MyCloudGuru Practice Exam Flashcards

1
Q

Design Resilient Architectures

You are working as a Solutions Architect in a large healthcare organization. You have many Auto Scaling groups that you need to create. One requirement is that you need to reuse some software licenses and therefore need to use dedicated hosts on EC2 instances in your Auto Scaling groups. What step must you take to meet this requirement?

A) Create the Dedicated Host EC2 instances, and then add them to an existing Auto Scaling group.

B) Use a launch template with your Auto Scaling group and select the Dedicated Host option.

C) Create your launch configuration, but manually change the instances to Dedicated Hosts in the EC2 console.

D) Make sure your launch configurations are using Dedicated Hosts.

A

B) Use a launch template with your Auto Scaling group and select the Dedicated Host option.

In addition to the features of Amazon EC2 Auto Scaling that you can configure by using launch templates, launch templates provide more advanced Amazon EC2 configuration options. For example, you must use launch templates to use Amazon EC2 Dedicated Hosts. Dedicated Hosts are physical servers with EC2 instance capacity that are dedicated to your use. While Amazon EC2 Dedicated Instances also run on dedicated hardware, the advantage of using Dedicated Hosts over Dedicated Instances is that you can bring eligible software licenses from external vendors and use them on EC2 instances.

If you currently use launch configurations, you can specify a launch template when you update an Auto Scaling group that was created using a launch configuration.

To create a launch template to use with an Auto Scaling group, create the template from scratch, create a new version of an existing template, or copy the parameters from a launch configuration, running instance, or other template.

2
Q

Specify Secure Applications and Architectures

You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true about NACLs?

A) The default configuration of the default NACL is Deny, and the default configuration of a custom NACL is Allow.

B) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Allow.

C) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.

D) The default configuration of the default NACL is Deny, and the default configuration of a custom NACL is Deny.

A

C) The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.

Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

3
Q

Specify Secure Applications and Architectures

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. The consultant has launched several instances, created security groups, and has associated security groups with instances. The consultant wants to change the security groups for an instance. Which statement is true?

A) You can change the security groups for an instance when the instance is in the pending or stopped state.

B) You can change the security groups for an instance when the instance is in the running or stopped state.

C) You can’t change security groups. Create a new instance and attach the desired security groups.

D) You can’t change the security groups for an instance when the instance is in the running or stopped state.

A

B) You can change the security groups for an instance when the instance is in the running or stopped state.

After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state.

4
Q

Design Resilient Architectures

You have two EC2 instances running in the same VPC, but in different subnets. You are removing the secondary ENI from an EC2 instance and attaching it to another EC2 instance. You want this to be fast and with limited disruption. So you want to attach the ENI to the EC2 instance when it’s running. What is this called?

A) synchronous attach

B) warm attach

C) cold attach

D) hot attach

A

D) hot attach

Here are some best practices for configuring network interfaces. You can attach a network interface to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach). You can detach secondary network interfaces when the instance is running or stopped. However, you can’t detach the primary network interface. You can move a network interface from one instance to another if the instances are in the same Availability Zone and VPC but in different subnets. When launching an instance using the CLI, API, or an SDK, you can specify the primary network interface and additional network interfaces. Launching an Amazon Linux or Windows Server instance with multiple network interfaces automatically configures interfaces, private IPv4 addresses, and route tables on the operating system of the instance. A warm or hot attach of an additional network interface may require you to manually bring up the second interface, configure the private IPv4 address, and modify the route table accordingly. Instances running Amazon Linux or Windows Server automatically recognize the warm or hot attach and configure themselves. Attaching another network interface to an instance (for example, a NIC teaming configuration) cannot be used as a method to increase or double the network bandwidth to or from the dual-homed instance. If you attach two or more network interfaces from the same subnet to an instance, you may encounter networking issues such as asymmetric routing. If possible, use a secondary private IPv4 address on the primary network interface instead.

5
Q

Design Cost-Optimized Architectures

You work for a Defense contracting company. The company develops software applications which perform intensive calculations in the area of Mechanical Engineering related to metals for ship building. The company competes for and wins contracts that typically range from 1 year to up to 5 years. These long-term contracts mean that the duration of your need for EC2 instances can be matched to the length of these contracts, and then extended if necessary. The main requirement is consistent performance for the duration of the contract. Which EC2 purchasing option provides the best value, given these long-term contracts?

A) On-Demand

B) Reserved

C) Spot

D) Dedicated Host

A

B) Reserved

Longer-term contracts such as this are ideally suited to gain maximum value by using reserved instances.

Amazon EC2 provides the following purchasing options to enable you to optimize your costs based on your needs:
On-Demand Instances – Pay, by the second, for the instances that you launch.
Savings Plans – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
Reserved Instances – Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and region, for a term of 1 or 3 years.
Scheduled Instances – Purchase instances that are always available on the specified recurring schedule, for a one-year term.
Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.
Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs.
Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware.
Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.

6
Q

Design Cost-Optimized Architectures

You have joined a newly formed software company as a Solutions Architect. It is a small company, and you are the only employee with AWS experience. The owner has asked for your recommendations to ensure that the AWS resources are deployed to proactively remain within budget. Which AWS service can you use to help ensure you don’t have cost overruns for your AWS resources?

A) AWS Budgets

B) Cost Explorer

C) Inspector

D) Billing and Cost Management

A

A) AWS Budgets

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define. And remember the keyword, proactively. With AWS Budgets, we can be proactive about attending to cost overruns before they become a major budget issue at the end of the month or quarter. Budgets can be tracked at the monthly, quarterly, or yearly level, and you can customize the start and end dates. You can further refine your budget to track costs associated with multiple dimensions, such as AWS service, linked account, tag, and others. Budget alerts can be sent via email and/or Amazon Simple Notification Service (SNS) topic. You can also use AWS Budgets to set a custom reservation utilization target and receive alerts when your utilization drops below the threshold you define. RI utilization alerts support Amazon EC2, Amazon RDS, Amazon Redshift, and Amazon ElastiCache reservations. Budgets can be created and tracked from the AWS Budgets dashboard, or via the Budgets API.

7
Q

Define Performance Architectures

A software company is developing an online “learn a new language” application. The application will be designed to teach up to 20 different languages for native English and Spanish speakers. It should leverage a service that is capable to keep up with 24,000 read units per second and 3,300 write units per second, and scale for spikes and off-peak. The application will also need to store user progress data. Which AWS service would meet these requirements?

A) DynamoDB

B) RDS

C) S3

D) EBS

A

A) DynamoDB

Duolingo uses Amazon DynamoDB to store 31 billion items in support of an online learning site that delivers lessons for 80 languages. The U.S. startup reaches more than 18 million monthly users around the world who perform more than six billion exercises using the free Duolingo lessons. The company relies heavily on Amazon DynamoDB not just for its highly scalable database, but also for high performance that reaches 24,000 read units per second and 3,300 write units per second. In addition, Duolingo uses a range of other AWS services such as Amazon EC2, based on the latest Intel Xeon Processor Family, for compute; Amazon ElastiCache to increase performance; Amazon S3 for storing image-related data; and Amazon Relational Database Service (Amazon RDS) for permanent data storage. Moving forward, Duolingo plans on leveraging AWS Elastic Beanstalk and AWS Lambda for its microservices architecture, as well as Amazon Redshift for its data analytics.

8
Q

Specify Secure Applications and Architectures

Your company has gone through an audit with a focus on data storage. You are currently storing historical data in Amazon Glacier. One of the results of the audit is that a portion of the infrequently-accessed historical data must be able to be accessed immediately upon request. Where can you store this data to meet this requirement?

A) Store the data in EBS

B) Leave infrequently-accessed data in Glacier.

C) S3 Standard-IA

D) S3 Standard

A

C) S3 Standard-IA

S3 Standard-IA is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per-GB storage price and a per-GB retrieval fee. This combination of low cost and high performance makes S3 Standard-IA ideal for long-term storage, backups, and as a data store for disaster recovery files. S3 Storage Classes can be configured at the object level, and a single bucket can contain objects stored across S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, and S3 One Zone-IA. You can also use S3 Lifecycle policies to automatically transition objects between storage classes without any application changes.

9
Q

Design Cost-Optimized Architectures

You are working in a large healthcare facility which uses EBS volumes on most of the EC2 instances. The CFO has approached you about some cost savings and it has been decided that some of the EC2 instances and EBS volumes would be deleted. What step can be taken to preserve the data on the EBS volumes and keep the data available on short notice?

A) Move the data to Amazon S3.

B) Take point-in-time snapshots of your Amazon EBS volumes.

C) Store the data in CloudFormation user data.

D) Archive the data to Glacier.

A

B) Take point-in-time snapshots of your Amazon EBS volumes.

You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. When you delete a snapshot, only the data unique to that snapshot is removed. Each snapshot contains all of the information that is needed to restore your data (from the moment when the snapshot was taken) to a new EBS volume.

10
Q

Define Performance Architectures

You are designing an architecture which will house an Auto Scaling Group of EC2 instances. The application hosted on the instances is expected to be extremely popular. Forecasts for traffic to this site expect very high traffic and you will need a load balancer to handle tens of millions of requests per second while maintaining high throughput at ultra low latency. You need to select the type of load balancer to front your Auto Scaling Group to meet this high traffic requirement. Which load balancer will you select?

A) You will need an Application Load Balancer to meet this requirement.

B) You will need a Classic Load Balancer to meet this requirement.

C) All the AWS load balancers meet the requirement and perform the same.

D) You will select a Network Load Balancer to meet this requirement.

A

D) You will select a Network Load Balancer to meet this requirement.

If extreme performance is needed for your application, AWS recommends that you use a Network Load Balancer. Network Load Balancer operates at the connection level (Layer 4), routing connections to targets (Amazon EC2 instances, microservices, and containers) within Amazon VPC, based on IP protocol data. Ideal for load balancing of both TCP and UDP traffic, Network Load Balancer is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. It is integrated with other popular AWS services such as Auto Scaling, Amazon EC2 Container Service (ECS), Amazon CloudFormation, and AWS Certificate Manager (ACM).

11
Q

Design Cost-Optimized Architectures

You are consulting for a state agency focused on the state lottery. You have been given a task to have 2,000,000 bar codes created as quickly as possible. This will require EC2 instances and an average CPU utilization of 70% for each of them. So you plan to spin up 10 EC2 instances to create the bar codes. You estimate that the instances will complete the job from around 11pm to 1am. You don’t want the instances sitting idle for up to 9 hours until the next morning. What can you do to terminate these instances when they are done?

A) Write a cron job which queries the instance status. If a certain status is met, have the cron job kick off CloudFormation to terminate the existing instance, and create a new instance from a template.

B) Write a Python script which queries the instance status. Also write a Lambda function which can be triggered upon a certain status and terminate the instance.

C) Write a cron job which queries the instance status. Also write a Lambda function which can be triggered upon a certain status and terminate the instance.

D) You can create a CloudWatch alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 4 hours, and terminates the instance.

A

D) You can create a CloudWatch alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 4 hours, and terminates the instance.

Adding Terminate Actions to Amazon CloudWatch Alarms: You can create an alarm that terminates an EC2 instance automatically when a certain threshold has been met (as long as termination protection is not enabled for the instance). For example, you might want to terminate an instance when it has completed its work and you don't need the instance again. If you might want to use the instance later, you should stop the instance instead of terminating it. For information about enabling and disabling termination protection for an instance, see Enabling Termination Protection for an Instance.

12
Q

Design Resilient Architectures

A financial institution has an application that produces huge amounts of actuary data, which is ultimately expected to be in the terabyte range. There is a need to run complex analytic queries against terabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution. Which service will best meet this requirement?

A) RDS

B) Elasticache

C) DynamoDB

D) Redshift

A

D) Redshift

Amazon Redshift is a fast, fully-managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It enables you to run complex analytic queries against terabytes to petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution. Most results come back in seconds. With Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth of the cost of traditional on-premises solutions. Amazon Redshift also includes Amazon Redshift Spectrum, allowing you to run SQL queries directly against exabytes of unstructured data in Amazon S3 data lakes. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, Amazon Ion, JSON, ORC, Parquet, RCFile, RegexSerDe, Sequence, Text, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data retrieved, so queries against Amazon S3 run fast, regardless of data set size.

13
Q

Specify Secure Applications and Architectures

You are about to configure two EC2 instances in your VPC. The instances will be in different subnets, but in the same Availability Zone. The first instance will house the main company website and will need to be able to communicate with the database that will be housed on the second instance. What steps can you take to make sure the instances will be able to communicate properly? Choose two.

A) Put the instances in the same placement group.

B) Make sure all security groups allow communication between the app and database on the correct port using the proper protocol.

C) Configure a Virtual Private Gateway.

D) Make sure the NACL allows communication between the two subnets.

E) Make sure each instance has an elastic IP address.

A

B) Make sure all security groups allow communication between the app and database on the correct port using the proper protocol.

The proper ingress on both the security groups and NACL need to be configured to allow communication between these instances.

D) Make sure the NACL allows communication between the two subnets.

The proper ingress on both the Security Groups and NACL need to be configured to allow communication between these instances.

14
Q

Define Performance Architectures

An Application Load Balancer is fronting an Auto Scaling Group of EC2 instances, and the instances are backed by an RDS database. The Auto Scaling Group has been configured to use the Default Termination Policy. You are testing the Auto Scaling Group and have triggered a scale-in. Which instance will be terminated first?

A) The instance for which the load balancer stops sending traffic.

B) The longest running instance.

C) The instance launched from the oldest launch configuration.

D) The Auto Scaling Group will randomly select an instance to terminate.

A

C) The instance launched from the oldest launch configuration.

The ASG is using the Default Termination Policy. The default termination policy is designed to help ensure that your instances span Availability Zones evenly for high availability. The default policy is kept generic and flexible to cover a range of scenarios. The default termination policy behavior is as follows:
Determine which Availability Zones have the most instances, and at least one instance that is not protected from scale in.
Determine which instances to terminate so as to align the remaining instances to the allocation strategy for the On-Demand or Spot instance that is terminating. This only applies to an Auto Scaling Group that specifies allocation strategies. For example, after your instances launch, you change the priority order of your preferred instance types. When a scale-in event occurs, Amazon EC2 Auto Scaling tries to gradually shift the On-Demand instances away from instance types that are lower priority.
Determine whether any of the instances use the oldest launch template or configuration:
[For Auto Scaling Groups that use a launch template] Determine whether any of the instances use the oldest launch template unless there are instances that use a launch configuration. Amazon EC2 Auto Scaling terminates instances that use a launch configuration before instances that use a launch template.
[For Auto Scaling Groups that use a launch configuration] Determine whether any of the instances use the oldest launch configuration.
After applying all of the above criteria, if there are multiple unprotected instances to terminate, determine which instances are closest to the next billing hour. If there are multiple unprotected instances closest to the next billing hour, terminate one of these instances at random.

15
Q

Define Performance Architectures

A large financial institution is gradually moving their infrastructure and applications to AWS. The company has data needs that will utilize all of RDS, DynamoDB, Redshift, and ElastiCache. Which description best describes Amazon Redshift?

A) Cloud-based relational database.

B) Can be used to significantly improve latency and throughput for many read-heavy application workloads.

C) Near real-time complex querying on massive data sets.

D) Key-value and document database that delivers single-digit millisecond performance at any scale.

A

C) Near real-time complex querying on massive data sets.

Amazon Redshift is a fast, fully-managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against terabytes to petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance storage, and massively parallel query execution. Most results come back in seconds. With Redshift, you can start small for just $0.25 per hour with no commitments and scale out to petabytes of data for $1,000 per terabyte per year, less than a tenth the cost of traditional on-premises solutions. Amazon Redshift also includes Amazon Redshift Spectrum, allowing you to run SQL queries directly against exabytes of unstructured data in Amazon S3 data lakes. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, Amazon Ion, JSON, ORC, Parquet, RCFile, RegexSerDe, Sequence, Text, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data retrieved, so queries against Amazon S3 run fast, regardless of data set size.

16
Q

Define Performance Architectures

A professional baseball league has chosen to use a key-value and document database for storage, processing, and data delivery. Many of the data requirements involve high-speed processing of data such as a Doppler radar system which samples the position of the baseball 2000 times per second. Which AWS data storage can meet these requirements?

A) S3

B) DynamoDB

C) RDS

D) Redshift

A

B) DynamoDB

Amazon DynamoDB is a NoSQL database that supports key-value and document data models, and enables developers to build modern, serverless applications that can start small and scale globally to support petabytes of data and tens of millions of read and write requests per second. DynamoDB is designed to run high-performance, internet-scale applications that would overburden traditional relational databases.

17
Q

Define Performance Architectures

A gaming company is designing several new games which focus heavily on player-game interaction. The player makes a certain move and the game has to react very quickly to change the environment based on that move and to present the next decision for the player in real-time. A tool is needed to continuously collect data about player-game interactions and feed the data into the gaming platform in real-time. Which AWS service can best meet this need?

A) AWS Lambda

B) Kinesis Data Analytics

C) Kinesis Data Streams

D) AWS IoT

A

C) Kinesis Data Streams

Kinesis Data Streams can be used to continuously collect data about player-game interactions and feed the data into your gaming platform. With Kinesis Data Streams, you can design a game that provides engaging and dynamic experiences based on players' actions and behaviors.

18
Q

Specify Secure Applications and Architectures

A new startup company decides to use AWS to host their web application. They configure a VPC as well as two subnets within the VPC. They also attach an internet gateway to the VPC. In the first subnet, they create the EC2 instance which will host their web application. They finish the configuration by making the application accessible from the Internet. The second subnet hosts their database and they don’t want the database accessible from the Internet. Which statement best describes this scenario?

A) The web server is in a private subnet, and the database server is in a public subnet. The public subnet has a route to the internet gateway in the route table.

B) The web server is in a private subnet, and the database server is in a private subnet. A third subnet has a route to the Internet Gateway, which allows internet access.

C) The web server is in a public subnet, and the database server is in a public subnet. The public subnet has a route to the internet gateway in the route table.

D) The web server is in a public subnet, and the database server is in a private subnet. The public subnet has a route to the internet gateway in the route table.

A

D) The web server is in a public subnet, and the database server is in a private subnet. The public subnet has a route to the internet gateway in the route table.

An internet gateway is a horizontally-scaled, redundant, and highly available VPC component that allows communication between your VPC and the Internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. To enable access to or from the Internet for instances in a subnet in a VPC, you must do the following:
Attach an internet gateway to your VPC.
Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
Ensure that instances in your subnet have a globally-unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.

19
Q

Design Resilient Architectures

You suspect that one of the AWS services your company is using has gone down. How can you check on the status of this service?

A) Amazon Inspector

B) AWS Trusted Advisor

C) AWS Organizations

D) AWS Personal Health Dashboard

A

D) AWS Personal Health Dashboard

Correct. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view of the performance and availability of the AWS services underlying your AWS resources. The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility and guidance to help quickly diagnose and resolve issues.

20
Q

Define Performance Architectures

A large, big-box hardware chain is setting up a new inventory management system. They have developed a system using IoT sensors which captures the removal of items from the store shelves in real-time and want to use this information to update their inventory system. The company wants to analyze this data in the hopes of being ahead of demand and properly managing logistics and delivery of in-demand items.

Which AWS service can be used to capture this data as close to real-time as possible, while being able to both transform and load the streaming data into Amazon S3 or Elasticsearch?

A) Amazon Aurora

B) Kinesis Data Firehose

C) Kinesis Streams

D) Redshift

A

B) Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near-real-time analytics with existing business intelligence tools and dashboards you’re already using today. It is a fully-managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security.

21
Q

Design Resilient Architectures

Your company has recently converted to a hybrid cloud environment and will slowly be migrating to a fully AWS cloud environment. The AWS side is in need of some steps to prepare for disaster recovery. A disaster recovery plan needs to be drawn up and disaster recovery drills need to be performed for compliance reasons. The company wants to establish Recovery Time and Recovery Point Objectives. The RTO and RPO can be pretty relaxed. The main point is to have a plan in place, with as much cost savings as possible. Which AWS disaster recovery pattern will best meet these requirements?

A) Multi Site

B) Warm Standby

C) Pilot Light

D) Backup and restore

A

D) Backup and restore

This is the least expensive option and cost is the overriding factor.

22
Q

Specify Secure Applications and Architectures

Several S3 Buckets have been deleted and a few EC2 instances have been terminated. Which AWS service can you use to determine who took these actions?

A) AWS CloudWatch

B) Trusted Advisor

C) AWS Inspector

D) AWS CloudTrail

A

D) AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command-line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting.

23
Q

Specify Secure Applications and Architectures

A new startup company decides to use AWS to host their web application. They configure a VPC as well as two subnets within the VPC. They also attach an internet gateway to the VPC. In the first subnet, they create the EC2 instance which will host their web application. They finish the configuration by making the application accessible from the Internet. The second subnet has an instance hosting a smaller, secondary application. But this application is not currently accessible from the Internet. What could be potential problems?

A) The EC2 instance is not attached to an internet gateway.

B) The second subnet does not have a route in the route table to the internet gateway.

C) The second subnet does not have a route in the route table to the virtual private gateway.

D) The second subnet does not have a public IP address.

E) The EC2 instance does not have a public IP address.

A

B) The second subnet does not have a route in the route table to the internet gateway.

E) The EC2 instance does not have a public IP address.

To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:
Attach an internet gateway to your VPC.
Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.

24
Q

Specify Secure Applications and Architectures

An organization of about 100 employees has performed the initial setup of users in IAM. All users except administrators have the same basic privileges. But now it has been determined that 50 employees will have extra restrictions on EC2. They will be unable to launch new instances or alter the state of existing instances. What will be the quickest way to implement these restrictions?

A) Create an IAM Role for the restrictions. Attach it to the EC2 instances.

B) Create the appropriate policy. Create a new group for the restricted users. Place the restricted users in the new group and attach the policy to the group.

C) Create the appropriate policy. With only 20 users, attach the policy to each user.

D) Create the appropriate policy. Place the restricted users in the new policy.

A

B) Create the appropriate policy. Create a new group for the restricted users. Place the restricted users in the new group and attach the policy to the group.

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies. IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM user, you can choose to allow console or programmatic access. If console access is allowed, the IAM user can sign in to the console using a user name and password. Or if programmatic access is allowed, the user can use access keys to work with the CLI or API.

25
Q

Define Performance Architectures

An application is hosted on an EC2 instance in a VPC. The instance is in a subnet in the VPC, and the instance has a public IP address. There is also an internet gateway and a security group with the proper ingress configured. But your testers are unable to access the instance from the Internet. What could be the problem?

A) Make sure the instance has a private IP address.

B) A NAT gateway needs to be configured.

C) A virtual private gateway needs to be configured.

D) Add a route to the route table, from the subnet containing the instance, to the Internet Gateway.

A

D) Add a route to the route table, from the subnet containing the instance, to the Internet Gateway.

The question doesn’t state if the subnet containing the instance is public or private. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
In your subnet route table, you can specify a route for the internet gateway to all destinations not explicitly known to the route table (0.0.0.0/0 for IPv4 or ::/0 for IPv6). Alternatively, you can scope the route to a narrower range of IP addresses. For example, the public IPv4 addresses of your company’s public endpoints outside of AWS, or the elastic IP addresses of other Amazon EC2 instances outside your VPC. To enable communication over the Internet for IPv4, your instance must have a public IPv4 address or an Elastic IP address that’s associated with a private IPv4 address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The internet gateway logically provides the one-to-one NAT on behalf of your instance so that when traffic leaves your VPC subnet and goes to the Internet, the reply address field is set to the public IPv4 address or elastic IP address of your instance and not its private IP address. Conversely, traffic that’s destined for the public IPv4 address or elastic IP address of your instance has its destination address translated into the instance’s private IPv4 address before the traffic is delivered to the VPC. To enable communication over the Internet for IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the range of the subnet. IPv6 addresses are globally unique, and therefore public by default.

26
Q

Design Resilient Architectures

You have configured an Auto Scaling Group of EC2 instances fronted by an Application Load Balancer and backed by an RDS database. You want to begin monitoring the EC2 instances using CloudWatch metrics. Which metric is not readily available out of the box?

A) DiskReadOps

B) NetworkIn

C) CPU utilization

D) Memory utilization

A

D) Memory utilization

Memory utilization is not available as an out of the box metric in CloudWatch. You can, however, collect memory metrics when you configure a custom metric for CloudWatch. Types of custom metrics that you can set up include:

Memory utilization
Disk swap utilization
Disk space utilization
Page file utilization
Log collection
27
Q

Define Performance Architectures

A team member has been tasked to configure four EC2 instances for four separate applications. These are not high-traffic apps, so there is no need for an Auto Scaling group. The instances are all in the same public subnet and each instance has an EIP address, and all of the instances have the same security group. But none of the instances can send or receive internet traffic. You verify that all the instances have a public IP address. You also verify that an internet gateway has been configured. What is the most likely issue?

A) The route table is corrupt.

B) Each instance needs its own security group.

C) You are using the default NACL.

D) There is no route in the route table to the internet gateway (or it has been deleted).

A

D) There is no route in the route table to the internet gateway (or it has been deleted).

The question details all of the configuration needed for internet access, except for a route to the IGW in the route table. This is definitely a key step in any checklist for internet connectivity. It is quite possible to have a subnet with the ‘Public’ attribute set but no route to the internet in the assigned route table. (Test it yourself.) This may have been a setup error, or someone may have altered the shared route table for a special case instead of creating a new route table for the special case.

28
Q

Design Cost-Optimized Architectures

You are put in charge of your company’s Disaster Recovery planning. As part of this plan, you intend to create all of the company infrastructure with CloudFormation templates. The templates can then be saved in another region and used to launch a new environment in case of disaster. What determines the costs associated with CloudFormation templates?

A) There is a cost per template and discounts for over 100 templates.

B) There is no cost for templates, but when deployed, the resources created may accumulate charges.

C) It depends whether the resources in the template are in the free tier.

D) The distance of the region from the home region.

A

B) There is no cost for templates, but when deployed, the resources created may accumulate charges.

There is no additional charge for using AWS CloudFormation with resource providers in the following namespaces: AWS::, Alexa::, and Custom::*. In this case you pay for AWS resources (such as Amazon EC2 instances, Elastic Load Balancing load balancers, etc.) created using AWS CloudFormation as if you created them manually. You only pay for what you use, as you use it; there are no minimum fees and no required upfront commitments. When you use resource providers with AWS CloudFormation outside the namespaces mentioned above, you incur charges per handler operation. Handler operations are create, update, delete, read, or list actions on a resource.

29
Q

Design Resilient Architectures

You have taken over management of several instances in the company AWS environment. You want to quickly review scripts used to bootstrap the instances at runtime. A URL command can be used to do this. What can you append to the URL http://169.254.169.254/latest/ to retrieve this data?

A) instance-demographic-data/

B) meta-data/

C) instance-data/

D) user-data/

A

D) user-data/

When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives.

30
Q

Design Resilient Architectures

A software company has created an application to capture service requests from users and also enhancement requests. The application is deployed on an Auto Scaling group of EC2 instances fronted by an Application Load Balancer. The Auto Scaling group has scaled to maximum capacity, but there are still requests being lost. The cost of these instances should remain the same. What step can the company take to ensure requests aren’t lost?

A) Use larger instances in the Auto Scaling group.

B) Use a Network Load Balancer instead for faster throughput.

C) Use an SQS queue with the Auto Scaling group to capture all requests.

D) Use spot instances to save money.

A

C) Use an SQS queue with the Auto Scaling group to capture all requests.

There are some scenarios where you might think about scaling in response to activity in an Amazon SQS queue. For example, suppose that you have a web app that lets users upload images and use them online. In this scenario, each image requires resizing and encoding before it can be published. The app runs on EC2 instances in an Auto Scaling group, and it’s configured to handle your typical upload rates. Unhealthy instances are terminated and replaced to maintain current instance levels at all times. The app places the raw bitmap data of the images in an SQS queue for processing. It processes the images and then publishes the processed images where they can be viewed by users. The architecture for this scenario works well if the number of image uploads doesn’t vary over time. But if the number of uploads changes over time, you might consider using dynamic scaling to scale the capacity of your Auto Scaling group.

31
Q

Define Performance Architectures

You have multiple EC2 instances housing applications in a VPC in a single Availability Zone. Your EC2 workloads need low-latency network performance, high network throughput, and tightly-coupled node-to-node communication. What is the best measure you can take to ensure this throughput?

A) Use Auto Scaling Groups

B) Increase the size of the instances

C) Use Elastic Network Interfaces

D) Launch your instances in a cluster placement group

A

D) Launch your instances in a cluster placement group

A cluster placement group is a logical grouping of instances within a single Availability Zone. A cluster placement group can span peered VPCs in the same Region. Instances in the same cluster placement group enjoy a higher per-flow throughput limit for TCP/IP traffic and are placed in the same high-bisection bandwidth segment of the network.

32
Q

Design Resilient Architectures

A database outage has been very costly to your organization. You have been tasked with configuring a more highly-available architecture. The main requirement is that the chosen architecture needs to meet an aggressive RTO in case of disaster. You have decided to use an RDS Multi-AZ deployment. How is the replication handled for RDS Multi-AZ?

A) Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.

B) You can configure a standby replica in a different Availability Zone and send traffic synchronously or asynchronously depending on your cost considerations.

C) Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Region.

D) Amazon RDS automatically provisions and maintains an asynchronous standby replica in a different Availability Zone.

A

A) Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. Multi-AZ deployments for MariaDB, MySQL, Oracle, and PostgreSQL DB instances use Amazon’s failover technology. SQL Server DB instances use SQL Server Database Mirroring (DBM) or Always On Availability Groups (AGs). In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption.

33
Q

Design Resilient Architectures

An accounting company has big data applications for analyzing actuary data. The company is migrating some of its services to the cloud, and for the foreseeable future, will be operating in a hybrid environment. They need a storage service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. Which AWS service can meet these requirements?

A) Glacier

B) EBS

C) S3

D) EFS

A

D) EFS

Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on-demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth. Amazon EFS offers two storage classes: the Standard storage class, and the Infrequent Access storage class (EFS IA). EFS IA provides price/performance that’s cost-optimized for files not accessed every day. By simply enabling EFS Lifecycle Management on your file system, files not accessed according to the lifecycle policy you choose will be automatically and transparently moved into EFS IA.

34
Q

Specify Secure Applications and Architectures

Your company needs to deploy an application in the company AWS account. The application will reside on EC2 instances in an Auto Scaling Group fronted by an Application Load Balancer. The company has been using Elastic Beanstalk to deploy the application due to limited AWS experience within the organization. The application now needs upgrades and a small team of subcontractors have been hired to perform these upgrades. Which web service can be used to provide users that you authenticate with short-term security credentials that can control access to your AWS resources?

A) Presigned URLs

B) AWS STS

C) IAM user accounts

D) IAM Group

A

B) AWS STS

AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them. Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.

35
Q

Design Cost-Optimized Architectures

The CFO of your company approaches you and inquires about cutting costs in your AWS account. One area you are able to identify for cost cutting is in S3. There is data in S3 that is very rarely used and has only been retained for audit purposes. You decide to archive this data to a cheaper storage solution. Which AWS solution would meet this requirement?

A) Write a cron job to archive the data to DynamoDB.

B) Use a lifecycle policy to archive the data to Redshift.

C) Use a lifecycle policy to archive the data to Glacier.

D) Use a lifecycle policy to archive the data to Amazon SQS.

A

C) Use a lifecycle policy to archive the data to Glacier.

Using S3 Lifecycle configuration, you can transition objects to the S3 Glacier or S3 Glacier Deep Archive storage classes for archiving. When you choose the S3 Glacier or S3 Glacier Deep Archive storage class, your objects remain in Amazon S3. You cannot access them directly through the separate Amazon S3 Glacier service.

36
Q

Define Performance Architectures

You work for an advertising company that has a real-time bidding application. You are also using CloudFront on the front end to accommodate a worldwide user base. Your users begin complaining about response times and pauses in real-time bidding. What is the best service that can be used to reduce DynamoDB response times by an order of magnitude (milliseconds to microseconds)?

A) DAX

B) DynamoDB Auto Scaling

C) ElastiCache

D) CloudFront Edge Caches

A

A) DAX

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second. While DynamoDB offers consistent single-digit millisecond latency, DynamoDB with DAX takes performance to the next level with response times in microseconds for millions of requests per second for read-heavy workloads. With DAX, your applications remain fast and responsive, even when a popular event or news story drives unprecedented request volumes your way. No tuning required.

37
Q

Define Performance Architectures

A Solutions Architect has been assigned the task of helping the company’s development team optimize the performance of their web application. End users have been complaining about slow response times. The Solutions Architect has determined that improvements can be realized by adding ElastiCache to the solution. What can ElastiCache do to improve performance?

A) Delivers up to 10x performance improvement from milliseconds to microseconds or even at millions of requests per second.

B) Cache frequently accessed data in-memory.

C) Offload some of the write traffic to the database.

D) Queue up requests and allow the processor time to catch-up.

A

B) Cache frequently accessed data in-memory.

Amazon ElastiCache allows you to seamlessly set up, run, and scale popular open source compatible, in-memory data stores in the cloud. Build data-intensive apps or boost the performance of your existing databases by retrieving data from high-throughput and low-latency in-memory data stores. Amazon ElastiCache is a popular choice for real-time use cases like caching, session stores, gaming, geospatial services, real-time analytics, and queuing.

38
Q

Design Resilient Architectures

You have been tasked with designing a strategy for backing up EBS volumes attached to an instance-store-backed EC2 instance. You have been asked for an executive summary on your design, and the executive summary should include an answer to the question, “What can an EBS volume do when snapshotting the volume is in progress?”

A) The volume can only accommodate reads while a snapshot is in progress.

B) The volume can not be used while a snapshot is in progress.

C) The volume can be used normally while the snapshot is in progress.

D) The volume can only accommodate writes while a snapshot is in progress.

A

C) The volume can be used normally while the snapshot is in progress.

You can create a point-in-time snapshot of an EBS volume and use it as a baseline for new volumes or for data backup. If you make periodic snapshots of a volume, the snapshots are incremental; the new snapshot saves only the blocks that have changed since your last snapshot. Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume.

39
Q

Design Cost-Optimized Architectures

After an IT Steering Committee meeting, you have been put in charge of configuring a hybrid environment for the company’s compute resources. You weigh the pros and cons of various technologies, such as VPN and Direct Connect, and based on the requirements you have decided to configure a VPN connection. What features and advantages can a VPN connection provide?

A) It provides a network connection between two VPCs that can route traffic using IPv4 or IPv6.

B) It provides a private, dedicated network connection between an on-premises network and the VPC.

C) It enables you to securely connect your on-premises network to your Amazon VPC reusing existing VPN equipment, processes, and internet connections.

D) It provides a cost-effective, private network connection that bypasses the internet.

A

C) It enables you to securely connect your on-premises network to your Amazon VPC reusing existing VPN equipment, processes, and internet connections.

AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks. Amazon VPC provides the option of creating an IPsec VPN connection between your remote networks and Amazon VPC over the internet, allowing you to reuse existing VPN equipment, processes, and internet connections.

40
Q

Design Resilient Architectures

Your application is housed on an Auto Scaling Group of EC2 instances. The application is backed by the Multi-AZ MySQL RDS database and an additional read replica. You need to simulate some failures for disaster recovery drills. Which event will not cause an RDS to perform a failover to the standby replica?

A) Compute unit failure on primary

B) Read replica failure

C) Storage failure on primary

D) Loss of network connectivity to primary

A

B) Read replica failure

When you provision a Multi-AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.
Amazon RDS handles failovers automatically so you can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur:

An Availability Zone outage
The primary DB instance fails
The DB instance’s server type is changed
The operating system of the DB instance is undergoing software patching
A manual failover of the DB instance was initiated using Reboot with failover

There are several ways to determine if your Multi-AZ DB instance has failed over:

DB event subscriptions can be set up to notify you by email or SMS that a failover has been initiated. For more information about events, see Using Amazon RDS Event Notification.
You can view your DB events by using the Amazon RDS console or API operations.
You can view the current state of your Multi-AZ deployment by using the Amazon RDS console and API operations.

41
Q

Design Cost-Optimized Architectures

Your company is storing stack traces for application errors in an S3 Bucket. The engineers using these stack traces review them when addressing application issues. It has been decided that the files only need to be kept for four weeks then they can be purged. How can you meet this requirement in S3?

A) Configure the S3 Lifecycle rules to purge the files after a month.

B) Create a bucket policy to purge the rules after one month.

C) Add an S3 Lifecycle rule to archive these files to Glacier after one month.

D) Write a cron job to purge the files after one month.

A

A) Configure the S3 Lifecycle rules to purge the files after a month.

To manage your objects so that they are stored cost-effectively throughout their lifecycle, configure their Amazon S3 Lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects. There are two types of actions:

Transition actions define when objects transition to another storage class. For example, you might choose to transition objects to the S3 Standard-IA storage class 30 days after you created them, or archive objects to the S3 Glacier storage class one year after creating them.

Expiration actions define when objects expire. Amazon S3 deletes expired objects on your behalf.

The lifecycle expiration costs depend on when you choose to expire objects.

42
Q

Design Resilient Architectures

A new startup company decides to use AWS to host their web application. They configure a VPC as well as two subnets within the VPC. They also attach an internet gateway to the VPC. In the first subnet, they create an EC2 instance to host a web application. There is a network ACL and a security group, which both have the proper ingress and egress to and from the internet. There is a route in the route table to the internet gateway. The EC2 instances added to the subnet need to have a globally unique IP address to ensure internet access. Which is not a globally unique IP address?

A) Private IP address

B) Elastic IP address

C) Public IP address

D) IPv6 address

A

A) Private IP address

Public IPv4 addresses, Elastic IP addresses, and IPv6 addresses are globally unique. Private IPv4 addresses are not unique; they fall in the following ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.

43
Q

Design Resilient Architectures

You are working for a large financial institution and preparing for disaster recovery and upcoming DR drills. A key component in the DR plan will be the database instances and their data. An aggressive Recovery Time Objective (RTO) dictates that the database needs to be synchronously replicated. Which configuration can meet this requirement?

A) Amazon RDS Multi-AZ Deployments (Non-Aurora)

B) Amazon RDS Multi-Region Deployments (Aurora)

C) AWS Lambda to trigger a CloudFormation template launch in another Region

D) Amazon RDS read replicas

A

A) Amazon RDS Multi-AZ Deployments (Non-Aurora)

When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB instance failure. Multi-AZ deployments have synchronous replication (Non-Aurora) and asynchronous replication (Aurora).

44
Q

Design Resilient Architectures

You are working as a Solutions Architect in a large healthcare organization. You have many Auto Scaling Groups that utilize launch configurations. Many of these launch configurations are similar yet have subtle differences. You’d like to use multiple versions of these launch configurations. An ideal approach would be to have a default launch configuration and then have additional versions that add additional features. Which option best meets these requirements?

A) Store the launch configurations in S3 and turn on versioning.

B) Use launch templates instead.

C) Simply create the needed versions. Launch configurations already have versioning.

D) Create the launch configurations in CloudFormation and version the templates accordingly.

A

B) Use launch templates instead.

A launch template is similar to a launch configuration, in that it specifies instance configuration information. Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template. With versioning, you can create a subset of the full set of parameters and then reuse it to create other templates or template versions. For example, you can create a default template that defines common configuration parameters and allow the other parameters to be specified as part of another version of the same template.

45
Q

Specify Secure Applications and Architectures

A consultant is hired by a small company to configure an AWS environment. The consultant begins working with the VPC and launching EC2 instances within the VPC. The initial instances will be placed in a public subnet. The consultant begins to create security groups. What is true of security groups?

A) Security groups act at the instance level, not the subnet level.

B) Security groups are stateless.

C) Security groups act at the subnet level, not the instance level.

D) Security groups act at the VPC level, not the instance level.

A

A) Security groups act at the instance level, not the subnet level.

The following are the basic characteristics of security groups for your VPC:
There are quotas on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface. For more information, see Amazon VPC quotas.
You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
Security groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

46
Q

Design Resilient Architectures

A small startup company has begun using AWS for all of its IT infrastructure. The company has two AWS Solutions Architects, and they are very proficient with AWS deployments. They want to choose a deployment service that best meets the given requirements. Those requirements include version control of their infrastructure documentation and granular control of all of the services to be deployed. Which AWS service would best meet these requirements?

A) CloudFormation

B) OpsWorks

C) Elastic Beanstalk

D) Terraform

A

A) CloudFormation

CloudFormation is infrastructure as code, and the CloudFormation feature of templates allows this infrastructure as code to be version controlled. While it can be argued that both OpsWorks and Elastic Beanstalk provide some granular control of services, this is not the main feature of either. Both OpsWorks and Elastic Beanstalk, to varying degrees, allow some detailed configuration.

How is AWS CloudFormation different from AWS Elastic Beanstalk? These services are designed to complement each other. AWS Elastic Beanstalk provides an environment to deploy and run applications in the cloud. It is integrated with developer tools and provides a one-stop experience for you to manage the lifecycle of your applications. AWS CloudFormation is a convenient provisioning mechanism for a broad range of AWS and third-party resources. It supports the infrastructure needs of many different types of applications, such as existing enterprise applications, legacy applications, applications built using a variety of AWS resources, and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation supports Elastic Beanstalk application environments as one of the AWS resource types. This allows you, for example, to create and manage an AWS Elastic Beanstalk–hosted application along with an RDS database to store the application data. In addition to RDS instances, any other supported AWS resource can be added to the group as well.

47
Q

Define Performance Architectures

Your team has provisioned Auto Scaling groups in a single Region. The Auto Scaling groups, at max capacity, would total 40 EC2 instances between them. However, you notice that the Auto Scaling groups will only scale out to a portion of that number of instances at any one time. What could be the problem?

A) The associated load balancer can serve only 20 instances at one time.

B) There is a vCPU-based On-Demand Instance limit per Region.

C) You can have only 20 instances per region. This is a hard limit.

D) You can have only 20 instances per Availability Zone.

A

B) There is a vCPU-based On-Demand Instance limit per Region.

Your AWS account has default quotas, formerly referred to as limits, for each AWS service. Unless otherwise noted, each quota is Region-specific. You can request increases for some quotas; other quotas cannot be increased. Remember that the number of vCPUs per EC2 instance varies with its instance type and your configuration, so it is always wise to calculate your vCPU needs to make sure you will not hit the quota unexpectedly. Service Quotas is an AWS service that helps you manage your quotas for over 100 AWS services from one location. Along with looking up the quota values, you can also request a quota increase from the Service Quotas console.

48
Q

Specify Secure Applications and Architectures

You are working for a startup company with a small number of employees. The company expects rapid growth and you have been assigned to configure existing users and onboard new users with IAM privileges and logins. You intend to create IAM groups for the company departments and add new users to the appropriate group when you onboard them. You begin creating policies to assign permissions and attach them to the appropriate group. What is the best practice when giving users permissions in IAM policies?

A) Use the principle of least privilege.

B) Create a policy for each department head granting root access.

C) Use the principle of top-down privilege.

D) Grant all permissions to each AWS service the user will work with.

A

A) Use the principle of least privilege.

When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks. Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.

49
Q

Design Cost-Optimized Architectures

You have been tasked with migrating an application and the servers it runs on to the company AWS cloud environment. You have created a checklist of steps necessary to perform this migration. A subsection in the checklist is security considerations. One of the things that you need to consider is the shared responsibility model. Which option does AWS handle under the shared responsibility model?

A) Physical hardware infrastructure

B) Client-side data encryption

C) User Authentication

D) Firewall configuration

A

A) Physical hardware infrastructure

Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for, and management of, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment.

AWS responsibility “Security of the Cloud”: AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

50
Q

Design Resilient Architectures

Your company has performed a Disaster Recovery drill which failed to meet the Recovery Time Objective (RTO) desired by executive management. The failure was due in large part to the amount of time taken to restore proper functioning on the database side. You have given management a recommendation of implementing synchronous data replication for the RDS database to help meet the RTO. Which of these options can perform synchronous data replication in RDS?

A) RDS Multi-AZ

B) AWS Database Migration

C) Read Replicas

D) DAX

A

A) RDS Multi-AZ

Amazon RDS Multi-AZ deployments provide enhanced availability and durability for RDS database (DB) instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention.

51
Q

Design Resilient Architectures

Your company has decided to migrate a SQL Server database to a newly-created AWS account. Which service can be used to migrate the database?

A) DynamoDB

B) AWS RDS

C) ElastiCache

D) Database Migration Service

A

D) Database Migration Service

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from the most widely used commercial and open-source databases.

AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora. With AWS Database Migration Service, you can continuously replicate your data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S3.

52
Q

Specify Secure Applications and Architectures

A small company has nearly 200 users who already have AWS accounts in the company AWS environment. A new S3 bucket has been created which will allow roughly a third of all users access to sensitive information in the bucket. What is the most time-efficient way to give these users access to the bucket?

A) Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.

B) Create a new role which will grant permissions to the bucket. Create a group and attach the role to that group. Add the users to this group.

C) Create a new policy which will grant permissions to the bucket. Create a role and attach the policy to that role. Add the users to this role.

D) Create a new bucket policy granting the appropriate permissions and attach it to the bucket.

A

A) Create a new policy which will grant permissions to the bucket. Create a group and attach the policy to that group. Add the users to this group.

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user’s permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups. Note that a group is not truly an “identity” in IAM because it cannot be identified as a Principal in a permission policy. It is simply a way to attach policies to multiple users at one time. Following are some important characteristics of groups:
A group can contain many users, and a user can belong to multiple groups.
Groups can’t be nested; they can contain only users, not other groups.
There’s no default group that automatically includes all users in the AWS account. If you want to have a group like that, you need to create it and assign each new user to it.
There’s a limit to the number of groups you can have, and a limit to how many groups a user can be in. For more information, see IAM and STS Limits.

53
Q

Design Resilient Architectures

A software company has created an application to capture service requests from users and also enhancement requests. The application is deployed on an Auto Scaling Group of EC2 instances fronted by an Application Load Balancer. The Auto Scaling Group has scaled to maximum capacity, but there are still requests being lost. The company has decided to use SQS with the Auto Scaling Group to ensure all messages are saved and processed. What is an appropriate metric for auto scaling with SQS?

A) CPU utilization

B) backlog per user

C) backlog per instance

D) backlog per hour

A

C) backlog per instance

The issue with using a CloudWatch Amazon SQS metric like ApproximateNumberOfMessagesVisible for target tracking is that the number of messages in the queue might not change proportionally to the size of the Auto Scaling Group that processes messages from the queue. That’s because the number of messages in your SQS queue does not solely define the number of instances needed. The number of instances in your Auto Scaling Group can be driven by multiple factors, including how long it takes to process a message and the acceptable amount of latency (queue delay). The solution is to use a backlog per instance metric with the target value being the acceptable backlog per instance to maintain. You can calculate these numbers as follows:

Backlog per instance: To calculate your backlog per instance, start with the ApproximateNumberOfMessages queue attribute to determine the length of the SQS queue (number of messages available for retrieval from the queue). Divide that number by the fleet’s running capacity, which for an Auto Scaling Group is the number of instances in the InService state, to get the backlog per instance.

54
Q

Define Performance Architectures

A travel company has deployed a website in a single Amazon RDS DB instance. The database is very read-heavy and may have some latency issues at certain times of the year. What can you do to scale beyond the compute or I/O capacity of your single DB instance?

A) Place CloudFront in front of the Database

B) Configure RDS Multi-AZ

C) Configure multi-Region RDS

D) Add read replicas

A

D) Add read replicas

Amazon RDS Read Replicas provide enhanced performance and durability for RDS database (DB) instances. They can be within an Availability Zone, Cross-AZ, or Cross-Region, and make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server as well as Amazon Aurora.

55
Q

Define Performance Architectures

You work for a large healthcare provider as an AWS lead architect. There is a need to collect data in real-time from devices throughout the organization. The data will include log and event data from sources such as servers, desktops, and mobile devices. The data initially captured will be technical device data, but the goal is to expand the effort to collecting clinical data in real-time from handheld devices used by nurses and doctors. Which AWS service best meets this requirement?

A) AWS Redshift

B) Kinesis Data Streams

C) AWS Lambda

D) Kinesis Video Streams

A

B) Kinesis Data Streams

Kinesis Data Streams can be used to collect log and event data from sources such as servers, desktops, and mobile devices. You can then build Kinesis applications to continuously process the data, generate metrics, power live dashboards, and emit aggregated data into stores such as Amazon S3.

56
Q

Define Performance Architectures

Your company is slowly migrating to the cloud and is currently in a hybrid environment. The server team has been using Puppet for deployment automation, and the decision has been made to continue using Puppet in the AWS environment if possible. Which AWS service, if any, provides integration with Puppet?

A) Elastic Beanstalk

B) CloudFormation

C) AWS OpsWorks

D) This is not possible. The AWS Developer Tools suite can handle automations.

A

C) AWS OpsWorks

AWS OpsWorks for Puppet Enterprise is a fully-managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management. OpsWorks also maintains your Puppet master server by automatically patching, updating, and backing up your server. OpsWorks eliminates the need to operate your own configuration management systems or worry about maintaining its infrastructure. OpsWorks gives you access to all of the Puppet Enterprise features, which you manage through the Puppet console. It also works seamlessly with your existing Puppet code.

57
Q

Specify Secure Applications and Architectures

You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:

Rule #   Type         Allow/Deny
100      All Traffic  Allow
200      All Traffic  Deny
*        All Traffic  Deny

What function does the * All Traffic Deny rule perform?

A) The * specifies that it is an example rule.

B) This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied.

C) It is there in case no other rules are defined.

D) Traffic will be denied from specified IP addresses.

A

B) This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied.

The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule.

58
Q

Design Cost-Optimized Architectures

You are managing data storage for your company, and there are many EBS volumes. Your management team has given you some new requirements. Certain metrics on the EBS volumes need to be monitored, and the database team needs to be notified by email when certain metric thresholds are exceeded. Which AWS services can be configured to meet these requirements?

A) SQS

B) SNS

C) SWF

D) SES

E) CloudWatch

A

B) SNS

E) CloudWatch

CloudWatch can be used to monitor the volume, and SNS can be used to send emails to the Ops team. Amazon SNS is for messaging-oriented applications, with multiple subscribers requesting and receiving “push” notifications of time-critical messages via a choice of transport protocols, including HTTP, Amazon SQS, and email.

59
Q

Specify Secure Applications and Architectures

Your architecture consists of an Application Load Balancer in front of an Auto Scaling Group of EC2 instances, backed by an RDS database. Your security team has notified you of cross-site scripting attacks and also SQL injection attacks on the application. You have been asked to take steps to quickly mitigate these attacks. What steps should you take?

A) Configure Amazon GuardDuty to prevent these attacks.

B) Use Amazon Inspector to detect these attacks and manually block the IP addresses from which these attacks come.

C) Immediately block the offending IP addresses on the NACL.

D) Using the AWS WAF service, set up rules which block SQL injection and cross-site scripting attacks. Associate the rules to the ALB.

A

D) Using the AWS WAF service, set up rules which block SQL injection and cross-site scripting attacks. Associate the rules to the ALB.

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

At the simplest level, AWS WAF lets you choose one of the following behaviors:

Allow all requests except the ones that you specify – This is useful when you want CloudFront or an Application Load Balancer to serve content for a public website, but you also want to block requests from attackers.
Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
Count the requests that match the properties that you specify – When you want to allow or block requests based on new properties in web requests, you first can configure AWS WAF to count the requests that match those properties without allowing or blocking those requests. This lets you confirm that you didn’t accidentally configure AWS WAF to block all the traffic to your website. When you’re confident that you specified the correct properties, you can change the behavior to allow or block requests.

60
Q

Define Performance Architectures

You have just been hired by a large organization which uses many different AWS services in their environment. Some of the services which handle data include: RDS, Redshift, ElastiCache, DynamoDB, S3, and Glacier. You have been instructed to configure a web application using stateless web servers. Which services can you use to handle session state data?

A) Amazon Redshift

B) Amazon RDS

C) Amazon DynamoDB

D) Amazon S3 Glacier

E) Amazon ElastiCache

A

B) Amazon RDS

Amazon RDS can store session state data. It is slower than Amazon DynamoDB, but may be fast enough for some situations.

C) Amazon DynamoDB

E) Amazon ElastiCache

ElastiCache and DynamoDB can both be used to store session data.

61
Q

Design Cost-Optimized Architectures

You have been assigned the review of the security in your company AWS cloud environment. Your final deliverable will be a report detailing potential security issues. One of the first things that you need to describe is the responsibilities of the company under the shared responsibility model. Which measure is the customer’s responsibility?

A) EC2 instance OS Patching

B) Managing underlying network infrastructure

C) Physical security of data centers

D) Virtualization infrastructure

A

A) EC2 instance OS Patching

Security and compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility for, and management of, the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. This differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.

Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

62
Q

Define Performance Architectures

You have been assigned to create an architecture which uses load balancers to direct traffic to an Auto Scaling Group of EC2 instances across multiple Availability Zones. The application to be deployed on these instances is a life insurance application which requires path-based and host-based routing. Which type of load balancer will you need to use?

A) Network Load Balancer

B) Classic Load Balancer

C) Any type of load balancer will meet these requirements.

D) Application Load Balancer

A

D) Application Load Balancer

Only the Application Load Balancer can support path-based and host-based routing. Using an Application Load Balancer instead of a Classic Load Balancer has the following benefits:

Support for path-based routing. You can configure rules for your listener that forward requests based on the URL in the request. This enables you to structure your application as smaller services, and route requests to the correct service based on the content of the URL.
Support for host-based routing. You can configure rules for your listener that forward requests based on the host field in the HTTP header. This enables you to route requests to multiple domains using a single load balancer.
Support for routing based on fields in the request, such as standard and custom HTTP headers and methods, query parameters, and source IP addresses.
Support for routing requests to multiple applications on a single EC2 instance. You can register each instance or IP address with the same target group using multiple ports.
Support for redirecting requests from one URL to another.
Support for returning a custom HTTP response.
Support for registering targets by IP address, including targets outside the VPC for the load balancer.
Support for registering Lambda functions as targets.
Support for the load balancer to authenticate users of your applications through their corporate or social identities before routing requests.
Support for containerized applications. Amazon Elastic Container Service (Amazon ECS) can select an unused port when scheduling a task and register the task with a target group using this port. This enables you to make efficient use of your clusters.
Support for monitoring the health of each service independently, as health checks are defined at the target group level and many CloudWatch metrics are reported at the target group level. Attaching a target group to an Auto Scaling group enables you to scale each service dynamically based on demand.
Access logs contain additional information and are stored in compressed format.
Improved load balancer performance.

63
Q

Define Performance Architectures

Your company has asked you to look into some latency issues with the company web app. The application is backed by an AWS RDS database. Your analysis has determined that the requests made of the application are very read heavy, and this is where improvements can be made. Which service can you use to store frequently accessed data in-memory?

A) EBS

B) ElastiCache

C) DAX

D) DynamoDB

A

B) ElastiCache

Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. There are two types of ElastiCache available: Memcached and Redis.

64
Q

Specify Secure Applications and Architectures

A small startup is beginning to configure IAM for their organization. The user logins have been created, and now the focus will shift to the permissions to grant to those users. An admin starts creating identity-based policies. To which item can an identity-based policy not be attached?

A) groups

B) resources

C) roles

D) users

A

B) resources

Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys. For a list of services that support resource-based policies, see AWS services that work with IAM.

65
Q

Design Resilient Architectures

Several instances you are creating have a specific data requirement. The requirement states that the data on the root device needs to persist independently from the lifetime of the instance. After considering AWS storage options, which is the simplest way to meet these requirements?

A) Send the data to S3 using S3 lifecycle rules.

B) Store the data on the local instance store.

C) Store your root device data on Amazon EBS and set the DeleteOnTermination attribute to false using a block device mapping.

D) Create a cron job to migrate the data to S3.

A

C) Store your root device data on Amazon EBS and set the DeleteOnTermination attribute to false using a block device mapping.

An Amazon EBS-backed instance can be stopped and later restarted without affecting data stored in the attached volumes. By default, the root volume for an AMI backed by Amazon EBS is deleted when the instance terminates. You can change the default behavior to ensure that the volume persists after the instance terminates. To change the default behavior, set the DeleteOnTermination attribute to false using a block device mapping.
