.

23
Q

Which of the following pricing options will automatically reduce your cost on any EC2 instance usage regardless of region, instance family, size, OS, or tenancy?

On-Demand Instances
Savings Plans
Reserved Instances
Dedicated Hosts

A

AWS Savings Plans is a flexible pricing model that saves up to 72 percent on Amazon EC2, AWS Fargate, and AWS Lambda usage. Savings Plans provide lower prices for your Amazon EC2, Fargate, and Lambda usage in exchange for a commitment to a consistent usage amount (measured in $/hour) for a one- or three-year term.

On-Demand Instances is incorrect because this pricing model lets you pay for computing capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. Since you need to reduce your cost, on-demand is not the best option.

Reserved Instances is incorrect. Although it offers discounts on hourly costs, you still need to commit at least a whole year’s worth of instance cost to fully maximize the discounts. If you need to reduce your cost for AWS Fargate, this option is not suitable.

Dedicated Hosts is incorrect since this is just a type of Amazon EC2 instance that runs in a VPC on hardware that’s dedicated to a single customer. This option is the most expensive pricing model. Therefore, it is incorrect.

Savings Plans Types:

  • Compute Savings Plans provide the most flexibility and prices of up to 66 percent off On-Demand rates. These plans automatically apply to your EC2 instance usage, regardless of instance family, instance size, region, operating system, or tenancy.
  • EC2 Instance Savings Plans provide savings up to 72 percent off On-Demand, in exchange for a commitment to a specific instance family in a chosen AWS Region.

Hence, the correct answer is: Savings Plans.

24
Q

What is the cloud computing model for services like Amazon RDS and Amazon ECS?

PaaS
IaaS
FaaS
SaaS

A

PaaS

Platform as a Service, usually abbreviated as PaaS, removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

Amazon RDS and ECS are considered PaaS because you don’t need to worry about setting up servers, storage, and network. You only manage the application and the data.

Hence, the correct answer is: PaaS.

IaaS, or infrastructure as a service, is incorrect. IaaS contains the basic building blocks for cloud IT and typically provides networking features, computers (virtual or on dedicated hardware), and data storage space. IaaS lets you manage your own infrastructure, but in RDS and ECS, you don’t have total control over what can be done within the instances. Therefore, it’s incorrect.

SaaS, or software as a service, is incorrect. Software as a Service provides you with a completed product that is run and managed by the service provider. With a SaaS offering, you only need to think about how you will use that particular piece of software. RDS and ECS are not complete products since you are still managing the application and the data.

FaaS, or function as a service, is incorrect. Amazon RDS and ECS are not serverless computing services that execute modular pieces of code.

25
Q

The security team needs to automate security vulnerability assessments throughout their development and production environments. Which service should they use to comply with this requirement?

Amazon Inspector
AWS Shield
AWS WAF
Amazon Macie

A

Amazon Inspector

Amazon Inspector allows you to automate security vulnerability assessments throughout your development and deployment pipeline or against static production systems. This allows you to make security testing a more regular occurrence as part of development and IT operations. Amazon Inspector is an API-driven service that uses an optional agent, making it easy to deploy, manage, and automate. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions.

Amazon Inspector is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.

Hence, the correct answer in this scenario is: Amazon Inspector.

AWS Shield is incorrect because this option is not a security assessment service. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. In addition, AWS Shield is mainly used to protect web applications, TCP-based applications, and UDP-based game servers against a DDoS attack.

AWS WAF is incorrect since this is a web application firewall that helps protect your web applications from common web exploits such as XSS and SQL injection, and not for automated security vulnerability assessments. You use AWS WAF to create custom rules that block common attack patterns and rules that are designed for your specific application.

Amazon Macie is incorrect because it is a data security service, not an automated security assessment service. It uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
26
Q

Which AWS service can automatically detect a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers?

Amazon Rekognition
Amazon Macie
Amazon CloudSearch
Amazon SageMaker

A

Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved. You can use Amazon Macie to automatically detect a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.

Hence, the correct answer is: Amazon Macie.

Amazon Rekognition is incorrect. Although it is a machine learning-based service like Amazon Macie, it is primarily used for image and video analysis, not for detecting personally identifiable information (PII). You can't use it to protect your sensitive data in AWS.

Amazon CloudSearch is incorrect because this service cannot protect sensitive data in AWS. CloudSearch is a service in the AWS Cloud that is used to set up, manage, and scale a search solution for your website or application in AWS.

Amazon SageMaker is incorrect because this service is primarily used to quickly build, train, and deploy machine learning (ML) models, not to detect sensitive information in AWS.
27
Q

In AWS, _______ is a managed service that enables you to easily create and control the encryption keys used for cryptographic operations without having to manage your own hardware module.

AWS Systems Manager
AWS IAM
AWS CloudHSM
AWS KMS

A

AWS KMS

AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services. KMS is a managed service that enables you to encrypt your data easily. It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services.

Hence, the correct answer is: AWS KMS.

AWS Systems Manager is incorrect because this service simply gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. You cannot encrypt data in your AWS resources using AWS SSM.

AWS IAM is incorrect because this is just a service used to manage users, roles, and groups and their access to AWS services and resources securely. This service does not provide a highly available HSM to encrypt data.

AWS CloudHSM is incorrect because this provides hardware security modules in the AWS Cloud that you can manage and control. Remember that in the scenario, the requirement is that you must be able to manage your encryption keys without having to manage your own hardware module. A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. If you want a managed service to create and control your encryption keys, but don't want to operate your own HSM, consider using AWS Key Management Service.
28
Q

Which AWS team can assist you when your systems are impacted by AWS resources engaging in abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents?

Concierge Support
AWS Support API
AWS Trust & Safety
Architecture Support

A

AWS Trust & Safety

AWS Abuse addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents. When abuse is reported, AWS alerts customers so they can take the remediation action that is necessary.

The AWS Trust & Safety team can assist you when AWS resources are used to engage in the following types of abusive behavior:

Spam: You are receiving unwanted emails from an AWS-owned IP address, or AWS resources are used to spam websites or forums.

Port scanning: Your logs show that one or more AWS-owned IP addresses are sending packets to multiple ports on your server, and you believe this is an attempt to discover unsecured ports.

Denial-of-service (DoS) attacks: Your logs show that one or more AWS-owned IP addresses are used to flood ports on your resources with packets, and you believe that this is an attempt to overwhelm or crash your server or the software running on your server.

Intrusion attempts: Your logs show that one or more AWS-owned IP addresses are used to attempt to log in to your resources.

Hosting objectionable or copyrighted content: You have evidence that AWS resources are used to host or distribute illegal content or distribute copyrighted content without the consent of the copyright holder.

Distributing malware: You have evidence that AWS resources are used to distribute software that was knowingly created to compromise or cause harm to computers or machines on which it is installed.

Hence, the correct answer is: AWS Trust & Safety.

Concierge Support is incorrect because this is a team of experts that quickly and efficiently assists you with your billing and account inquiries, and works with you to implement billing and account best practices so that you can focus on running your business.

AWS Support API is incorrect because this is not a team in AWS, but a collection of APIs that provides programmatic access to AWS Support Center features. It is primarily used to create, manage, and close your support cases, and operationally manage your Trusted Advisor check requests and status.

Architecture Support is incorrect because this is a team that guides customers on how AWS services fit together to meet a specific architecture, use-case, workload, or application.
29
Q

A Systems Administrator needs to create an account that will be used for long-term programmatic access to AWS. Which of the following IAM entities should be used to comply with this requirement?

IAM Role
IAM User
IAM Group
IAM Policy

A

IAM User

AWS Identity and Access Management enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM Users make use of access keys for long-term programmatic credentials. Access keys consist of two parts: an access key ID and a secret access key. You can use access keys to sign programmatic requests to the AWS CLI or AWS API.

Hence, the correct answer is: IAM User.

IAM Role is incorrect because it does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

IAM Group is incorrect because this is basically used to group together multiple IAM users. IAM Groups let you specify permissions for multiple users, making it easier to manage the permissions for those users. An IAM Group doesn't provide a long-term programmatic credential, unlike an IAM User.

IAM Policy is incorrect because this is just used to define permissions for IAM Users and Roles. An IAM Policy does not have long-term credentials.
30
Q

Which AWS services should you use to upload SSL certificates? (Select TWO.)

AWS Certificate Manager
AWS Systems Manager
AWS License Manager
AWS KMS
AWS IAM

A

AWS Certificate Manager

AWS IAM

AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. You can provide certificates for supported AWS services either by issuing them directly with ACM or by importing third-party certificates into the ACM management system. ACM certificates can secure multiple domain names and multiple names within a domain. ACM is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

You can use IAM as a certificate manager only when you must support HTTPS connections in a region not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all Regions, but you must obtain your certificate from an external provider for use with AWS.

Hence, the correct answers are:

- AWS Certificate Manager
- AWS Identity and Access Management

All other options are incorrect because these services are not capable of storing SSL certificates.

AWS Systems Manager is incorrect because this service is a management solution for hybrid cloud environments. It allows you to perform routine operations, track development, test, and production environments, and proactively act on events or other operational incidents. If you need to store SSL certificates, use ACM or AWS IAM.

AWS License Manager is incorrect because this service is mainly used for managing software licenses from different vendors (Microsoft, Oracle, SAP, IBM) across AWS and on-premises environments. It is not capable of managing and storing SSL certificates.

AWS Key Management Service is incorrect because this is a managed service that allows you to create and control keys used for cryptographic operations. This means that this service is not capable of storing SSL certificates. Therefore, if you need full control over the management of your keys and also to share access to the keys across your resources, then use AWS KMS.
31
Q

Which of the following AWS services does Amazon EBS use natively for encryption?

AWS KMS
Amazon S3 SSE
AWS Shield
AWS WAF

A

AWS KMS

AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. The service provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data within your own applications or control the encryption of data across AWS services. Amazon EBS encryption uses AWS Key Management Service (AWS KMS) customer master keys (CMK) when creating encrypted volumes and snapshots.

Hence, the correct answer is: AWS KMS.

Amazon S3 SSE is incorrect because this is a server-side encryption type used by Amazon S3, not EBS.

AWS WAF is incorrect because this is only a web application firewall that helps protect your web applications or APIs against common web exploits. WAF is mainly used to create a traffic filter, and not for EBS encryption.

AWS Shield is incorrect because this is not an encryption service. AWS Shield is a managed DDoS protection service that safeguards applications running on AWS.
32
Q

A high-performance computing (HPC) application needs a storage service in AWS that can be used as a centralized Windows File Server for multiple EC2 instances. Which of the following should they use?

Amazon S3
Amazon EFS
Amazon FSx
Amazon EBS

A

Amazon FSx

Amazon FSx makes it easy and cost-effective to launch and run popular file systems. With Amazon FSx, you can leverage the rich feature sets and fast performance of widely-used open source and commercially licensed file systems, while avoiding time-consuming administrative tasks like hardware provisioning, software configuration, patching, and backups. It provides cost-efficient capacity and high levels of reliability, and it integrates with other AWS services so that you can manage and use the file systems in cloud-native ways.

Amazon FSx provides you with two file systems to choose from:

1. Amazon FSx for Windows File Server provides fully managed file storage that is accessible over the industry-standard Server Message Block (SMB) protocol.
2. Amazon FSx for Lustre makes it easy and cost-effective to launch and run the world’s most popular high-performance file system, Lustre.

Hence, the correct answer is: Amazon FSx.

Amazon S3 is incorrect because this is just an object storage service. You can't use this as a centralized Windows File Server.

Amazon EFS is incorrect. Although it is a shared file system storage, EFS only supports Linux workloads.

Amazon EBS is incorrect. An EBS volume can only be accessed by multiple EC2 instances if it is a Provisioned IOPS EBS volume. A more suitable option here is to use Amazon FSx for Windows File Server.
33
Q

Which of the following services connects VPCs and on-premises networks through a central hub?

AWS Client VPN
Amazon VPC Peering
AWS Direct Connect
AWS Transit Gateway

A

AWS Transit Gateway

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only made once. Without a central hub, the network complexity increases with scale. You must maintain routing tables within each VPC and connect to each onsite location using separate network gateways. But if you use a centralized hub, your network is more streamlined and scalable. AWS Transit Gateway routes all traffic to and from each VPC or VPN, and you have one place to manage and monitor it all.

Hence, the correct answer is: AWS Transit Gateway.

AWS Client VPN is incorrect because this is just a VPN service used to securely access your AWS resources and resources in your on-premises network. You can't use AWS Client VPN to connect and manage multiple VPCs.

VPC Peering is incorrect. Although this service could connect two or more VPCs, it is not appropriate to use if you are managing multiple VPC peering connections and on-premises networks at scale.

AWS Direct Connect is incorrect because this is a dedicated network connection from your on-premises network to AWS. Direct Connect doesn't support peering between VPCs unless it is associated with a Transit Gateway.
34
Q

Which of the following AWS services allows you to query data directly in Amazon S3? (Select TWO.)

Amazon MQ
Amazon Athena
Amazon Neptune
Amazon Redshift Spectrum
Amazon ElastiCache

A

Amazon Athena

Amazon Redshift Spectrum

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to set up or manage, and you can start analyzing data immediately. You don’t even need to load your data into Athena; it works directly with data stored in S3.

Amazon Redshift Spectrum allows you to query and retrieve structured and semistructured data from files in Amazon S3 without having to load the data into Amazon Redshift tables. Much of the processing occurs in the Redshift Spectrum layer, and most of the data remains in Amazon S3. Multiple clusters can concurrently query the same dataset in Amazon S3 without the need to make copies of the data for each cluster.

Hence, the correct answers are:

- Amazon Athena
- Amazon Redshift Spectrum

Amazon MQ is incorrect because this is a message broker service for Apache ActiveMQ. This service is mainly used to migrate your existing RabbitMQ message brokers to AWS without having to rewrite code.

Amazon Neptune is incorrect because this is a fully managed graph database service. You cannot use this service to query the data stored in Amazon S3.

Amazon ElastiCache is incorrect because this is an in-memory data store and caching service. ElastiCache lets you create multiple replicas of a Redis primary. This allows you to scale database reads and to have highly available clusters.
35
Which service should you use to run complex analytic queries against terabytes to petabytes of structured data? Amazon DynamoDB Amazon Redshift Amazon S3 Amazon Neptune
Amazon Redshift is a fully-managed petabyte-scale cloud-based data warehouse product designed for large-scale data set storage and analysis. It allows you to run complex analytic queries against terabytes to petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution. Amazon Redshift has a feature of deepest integration with your data lake and AWS services. It lets you quickly and simply work with your data in open formats, including Avro, CSV, Grok, Amazon Ion, JSON, ORC, Parquet, RCFile, RegexSerDe, Sequence, Text, and TSV. Hence, the correct answer is: Amazon Redshift. Amazon DynamoDB is incorrect because it is a NoSQL Database Service and not a cloud-based data warehouse for online analytic processing (OLAP) and business intelligence (BI) applications. DynamoDB is used for key-value and document database that delivers single-digit millisecond performance. It can also store the metadata of assets such as images, pages, and links, but this service does not natively support SQL. Amazon S3 is incorrect because this is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon S3 is not a cloud-based data warehouse. It is primarily used for static website hosting, data storage, and archiving. Amazon Neptune is incorrect because this is a Graph Database service that makes it easy for you to build and run applications that work with highly connected datasets. It is mainly used for recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security but not for running complex analytic queries.
36
What types of caching solutions are available in Amazon ElastiCache? (Select TWO.) Amazon ElastiCache for Serverless Amazon ElastiCache for Redis Amazon ElastiCache for Memcached Amazon ElastiCache for Apache Kafka Amazon ElastiCache for Apache Ignite
Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open-source-compatible in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high-throughput and low-latency in-memory data stores. The different types of ElastiCache services are: ElastiCache for Redis - a blazing-fast in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications. ElastiCache for Memcached - a Memcached-compatible in-memory key-value store service that can be used as a cache or a data store. ElastiCache for Redis Global Datastore - you can write to your ElastiCache for Redis cluster in one region and have the data available to be read from two other cross-region replica clusters, thereby enabling low-latency reads and disaster recovery across regions. Hence, the correct answers are: - ElastiCache for Redis - ElastiCache for Memcached All the other options are incorrect since these are not a type of service in Amazon ElastiCache: - Amazon ElastiCache for Apache Spark - Amazon ElastiCache for Apache Kafka - Amazon ElastiCache for Apache Ignite
37
Which AWS service provides automated reference deployments for key workloads in AWS via CloudFormation templates? AWS Systems Manager Automation AWS Quick Starts AWS Config AWS OpsWorks
AWS Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS, based on AWS best practices for security and high availability. These accelerators reduce hundreds of manual procedures into just a few steps, so you can build your production environment quickly and start using it immediately. Quick Starts provides automated reference deployments for key workloads on the AWS Cloud via CloudFormation templates. Each Quick Start launches, configures and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability. Hence, the correct answer is: AWS Quick Starts. AWS Systems Manager Automation is incorrect because it doesn't provide you with automated reference deployments for key workloads. Systems Manager Automation only simplifies the common maintenance and deployment tasks of EC2 instances and other AWS resources. AWS Config is incorrect because it does not provide automated reference deployments in AWS via CloudFormation templates. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. You can use AWS Config as your framework for creating and deploying governance and compliance rules across your AWS accounts and regions. AWS OpsWorks is incorrect because this is not a reference deployment service. OpsWorks is a configuration management service that helps customers configure and operate applications, both on-premises and in the AWS Cloud, using Chef and Puppet.
38
Which is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy? AWS CodeDeploy AWS CodePipeline AWS CodeCommit AWS CodeBuild
AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. With CodeBuild, you don’t need to provision, manage, and scale your own build servers. CodeBuild scales continuously and processes multiple builds concurrently, so your builds are not left waiting in a queue. CodeBuild provides these benefits: Fully managed – CodeBuild eliminates the need to set up, patch, update, and manage your own build servers. On-demand – CodeBuild scales on-demand to meet your build needs. You pay only for the number of build minutes you consume. Out of the box – CodeBuild provides preconfigured build environments for the most popular programming languages. All you need to do is point to your build script to start your first build. Hence, the correct answer is: AWS CodeBuild. AWS CodeDeploy, AWS CodePipeline, and AWS CodeCommit are all incorrect because these services are not suitable to build and test applications in AWS Cloud. CodeDeploy is primarily used to automate code deployments to any instance, including EC2 instances and instances running on-premises. CodePipeline is a continuous delivery service while CodeCommit is a fully-managed source control service.
39
What is the MOST affordable AWS Support plan that provides users access to the AWS Support API? Basic Developer Business Enterprise
AWS Support offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. All support plans offer 24x7 access to customer service, AWS documentation, whitepapers, and support forums. For technical support and more resources to plan, deploy, and improve your AWS environment, you can select a support plan that best aligns with your AWS use case. In addition to what is available with Basic Support, Business Support provides: AWS Support API - Lets you create support cases and add correspondence to them throughout investigations of your issues and interactions with the AWS Support staff. AWS Trusted Advisor - Access to the full set of Trusted Advisor checks and guidance to provision your resources following best practices to help reduce costs, increase performance and fault tolerance, and improve security. AWS Personal Health Dashboard - Access to the 7 core Trusted Advisor checks and guidance to provision your resources following best practices to increase performance and improve security. Enhanced Technical Support - 24x7 access to Cloud Support Engineers via phone, chat, and email. You can have an unlimited number of contacts that can open an unlimited number of cases. Hence, the correct answer is: Business support plan. Enterprise is incorrect. Although it will provide you AWS Support API access, this support plan is more expensive than the Business support plan. Basic and Developer are both incorrect because these support plans don't offer access to the AWS Support API for programmatic case management.
40
A developer needs to set up a message broker service for Apache ActiveMQ for its enterprise application running in AWS. Which service should be used in this scenario? Amazon Simple Email Service Amazon Chime Amazon WorkMail Amazon MQ
Amazon MQ is a managed message broker service for Apache ActiveMQ that makes it easy to set up and operate message brokers in the cloud. Amazon MQ manages the administration and maintenance of ActiveMQ, a popular open-source message broker. You can also get direct access to the ActiveMQ console and industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket. With Amazon MQ, you can easily move from any message broker that uses these standards to Amazon MQ because you don’t have to rewrite any messaging code in your applications. Hence, the correct answer is: Amazon MQ. Amazon Simple Email Service is incorrect because this is only a cloud-based email sending service and not a message broker service for Apache ActiveMQ. Amazon SES is designed to help digital marketers and application developers send marketing, notification, and transactional emails. Amazon Chime is incorrect because this is simply a communications service that lets you meet, chat, and place business calls inside and outside your organization, all using a single application. This service is not suitable for setting up a message broker service. Amazon WorkMail is incorrect because this is just a service to manage your corporate email infrastructure and eliminates the need for up-front investments to license and provision on-premises email servers. This service does not provide direct access to the ActiveMQ console and industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket.
41
Which of the following benefits do AWS Organizations provide? (Select TWO.) Automate AWS account creation and management Centrally manage policies across multiple AWS accounts Ability to create IAM Roles Allow Active Directory access controls Records AWS API calls
AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS. Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies to these groups for governance. AWS Organizations benefits are: - Centrally Manage Policies across Multiple AWS Accounts - Automate AWS Account Creation and Management - Consolidate Billing across Multiple AWS Accounts - Govern Access to AWS Services, Resources, and Regions - Configure AWS Services Across Multiple Accounts Hence, the correct options that correctly describe AWS Organizations are: - Automate AWS account creation and management - Centrally manage policies across multiple AWS accounts The option that says: Ability to create IAM Roles is incorrect because this is a feature of AWS IAM and not AWS Organizations. IAM uses roles to delegate access to users, applications, or services that don't normally access your AWS resources. The option that says: Allow Active Directory access controls is incorrect because it is not a benefit of AWS Organizations. This option is related to AWS Managed Microsoft AD. The option that says: Records AWS API calls is incorrect because this function is under AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in your AWS environment. AWS Organizations does not provide an event history of your AWS account.
42
A customer needs to store objects that are frequently accessed. To help the customer save costs, you must select a storage service free from retrieval charges. Which of the following S3 storage classes would meet this requirement? (Select TWO.) S3 Glacier Deep Archive S3 Standard S3 One Zone IA S3 Intelligent Tiering S3 Standard-IA
S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Because it delivers low latency and high throughput, S3 Standard is appropriate for a wide variety of use cases, including cloud applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics. The S3 Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead. It works by storing objects in two access tiers: one tier optimized for frequent access and another lower-cost tier optimized for infrequent access. The S3 Standard-IA and S3 One Zone-IA storage classes are designed for long-lived and infrequently accessed data. (IA stands for infrequent access.) S3 Standard-IA and S3 One Zone-IA objects are available for millisecond access (same as the S3 Standard storage class). Amazon S3 charges a retrieval fee for these objects, so they are most suitable for infrequently accessed data. Both the S3 Standard and S3 Intelligent-Tiering storage classes have no retrieval fees. Hence, the correct answers are: - S3 Standard - S3 Intelligent-Tiering S3 Glacier Deep Archive, S3 Standard-IA, and S3 One Zone-IA are all incorrect since these storage tiers have object retrieval fees.
43
A developer needs to install their application in Docker containers. Which of the following services eliminates the need to manage containers manually? Amazon FSx Amazon ECS Amazon EC2 AWS Fargate
AWS Fargate is a serverless compute engine for containers. Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design. Fargate lets you define your application content, networking, storage, and scaling requirements. There is no provisioning, patching, cluster capacity management, or any infrastructure management required. Hence, the correct answer is: AWS Fargate. Amazon FSx is incorrect because this is primarily used as a file system for Windows-based applications. Amazon ECS is incorrect because by using this service, you still need to manage your own EC2 instances where your containers are hosted. Amazon EC2 is incorrect since you still need to provision and manage your Docker containers that are hosted in these EC2 instances.
44
Which of the following does the Enterprise support plan provide to customers in AWS? (Select TWO.) Limited access to the 7 Core Trusted Advisor checks 15-minute response time support if your production system goes down Proactive Technical Account Management Access to online self-paced labs 5-minute response time support if your business-critical system goes down
Proactive Technical Account Management | Access to online self-paced labs
45
Which of the following purchase options offers the most significant discount compared to On-Demand instance pricing to process steady-state workloads that will continuously be running for a year? Scheduled Reserved Instance Standard Reserved Instance Convertible Reserved Instance Dedicated Instance
Standard Reserved Instance Reserved Instances provide you with a significant discount compared to On-Demand instance pricing. In addition, when Reserved Instances are assigned to a specific Availability Zone, they provide a capacity reservation, giving you additional confidence in your ability to launch instances when you need them. Standard Reserved Instances provide you with a significant discount compared to On-Demand instance pricing and can be purchased for a 1-year or 3-year term. The average discount off On-Demand instances varies based on your term and chosen payment options. Customers have the flexibility to change the Availability Zone, the instance size, and networking type of their Standard Reserved Instances. Convertible Reserved Instances provide you with a significant discount compared to On-Demand Instances and can be purchased for a 1-year or 3-year term. Purchase Convertible Reserved Instances if you need additional flexibility, such as the ability to use different instance families, operating systems, or tenancies over the Reserved Instance term. As a general rule, Standard RI provides more savings than Convertible RI, which means that the former is the cost-effective option. The All Upfront option provides you with the largest discount compared with the other types. Opting for a longer compute reservation, such as the 3-year term, gives us a greater discount as opposed to a shorter 1-year renewable term. Scheduled RIs are available to launch within the time windows you reserve. This option allows you to match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month. However, these are not suitable if you have a steady-state workload running continuously for 1 to 3 years. Hence, the correct answer is: Standard Reserved Instance. 
Scheduled Reserved Instance is incorrect because this type of instance pricing option is not suitable if you have a steady-state workload running continuously for 1 to 3 years. Convertible Reserved Instance is incorrect. Although it is suitable to process steady-state workloads, this is actually more expensive compared with Standard Reserved Instance. Dedicated Instance is incorrect because this is actually more expensive than Reserved Instances. With a Dedicated Instance, you can pay for instances that run on single-tenant hardware by the hour.
46
What is the lowest support plan that allows an unlimited number of technical support cases to be opened? Basic Developer Business Enterprise
AWS Support offers a range of plans that provide access to tools and expertise that support the success and operational health of your AWS solutions. All support plans provide 24x7 access to customer service, AWS documentation, whitepapers, and support forums. For technical support and more resources to plan, deploy, and improve your AWS environment, you can select a support plan that best aligns with your AWS use case. AWS Support offers five support plans: Basic, Developer, Business, Enterprise On-Ramp, and Enterprise. The Basic plan is free of charge and offers support for account and billing questions and service limit increases. The other plans offer an unlimited number of technical support cases with pay-by-the-month pricing and no long-term contracts, providing the level of support that meets your needs. All AWS customers automatically have around-the-clock access to these features of the Basic support plan: - Customer Service: one-on-one responses to account and billing questions - Support forums - Service health checks - Documentation, whitepapers, and best-practice guides The cheapest support plan that offers technical support with an unlimited amount of cases that can be opened is the Developer support plan. Additionally, it provides you access to the 7 core Trusted Advisor checks and the Personal Health Dashboard, where you get a personalized view of the health of AWS services, and alerts when your resources are impacted. Hence, the correct answer is: Developer. Basic is incorrect because this support plan does not offer Technical Support cases. Business and Enterprise are both incorrect because these support plans are more expensive than the Developer plan.
47
Which of the following does AWS automatically handle for you? (Select TWO.) Secure AWS data centers from environmental hazards Introduce updates and patches to EC2 hypervisors Introduce updates and patches to EC2 guest operating systems Makes sure your data is safely kept and replicated between AZs Provide web application firewall protection to your public endpoints.
Secure AWS data centers from environmental hazards | Introduce updates and patches to EC2 hypervisors
48
How is expense shifted when moving from traditional servers to the Cloud? Capital expense is traded for variable expense Capital expense is traded for operational expense Variable expense is traded for capital expense Operational expense is traded for variable expense
Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the Internet with pay-as-you-go pricing. Whether you are running applications that share photos to millions of mobile users or you’re supporting the critical operations of your business, a cloud services platform provides rapid access to flexible and low-cost IT resources. With cloud computing, you don’t need to make large upfront investments in hardware and spend a lot of time on the heavy lifting of managing that hardware. Instead, you can provision exactly the right type and size of computing resources you need to power your newest bright idea or operate your IT department. You can access as many resources as you need, almost instantly, and only pay for what you use. One of the advantages of cloud computing is that instead of having to invest heavily in data centers and servers before you know how you’re going to use them, you can pay only when you consume computing resources, and pay only for how much you consume. Hence, the correct answer is: Trade capital expense for variable expense. The option that says: Capital expense is traded for operational expense is incorrect because capital expense is actually not traded for operational expense, since you still handle operations. The option that says: Variable expense is traded for capital expense is incorrect because it should be the other way around. The option that says: Operational expense is traded for variable expense is incorrect because you do not trade operational expense for variable expense since you still handle the operations of your company.
49
Which of the following is not a part of the AWS Global Infrastructure? Regions Availability Zones Placement Groups Edge Locations
Placement Groups The AWS Global Infrastructure delivers a cloud infrastructure companies can depend on—no matter their size, changing needs, or challenges. The AWS Global Infrastructure is designed and built to deliver the most flexible, reliable, scalable, and secure cloud computing environment with the highest quality global network performance available today. Every component of the AWS infrastructure is designed and built for redundancy and reliability, from regions to networking links to load balancers to routers and firmware. AWS provides a more extensive global footprint than any other cloud provider, and it opens up new Regions faster than other providers. To support its global footprint and ensure customers are served across the world, AWS maintains multiple geographic regions, including Regions in North America, South America, Europe, Asia Pacific, and the Middle East. Each AWS Region provides full redundancy and connectivity to the network. Unlike other cloud providers, who define a region as a single data center, at AWS, Regions consist of multiple Availability Zones, each of which is a fully isolated partition of the AWS infrastructure that consists of discrete data centers, each with redundant power, networking, and connectivity, and each housed in separate facilities. An Availability Zone gives customers the ability to operate production applications and databases that are more highly available, fault-tolerant, and scalable than would be possible from a single data center. All AZs are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZs. The network performance is sufficient to accomplish synchronous replication between AZs. A placement group is just a logical grouping of instances within a single Availability Zone that benefit from low network latency and high network throughput. Hence, the correct answer is: Placement group.
All other options are incorrect because the AWS Global Infrastructure consists of Regions, Availability Zones, and Edge Locations.
50
Which of the following is an example of IaaS in AWS? AWS CloudFormation AWS Elastic Beanstalk Amazon EC2 AWS IAM
Infrastructure as a Service, sometimes abbreviated as IaaS, contains the basic building blocks for cloud IT and typically provides access to networking features, computers (virtual or on dedicated hardware), and data storage space. Infrastructure as a Service provides you with the highest level of flexibility and management control over your IT resources and is most similar to existing IT resources that many IT departments and developers are familiar with today. Amazon EC2 is one of the IaaS solutions offered by AWS. Hence, the correct answer is: Amazon EC2.
51
A customer has recently experienced an SQL injection attack on their web application’s database hosted in EC2. They submitted a complaint ticket to AWS. What should be the response from AWS? AWS should secure their infrastructure better to reduce these kinds of incidents. AWS and the customer should contact a third party auditor to verify the incident. AWS should not be liable for the damages since the customer should have properly patched the EC2 instance. AWS should reiterate that the customer is responsible for the security of their applications in the Cloud.
AWS should reiterate that the customer is responsible for the security of their applications in the Cloud. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The customer's responsibility, in turn, is determined by the AWS Cloud services that the customer selects, which dictate the amount of configuration work the customer must perform as part of their security responsibilities. It is the customer's responsibility to secure their infrastructure through the various available security services. Customers can use different network and firewall configurations such as Security Groups, Network ACLs, AWS WAF, AWS Shield Advanced, client/server-side encryption, and many others. Hence, the correct answer is: AWS should reiterate that the customer is responsible for the security of their applications in the Cloud. The option that says: AWS should secure their infrastructure better to reduce these kinds of incidents is an incorrect choice since the customer is at fault for not securing their applications against the SQL injection attack. AWS continuously secures and updates its infrastructure, but this does not include customer applications. The option that says: AWS and the customer should contact a third-party auditor to verify the incident is incorrect because this is not the responsibility of AWS. The customer can do this for an audit of their own system if they wish to. The option that says: AWS should not be liable for the damages since the customer should have properly patched the EC2 instance is incorrect. Although it is true that AWS is not responsible for the damages incurred, it is not the best answer among the options. AWS should reiterate to the customer how the responsibilities in the Cloud are shared between them.
52
Which of the following is part of the best practices in securing your AWS account? Enable MFA only on the root account Grant Most Privilege Always manually define permissions to each and every individual IAM user Create an IAM user with admin privileges instead of using root
Create an IAM user with admin privileges instead of using root You use an access key (an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account root user access key. The access key for your AWS account root user gives full access to all your resources for all AWS services, including your billing information. You cannot reduce the permissions associated with your AWS account root user access key. Therefore, protect your root user access key like you would your credit card numbers or any other sensitive secret. As indicated in the Security Best Practices whitepaper, you should not use your root account to administer your account. You should instead create an IAM user with administrative privileges that will be used as the administrator of your AWS account. Hence, the correct answer is: Create an IAM user with admin privileges instead of using root.
53
In which of the following cases is it better to use IAM roles rather than IAM users? (Select TWO.) If you have employees who will constantly need access to your AWS resources When you want to provide AWS services permissions to do certain actions When you need a GUI to interact with your AWS environment When you have outside entities that need to perform specific actions in your AWS account When you need an administrator to handle the AWS account for you
When you want to provide AWS services permissions to do certain actions When you have outside entities that need to perform specific actions in your AWS account You can use IAM roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you might want to grant users in your AWS account access to resources they don't usually have, or grant users in one AWS account access to resources in another account. Sometimes you want to give AWS access to users who already have identities defined outside of AWS, such as in your corporate directory. If you need constant access to your AWS account or a GUI such as the AWS Management Console, it is better to use IAM users instead, since they provide long-term credentials for logging in to your account. Entities such as account handlers and administrators should likewise have their own IAM users so they can work efficiently. Hence, the correct answers are: - When you want to provide AWS services permissions to do certain actions. - When you have outside entities that need to perform specific actions in your AWS account. All the other options are incorrect since these are more suitable for IAM users: - If you have employees who will constantly need access to your AWS resources. - When you need a GUI to interact with your AWS environment. - When you need an administrator to handle the AWS account for you.
54
Which of the following do you need to programmatically interact with your AWS environment? (Select TWO.) AWS Management Console AWS Lambda AWS SDK Access keys Account username and password
AWS SDK Access keys You can use AWS SDKs to programmatically interact with your AWS resources. Using access keys, which are unique identifiers for your IAM user, you can connect to your resources in a secure manner. The AWS Access Key ID and AWS Secret Access Key are your AWS credentials. They are associated with an AWS Identity and Access Management (IAM) user or role that determines what permissions you have. Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). If you don't have access keys, you can create them from the AWS Management Console. As a best practice, do not use the AWS account root user access keys for any task where they are not required. Instead, create a new administrator IAM user with access keys for yourself. Hence, the correct answers are: - AWS SDK - Access keys AWS Management Console is incorrect because when you are programmatically interacting with AWS, you use APIs (and not your web browser) to send and receive messages. Account username and password is incorrect because you only need these credentials if you are accessing the AWS Management Console in your web browser. AWS Lambda is incorrect. Although you can control your other AWS resources using Lambda via their respective APIs, you still need to set up the required IAM role in order for your function to work.
55
As an AWS customer, what offering do you naturally inherit from AWS after you sign up? All the hardware and software that you provision in the AWS cloud All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements All the data you store in and retrieve from AWS All the responsibilities in enforcing security and compliance policies of your organization
All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements. Security at AWS is a top priority. Today, AWS protects millions of active customers around the world, from large enterprises and government organizations to start-ups and non-profits. AWS customers inherit all of the benefits of its security controls, including best practices for security policies, architecture, and operational processes validated against external assurance frameworks. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The customer's responsibility, by contrast, is determined by the AWS Cloud services the customer selects, which in turn determines the amount of configuration work the customer must perform as part of their security responsibilities. Hence, the correct answer is: All the best practices of AWS policies, architecture, and operational processes built to satisfy your requirements. The option that says: All the hardware and software that you provision in the AWS cloud is incorrect because AWS retains full control of its physical infrastructure. The option that says: All the data you store in and retrieve from AWS is incorrect because AWS does not take ownership of your data to begin with, so there is nothing to inherit. The option that says: All the responsibilities in enforcing security and compliance policies of your organization is incorrect because those remain your responsibilities: AWS handles security of the cloud, while the customer handles security in the cloud.
56
In implementing continuous integration and continuous delivery (CI/CD) in your cloud architecture, which service will make it easy for you to set up your entire development and continuous delivery toolchain for coding, building, testing, and deploying your application code? AWS CodeBuild AWS CodeCommit AWS CodePipeline AWS CodeStar
AWS CodeStar enables you to quickly develop, build, and deploy applications on AWS. AWS CodeStar provides a unified user interface, enabling you to easily manage your software development activities in one place. With AWS CodeStar, you can set up your entire continuous delivery toolchain in minutes, allowing you to start releasing code faster. AWS CodeStar makes it easy for your whole team to work together securely, allowing you to easily manage access and add owners, contributors, and viewers to your projects. Each AWS CodeStar project comes with a project management dashboard, including an integrated issue tracking capability powered by Atlassian JIRA Software. With the AWS CodeStar project dashboard, you can easily track progress across your entire software development process, from your backlog of work items to teams’ recent code deployments. AWS CodeStar makes it easy for you to set up your entire development and continuous delivery toolchain for coding, building, testing, and deploying your application code. To start a project, you can choose from a variety of AWS CodeStar templates for Amazon EC2, AWS Lambda, and AWS Elastic Beanstalk. You have the option to choose AWS CodeCommit or GitHub to use as your project’s source control. You also have the option to edit your source code using one of several options including AWS Cloud9, Microsoft Visual Studio, or Eclipse. After you make your selections the underlying AWS services are provisioned in minutes, allowing you to quickly start coding and deploying your applications. Hence, the correct answer is AWS CodeStar. AWS CodeBuild is incorrect because this is just a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy. AWS CodeCommit is incorrect because this is simply a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories. 
AWS CodePipeline is incorrect because this basically helps you automate your release pipelines for fast and reliable application and infrastructure updates. It doesn't provide an entire development and continuous delivery toolchain for coding, building, testing, and deploying your application code, unlike AWS CodeStar.
57
Which of the following RDS engines allows you to bring your own license (BYOL)? PostgreSQL MS SQL MySQL Oracle
Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business. You can run Amazon RDS for Oracle under two different licensing models – “License Included” and “Bring-Your-Own-License (BYOL)”. The “BYOL” model is designed for customers who prefer to use existing Oracle database licenses or purchase new licenses directly from Oracle. Hence, the correct answer is: Oracle. All other options are incorrect because these database engines do not currently support the BYOL model. - PostgreSQL - MS SQL - MySQL
58
Due to a high number of visitors, many customers are timing out from your website which is running in an Auto Scaling group of EC2 instances behind an ELB. Upon checking, the Auto Scaling group has stopped adding new instances to your group. Which of the following Trusted Advisor categories will give you more insight on this issue? (Select TWO.)
- Cost Optimization
- Performance
- Security
- Fault Tolerance
- Service Limits
Performance Service Limits AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices. It inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps. Whether establishing new workflows, developing applications, or as part of ongoing improvement, take advantage of the recommendations provided by Trusted Advisor on a regular basis to help keep your solutions provisioned optimally. Trusted Advisor includes an ever-expanding list of checks in the following five categories (an Operational Excellence category has since been added): Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill. Security – identification of security settings that could make your AWS solution less secure. Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and over-utilized resources. Performance – recommendations that can help to improve the speed and responsiveness of your applications. Service Limits – recommendations that will tell you when service usage is more than 80% of the service limit. Since your instances are experiencing high usage, it is best to run the Performance checks to see whether they are under-provisioned. Since Auto Scaling has stopped adding instances, you may have reached the limit on the number of EC2 instances for the Region, which is exactly what the Service Limits category reports. Hence, the correct answers are: - Performance - Service Limits
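The Service Limits category reports quotas whose usage has crossed 80%, which is the first thing to triage when an Auto Scaling group silently stops launching. The following is an added example, not part of the flashcard set or of Trusted Advisor itself: it walks a result document constructed to mirror the shape returned by the Support API's DescribeTrustedAdvisorCheckResult for the Service Limits check (each flagged resource carries metadata in the order Region, Service, Limit Name, Limit Amount, Current Usage, Status) and returns the rows at or above a threshold. All values, including the check ID, are made up.

```python
# Constructed to mirror the shape of DescribeTrustedAdvisorCheckResult for the
# Service Limits check; every value below, including the checkId, is made up.
SAMPLE_CHECK_RESULT = {
    "result": {
        "checkId": "check-id-placeholder",
        "status": "warning",
        "flaggedResources": [
            {"status": "error", "region": "us-east-1",
             "metadata": ["us-east-1", "EC2", "On-Demand instances", "20", "20", "Red"]},
            {"status": "ok", "region": "us-east-1",
             "metadata": ["us-east-1", "VPC", "Elastic IP addresses", "5", "2", "Green"]},
            {"status": "warning", "region": "eu-west-1",
             "metadata": ["eu-west-1", "AutoScaling", "Auto Scaling groups", "200", "170", "Yellow"]},
            {"status": "ok", "region": "eu-west-1",
             "metadata": ["eu-west-1", "EBS", "General Purpose (SSD) volume storage (TiB)",
                          "Unlimited", "12", "Green"]},
        ],
    }
}


def flag_service_limits(check_result, threshold=0.8):
    """Return (region, service, limit name, usage, limit, ratio) for every row
    whose usage is at or above threshold of its limit, highest ratio first.
    Rows whose limit is not numeric (for example "Unlimited") are skipped."""
    findings = []
    for resource in check_result["result"]["flaggedResources"]:
        region, service, limit_name, limit, usage, _status = resource["metadata"]
        try:
            limit_value, usage_value = float(limit), float(usage)
        except (TypeError, ValueError):
            continue
        if limit_value <= 0:
            continue
        ratio = usage_value / limit_value
        if ratio >= threshold:
            findings.append((region, service, limit_name,
                             int(usage_value), int(limit_value), round(ratio, 2)))
    return sorted(findings, key=lambda row: row[-1], reverse=True)


if __name__ == "__main__":
    for region, service, name, usage, limit, ratio in flag_service_limits(SAMPLE_CHECK_RESULT):
        print(f"{region:10} {service:12} {name:30} {usage}/{limit} ({ratio:.0%})")
```

In the constructed sample the us-east-1 On-Demand instance quota is fully consumed, which is the kind of finding that explains an Auto Scaling group that cannot add capacity. Against a real account you would feed this function the response of `describe_trusted_advisor_check_result` from the boto3 `support` client (which requires a Business or Enterprise support plan).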
59
A customer is using Amazon S3 to store sprites of game characters. When players retrieve these sprites, they are temporarily stored on the player’s computer. The sprites are currently stored in the S3 Standard storage class. Which of the following options would you recommend to optimize storage costs? Add a lifecycle policy to move sprites to S3 Glacier after the customer uploads them. Add a lifecycle policy to move sprites to S3 Standard - Infrequent Access after the customer uploads them. Have the customer compress the sprites to reduce storage consumption. Have the customer directly upload the sprites to S3 Standard - Infrequent Access.
Have the customer directly upload the sprites to S3 Standard - Infrequent Access. Amazon S3 offers a range of storage classes designed for different use cases. These include S3 Standard for general-purpose storage of frequently accessed data; S3 Intelligent-Tiering for data with unknown or changing access patterns; S3 Standard-Infrequent Access (S3 Standard-IA) and S3 One Zone-Infrequent Access (S3 One Zone-IA) for long-lived, but less frequently accessed data; and Amazon S3 Glacier (S3 Glacier) and Amazon S3 Glacier Deep Archive (S3 Glacier Deep Archive) for long-term archive and digital preservation. Amazon S3 also offers capabilities to manage your data throughout its lifecycle. Once an S3 Lifecycle policy is set, your data will automatically transfer to a different storage class without any changes to your application. S3 Standard-IA is for data that is accessed less frequently but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per GB storage price and a per GB retrieval fee. Since each sprite is retrieved rarely (once retrieved, it is cached on the player's computer) but must be available immediately when a new player asks for it, S3 Standard-IA is the best storage class to use, and uploading directly to it avoids paying S3 Standard rates in the meantime. Note that S3 Standard-IA bills a minimum object size of 128 KB and a minimum storage duration of 30 days, so very small or short-lived objects can cost more there than in S3 Standard. Hence, the correct answer is: Have the customer directly upload the sprites to S3 Standard - Infrequent Access.
60
Which of the following AWS services are not considered to be region-specific services? (Select TWO.)
- Amazon Route 53
- AWS WAF
- AWS Lambda
- AWS CloudTrail
- Amazon VPC
An AWS resource can be a Global, Regional, or Zonal service. A Global service means that it covers all of the AWS Regions across the globe, while a Regional service means that a resource is only applicable to one specific Region at a time. A Regional service may or may not have the ability to replicate the same resource to another Region. Lastly, a Zonal service can only exist in one Availability Zone. You don't need to memorize the scope of all of the AWS services as long as you know the pattern. There are actually only a handful of services that are considered global services, such as IAM, STS, Route 53, CloudFront, and WAF. For Zonal services, the examples are EC2 instances and EBS volumes, which are tied to the Availability Zone where they were launched. Take note that although EBS volumes are considered a zonal service, EBS snapshots are considered regional since they are not tied to a specific Availability Zone. The rest of the services are regional in scope. Amazon Route 53 and AWS WAF are both global services, so they are not dependent on the Region in which they were launched. This can be verified by signing in to the AWS Console and viewing the area where the Region selector is typically located. Hence, the correct answers are: - Amazon Route 53 - AWS WAF AWS Lambda, AWS CloudTrail, and Amazon VPC are all incorrect because these are region-specific services. You can only find your resources in the Regions in which you created them. This means that the location you select matters when creating these resources.
61
A number of servers in your on-premises data center have been collecting dust over the past few years. What is the benefit of moving to the Cloud in this case? Physical servers are managed and maintained by AWS for you The ability to provision resources only when you need them The ability to pay for only what you use AWS has automated services for you
In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses as web services—now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace upfront capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster. Whether you are using it to run applications that share photos to millions of mobile users or to support business-critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources. With cloud computing, you don’t need to make large upfront investments in hardware and spend a lot of time on the heavy lifting of managing that hardware. Instead, you can provision exactly the right type and size of computing resources you need to power your newest idea or operate your IT department. You can access as many resources as you need, almost instantly, and only pay for what you use. One of the best practices to perform in the Cloud is to have disposable resources instead of fixed servers. Therefore, you can easily provision resources when you need them and take them down when you don't in the Cloud, and this is the advantage you receive compared to having servers on-premises. Hence, the correct answer is: The ability to provision resources only when you need them. The option that says: Physical servers are managed and maintained by AWS for you is incorrect because this is not the main compelling advantage on why you should shift to the cloud rather than have your unused servers sit in your data center collecting dust. The option that says: The ability to pay for only what you use is incorrect because cost optimization is not the requirement in the scenario. 
The option that says: AWS has automated services for you is incorrect since this option is not related to the concerns of the given scenario. Also, moving your resources to AWS enables you to deploy additional resources only when you need them.
62
Which AWS service will allow you to serve your dynamic web content to users globally? Amazon S3 Amazon CloudFront Amazon Route 53 AWS Elastic Load Balancer
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS – both physical locations that are directly connected to the AWS global infrastructure, as well as other AWS services. CloudFront works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing, or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. Lastly, if you use AWS origins such as Amazon S3, Amazon EC2, or Elastic Load Balancing, you don’t pay for any data transferred between these services and CloudFront. You can get started with the Content Delivery Network in minutes, using the same AWS tools that you're already familiar with: APIs, AWS Management Console, AWS CloudFormation, CLIs, and SDKs. Amazon's CDN offers a simple, pay-as-you-go pricing model with no upfront fees or required long-term contracts, and support for the CDN is included in your existing AWS Support subscription. Hence, the correct answer is: Amazon CloudFront. Amazon S3 is incorrect because this can only directly serve static objects. This means that you can't use this service to serve dynamic web content to users globally. Amazon Route 53 is incorrect because this is just a DNS service offered by AWS and hence, it is not a suitable service to use for this scenario. AWS Elastic Load Balancer is incorrect because this just automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. It cannot serve content to users globally without a source behind it.
63
Which of the following services should you provision if your local data center requires additional storage space without having to migrate data? AWS Direct Connect AWS Storage Gateway AWS Snowball Edge AWS Backup
AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Your applications connect to the service through a virtual machine or hardware gateway appliance using standard storage protocols, such as NFS, SMB, and iSCSI. The gateway connects to AWS storage services, such as Amazon S3, Amazon S3 Glacier, Amazon S3 Glacier Deep Archive, Amazon EBS, and AWS Backup, providing storage for files, volumes, snapshots, and virtual tapes in AWS. Hybrid cloud storage means your data can be used on-premises and stored durably in AWS Cloud storage services, including Amazon S3, Amazon S3 Glacier, Amazon S3 Glacier Deep Archive, and Amazon EBS. Once data is moved to AWS, you can apply AWS compute, machine learning, and big data analytics services to it. Additionally, you can leverage the full AWS portfolio of security and management services including AWS Backup, AWS KMS, AWS Identity and Access Management (IAM), SNS workflows, Amazon CloudWatch and AWS CloudTrail. Hence, the correct answer is: AWS Storage Gateway. AWS Direct Connect is incorrect because this is primarily used in order for you to establish private connectivity between AWS and your datacenter, office, or colocation environment. Although it provides a more consistent network connection to AWS, it does not extend your storage capability, unlike Storage Gateway. AWS Snowball Edge is incorrect because this is just an edge computing and data transfer device provided by the AWS Snowball service. It has onboard storage and compute power that provides select AWS services for use in edge locations. Since it is stated in the scenario that no migration will be done, this is not the best solution to go for. AWS Backup is incorrect. Although this service can allow your local data center to free up additional storage space, the data must first be migrated to AWS Cloud since AWS Backup doesn't have any local components running on-premises. 
You can integrate AWS Backup with AWS Storage Gateway to meet the requirements, but using the former alone is not enough.
64
Which AWS well-architected pillar stresses the importance of selecting the most appropriate and right number of resource types for your requirements? Operational Excellence Reliability Performance Efficiency Cost optimization
The Well-Architected Framework has been developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications. At the time of this question it was based on five pillars, namely: 1. Operational Excellence 2. Security 3. Reliability 4. Performance Efficiency 5. Cost Optimization (a sixth pillar, Sustainability, was added in December 2021, but it is not among the options here). Cost Optimization focuses on avoiding unneeded costs. Key topics include understanding and controlling where money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending. Hence, the correct answer is Cost optimization. Performance efficiency is incorrect because this pillar focuses on using IT and computing resources efficiently. Key topics include selecting the right resource types and sizes based on workload requirements, monitoring performance, and making informed decisions to maintain efficiency as business needs evolve. Operational Excellence is incorrect because this pillar focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures. Reliability is incorrect because this pillar focuses on the ability to prevent and quickly recover from failures to meet business and customer demand.
65
What is an advantage of cloud computing when it comes to equipment expenditures? You can easily scale and manage the number of resources running in your cloud environment. AWS makes sure that physical devices are continuously secured and monitored. AWS introduces cost reductions each year in their services. AWS uses the cheapest possible equipment for their data centers so that they do not charge expensive fees.
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services, while the customer responsibility is determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. AWS works to reduce the cost of its operations and infrastructure each year, and those reductions are passed on to customers as lower prices for using AWS resources. Because the customer is no longer buying, housing, and depreciating the equipment, and the provider keeps lowering the price of using it, equipment expenditure is where the cloud's advantage is most visible. Remaining cost-effective in the market while offering quality services is one of AWS's stated priorities. Hence, the correct answer is: AWS introduces cost reductions each year in their services. All other options are incorrect because they do not specifically address equipment expenditures or are unsupported statements. - You can easily scale and manage the number of resources running in your cloud environment. - AWS makes sure that physical devices are continuously secured and monitored. - AWS uses the cheapest possible equipment for their data centers so that they do not charge expensive fees.
66
If you are tasked to create a lightweight Wordpress site in AWS without having to install the package on your own, which PaaS solution in AWS will allow you to do this easily? AWS Elastic Beanstalk Amazon GameLift AWS Glue Amazon Lightsail
Amazon Lightsail is a PaaS solution for users who need a simple virtual private server (VPS) solution. Lightsail provides developers compute, storage, and networking capacity and capabilities to deploy and manage websites and web applications in the cloud. Lightsail includes everything you need to launch your project quickly – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP – for a low, predictable monthly price. Lightsail offers a range of operating system and application templates that are automatically installed when you create a new Lightsail instance. Application templates include WordPress, Drupal, Joomla!, Magento, Redmine, LAMP, Nginx (LEMP), MEAN, Node.js, and more. Hence, the correct answer is: Amazon Lightsail. AWS Elastic Beanstalk is another PaaS solution from AWS. This is not the correct answer, however, because you would have to package and deploy your own WordPress application first. Elastic Beanstalk does not offer a simple way to stand up a functional WordPress website in minutes, unlike Lightsail. Amazon GameLift is incorrect because you can't use this service to deploy general applications. Amazon GameLift is a dedicated game server hosting solution that deploys, operates, and scales cloud servers for multiplayer games. AWS Glue is incorrect because this is a serverless ETL (extract, transform, and load) service that makes it simple and cost-effective to categorize your data, clean it, enrich it, and move it reliably between various data stores and data streams. This service is not for setting up a WordPress site.
67
Which service offers volume discounts when you enable Consolidated Billing? AWS CloudTrail Amazon S3 Amazon CloudFront Amazon SNS
Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts in your department or company, as well as obtain a detailed cost report for each individual AWS account associated with your paying account. Consolidated Billing may also lower your overall costs since the rolled-up usage across all of your accounts could help you reach lower-priced volume tiers more quickly. For billing purposes, AWS treats all the accounts in the organization as if they were one account. Some services, such as Amazon EC2 and Amazon S3, have volume pricing tiers across certain usage dimensions that give you lower prices the more you use the service. With consolidated billing, AWS combines the usage from all accounts to determine which volume pricing tiers to apply, giving you a lower overall price whenever possible. AWS then allocates each linked account a portion of the overall volume discount based on the account's usage. Hence, the correct answer is: Amazon S3. AWS CloudTrail, Amazon CloudFront, and Amazon SNS are not the expected answer here: Amazon S3 is the option that the Consolidated Billing documentation itself names as an example of a service with volume pricing tiers that the combined usage of all accounts can reach.
68
A Software Engineer is having trouble migrating and configuring a licensed application on an EC2 instance. Which of the following options would you recommend to quickly get the applications up and running in AWS? Try to look for an AMI in the AWS Marketplace that provides a similar setup to her application stack. Create a Docker image of the application and launch Docker in the EC2 instances. Use AWS Application Discovery Service to create an exact copy of the application in EC2. Setup a VPN connection from her local network to her AWS VPC, which essentially means that her work is now running in the Cloud.
AWS Marketplace is a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage third-party software and services that customers need to build solutions and run their businesses. AWS Marketplace includes thousands of software listings from popular categories such as security, networking, storage, machine learning, business intelligence, database, and DevOps. AWS Marketplace also simplifies software licensing and procurement with flexible pricing options and multiple deployment methods. If you need a specific stack or business solution for your application, then there is a good chance that someone already offers it in the AWS Marketplace. This migration strategy is known as Repurchasing. Hence, the correct answer is: Try to look for an AMI in the AWS Marketplace that provides a similar setup to her application stack. The option that says: Create a Docker image of the application and launch Docker in the EC2 instances is incorrect because this approach is not the best way to go if you're having trouble with configuration and initialization. The licensing may also affect how quickly you can migrate your stack onto AWS. Search for an AMI in the Marketplace and see if there is any available. Doing so might relieve the customer of her troubles in the migration process. The option that says: Use AWS Application Discovery Service to create an exact copy of the application in EC2 is incorrect because this option does not automatically migrate your applications onto AWS for you. Setup a VPN connection from her local network to her AWS VPC, which essentially means that her work is now running in the Cloud is incorrect because this option is not the best solution for this scenario. There might be reasons why the customer wants to migrate the applications onto Amazon EC2, such as reduced costs, higher availability, etc.
69
A company is planning to use AWS Cloud to augment the resources of their on-premises data center to better serve their customers around the world. How does a company benefit from using AWS? Benefit from massive discounts from the Amazon.com shopping website Replace low variable costs with upfront capital infrastructure expenses Benefit from massive economies of scale Replace high variable costs with upfront capital infrastructure expenses
In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses as web services—now commonly known as cloud computing. One of the key benefits of cloud computing is the opportunity to replace upfront capital infrastructure expenses with low variable costs that scale with your business. With the cloud, businesses no longer need to plan for and procure servers and other IT infrastructure weeks or months in advance. Instead, they can instantly spin up hundreds or thousands of servers in minutes and deliver results faster. Whether you are using it to run applications that share photos to millions of mobile users or to support business-critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources. With cloud computing, you don’t need to make large upfront investments in hardware and spend a lot of time on the heavy lifting of managing that hardware. Instead, you can provision exactly the right type and size of computing resources you need to power your newest idea or operate your IT department. You can access as many resources as you need, almost instantly, and only pay for what you use. There are six advantages of using Cloud Computing: 1. Trade capital expense for variable expense – Instead of having to invest heavily in data centers and servers before you know how you’re going to use them, you can pay only when you consume computing resources, and pay only for how much you consume. 2. Benefit from massive economies of scale – By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices. 3. Stop guessing capacity – Eliminate guessing on your infrastructure capacity needs. 
When you make a capacity decision prior to deploying an application, you often end up either sitting on expensive idle resources or dealing with limited capacity. With cloud computing, these problems go away. You can access as much or as little capacity as you need, and scale up and down as required with only a few minutes’ notice. 4. Increase speed and agility – In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization since the cost and time it takes to experiment and develop is significantly lower. 5. Stop spending money running and maintaining data centers – Focus on projects that differentiate your business, not the infrastructure. Cloud computing lets you focus on your own customers, rather than on the heavy lifting of racking, stacking, and powering servers. 6. Go global in minutes – Easily deploy your application in multiple regions around the world with just a few clicks. This means you can provide lower latency and a better experience for your customers at a minimal cost. Hence, the correct answer is: Benefit from massive economies of scale.
71
Which of the following services combine 5G networks with AWS compute and storage services for the benefit of high-performance mobile applications?

AWS Cloud9
AWS Amplify
AWS Control Tower
AWS Wavelength
AWS Wavelength combines the high bandwidth and ultra-low latency of 5G networks with AWS compute and storage services to enable developers to innovate and build a whole new class of applications. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and storage services within telecommunications providers’ datacenters at the edge of the 5G network, so application traffic can reach application servers running in Wavelength Zones without leaving the mobile providers’ network. You use Wavelength when you need to deploy high-performance applications that can be accessed by mobile end-users and devices that require single-digit millisecond latency. Hence, the correct answer is: AWS Wavelength. AWS Cloud9 is incorrect because this service is a cloud-based IDE that lets you write, run, and debug your code with just a browser. AWS Amplify is incorrect because this is just a set of tools and frameworks that accelerate the development of mobile and web applications on AWS. AWS Control Tower is incorrect because this is a service that makes it easy to set up and govern a secure, multi-account AWS environment based on industry best practices.
72
Which among the following is the most cost-effective and scalable choice for object storage?

Amazon EFS
Amazon S3
Amazon EBS
AWS Storage Gateway
Amazon S3

Amazon S3 provides a simple web service interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. Using this web service, you can easily build applications that make use of Internet storage. Since Amazon S3 is highly scalable and you only pay for what you use, you can start small and grow your application as you wish, with no compromise on performance or reliability.

Hence, the correct answer is: Amazon S3.

Amazon EFS is incorrect because this is an NFS file storage solution used together with EC2 instances or other virtual servers. It is definitely not a cheap service given its pricing mechanics.

Amazon EBS is incorrect because this is a volume storage solution that requires a running EC2 instance, and so is not easily scalable. Although EBS volumes can be used for object storage, they need to be attached to instances for you to store and retrieve objects. This can also add unnecessary charges to your billing.

AWS Storage Gateway is incorrect because this is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. It lets you connect your local data storage to Amazon S3 using an appliance for a cost and hence is not as cost-effective as using Amazon S3 alone.
73
Which of the following is an example of having a highly available application in AWS?

Running spot instances for your EC2 workloads
Using SQS to decouple messages between a sender and a receiver
Running your RDS instance with multi-AZ enabled
Running CloudFront for the static website in your S3 bucket
Amazon RDS Multi-AZ deployments provide enhanced availability and durability for database instances. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete.

In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption.

Hence, the correct answer is: Running your RDS instance with multi-AZ enabled.

The option that says: Running spot instances for your EC2 workloads is incorrect because Spot instances can be terminated at any time without warning, which makes them unsuitable for workloads that need high availability.

The option that says: Using SQS to decouple messages is incorrect because this is just an example of decoupling systems to make them more fault-tolerant. It also provides better durability for your messages since this is an inherent SQS characteristic. This option does not exactly exhibit a high availability practice.

The option that says: Running CloudFront for the static website in your S3 bucket is incorrect because this just allows your content to become globally available while at the same time enhancing delivery speeds. This option does not exactly exhibit a high availability practice.
74
Which of the following provides you access to Reserved Instance (RI) purchase recommendations based on your past usage and indicates potential opportunities for savings as compared to On-Demand usage?

AWS Billing Dashboard
AWS Cost and Usage report
AWS Cost Explorer
AWS Budgets
If you enable Cost Explorer, you automatically get Amazon EC2, Amazon RDS, ElastiCache, Amazon ES, and Amazon Redshift Reserved Instance (RI) purchase recommendations that could help you reduce your costs. RIs provide a discounted hourly rate (up to 75%) compared to On-Demand pricing.

Cost Explorer generates your RI recommendations using the following process:
- Identifies your On-Demand Instance usage for a service during a specific time period
- Collects your usage into categories that are eligible for an RI
- Simulates every combination of RIs in each category of usage
- Identifies the best number of each type of RI to purchase to maximize your estimated savings

For example, Cost Explorer automatically aggregates your Amazon EC2 Linux, shared tenancy, and c4 family usage in the US West (Oregon) Region and recommends that you buy size-flexible regional RIs to apply to the c4 family usage. Cost Explorer recommends the smallest size instance in an instance family. This makes it easier to purchase a size-flexible RI. Cost Explorer also shows the equal number of normalized units so that you can purchase any instance size that you want. For this example, your RI recommendation would be for c4.large because that is the smallest size instance in the c4 instance family.

Cost Explorer recommendations are based on a single account or organization usage of the past seven, 30, or 60 days. Cost Explorer ignores usage that is already covered by an RI. Amazon EC2, ElastiCache, Amazon ES, and Amazon Redshift recommendations are for RIs scoped to a Region, not Availability Zones, and your estimated savings reflect the application of those RIs to your usage. Amazon RDS recommendations are scoped to either Single-AZ or Multi-AZ RIs. Cost Explorer updates your recommendations at least once every 24 hours.

Hence, the correct answer is: AWS Cost Explorer.

AWS Billing Dashboard, AWS Budgets, and AWS Cost and Usage report are all incorrect since these tools do not provide Reserved Instance (RI) purchase recommendations, unlike AWS Cost Explorer.
75
Which of the following infrastructure correlates to a VPC's subnet?

Availability zone
Region
Server
Edge location
A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. If you want your instance in a public subnet to communicate with the Internet over IPv4, it must have a public IPv4 address or an Elastic IP address (IPv4). Hence, the correct answer is: Availability zone. Both AWS Regions and Edge locations are incorrect because subnets are not directly correlated with these two. Server is incorrect because subnets are part of a VPC within the AWS global network. Subnets are not bound by servers in any way.
76
Which of the following services should you use to deploy and easily roll back a web application from your Git repository to your on-premises server?

AWS Systems Manager
AWS OpsWorks
AWS Elastic Beanstalk
AWS CloudFormation
Enterprise environments are often a mix of cloud, on-premises data centers, and edge locations. Hybrid cloud architectures help organizations integrate their on-premises and cloud operations to support a broad spectrum of use cases using a common set of cloud services, tools, and APIs across on-premises and cloud environments. Customers can seamlessly integrate their on-premises and cloud storage, networking, identity management, and security policies to enable use cases such as data center extension to the cloud, backup and disaster recovery to the cloud, and hybrid data processing.

AWS offers services that integrate application deployment and management across on-premises and cloud environments for a robust hybrid architecture. Below are the services that you can use to manage or deploy applications to your servers running on-premises:

- OpsWorks – AWS OpsWorks is a configuration management service that helps customers configure and operate applications, both on-premises and in the AWS Cloud, using Chef and Puppet.
- CodeDeploy – AWS CodeDeploy automates code deployments to any instance, including Amazon EC2 instances and instances running on-premises. AWS CodeDeploy makes it easier to rapidly release new features, avoids downtime during application deployment, and handles the complexity of updating applications.

Hence, the correct answer in this scenario is AWS OpsWorks.

Both AWS CloudFormation and AWS Elastic Beanstalk are incorrect because these services can only deploy applications to your AWS resources and not to the servers located in your on-premises data center.

AWS Systems Manager is incorrect because although you can remotely operate and deploy packages/scripts to your on-premises servers with it, this service is still not suitable for deploying your web application. It also doesn't have a feature to easily roll back your deployments, unlike OpsWorks. This service is primarily used to automate maintenance and deployment tasks on Amazon EC2 and on-premises instances, or to automatically apply patches, updates, and configuration changes across any resource group.
77
You have a fleet of on-premises servers that require a centralized, scalable, and durable file storage. It should be able to support massive parallel access. Which of the following is the most appropriate service to use?

Amazon S3
Amazon Storage Gateway - File Gateway
Amazon EFS
Amazon Redshift
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on-demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.

Amazon EFS provides secure access for thousands of connections for Amazon EC2 instances and on-premises servers simultaneously using a traditional file permissions model, file locking capabilities, and hierarchical directory structure via the NFSv4 protocol. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access it using AWS Direct Connect or AWS VPN. Amazon EFS is designed to provide massively parallel shared access to thousands of Amazon EC2 instances, enabling your applications to achieve high levels of aggregate throughput and IOPS with consistent low latencies.

Hence, Amazon EFS is the correct answer.

Amazon S3 is incorrect. First, it is meant specifically for object storage, and second, EFS can serve a fleet of EC2 instances better than S3 as file storage.

Amazon Storage Gateway is incorrect because this service simply provides a file interface into Amazon Simple Storage Service (Amazon S3) and is a combination of a storage service and a virtual software appliance. This service is meant for local software hosted in your on-premises data center which requires a connection to S3. It is not meant to serve a fleet of EC2 instances.

Amazon Redshift is incorrect because this is a data warehousing service offered by AWS. It cannot be used for file storage.
78
Which of the following AWS well-architected pillars discusses the use of the right computing resources to meet demand levels even as the demand changes and technologies evolve?

Operational Excellence
Reliability
Performance Efficiency
Cost optimization
The Well-Architected Framework has been developed to help cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications. This is based on five pillars, namely:

1. Operational Excellence
2. Security
3. Reliability
4. Performance Efficiency
5. Cost Optimization

The performance efficiency pillar focuses on using IT and computing resources efficiently. It focuses on the ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.

Hence, the correct answer is: Performance efficiency.

Operational Excellence is incorrect because this pillar focuses on running and monitoring systems to deliver business value and continually improving processes and procedures.

Reliability is incorrect because this pillar focuses on the ability to prevent and quickly recover from failures to meet business and customer demand.

Cost optimization is incorrect because this pillar focuses on avoiding unneeded costs by choosing the right services for the job and by right-sizing them.
79
In which of the following occasions should you use Amazon SQS in your application system? (Select TWO.)

If you need to submit push notifications to your event subscribers
When you have to automate certain tasks in your workflow
If you need to decouple certain parts of your system for better fault tolerance
If you require a durable storage for your application events or messages
When your application requires the use of industry-standard messaging protocols for message delivery
Use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be available. SQS lets you decouple application components so that they run and fail independently, increasing the overall fault tolerance of the system. Multiple copies of every message are stored redundantly across multiple Availability Zones so that they are available whenever needed.

Hence, the correct answers are:
- If you need to decouple certain parts of your system for better fault tolerance
- If you require a durable storage for your application events or messages

If you need to submit push notifications to your event subscribers is incorrect. If you need to submit push notifications, you should use Amazon SNS instead.

When you have to automate certain tasks in your workflow is incorrect. If you need to automate certain workflows in AWS, you should use Amazon SWF.

When your application requires the use of industry-standard messaging protocols for message delivery is incorrect. If your messaging service requires the use of certain protocols, try using Amazon MQ.
80
A company plans to migrate on-premises VMs to AWS. To coordinate the large-scale migration, they must find a way to automate, schedule, and track the entire procedure. Which of the following services should they use?

Use AWS Database Migration Service to migrate on-premises workloads to AWS.
Use Amazon CloudWatch to monitor the migration process.
Use AWS Migration Hub to track the progress of migrations.
Use AWS Application Migration Service to migrate on-premises workloads to AWS.
Use AWS Application Migration Service to migrate on-premises workloads to AWS.

AWS Application Migration Service (MGN) is the primary migration service recommended for lift and shift migrations to AWS. AWS Application Migration Service simplifies and expedites your migration to AWS by automatically converting your source servers from physical, virtual, or cloud infrastructure to run natively on AWS. It further simplifies your migration and reduces costs by enabling you to use the same automated process for a wide range of applications, without changes to applications, their architecture, or the migrated servers.

AWS MGN provides the following key benefits:
- Simplify operations and get better insights with AWS MGN integration with AWS IAM, Amazon CloudWatch, AWS CloudTrail, and other AWS services.
- Maintain normal business operations throughout the replication process. Also, continuous replication makes it easy to conduct non-disruptive tests and shortens cutover windows.
- Lift and shift any application from any source infrastructure that runs supported operating systems.

The requirement for this scenario is to coordinate large-scale server migrations. To accomplish this requirement, you can use AWS Application Migration Service to automate the migration of your on-premises workloads to the AWS Cloud. You can also track the status of migration in the AWS MGN dashboard.

Hence, the correct answer is: Use AWS Application Migration Service to migrate on-premises workloads to AWS.

The option that says: Use AWS Database Migration Service to migrate on-premises workloads to AWS is incorrect because AWS DMS is mainly used for migrating databases from on-premises to AWS. You cannot use this service to orchestrate and track large-scale server migrations.

The option that says: Use AWS Migration Hub to track the progress of migrations is incorrect because AWS Migration Hub can only monitor application migrations. The requirement in the scenario is to coordinate large-scale server migrations. Therefore, you need to use AWS Application Migration Service.

The option that says: Use Amazon CloudWatch to monitor the migration process is incorrect because you can't use Amazon CloudWatch to monitor the server migration process. Instead, use AWS MGN to track the progress of server migrations.
81
What is the difference between an Availability Zone and a Local Zone?

An Availability Zone delivers cached content to the closest location to reduce latency for users. A Local Zone is an extension of an AWS Region in geographic proximity to your users.
An Availability Zone is an isolated location within an AWS region. A Local Zone is an extension of an AWS Region in geographic proximity to your users.
An Availability Zone is a separate geographic area. A Local Zone delivers cached content to the closest location to reduce latency for users.
An Availability Zone is an extension of an AWS Region in geographic proximity to your users. A Local Zone is an isolated location within an AWS region.
An Availability Zone is an isolated location within an AWS region. A Local Zone is an extension of an AWS Region in geographic proximity to your users.

An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs give customers the ability to operate production applications and databases that are more highly available, fault-tolerant, and scalable than would be possible from a single data center.

AWS Local Zones are managed and supported by AWS, bringing you all of the elasticity, scalability, and security benefits of the cloud. Each AWS Local Zone location is an extension of an AWS Region where you can run your latency-sensitive applications using AWS services such as Amazon Elastic Compute Cloud, Amazon Virtual Private Cloud, Amazon Elastic Block Store, Amazon File Storage, and Amazon Elastic Load Balancing in geographic proximity to end-users.

Hence, the correct option is: An Availability Zone is an isolated location within an AWS region. A Local Zone is an extension of an AWS Region in geographic proximity to your users.

The option that says: An Availability Zone is a separate geographic area. A Local Zone delivers cached content to the closest location to reduce latency for users is incorrect because this describes an AWS Region and an Edge Location, respectively. An AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area, while an Edge Location delivers cached content to the closest location to reduce latency for users.

The option that says: An Availability Zone delivers cached content to the closest location to reduce latency for users. A Local Zone is an extension of an AWS Region in geographic proximity to your users is incorrect because the first statement describes an Edge Location. An Availability Zone is an isolated location within an AWS region and it doesn't deliver cached content.

The option that says: An Availability Zone is an extension of an AWS Region in geographic proximity to your users. A Local Zone is an isolated location within an AWS region is incorrect because the descriptions for the Local Zone and Availability Zone are swapped.
82
You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources? (Select TWO.)

Amazon S3
Amazon RDS
AWS Identity and Access Management (IAM)
Amazon Aurora
AWS Security Token Service (STS)
AWS customers are welcome to carry out security assessments or penetration tests against their own AWS infrastructure without prior approval, but only for a limited set of services.

Permitted Services – You're welcome to conduct security assessments against AWS resources that you own if they make use of the services listed below. Take note that AWS is constantly updating this list:
- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
- Amazon RDS
- Amazon CloudFront
- Amazon Aurora
- Amazon API Gateways
- AWS Lambda and Lambda Edge functions
- Amazon Lightsail resources
- Amazon Elastic Beanstalk environments

Prohibited Activities – The following activities are prohibited at this time:
- DNS zone walking via Amazon Route 53 Hosted Zones
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)

Hence, the correct answers are:
- Amazon RDS
- Amazon Aurora

All other options are incorrect since they are not included in the list shown above:
- Amazon S3
- AWS Identity and Access Management (IAM)
- AWS Security Token Service (STS)
83
Tutorials Dojo would like to test their new mobile app on multiple devices at once in a coordinated fashion using AWS. Which of the following services will help speed up the process? (Select TWO.)

AWS Device Farm
AWS Ground Station
AWS Mobile Hub
Amazon Lumberyard
AWS Security Bulletin
AWS Device Farm is an application testing service that lets you improve the quality of your web and mobile apps by testing them across an extensive range of desktop browsers and real mobile devices, without having to provision and manage any testing infrastructure.

AWS Mobile Hub is a service that enables even a novice to easily deploy and configure mobile app backend features using a range of powerful AWS services.

Hence, the correct answers are:
- AWS Device Farm
- AWS Mobile Hub

AWS Ground Station is incorrect since this service is for controlling satellite communications and processing data using satellites.

Amazon Lumberyard is incorrect because this is a game engine service for creating games. Take note that you need to test out a new mobile app on multiple devices. Therefore, this service won't help you accomplish the task.

AWS Security Bulletin is incorrect because this is a security announcement service. This means that you can't use it to test mobile apps on multiple devices.
84
Which AWS service should you use if you need to launch a highly scalable MySQL OLTP database?

Amazon Aurora
Amazon Redshift
Amazon DynamoDB
Amazon ElastiCache
Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. Amazon Aurora is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases. It provides the security, availability, and reliability of commercial databases at 1/10th the cost. Amazon Aurora is fully managed by Amazon Relational Database Service (RDS), which automates time-consuming administration tasks like hardware provisioning, database setup, patching, and backups. Amazon Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 128TB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs). Hence, the correct answer is: Amazon Aurora. Amazon Redshift is incorrect because this is a data warehousing solution which is best for OLAP workloads. Amazon DynamoDB is incorrect. Although this service is highly scalable, this is primarily used for nonrelational databases. Amazon ElastiCache is incorrect because this is a service that lets you deploy and run Memcached or Redis cache server nodes in the cloud.
85
What service provides the lowest-cost storage option for retaining database backups which also allows occasional data retrieval in minutes?

Amazon S3
Amazon EBS
Amazon Glacier
Amazon EFS
Amazon S3 Glacier and S3 Glacier Deep Archive are designed to be the lowest-cost Amazon S3 storage classes, allowing you to archive large amounts of data at a very low cost. This makes it feasible to retain all the data you want for use cases like data lakes, analytics, IoT, machine learning, compliance, and media asset archiving. You pay only for what you need, with no minimum commitments or up-front fees.

Amazon S3 Glacier and S3 Glacier Deep Archive are secure, durable, and extremely low-cost Amazon S3 storage classes for data archiving and long-term backup. They are designed to deliver 99.999999999% durability, and provide comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements. To keep costs low yet suitable for varying retrieval needs, Amazon S3 Glacier provides three options for access to archives, from a few minutes to several hours, and S3 Glacier Deep Archive provides two access options ranging from 12 to 48 hours.

Hence, the correct answer is: Amazon Glacier.

Amazon S3 is incorrect because this type of storage service costs more than Glacier.

Amazon EBS is incorrect because this is a type of block storage that is not suitable for database backups. It is also more expensive than Glacier.

Amazon EFS is incorrect because this is a type of POSIX-compliant file storage suitable for use as a file system and not for storing backups.
86
Which of the following are regarded as regional services in AWS? (Select TWO.)

Amazon EFS
AWS Security Token Service
Amazon Route 53
Amazon EC2
AWS Batch
AWS Batch is a regional service that simplifies running batch jobs across multiple Availability Zones within a region. You can create AWS Batch compute environments within a new or existing VPC. After a compute environment is up and associated with a job queue, you can define job definitions that specify which Docker container images run your jobs.

Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access it using AWS Direct Connect or AWS VPN.

An AWS resource can be a Global, Regional, or Zonal service. A Global service means that it covers all of the AWS Regions across the globe, while a Regional service means that a resource is only applicable to one specific region at a time. A Regional service may or may not have the ability to replicate the same resource to another region. Lastly, a Zonal service can only exist in one Availability Zone. You don't need to memorize the scope of all of the AWS services as long as you know the pattern. There are actually only a handful of services that are considered global services, such as IAM, STS, Route 53, CloudFront, and WAF. For Zonal services, the examples are EC2 instances and EBS volumes, which are tied to the Availability Zone where they were launched. Take note that although EBS volumes are considered a zonal service, EBS snapshots are considered regional since they are not tied to a specific Availability Zone. The rest of the services are regional in scope.

Hence, the correct answers are: Amazon EFS and AWS Batch.

AWS Security Token Service and Amazon Route 53 are incorrect because these are considered global services.

Amazon EC2 is incorrect because this is considered a zonal service, since an instance is tied to the particular Availability Zone where it was launched.
87
Which of the following options is solely the responsibility of the customer in accordance with the AWS shared responsibility model?

Configuration Management
Service and Communications Protection or Zone Security
Awareness & Training
Patching of the host operating system
Deploying workloads on Amazon Web Services (AWS) helps streamline time-to-market, increase business efficiency, and enhance user performance for many organizations. But as you capitalize on this strategy, it is important to understand your role in securing your AWS environment. Based on the AWS Shared Responsibility Model, AWS provides a data center and network architecture built to meet the requirements of the most security-sensitive organizations, while you are responsible for securing services built on top of this infrastructure, notably including network traffic from remote networks.

This customer/AWS shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between AWS and its customers, so is the management, operation, and verification of IT controls shared. AWS can help relieve the customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in the AWS environment that may previously have been managed by the customer. As every customer is deployed differently in AWS, customers can take advantage of shifting management of certain IT controls to AWS, which results in a (new) distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required.

Below are examples of controls that are managed by AWS, by AWS customers, or by both.

Inherited Controls: Controls which a customer fully inherits from AWS.
- Physical and Environmental controls

Shared Controls: Controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
- Patch Management: AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management: AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training: AWS trains AWS employees, but a customer must train their own employees.

Customer Specific: Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples include:
- Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.

Hence, the correct answer is Service and Communications Protection or Zone Security.

Both Configuration Management and Awareness & Training are incorrect because they are considered shared controls between AWS and the customer.

Patching of the host operating system is incorrect because this is the responsibility of AWS. Take note that the customer is responsible for managing and patching the guest OS, not the host operating system.
88
Which of the following characteristics correctly describes the Amazon Simple Storage Service? (Select TWO.)

A durable, high throughput file system

A storage service with virtually unlimited space

A highly durable object storage infrastructure

A high-performance block storage service

A hybrid cloud storage service
Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance with virtually unlimited storage space. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. Amazon S3 provides easy-to-use management features so you can organize your data and configure finely-tuned access controls to meet your specific business, organizational, and compliance requirements. Amazon S3 is designed for 99.999999999% (11 9s) of durability, and stores data for millions of applications for companies all around the world.

Amazon S3 gives any developer access to the same highly scalable, highly available, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of websites. Amazon S3 provides customers with a highly durable storage infrastructure. It has a Versioning feature that offers an additional level of protection by providing a means of recovery when customers accidentally overwrite or delete objects. This allows you to easily recover from unintended user actions and application failures. You can also use Versioning for data retention and archiving.

Hence, the correct options that correctly describe Amazon S3 are:
- A storage service with virtually unlimited space
- A highly durable object storage infrastructure

The option that says: A durable, high throughput file system is incorrect because this describes the Amazon Elastic File System (EFS) instead of Amazon S3. Amazon EFS is a fully-managed service that makes it easy to set up, scale, and cost-optimize file storage in the Amazon Cloud.

The option that says: A high-performance block storage service is incorrect because this describes Amazon Elastic Block Store (EBS) instead of Amazon S3. Amazon Elastic Block Store (EBS) is an easy-to-use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput- and transaction-intensive workloads at any scale.

The option that says: A hybrid cloud storage service is incorrect because this describes AWS Storage Gateway instead of Amazon S3. AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. The term "hybrid" refers to the connection of your on-premises data center to AWS.
89
A company has enlisted the help of TDojo Consulting Co. to assist them in designing an AWS disaster recovery solution for their on-premises bare metal servers and SQL databases. The implementation has to be robust, fast, and simple to use. It should also prevent any type of data loss from occurring. The company would like to keep track of the status of the migration. Which tool should the team adopt for the DR solution?

AWS Server Migration Service

AWS Database Migration Service

AWS Migration Hub

CloudEndure
CloudEndure Disaster Recovery is a tool that minimizes downtime and data loss by providing fast, reliable recovery of physical, virtual, and cloud-based servers into the AWS Cloud. You can also use CloudEndure Disaster Recovery to protect your most critical SQL databases thanks to the continuous replication of your machines into a low-cost staging area in your target AWS account and preferred Region. In the case of a disaster, CloudEndure Disaster Recovery can automatically launch your machines in their fully provisioned state in minutes.

Hence, the correct answer is: CloudEndure.

AWS Server Migration Service is incorrect because this service cannot migrate bare metal servers. It is also not the best solution for this scenario, since we are not performing a migration.

AWS Database Migration Service is incorrect because this service cannot migrate bare metal servers. It is also not the best solution for this scenario, since we are not performing a migration.

AWS Migration Hub is incorrect because this service is for monitoring the state of your migrations. It does not handle disaster recovery.
90
Which of the following are the things that Amazon CloudWatch Logs can accomplish? (Select TWO.)

Record AWS Management Console actions and API calls.

Create alarms that automatically stop, terminate, reboot, or recover your EC2 instances.

Store your log data at absolutely no charge.

Monitor application logs from Amazon EC2 Instances.

Adjust the retention policy for each log group.
You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources. CloudWatch Logs enables you to centralize the logs from all of the systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis. CloudWatch Logs enables you to see all of your logs, regardless of their source, as a single and consistent flow of events ordered by time, and you can query them and sort them based on other dimensions, group them by specific fields, create custom computations with a powerful query language, and visualize log data in dashboards.

This service has the following features:

- Monitor Logs from Amazon EC2 Instances – You can use CloudWatch Logs to monitor applications and systems using log data. For example, CloudWatch Logs can track the number of errors that occur in your application logs and send you a notification whenever the rate of errors exceeds a threshold you specify. CloudWatch Logs uses your log data for monitoring, so no code changes are required. For example, you can monitor application logs for specific literal terms (such as "NullReferenceException") or count the number of occurrences of a literal term at a particular position in log data (such as "404" status codes in an Apache access log). When the term you are searching for is found, CloudWatch Logs reports the data to a CloudWatch metric that you specify. Log data is encrypted while in transit and while it is at rest.
- Monitor AWS CloudTrail Logged Events – You can create alarms in CloudWatch and receive notifications of particular API activity as captured by CloudTrail, and use the notification to perform troubleshooting.
- Log Retention – By default, logs are kept indefinitely and never expire. You can adjust the retention policy for each log group, keeping the indefinite retention or choosing a retention period between one day and 10 years.
- Archive Log Data – You can use CloudWatch Logs to store your log data in highly durable storage. The CloudWatch Logs agent makes it easy to quickly send both rotated and non-rotated log data off of a host and into the log service. You can then access the raw log data when you need it.
- Log Route 53 DNS Queries – You can use CloudWatch Logs to log information about the DNS queries that Route 53 receives.

Hence, the correct answers are: monitor application logs from Amazon EC2 Instances and adjust the retention policy for each log group.

The option that says: record AWS Management Console actions and API calls is incorrect because this refers to CloudTrail and not CloudWatch Logs.

The option that says: create alarms that automatically stop, terminate, reboot, or recover your EC2 instances is incorrect because this is actually a task that can be accomplished by CloudWatch Alarms.

The option that says: store your log data at absolutely no charge is incorrect because this service is not entirely free and you still have to pay for your usage.