Scenarios Flashcards

Question

Which action will help increase security in the AWS Cloud? A. Enable programmatic access for all IAM users. B. Use IAM users instead of IAM roles to delegate permissions. C. Rotate access keys on a reoccurring basis. D. Use inline policies instead of customer managed policies.

Answer 1

A Stateless workloads do not store any past information and start like a blank slate

Answer 2

B) PaaS removes the need to manage underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications

Answer 3

B) IAM Access advisor shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies Credentials report lists all IAM users in your account and the status of their various credentials, including passwords, access keys, and multi-factor authentication (MFA) devices

Answer 4

C.AWS Glue - Amazon Athena is used for analytics and not to prepare data for analytics

Answer 5

B) Partnet solutions - Automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners

Answer 6

B, C The fundamental charges for EBS volumes are the volume type (based on performance), the storage volume in GB per month provisioned, the number of IOPS provisioned per month, the storage consumed by snapshots, and outbound data transfer

Answer 7

A - Customers can receive Savings Plan recommendations

Answer 8

D. The Operations perspective helps ensure that your cloud services are delivered at a level that meets the needs of your business

Answer 9

A,C Compute Savings - EC2, Fargate and Lambda EC2 Savings - EC2 Sagemaker Savings - Sagemaker

Answer 10

C. Amazon QuickSight Q uses natural language processing to answer your business questions quickly

Answer 11

D. Effect : Allow/Deny Principal : User Action : API Resource : ARN of resources

Answer 12

C. AWS Step Functions provides workflow orchestration.

Answer 13

C. INCORRECT: "Change the Amazon EC2 volume type to a Provisioned IOPS SSD volume" is incorrect. This will improve the underlying performance of the EBS volume but does not assist with processing (more CPU is needed, i.e. by spreading across instances). INCORRECT: "Run the application on a bare metal Amazon EC2 instance" is incorrect. Bare metal instances are used for workloads that require access to the hardware feature set (such as Intel VT-x), for applications that need to run in non-virtualized environments for licensing or support requirements, or for customers who wish to use their own hypervisor.

Answer 14

D. AWS Data Exchange is the correct answer because this service allows customers to find, subscribe to, and use third-party data in the cloud. Companies can subscribe to a diverse selection of data products provided by various data providers. The media company in this scenario can enrich their existing datasets through AWS Data Exchange by easily finding and subscribing to third-party data sources.

Answer 15

A,C INCORRECT: "Create IAM Roles and apply them to IAM groups" is incorrect. You cannot apply roles to groups, you apply policies to groups.

Answer 16

C. INCORRECT: "Internet gateways" is incorrect. You can only attach one Internet gateway to each VPC.

Answer 17

B. INCORRECT: "AWS rotate access keys on a schedule" is incorrect. AWS do not rotate your access keys.

Answer 18

D,E INCORRECT: "Embed access keys in application code" is incorrect. This is not a best practice; you should always try and avoid embedding any secret credentials and access keys in application code. Instead, it is preferable to use IAM roles to delegate permission to applications.

Answer 19

A. Amazon SES is specifically designed to help users send transactional emails, marketing messages, and other types of content to their customers. INCORRECT: "Amazon Simple Notification Service (Amazon SNS)" is incorrect. While Amazon SNS can send notifications via email, it is primarily designed to send messages to a distributed set of recipients and is not optimized for transactional emails.

Answer 20

A. An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

Answer 21

D. INCORRECT: "AWS Billing and Cost Management" is incorrect. This answer is incorrect because, while it is a tool to track your AWS usage and expenditures, it doesn’t offer the specialized functionalities for creating billing groups and defining custom billing parameters as provided by AWS Billing Conductor.

Answer 22

A, C AWS AppSync and AWS Amplify are the correct answers as both services facilitate the building of secure and scalable mobile and web applications. AWS AppSync enables the creation of flexible APIs, including options for real-time updates and offline functionalities. AWS Amplify is a set of tools and services that can be used to build scalable full-stack apps powered by AWS, also supporting real-time functionalities and offline operations

Answer 23

C. INCORRECT: "You can scale vertically without downtime" is incorrect. You cannot scale vertically without downtime. When scaling with RDS you must change the instance type, and this requires a short period of downtime while the instances’ operating system reboots.

Answer 24

D. INCORRECT: "IAM Policy" is incorrect. An IAM policy is a policy document that is used to define permissions that can be applied to users, groups and roles. You don’t apply the policy to the service, you apply it to the role. The role is then used to assign permissions to the AWS service.

Answer 25

A. Amazon S3 is the only service out of the answers which can be used for backup and restore, data lakes and archival solutions. Because S3 is an object storage service, there are lots of different use cases.

Answer 26

B. An access key ID and secret access key are used to sign programmatic requests to AWS. They are associated with an IAM user. You cannot associate an access key ID and secret access key with an IAM Group, Role or Policy.

Answer 27

D. INCORRECT: "AWS Single Sign-On" is incorrect. AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization and doesn’t use SAML.

Answer 28

B, D INCORRECT: "AWS Lambda" is incorrect. AWS Lambda is a compute service, not an automation service.

Answer 29

C. Amazon MemoryDB for Redis is the correct answer because it is a Redis-compatible, in-memory database service built on Redis architecture, which offers sub-millisecond latency, fulfilling the requirements mentioned in the question.

Answer 30

C. AWS Organizations offers Service control policies (SCPs) which are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions (API actions) for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. INCORRECT: "AWS IAM" is incorrect. AWS IAM is used for assigning permissions but SCPs in AWS Organizations are used to control which API actions are allowed in an account. You need to be granted permission in IAM and have the API allowed to be able to use the API successfully.

Answer 31

D. There is only Allow Rule in Security Groups

Answer 32

A. INCORRECT: "AWS Control Tower" is incorrect. AWS Control Tower is a service that is intended for organizations with multiple accounts and teams who are looking for the easiest way to set up their new multi-account AWS environment and govern at scale

Answer 33

D. INCORRECT: "Regional Reserved Instances" is incorrect because it does not give you the guaranteed capacity availability that On Demand Capacity reservations have, therefore it is wrong.

Answer 34

D. INCORRECT: "Convertible Reserved Instances" is incorrect. You have the flexibility to change families, OS types, and tenancies while benefitting from RI pricing when you use Convertible RIs. However, this is not required for a right-sized server.

Answer 35

B. INCORRECT: "Edit the AWS managed policy" is incorrect. You cannot edit AWS managed policies.

Answer 36

D. Amazon ElastiCache s is a blazing fast in-memory data store that provides sub-millisecond latency to power internet-scale real-time applications. Built on open-source Redis or Memcached, ElastiCache works seamlessly with Redis or Memcached without any code changes. INCORRECT: Amazon RDS"" is incorrect. Whilst RDS is a database solution, it cannot handle single millisecond queries.

Answer 37

D. AWS AppConfig is the correct answer because it allows users to deploy application configuration changes quickly and reliably without needing to write additional code or restart services. It supports validation checks to ensure configuration data is syntactically and semantically correct before deployment, avoiding potential outages. INCORRECT: "AWS CloudFormation" is incorrect because, even though it allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications, it doesn't specialize in deploying application configurations with validation checks as described in the scenario.

Answer 38

D, E A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. There are two types of VPC endpoints: interface endpoints and gateway endpoints. With a gateway endpoint, you can access Amazon S3 or DynamoDB from your VPC However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway. For those scenarios, you must use an interface endpoint, which is available for an additional cost

Answer 39

A For enterprise - This plan supports architectural guidance contextual to your application.

Answer 40

A, C Credits are applied in the following order: Soonest expiring Least number of applicable products Oldest credit

Answer 41

A,C,E There are three best practice areas for Reliability in the cloud - Foundations, Change Management, Failure Management. Being aware of how change affects a system (change management) allows you to plan proactively, and monitoring allows you to quickly identify trends that could lead to capacity issues or SLA breaches.

Answer 42

B In most cases, there is no charge for inbound data transfer or data transfer between other AWS services within the same region

Answer 43

C. Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud

Answer 44

D. Cloud Foundations provides a guided path to help customers deploy, configure, and secure their new workloads while ensuring they are ready for on-going operations in the cloud. Cloud Foundations helps customers navigate through the decisions they need to make through curated AWS Services, AWS Solutions, Partner Solutions, and Guidance.

Answer 45

C,D INCORRECT : Amazon Elastic Compute Cloud (Amazon EC2) data transfer charges will apply for all Amazon Elastic Block Store (Amazon EBS) direct APIs for Snapshots - When using Amazon EBS direct APIs for Snapshots, additional Amazon EC2 data transfer charges will apply only when you use external or cross-region data transfers.

Answer 46

B. The company needs to create resources in the new AWS Region and then move the relevant data and applications into the new AWS Region. There is no off-the-shelf solution or service that the company can use to facilitate this transition. Incorrect option: The company should use AWS CloudFormation to move the resources (including any data and applications) from source AWS Region to destination AWS Region - AWS CloudFormation allows you to use programming languages or a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. AWS CloudFormation cannot help with moving data and applications into another Region.

Answer 47

D,E,F AWS Budgets - Cost budget, Usage budget, Reservation budget and Savings Plans budget

Answer 48

D. Sid (Optional) – Include an optional statement ID to differentiate between your statements. Effect – Use Allow or Deny to indicate whether the policy allows or denies access. Principal (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role. Action – Include a list of actions that the policy allows or denies. Resource (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached. Condition (Optional) – Specify the circumstances under which the policy grants permission.

Answer 49

D. Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access using AWS Direct Connect or AWS VPN.

Answer 50

A,B DynamoDB - It's a fully managed, multi-Region, multi-master, durable database with built-in security, backup and restore, and in-memory caching for internet-scale application EFS - It is a regional service storing data within and across multiple Availability Zones (AZ) for high availability and durability. It is built to scale on-demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth

Answer 51

A. You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources such as on-premises servers. Amazon CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service. You can then easily view them, search them for specific error codes or patterns, filter them based on specific fields, or archive them securely for future analysis.

Answer 52

C,D INCORRECT : AWS Web Application Firewall (AWS WAF) lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon Route 53 - AWS Web Application Firewall (AWS WAF) is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer. It does not cover Amazon Route 53, which is a Domain Name System (DNS) web service.

Answer 53

A Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. To access EFS file systems from on-premises, you must have an AWS Direct Connect or AWS VPN connection between your on-premises datacenter and your Amazon VPC. You mount an EFS file system on your on-premises Linux server using the standard Linux mount command for mounting a file system

Answer 54

D. INCORRECT : You can use both read replicas and multi-AZ deployment having single standby for improved read performance - Amazon RDS Multi-AZ with single standby can only be used to enhance durability and availability. It cannot be used to improve the read performance. Amazon RDS Multi-AZ with two readable standbys maximizes read-performance and scalability.

Answer 55

D,E AWS Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones (AZs).

Answer 56

A. INCORRECT:AWS Developer Support - AWS recommends AWS Developer Support if you are testing or doing early development on AWS and want the ability to get technical support during business hours as well as general architectural guidance as you build and test. It provides enhanced technical support by Cloud Support Associates.

Answer 57

A,E INCORRECT: IP routing - Despite its name, Amazon Route 53 does not offer IP routing. However, it can route traffic based on multiple criteria, such as endpoint health, geographic location, and latency, using routing policies.

Answer 58

A. INCORRECT:AWS Storage Gateway - AWS Storage Gateway is a set of hybrid cloud services that give you on-premises access to virtually unlimited cloud storage. Customers use AWS Storage Gateway to integrate AWS Cloud storage with existing on-site workloads so they can simplify storage management and reduce costs for key hybrid cloud storage use cases. These include moving backups to the cloud, using on-premises file shares backed by cloud storage, and providing low latency access to data in AWS for on-premises applications.

Answer 59

D,E AWS Compute Optimizer delivers recommendations for selected types of EC2 instances, EC2 Auto Scaling groups, Amazon EBS volumes, and AWS Lambda functions.

Answer 60

C,D AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures.

Answer 61

B, C Amazon Workspaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device. To secure your network you would use the AWS Site-to-Site VPN. AWS Site-to-Site VPN allows you to encrypt traffic across your networks. INCORRECT: "Amazon AppStream 2.0" is incorrect. Amazon AppStream is a non-persistent desktop and application service for remotely accessing your work. The non-persistent feature of this service would make the product unsuitable.

Answer 62

C. AWS Launch Wizard is the correct choice because it offers a guided way of sizing, configuring, and deploying AWS resources for third-party applications, such as SQL Server Always On and SAP, without needing to manually identify and provision individual AWS resources. INCORRECT: "AWS Elastic Beanstalk" is incorrect because it is primarily an orchestration service for deploying infrastructure which involves a variety of AWS services. While it does handle deployment and provisioning of services, it doesn't offer a guided approach specifically designed for third-party applications like SQL Server Always On and SAP.

Answer 63

D. The company is responsible for enabling encryption on the bucket because the customer is responsible for the data within the bucket, and the way it is protected using things like Bucket Policies, permissions, and encryption.

Answer 64

A INCORRECT: "AWS Cost Explorer" is incorrect because, while it allows you to visualize, understand, and manage your AWS spending and usage over time, it does not offer resource optimization recommendations based on machine learning analyses of historical usage data.

Answer 65

A,B INCORRECT: "Operating system licensing" is incorrect as these are factors that are relevant to both on-premise and the cloud.

Answer 66

B. AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

Answer 67

A. AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for the following eight services: * Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers. * Amazon RDS. * Amazon CloudFront. * Amazon Aurora. * Amazon API Gateways. * AWS Lambda and Lambda Edge functions. * Amazon LightSail resources. * Amazon Elastic Beanstalk environments.

Answer 68

A Perform operations as code

Answer 69

C Amazon EC2 Image Builder simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises. Keeping Virtual Machine (VM) and container images up-to-date can be time-consuming, resource-intensive, and error-prone. Currently, customers either manually update and snapshot VMs or have teams that build automation scripts to maintain images. INCORRECT: AMI - An Amazon Machine Image (AMI) provides the information required to launch an instance. You must specify an AMI when you launch an EC2 instance. An Amazon Machine Image (AMI) is the basic unit of deployment in Amazon EC2 and is one of the types of images you can create with Image Builder.

Answer 70

C,D All AWS customers automatically have 24/7 access to these features of the Basic support plan: 1. One-on-one responses to account and billing questions 2. Support forums 3. Service health checks 4. Documentation, technical papers, and best practice guides

Answer 71

B. INCORRECT:Amazon EMR - Amazon EMR makes it easy to set up, operate, and scale your big data environments by automating time-consuming tasks like provisioning capacity and tuning clusters. EMR is not suitable as a real-time streaming service.

Answer 72

D. INCORRECT:Host the application directly on Amazon S3 - Amazon S3 does not support compute capacity to generate dynamic content. Only static web applications can be hosted on Amazon S3.

Answer 73

A You can use Snowcone in backpacks on first responders, or for IoT, vehicular, and drone use cases. You can execute compute applications on the edge, and you can ship the device with data to AWS for offline data transfer, or you can transfer data online with AWS DataSync from edge locations.

Answer 74

C Target Scaling - Automatically scales the capacity of your Auto Scaling group based on a target metric value E.g. : For example, let's say that you currently have an application that runs on two instances, and you want the CPU utilization of the Auto Scaling group to stay at around 50 percent when the load on the application changes. This gives you extra capacity to handle traffic spikes without maintaining an excessive number of idle resources. Step and simple scaling - Scale the capacity of your Auto Scaling group in predefined increments based on CloudWatch alarms Scheduled scaling - Automatic scaling for your application based on predictable load changes by creating scheduled actions that increase or decrease your group's desired capacity at specific times Predictive scaling - Analyzing historical load data to detect daily or weekly patterns in traffic flows

Answer 75

C,E INCORRECT OPTIONS: Amazon API Gateway creates RESTful APIs, Storage Gateway creates WebSocket APIs - Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs. AWS Storage Gateway is a hybrid storage solution offered by AWS. Amazon API Gateway does not yet support API result caching - API Gateway supports result caching. You can add caching to API calls by provisioning an API Gateway cache and specifying its size in gigabytes. If an API response is served by the cached data, it is not considered an API call for billing purposes - API calls are counted equally for billing purposes whether the response is handled by your backend operations or by the Amazon API Gateway caching operation.

Answer 76

D,E In addition to Elastic Load Balancing health checks, Elastic Beanstalk monitors resources in your environment and changes health status to red if they fail to deploy, are not configured correctly, or become unavailable. These checks confirm that: The environment's Auto Scaling group is available and has a minimum of at least one instance. The environment's security group is available and is configured to allow incoming traffic on port 80. The environment CNAME exists and is pointing to the right load balancer. In a worker environment, the Amazon Simple Queue Service (Amazon SQS) queue is being polled at least once every three minutes.

Answer 77

D,E,F INCORRECT: AWS CodeBuild is directly integrated with both AWS CodePipeline and AWS CodeCommit - AWS CodeCommit can trigger a Lambda function that in turns invokes a CodeBuild job, therefore CodeBuild has an indirect integration with CodeCommit. However, AWS CodePipeline is directly integrated with both AWS CodeBuild and AWS CodeCommit because CodePipeline can use source action integrations with CodeCommit and build action integrations with CodeBuild.

Answer 78

A INCORRECT:AWS Elastic Beanstalk - AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

Answer 79

C,E INCORRECT: An Availability Zone (AZ) is a physical location where AWS clusters the data centers - AWS has the concept of a Region, which is a physical location around the world where AWS clusters the data centers.

Answer 80

A. Global Services: Amazon Route 53, Amazon Chime, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, Amazon WorkLink.

Answer 81

D. Amazon Detective can analyze trillions of events from multiple data sources such as Virtual Private Cloud (VPC) Flow Logs, AWS CloudTrail, and Amazon GuardDuty, and automatically creates a unified, interactive view of your resources, users, and the interactions between them over time.

Answer 82

C. There are three types of events that can be logged in CloudTrail: management events, data events, and AWS CloudTrail Insights events. By default, AWS CloudTrail logs all management events and does not include data events or Insights events. Additional charges apply for data and Insights events. All event types use the same CloudTrail JSON log format.

Answer 83

C. Amazon Elasticsearch Service is involved with operational analytics such as application monitoring, log analytics and clickstream analytics. Amazon Elasticsearch Service allows you to search, explore, filter, aggregate, and visualize your data in near real-time.

Answer 84

C,E AWS Config can be used to track the configuration state of your resources and how the state has changed over time. With CloudTrail you can audit who made what API calls on what resources at what time. This can help with identifying changes that cause reliability issues.

Answer 85

B,C Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Server certificates are SSL/TLS certificates that you can use to authenticate with some AWS services.

Answer 86

C,E To handle a higher load in your database, you can vertically scale up your master database with a simple push of a button. There are currently over 18 instance sizes that you can choose from when resizing your RDS MySQL, PostgreSQL, MariaDB, Oracle, or Microsoft SQL Server instance. For Amazon Aurora, you have 5 memory-optimized instance sizes to choose from. The wide selection of instance types allows you to choose the best resource and cost for your database server. In addition to scaling your master database vertically, you can also improve the performance of a read-heavy database by using read replicas to horizontally scale your database. RDS MySQL, PostgreSQL, and MariaDB can have up to 5 read replicas, and Amazon Aurora can have up to 15 read replicas.

Answer 87

C. Accelerated computing instances use hardware accelerators, or co-processors, to perform functions, such as floating point number calculations, graphics processing, or data pattern matching, more efficiently than is possible in software running on CPUs. Compute Optimized - media transcoding, scientific modeling, dedicated gaming servers Memory Optimized - relational database workloads, financial, actuarial, and data analytics simulation workloads, Electronic Design Automation (EDA) Storage Optimized - relational databases (MySQL, MariaDB, and PostgreSQL), and NoSQL databases (KeyDB, ScyllaDB, and Cassandra), search engines and data analytics workloads

Answer 88

C. With TTL, items in the table can be automatically expired and deleted, ensuring that data isn't retained longer than necessary

Answer 89

A,B,C Amazon Shield Advanced provides protection: Amazon CloudFront, Elastic Load Balancing, EC2 Elastic IP addresses, Route 53 hosted zones, AWS Global Accelerators

Answer 90

D. Spot Instances are an offering from AWS where you can bid for spare Amazon EC2 computing capacity. If your Spot Instance is running and the Spot price increases above your maximum price, AWS will automatically terminate your instance. The terminated instance cannot be recovered. This means that if you have not saved your work, it could potentially be lost. Therefore, it's essential to consider this factor when deciding whether to use Spot Instances for certain types of workloads.

Answer 91

A. Amazon EBS Provisioned IOPS SSD (io1/io2) is an optimal choice for latency-sensitive and high-performance workloads Amazon EBS General Purpose SSD (gp3) provides a balanced cost-performance ratio for a broad range of workloads Amazon EBS Throughput Optimized HDD (st1) is suitable for big data, data warehousing, and log processing Amazon EBS Cold HDD (sc1) is a low-cost option designed for infrequently accessed workloads. It's optimal for data archival

Answer 92

A, E M & T = General Purpose C = Compute R = Memory P = Accelerated Computing I = Storage

Answer 93

C,D Amazon Route 53 health checks monitor the health of application endpoints. In conjunction with DNS failover mechanisms, Route 53 can redirect traffic to healthy endpoints, which is critical for maintaining application availability. This approach ensures that if an application tier becomes unresponsive, traffic can be rerouted to healthy instances, either in the same or different AWS Regions. This not only enhances availability but also helps in load balancing and traffic management for the application.

Answer 94

D,E,F Security groups act as a virtual firewall for EC2 instances to control inbound and outbound traffic. Restricting traffic between layers ensures that only necessary communication is allowed. For instance, the web layer should only be able to communicate with the application layer and not directly with the database layer.

Answer 95

A,C INCORRECT : Savings Plans offer lower prices on AWS usage in exchange for committing to a consistent amount of usage (measured in $/hour) for a one- or three-year term. While Savings Plans provides flexibility in the use of AWS services, it is less efficient than Reserved Instances.

Answer 96

A,D Amazon S3 Transfer Acceleration is a feature designed to speed up the uploading of files to Amazon Simple Storage Service (S3) buckets. It works by enabling faster, more secure transfers of files over long distances between your client and an S3 bucket. This is achieved by automatically routing data through Amazon CloudFront's globally distributed edge locations, reducing the latency and increasing the transfer speed. INCORRECT:Amazon EC2 Auto Scaling ensures that you have the right number of EC2 instances available to handle your application's load. Though it can scale resources during high traffic, it doesn't specifically address the speed of content delivery to global users.

Answer 97

A. Placement Groups in Amazon EC2 are a way of placing instances on the same underlying hardware to achieve low latency or high throughput on those instances. They do not support launching instances across multiple Availability Zones in a single logical unit.

Answer 98

C. Geolocation Routing lets you route traffic based on the geographic location of your users. It is not designed for automatic failover based on health checks, but rather to customize content based on a user's location.

Answer 99

A,D Creating snapshots of EBS volumes also offers the benefit of cost-effectiveness. Instead of creating full backups of your data, EBS snapshots use an incremental backup approach. This means that when you create a snapshot, only the changed blocks since the last snapshot is stored.

Answer 100

A. INCORRECT: Data transfer from EC2 to Amazon S3 in the same region does not incur transfer costs, but this does not extend to data transfer to the Internet. Transferring data from EC2 to the internet is a separate chargeable activity, regardless of whether the data passes through Amazon S3 first.

Answer 101

C,D Amazon Redshift, it manages a cluster of servers to handle these tasks, hense is considered a server-based service.

Answer 102

D,E INCORRECT: Synchronous communication can introduce latency and dependencies between microservices, impacting performance and scalability. Asynchronous or loosely coupled communication patterns are often preferred to minimize latency and improve performance in microservices architectures.

Answer 103

B,E By inputting historical usage data, users can get a more accurate estimate of future costs, helping in budget planning and cost optimization. This capability is crucial for cloud financial management and aligns with the AWS cost optimization pillar, which emphasizes the importance of understanding and controlling where money is being spent.

Answer 104

A,C The cost of an EC2 instance is also influenced by the amount of storage capacity used. Amazon EC2 provides a variety of storage options that you can attach to your instances. Depending on the storage option used (e.g., EBS volumes, instance storage), the cost can increase as you add more storage capacity. For example, EBS volume pricing is based on the amount of storage provisioned and consumed. INCORRECT : Although the pricing for EC2 instances can vary slightly from one AWS region to another, the choice of availability zone within a region does not affect the price of EC2 instances.

Answer 105

A. INCORRECT : AWS Marketplace Management Portal is used by sellers to manage their product listings on AWS Marketplace, but It doesn't provide cost management and billing support for AWS Marketplace.

Answer 106

D. AWS CloudTrail enables governance, compliance, operational auditing, and risk auditing of your AWS account. It provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. Thus, CloudTrail can be seen as an event log for all AWS resources.

Answer 107

A,C INCORRECT : Amazon EBS provides the option to encrypt block storage volumes and snapshots, but this option is not managed by EBS itself. Instead, it uses AWS KMS for encryption, which would need to be specified by the user.

Answer 108

C,D INCORRECT:AWS Fargate integrates with both Amazon ECS (Elastic Container Service) and Amazon EKS (Elastic Kubernetes Service). This provides flexibility in choosing the orchestration service that best fits a user's needs. INCORRECT:While AWS Fargate simplifies the process of running containers, it does not natively support automatic vertical scaling. Vertical scaling typically involves increasing the capacity of a single resource, which requires manual intervention in Fargate. INCORRECT:Fargate tasks use ephemeral storage that is destroyed when the task stops. For persistent storage, integration with services like Amazon EFS is required, but Fargate doesn’t have built-in persistent storage capabilities.

Answer 109

B,D INCORRECT:Consolidating user accounts into a single AWS account would likely complicate cost tracking and could lead to security and resource contention issues. It also goes against AWS best practices for enterprise account management, which recommends using multiple accounts for better isolation and management. This approach would make it more challenging to allocate costs and manage departmental budgets effectively.

Answer 110

B. In AWS's IAM, when determining whether an action is allowed, the default is to deny access. If there's an explicit "Allow" statement, access is granted, but an explicit "Deny" statement will always override any "Allow" statement, no matter where it is found. Thus, if a user has multiple policies attached, and even if one of them allows a specific action, the presence of a "Deny" for that action in any of those policies will block access. This ensures that sensitive actions or resources can be securely locked down by administrators. INCORRECT:Exceeding service limits might prevent certain actions like creating new resources, but it doesn't result in IAM-based access being denied. Instead, users might receive a different type of error indicating the limit has been reached.

Answer 111

D,E Sticky sessions enable the load balancer to bind a user's session to a specific application instance. This ensures that all requests from a user during the session are sent to the same instance, maintaining session consistency. INCORRECT : While Amazon S3 is highly durable and suitable for storing a wide variety of data, it is not optimized for the high I/O performance required for real-time session state data. Services like ElastiCache or RDS are more appropriate for this purpose due to their ability to handle high-speed read and write operations needed for session management.

Answer 112

A,C AWS DataSync is a data transfer service that makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (EFS), or Amazon FSx for Windows File Server. AWS DataSync automatically encrypts data in transit using TLS (Transport Layer Security). This ensures the data remains confidential and tamper-proof while being moved over the internet.

Answer 113

B. S3 Multi-Region Access Points provide a singular access point to view and access data globally and automatically routing requests to data in the most optimal AWS region. INCORRECT : Amazon CloudFront with S3 as the origin can be used to deliver content globally, it acts as a content delivery network (CDN) and not a unified access point for S3 buckets across multiple regions. It's mainly designed to cache content closer to users rather than unify S3 bucket access.

Answer 114

C,E,F INCORRECT: While right-sizing services to meet capacity demands at the lowest cost is an advantage of using AWS, it is more related to cost optimization rather than agility. Agility refers to the ability to move quickly and easily, which includes rapid deployment and scaling, rather than the financial management of resources.

Answer 115

A,C TM=General Purpose RX=Memory IDH=Storage C=Compute PG=Accelerated Computing

Answer 116

C. INCORRECT: Amazon Redshift is a fast, fully managed, petabyte-scale data warehousing service that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools. It's not designed for processing large-scale distributed datasets.

Answer 117

A,E Amazon QuickSight is especially useful for forecasting future expenses and identifying areas for cost optimization INCORRECT : The AWS Pricing Calculator is a tool designed to provide a basic estimate of AWS costs. It does not offer detailed analysis or forecasting capabilities

Answer 118

C,E,F INCORRECT:Long-term commitment can sometimes save money, but they are not a key benefit of AWS’s cost-saving propositions since it can also lead to overspending if the services are not fully utilized. AWS’s value is in its flexible pricing options, including on-demand pricing.

Answer 119

D,E INCORRECT: A bucket policy can be used to deny delete permissions, it is not as foolproof as S3 Object Lock. Denying delete permissions entirely would mean that after the 5-year period, manual intervention would be needed to allow deletions. Moreover, certain users like root could still override this policy.

Answer 120

C,E INCORRECT: AWS Compliance Center provides general information about various compliance programs that AWS participates in, but it doesn't offer specific reports or detailed insights into how individual AWS services affect SOC2 compliance.

Answer 121

C,E INCORRECT:In Amazon RDS, AWS manages the underlying infrastructure, including the operating system and database setup. However, the user has control over settings that are specific to the database engine they choose.

Answer 122

A,D Migrating to the latest generation of EC2 instances can provide immediate cost savings as newer instances often provide better price performance compared to older generations

Answer 123

A,C INCORRECT:AWS Direct Connect establishes a dedicated network connection from on-premises to AWS, it is not primarily designed for individual remote users' secure access to AWS VPC. It's more for dedicated connectivity and data transfer needs of an organization.

Answer 124

A. Elastic IP addresses are for use in a specific region only and can therefore only be remapped between instances within that region. You can use Elastic IP addresses to mask the failure of an instance in one Availability Zone by rapidly remapping the address to an instance in another Availability Zone.

Answer 125

B. All volumes can now be encrypted at launch time and it’s possible to set this as the default setting.

Answer 126

D. INCORRECT: "AWS CodeDeploy" is incorrect. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Lambda, and on-premises servers.

Answer 127

D,E AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all your Amazon VPCs. INCORRECT: "AWS Web Application Firewall (AWS WAF)" is incorrect because, although it integrates with AWS Firewall Manager and you can manage it using Firewall Manager, by itself it is not a centralized solution to manage firewall rules across various AWS accounts and VPCs.

Answer 128

B,C INCORRECT: "Can apply multiple roles to a single instance" is incorrect. You cannot apply multiple roles to a single instance.

Answer 129

C,E Elastic IP addresses can be easily remapped between EC2 instances in the event of a failure. Amazon Machine Images (AMIs) can be used to quickly launch replacement instances when there is a failure Amazon Resource Names (ARNs), tags and block device mappings don’t really help with fault tolerance

Answer 130

A. Private and on-premise clouds are essentially the same, though both could be managed by a third party and even could be delivered under an OPEX model by some vendors. However, they are typically more CAPEX heavy and the elasticity is limited.

Answer 131

D. APN Consulting Partners are professional services firms that help customers of all sizes design, architect, build, migrate, and manage their workloads and applications on AWS. Consulting Partners include System Integrators (SIs), Strategic Consultancies, Agencies, Managed Service Providers (MSPs), and Value-Added Resellers (VARs).

Answer 132

A,C INCORRECT : The TCO analysis for migration to AWS Cloud is typically concerned with comparing current on-premises costs to the projected costs of operating in the cloud. Since AWS operates on a pay-as-you-go model, upfront hardware investments are not applicable to cloud cost assessments.

Answer 133

B. Amazon FSx for Lustre provides a high-performance file system optimized for fast processing of workloads like machine learning, high performance computing (HPC), and big data. Offers a seamless and high-speed solution for applications like the fintech company's analytical application

Answer 134

D. INCORRECT:Deploying a new application in the new region without using an AMI of the existing EC2 instance can lead to inconsistencies between the two instances. It may also be more time-consuming and error-prone as it would involve manually setting up the EC2 instance with the required software and configuration.

Answer 135

A,C,E INCORRECT: While DynamoDB provides fast access to items in a table by specifying primary key values, it is not designed for complex queries with multiple filters and joins like a relational database. If you require complex querying capabilities, using Amazon RDS or integrating DynamoDB with a data warehouse like Amazon Redshift might be a better solution.

Answer 136

D,E AWS does not charge for an Elastic IP address if it is associated with a running instance. However, charges are incurred when these IP addresses are allocated and not associated with a running instance. This billing approach encourages the efficient use of Elastic IP addresses, aligning with AWS's pay-for-what-you-use pricing philosophy.

Answer 137

D. INCORRECT:High availability and reliability ensure that applications are available and operate as expected, but they do not directly pertain to the deployment of applications in multiple regions.

Answer 138

B,D INCORRECT : AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. Although it is a security service, it does not provide compliance monitoring or security management capabilities, which is why it is not the correct choice for an organization specifically looking to monitor compliance.

Answer 139

D,E AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

Answer 140

B,D INCORRECT : While Reserved Instances can provide cost savings compared to On-Demand pricing, opting for full upfront payment locks the company into a long-term commitment that may not align with their changing business needs. This approach lacks flexibility and could result in over-provisioning and wasted resources if demand decreases or technology requirements change.

Answer 141

D,E The AWS Documentation website is an authoritative source of detailed technical documentation for all AWS services. It includes user guides, developer guides, API references, and tutorials that cover AWS security services and features in depth. The documentation often contains sections specifically about security, such as how to configure security settings, implement access controls, and use encryption to protect data.

Answer 142

B. Amazon MemoryDB for Redis is a Redis-compatible, fully managed, in-memory database service built on an architecture designed for durability and fault tolerance. It is designed to support applications requiring microsecond read latency and high-speed data ingestion, making it a perfect fit for a gaming application like the one described. Amazon MemoryDB supports data structures such as strings, lists, sets, sorted sets, hashes, and streams – features that will be beneficial for maintaining gaming sessions and leaderboards. It ensures high availability by replicating data across multiple Availability Zones, providing a multi-AZ fault-tolerant architecture that makes it suitable for use cases demanding high reliability and business continuity.

Answer 143

B. You can categorize and track your AWS costs on a detailed level when you activate them for cost allocation in the AWS Billing and Cost Management dashboard. This can include tracking costs associated with individual resources, specific projects, or different departments.

Answer 144

C. A hybrid cloud is a deployment model that combines the use of private cloud and public cloud resources. In a hybrid cloud environment, organizations can maintain sensitive data and applications on their private cloud while leveraging the scalability and flexibility of public cloud resources for other less sensitive, high-volume needs. This provides organizations with the ability to dynamically manage resources and increase efficiency, as they can adjust their use of public and private clouds to fit their needs.

Answer 145

B. AWS Partner Solutions (formerly AWS Quick Starts) outline the architectures for popular enterprise solutions on AWS and provide AWS CloudFormation templates to automate their deployment

Answer 146

D. The only way to reduce latency for the US users is to provision new Amazon EC2 instances in a Region closer to or in the US, OR by using Amazon CloudFront to cache copies of the content in edge locations close to the US users. In both cases, user requests will travel a shorter distance over the network, and the performance will improve.

Answer 147

C,E With AWS Snowball, you can access the compute power of the AWS Cloud locally and cost-effectively in places where connecting to the internet might not be an option

Answer 148

B. Amazon Kinesis Video Streams enables you to securely stream video from connected devices (IoT devices) to AWS for analytics, machine learning (ML), playback, and other processing

Answer 149

D. INCORRECT : “Combine On-demand Capacity Reservations with Saving Plans” is incorrect. When you combine On-demand Capacity Reservations with Saving Plans, you will be able to reduce costs significantly. But, On-demand Capacity Reservations is available only for Amazon EC2

Answer 150

B. INCORRECT:“Amazon S3 Glacier Flexible Retrieval” is incorrect. Amazon S3 Glacier Flexible Retrieval is more cost-effective than S3 One Zone-IA, but it does not provide immediate retrieval of data. With Amazon S3 Glacier Flexible Retrieval, the minimum retrieval period is 1-5 minutes.

Answer 151

B,E For RDS databases other than Aurora, RDS only supports storage auto-scaling, NOT instance auto-scaling. If you want to scale Amazon RDS instances (other than Aurora), you have two options: 1- Manual horizontal scaling (by adding read replicas) 2- Manual vertical scaling (by upgrading/downgrading an existing instance).

Answer 152

A,B INCORRECT:"It enables customers to explore the different catalogs of AWS services" is incorrect. AWS Service Catalog doesn’t contain catalogs by default. Each customer creates their own service catalog.

Answer 153

A. The AutoScaling launch configuration does not incur any charges. Thus, it will not make any difference whether it is deleted or not. Some services automatically restart resources after terminating them without notifying you, and as a result, you get unexpected charges on your bill. 1- Elastic Beanstalk: 2- AWS OpsWorks:

Answer 154

B,C "Deduplication" is incorrect. Deduplication is the process of removing duplicate data, and will do nothing to prevent data loss of data at rest. Amazon S3 provides a number of security features for the protection of data at rest, which you can use or not depending on your threat profile: 1- Permissions: Use bucket-level or object-level permissions alongside IAM policies to protect resources from unauthorized access and to prevent information disclosure, data integrity compromise or deletion. 2- Versioning: Amazon S3 supports object versions. Versioning is disabled by default. Enable versioning to store a new version for every modified or deleted object from which you can restore compromised objects if necessary. 3- Replication: 4. SSE 5. Client side encryption

Answer 155

D. AWS IAM Identity Center (Previously AWS Single Sign-On) expands the capabilities of AWS Identity and Access Management (IAM) to provide a central place that brings together the administration of users and their access to AWS accounts and cloud applications. AWS IAM Identity Center makes it easy to centrally manage access to multiple AWS accounts, business applications (such as Salesforce, Microsoft 365, and Box), and custom applications that support Security Assertion Markup Language (SAML) 2.0. AWS IAM Identity Center provides your workforce with single sign-on access to all assigned accounts and applications from one place. You can choose to manage access just to your AWS accounts, just to your cloud applications, or to both. INCORRECT:"Amazon Cognito" is incorrect. Amazon Cognito lets you easily add user sign-up and authentication to your mobile and web apps.

Answer 156

B,C Benefits of AWS X-Ray include: 1- Review request behavior : traces user requests as they travel through your entire application 2- Discover application issues 3- Improve application performance

Answer 157

C. Edge locations may or may not exist within a region. They are located in most major cities around the world. Edge locations are specifically used by CloudFront (CDN) to distribute content to global users with low latency.

Answer 158

A,D If you suspect that your account has been compromised, or if you have received a notification from AWS that the account has been compromised, perform the following tasks: 1- Change your AWS root account password and the passwords of all IAM users. 2- Delete or rotate all root and AWS Identity and Access Management (IAM) access keys. 3- Delete any potentially compromised IAM users. 4- Delete any resources on your account you didn’t create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users. 5- Respond to any notifications you received from AWS Support through the AWS Support Center.

Answer 159

A. 7- Elastic IP addresses: To ensure efficient use of Elastic IP addresses, AWS imposes a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance. While the instance is running, you are not charged for one Elastic IP address associated with the instance, but additional Elastic IPs are not free.

Answer 160

C. Provides web-based directories to make it easy for you to organize and manage all your application resources such as users, groups, locations, devices, and policies, and the rich relationships between them

Answer 161

B,D Identities on AWS include users (or user groups) and roles

Answer 162

A. AWS supports several MFA device options including Virtual MFA devices, FIDO security key, and Hardware TOTP token INCORRECT:AWS CloudHSM combines the benefits of the AWS cloud with the security of hardware security modules (HSMs). A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys

Answer 163

C. AWS Partner Paths: 1- Software Path The Software Path is for organizations that develop software that runs on or is integrated with AWS. 2- Hardware Path The Hardware Path is for organizations that develop hardware devices that work with AWS. 3- Services Path The Services Path is for organizations that deliver consulting, professional, managed, and value-added resale services. 4- Training Path The Training Path is for organizations that sell, deliver, or incorporate AWS training. 5- Distribution Path The Distribution Path is for organizations that recruit, onboard, and support their partners to resell and develop AWS solutions.

Answer 164

C,D INCORRECT:"Amazon Redshift" is incorrect. Currently, Amazon Redshift only supports Single-AZ deployments by default. INCORRECT:"Amazon EBS" is incorrect. Amazon EBS volume data is replicated across multiple servers within the same Availability Zone. Use snapshots to copy data in other AZ. Data in all Amazon S3 storage classes is redundantly stored across multiple Availability Zones (except S3 One Zone-IA). Amazon EFS data is redundantly stored across multiple Availability Zones providing better durability compared to EBS volumes.

Answer 165

C. ElastiCache for Redis power the most demanding real-time applications in Gaming, Ad-Tech, E-Commerce, Healthcare, Financial Services, and IoT.

Answer 166

C. INCORRECT:The detailed AWS usage report that is delivered directly to an Amazon S3 bucket is called "AWS Cost & Usage Report"

Answer 167

B. "ELB" is incorrect. Elastic Load Balancing (ELB) is used to distribute traffic automatically across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions.

Answer 168

C,E Some AWS services provide the option to run workloads on serverless or on server-based compute options. Amazon EMR Serverless and Amazon Redshuft Serverless

Answer 169

D,E AWS CloudEndure Disaster Recovery is an agent-based solution that lets you recover your environment from unexpected infrastructure or application outages, data corruption, ransomware, or other malicious attacks. AWS Elastic Disaster Recovery, the next generation of CloudEndure Disaster Recovery, is now the recommended service for disaster recovery to AWS

Answer 170

A. There are specific tasks that are restricted to the AWS account root user. For example, only the root user can perform the following tasks: 1- Change your account settings. This includes the account name, root user password, and email address. 2- View certain tax invoices. 3- Close your AWS account. 4- Change your AWS Support plan or Cancel your AWS Support plan. 5- Activate IAM access to the Billing and Cost Management console. By default, IAM users and roles within an AWS account can't access the Billing console pages. The AWS account root user can allow IAM users and roles access to Billing console pages by using the Activate IAM Access setting. 6- Configure an Amazon S3 bucket to enable MFA (multi-factor authentication) Delete. The AWS account owner (root account) configure MFA delete on a bucket to help ensure that the data in their bucket cannot be accidentally deleted.

Answer 171

A. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Each policy consists of: 1- Principal: Who needs access. (User) 2- Action: What action to allow or deny. (API) 3- Resource: Which resource to allow or deny the action on. (ARN) 4- Effect: What will be the effect when the user requests access - either allow or deny. 5- Condition: Which conditions must be present for the policy to take effect. For example, you might allow access only to the specific S3 buckets if the user is connecting from a specific IP range or has used multi-factor authentication at login.

Answer 172

C. By default, the AWS Management Console is organized by AWS service. But with the Resource Groups tool, you can create a custom console that organizes and consolidates information based on your project and the resources that you use. Placement Groups are logical groupings or clusters of EC2 instances within a single Availability Zone. Placement groups are recommended for applications that require low network latency, high network throughput, or both.

Answer 173

A. AWS doesn't charge usage for a stopped instance, or data transfer fees. For a stopped instance AWS will only charge you for EBS storage volumes attached to the instances.

Answer 174

D. INCORRECT:"Amazon VPC allows customers to control user interactions with all other AWS resources" is incorrect. Amazon VPC does not allow customers to control user interactions with all other AWS resources. AWS IAM is the service that allows customers to perform this function.

Answer 175

A,B "It applies advanced IAM security features automatically" is incorrect. IAM features are not applied automatically. It is the customer's responsibility to manually apply the necessary IAM features to secure their AWS resources.

Answer 176

A,B,E Rotate all access keys for all accounts also means changing them

Answer 177

D,E AWS Services listed as PCI DSS compliant means that they can be configured by customers to meet their PCI DSS requirements. It does not mean that any use of that service is automatically compliant and Only certain AWS services are in-scope for PCI compliance.

Answer 178

A,E To estimate the costs of an Amazon CloudFront distribution consider the following: - Traffic Distribution: Data transfer and request pricing varies across geographic regions, and pricing is based on the edge location through which your content is served. - Requests: The number and type of requests (HTTP or HTTPS) made and the geographic region in which the requests are made. - Data Transfer OUT: The amount of data transferred out of your Amazon CloudFront edge locations.

Answer 179

A. INCORRECT:AWS Service Catalog is incorrect. AWS Service Catalog is not used to filter AWS resources. AWS Service Catalog allows organizations to centrally manage commonly deployed IT services, and helps govern their infrastructure as code (IaC) templates.

Answer 180

A. The AWS Access Key ID and AWS Secret Access Key are your AWS credentials. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)

Answer 181

B. Its related to the performance efficiency pillar. Underprovisioned instances need to be scaled up to deliver better performance. Overprovisioned instances need to be scaled down to save on costs.

Answer 182

D,E A. is for AWS Step function B. is for AWS MQ C. is for AWS STS or Pinpoint

Answer 183

A, D Security groups accept IP address, IP address range, and security group ID as either source or destination of inbound or outbound rules Outbound MYSQL rule with IP address as source is incorrect because the source cannot be modified. Since it is outbound, you should specify the allowed destination instead.

Answer 184

C,D Amazon S3 can send event notification messages to the following destinations. Amazon SNS topics Amazon SQS queues AWS Lambda Amazon EventBridge