Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS > SysOps Administrator > Flashcards

SysOps Administrator Flashcards

(287 cards)

Start Studying
1
Q

When configuring an Elastic Load Balancer, it is possible to register targets using…

A

Instance ID and a Private IP address.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How can you protect mission-critical resources deployed as a CloudFormation stack from being unintentionally updated or deleted during a stack update?

A

Use a Stack Policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Load balancer best suited for load balancing of HTTP and HTTPS traffic and routing traffic based on the content of the request.

A

Application Load Balancer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Load Balancer designed for extreme performance and is capable of handling millions of requests per second while maintaining ultra-low latencies.

A

Network Load Balancer

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which EBS volume types are suitable for use as a boot volume?

A

Provisioned IOPS SSD (io2) and General Purpose SSD (gp2)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which deployment strategy involves the creation of another environment to safely deploy a new version of your application without impacting your production environment?

A

The blue/green deployment strategy is a type of immutable deployment which also requires creation of another environment. Once the new environment is up and passed all tests, traffic is shifted to this new deployment. Crucially the old environment, that is, the “blue” environment, is kept idle in case a rollback is needed.” Reference Documentation: Immutable and Blue/Green Deployment (https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/immutable-and-bluegreen-deployment.html)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which deployment strategy allows you to deploy a new version of your application in batches?

A

“With rolling deployment, the fleet is divided into batches so that all of the fleet isn’t upgraded at once. During the deployment process two software versions, new and old, are running on the same fleet. This method allows a zero-downtime update. If the deployment fails, only the updated portion of the fleet will be affected.” Reference Documentation: Rolling Deployment (https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/rolling-deployment.html)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

You are a SysOps Administrator supporting 1000s of Linux servers. Your manager asks you to install the latest operating system and security-related patches on each server. What is the best approach to complete this task as quickly and efficiently as possible?

A

Use Systems Manager Patch Manager to patch the instances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You would like to load balance traffic to your application that is running on multiple EC2 instances. Each instance has multiple private IP addresses associated with it, and you would like to load balance traffic to different IP addresses on the same instance, using the same port. How can you do this using an Application Load Balancer?

A

You can register the target using the private IP address that you would like to route the traffic to.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which AWS service would you use to automate the process of creating and maintaining AMI Images?

A

EC2 Image Builder automates and simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows images for use with EC2 and on-premises. Reference Documentation: EC2 Image Builder (https://aws.amazon.com/image-builder/)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are planning to deploy a production database to EC2 and need to choose the best storage type. You anticipate that you will need a maximum of 20,000 IOPS during peak times, but an average of 8,000 - 10,000 IOPS. Which of the following storage options should you choose?

A

Provisioned IOPS provides high performance for mission-critical, low-latency, or high-throughput workloads, delivering a maximum of 64,000 IOPS per volume. Reference Documentation: Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which AWS service can you use to manage, configure, and provision AWS infrastructure as YAML or JSON code?

A

CloudFormation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which EBS volume types CANNOT be used as a boot volume?

A

Cold HDD (sc1) is suitable for less frequently accessed data and Throughput Optimized HDD (st1) is suitable for Big data, data warehouses, and ETL (Extract, Transform, and Load) workloads. Both of these cannot be used as a boot volume.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which Elastic Load Balancer status codes indicates a server-side error?

A

HTTP 5XX

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which EBS volume type is most suitable for boot disks and general applications, e.g., web server or application server?

A

General Purpose SSD (gp2) is suitable for boot disks and general applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You are supporting a website consisting of a number of EC2 instances behind an Elastic Load Balancer. You would like to capture detailed information relating to incoming HTTP and HTTPS requests to your Elastic Load Balancer. All of this data is highly sensitive and will need to be encrypted. Which of the following should you do?

A

Enable Elastic Load Balancer access logs, it capture information relating to incoming requests to your Elastic Load Balancer. Access logging is not enabled by default and you will need to enable it yourself. When you enable logging, the logs are encrypted and stored in an S3 bucket and decrypted when you access them.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

You would like to find a solution to connect to private instances in your VPC from an untrusted network using SSH or RDP. Which of the following options is the best approach?

A

You should configure a bastion in the public subnet so that it is reachable from the internet. Then allow the bastion to SSH / RDP to your private instances. You should then be able to connect to the bastion from the untrusted network and from there, SSH / RDP to your private instances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

You are planning to deploy a big data solution that will run on EC2. You expect that the workload will be highly throughput-intensive and the data will be accessed on a daily basis by a team of data analysts. Which of the following EBS options should you choose for this solution?

A

Throughput Optimized HDD volumes are suitable for throughput-intensive workloads like big data, data warehouses, and log processing. These volumes are throughput-focused and are optimized for this use case. Reference Documentation: Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html#hard-disk-drives)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Which of the following can you use to protect critical CloudFormation stack resources from unintentional updates and mistakes caused by human error?

A

A Stack policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

You are using CloudFormation to deploy 5 new EC2 instances in us-east-1. Your stack deployment has failed with a “Resource limit exceeded” error. Which of the following options will help enable your stack to successfully deploy?

A

Delete any unnecessary EC2 instances in us-east-1 that are no longer required and request a limit/quota increase.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Which deployment strategy allows you to test a new version of your application with a small proportion of real customers before you roll it out to everybody, and acts as an early warning system to help surface issues with your new deployment?

A

Canary deployment

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

You are using CloudFormation to provision some new EC2 instances. Which section of the CloudFormation template enables you to input custom values like the name of an existing EC2 key pair to enable SSH access to your new EC2 instances?

A

The Parameters section of the CloudFormation template enables you to input custom values like the name of an existing EC2 key pair to enable SSH access to new EC2 instances.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

You are the team lead for a Linux SysOps Support team. Your CTO has asked you to suggest a solution to automate the configuration management of all of your production and development EC2 instances, which are all running Amazon Linux 2. The solution needs to be compatible with Puppet because your team is already familiar with using Puppet. Which of the following would you suggest?

A

OpsWorks is an automated configuration management service compatible with Puppet and Chef.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What describes a bastion host?

A
  • It provides access to a private network from an external network.
  • It is used to mitigate the risk of allowing connections from external networks to instances launched in private subnets of your VPC.
  • It allows you to safely administer EC2 instances without exposing them to the internet.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Which section of a CloudFormation template is mandatory?
Resources are the stack resources and their properties, such as an EC2 instance or an S3 bucket. The resources section of the template is mandatory.
26
You have been tasked with creating a number of new EC2 and RDS instances. Some of the new instances need to be created in your Production account and must be in the us-east-1 Region, and some instances need to be in your Development account and should be created in the eu-west-1 Region. How can you create these stacks using a single operation?
CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation.
27
How can you create multiple CloudFormation stacks across multiple AWS accounts and Regions using a single operation?
CloudFormation StackSets enable you to create, update, or delete stacks across multiple accounts and Regions with a single operation. Reference Documentation: Working with AWS CloudFormation StackSets (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
28
Which feature let's an IPv4 address of an end user connecting to your website which is behind an Elastic Load balancer?
X-Forwarded-For HTTP request header
29
Which feature let's you get the IPv4 address of your end user?
X-Forwarded-For header.
30
You have been asked to suggest a solution to automate the configuration management of all production and development EC2 instances, which are running Amazon Linux 2. The solution must be compatible with Chef, which is widely used in your organization, and there has already been a lot of investment in Chef training for your engineering team. Which of the following options would you suggest?
OpsWorks
31
Which ELB feature captures detailed information relating to incoming requests to your Elastic Load Balancer, enabling you to analyze traffic patterns?
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues
32
You are a SysOps Administrator supporting 100s of servers. Your manager asks you to run a command to check the network configuration on each server. Which of the following is the best approach to complete this task as quickly, easily, and securely as possible?
Use Systems Manager Run Command to query the network configuration on each instance simultaneously.
33
In a CloudFormation template, which section is used to define input values?
The Parameters section is used to define input values to pass to your template at runtime when you create or update a stack.
34
What function has the section Conditions from the CloudFormation template?
Conditions are used to "control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update. For example, you could conditionally create a resource that depends on whether the stack is for a production or test environment.
35
Which of the following CloudWatch metrics enables you to determine the time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received?
TargetResponseTime is the time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received.
36
Which aws service is compatible with Puppet and Chef, enables you to manage your application configuration, and models your application as a stack consisting of multiple layers (e.g., database, web server, application, load balancer, etc.)?
OpsWorks Stacks
37
Which Elastic Load Balancer CloudWatch metric would you use to determine the number of targets that are considered unhealthy?
UnHealthyHostCount
38
Which setup is required to the CloudWatch Agent in order to be able to monitor the specified metric?
Disk usage percentage of an Elastic Block Store volume. This would require the installation of the CloudWatch Agent, which can collect the metric.
39
A fellow administrator had created a CloudTrail for your company's AWS account. Your company now would like to store all CloudTrail logs indefinitely and your head of security has asked if there is a way to verify that the CloudTrail logs have not been modified or deleted. Which of the following could you do to help you determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it?
Enable log file integrity validation in CloudTrail You can use CloudTrail log file integrity validation to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.
40
Which AWS service continuously monitors the configuration of your AWS resources for compliance with a desired state that you define?
AWS Config is a fully managed service that provides you with a resource inventory, configuration history, and configuration change notifications to assist with security and governance.
41
Which AWS service is designed to allow you to easily configure event-driven systems and define tasks that can be run on a predefined schedule?
EventBridge allows you to easily configure event-driven systems and define tasks that can be run on a predefined schedule. EventBridge uses the same underlying technology as CloudWatch Events.
42
A log event consists of an event message and a timestamp. A log stream is a sequence of log events from the same source. A log group is a group of log streams that share the same retention and access control settings. This statement belongs to which AWS Service?
Amazon CloudWatch
43
Which of the following is NOT sent to CloudWatch by all EC2 instances by default? CPU utilization Status check Memory usage Disk read operations
Memory usage metrics are operating system-level metrics and are NOT collected by default. Operating system-level metrics require the CloudWatch agent to be installed on your EC2 instance.
44
You would like to query and analyze application log data stored in CloudWatch Logs. Which of the following services can be used to do this? CloudWatch Logs Insights CloudWatch metric filter CloudWatch agent
CloudWatch Logs Insights is designed to allow you to interactively query and analyze data stored in CloudWatch Logs.
45
Which of the following can be used to automatically detect warnings, errors, or HTTP status codes in your application log files? CloudWatch Logs Insights CloudWatch metric filter CloudWatch agent
You can search and filter the log data coming into CloudWatch Logs by creating metric filters. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs then uses these metric filters to transform log data into numerical CloudWatch metrics that you can graph or set an alarm on.
46
Which of the following can be installed on your EC2 instances to enable you to collect internal system-level metrics and logs and send them to CloudWatch? CloudWatch Logs Insights CloudWatch metric filter CloudWatch agent
The CloudWatch agent enables you to collect internal system-level metrics from EC2 and on-premises systems, as well as collect logs from Amazon EC2 instances and on-premises servers, running either Linux or Windows Server. Reference: Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent
47
Which AWS service can be configured to respond to state changes generated by AWS Config by sending an SNS notification?
EventBridge is an event bus that receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. For example, it can receive events from Config and route the events to SNS to send out notifications.
48
AWS Config integrates with which service to perform automatic remediation of non-compliant resources?
Systems Manager is the operations hub for AWS, allowing you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. It is used by AWS Config to automate tasks that are triggered during a remediation action.
49
Which feature of CloudWatch allows you to create a cross-Regional, custom view of the metrics and alarms that are meaningful to you?
CloudWatch dashboards let you monitor your resources in a single view, even those resources that are spread across different Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.
50
You are supporting a simple Lambda function and would like to be automatically alerted every time there is an error with your function. How could you configure this?
You can search and filter the log data coming into CloudWatch Logs by creating metric filters. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set an alarm on.
51
Which AWS service provides a detailed audit trail of user activity in your AWS account, including who, when, what, where, source IP, request parameters, and response?
CloudTrail records user activity in your account and delivers log files to an S3 bucket.
52
Which AWS service provides a dashboard view of the service availability status of all AWS services per Region?
The AWS Health Dashboard publishes up-to-the-minute information on service availability for all AWS services on a per-Region basis.
53
You would like to monitor the Apache logs from several different EC2 instances so that you can be aware of any error messages that appear in the logs. Which component will give you this functionality?
The CloudWatch agent enables you to collect internal system-level metrics from EC2 and on-premises systems, as well as collect system and application logs from Amazon EC2 instances and on-premises servers.
54
By default, how many days of event history are stored in CloudTrail?
90 days. CloudTrail will only show the results of the CloudTrail Event history for the current Region you are viewing for the last 90 days. To record the data for longer than 90 days, you will need to configure a CloudTrail trail.
55
You work in IT support, supporting a busy e-commerce website. You would like to be alerted if you are approaching the service limit/quota for any AWS services so that you can request an increase before the limit is reached. Which combination of AWS services can you use to configure automatic alerts and notifications to your team?
CloudWatch can be used to monitor your service quotas/limits, alert you in the dashboard, and notify you using Amazon Simple Notification Service (Amazon SNS) if the CloudWatch alarm is triggered.
56
You would like to view only the CPU utilization data for your production EC2 instances, and you want the metrics to be collected at 1-minute intervals and displayed in a single view. How should you configure this?
By default, EC2 instances are configured with basic monitoring enabled, which sends data to CloudWatch at 5-minute intervals. To collect data at 1-minute intervals, you will need to enable detailed monitoring.
57
Which of the following features of CloudWatch can be used to centralize operating system and application logs from your EC2 instances?
CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.
58
Which AWS service can receive events and respond by triggering a CloudWatch alarm to send you an SNS notification?
EventBridge receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. It can receive events from CloudWatch and route the events to SNS to send out notifications. EventBridge was formerly known as CloudWatch Events.
59
Log events
Event message and timestamp
60
Log stream
Sequence of log events, e.g. an Apache log from a specific host. Must belong to log group.
61
Log group
Group log streams together, centrally manage retention, monitoring and access control settings. No limit on the number of log streams in a log group.
62
Filter for specific phrases in your logs, e.g. warnings, errors, or HTTP status codes.
Metric filters
63
Use Case
Receive CloudWatch alerts for specific errors, warnings, or messages in your log files.
64
This can include EC2 CPU utilization, Elastic Load Balancer latency, or even the changes on your AWS bill.
Alarms
65
You can set appropriate thresholds to trigger the alarms and actions to be taken if an alarm state is reached.
Thresholds
66
Provides information about changes in the health of AWS resources.
AWS Health
67
Can send health events to EventBridge (was CloudWatch Events)
Eventbridge
68
Records user activity in your AWS account. Records events related to creation, modification, or deletion of resources (such as IAM usersm S3 buckets, and EC2 instances) Enabled by default when you create your AWS account.
AWS Cloudtrail
69
Represents the desired configuration for a specific resource.
Config rule
70
AWS provides over 180 managed rules for pre-defined common best practices (you can also create your own).
Managed rules
71
The following components list belong to which AWS service? Configuration Monitoring Dashboard Rules Conformance packs Automatic Remediation
AWS Config
72
AWS Config component that... Continuously monitors the config. of yours AWS resources for compliance with a desired state that you define.
Configuration Monitoring
73
AWS Config component that... Provides an inventory, and shows compliance and non-compliance.
Dashboard
74
AWS Config component that... Define the desired state of your resource configuration.
Rules
75
AWS Config component that... A set of rules managed as one, e.g. Operational Best Practices for S3, EC2, IAM
Conformance packs
76
AWS Config component that... Remediates non-compliant resources by triggering an action that you define, e.g. stop or terminate a non-compliant instance.
Automatic Remediation
77
Which service allows you to easily configure event-driven systems and define tasks that can be run on a pre-defined schedule. The same underlying technology as CloudWatch Events.
Eventbridge
78
Provides information about changes in the health of the AWS resources.
AWS Health
79
AWS service designed to allow you to interactively query and analyze data stored in CloudWatch Logs. But it will not atm send alerts.
CloudWatch Logs Insights
80
AWS service that is an event bus that receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. For example, it can receive events from Config and route the events to SNS to send out notifications.
EventBridge
81
Objects Up to 5 TB in Size
Amazon S3 Objects size
82
All AWS accounts share the S3 namespace. Each S3 bucket name is globally unique.
S3 buckets: Universal Namespace
83
When you upload a file to an S3 bucket, you receive an HTTP 200 code if the upload was successful
Amazon S3: Uploading files
84
S3 is a key-value data store, True or False?
True
85
Which S3 detail is.... The name of the object, for example: Ralphie.jpg
S3 key
86
Which S3 detail is.... Important for storing multiple versions of the same object.
S3 Version ID
87
Which S3 detail is.... Data about the data you are storing, e.g., content-type, last-modified, etc.
S3 Metadata
88
Which S3 detail is.... This is the data itself, which is made up of a sequence of bytes.
S3 Value
89
You can set default encryption on a bucket to encrypt all new objects when they are stored in the bucket.
Secure your data with Server-side encryption
90
Define which AWS accounts or groups are granted access and the type of access. You ca attach S3 ACLs to individual objects within a bucket.
Secure your data with Access Control Lists (ACLs)
91
S3 bucket policies specify what actions are allowed or denied (e.g., allow user Alice to PUT but not DELETE objects in the bucket)
Secure your data with Bucket Policies
92
Which actions are need in the S3 Bucket Policy to allow public access?
GetObject GetObjectVersion
93
With versioning enabled, S3 stores multiple versions of the same object, allowing you to revert to a previous version of an object. It is NOT enabled by default.
S3 Versioning
94
An additional layer of protection to S3 versioning. Requires versioning to be enabled. A physical or virtual MFA device is used to generate an authentication code, which is used to authenticate delete requests.
S3: MFA Delete
95
S3 Encryption Options for: - SSL/TLS - HTTPS
ENCRYPTION IN TRANSIT
96
S3 Encryption Options for: - SSE-S3: S3-managed keys, using AES 256-bit encryption - SSE-KMS: AWS Key Mgmt Service-managed keys - SSE-C: Customer-provided keys
ENCRYPTION AT REST: Server-side Encryption
97
S3 Encryption Options for: You encrypt the files yourself before you upload them into S3.
ENCRYPTION AT REST: Client-side Encryption
98
[Managed Network File System.] Highly available and scalable. [Std NFS Protocol] Used by Linux systems EFS is for Linux-based workloads only [Multiple EC2 Instances Can Access] -at once. This cannot be done w/EBS. [Lifecycle Mgmt] Any files in your file system that are not accessed for a period of time will automatically move to the EFS IA storage class (per GB retrieval fee). [Encryption]
Amazon EFS
99
Advanced EFS: Throughput modes The following definition is for... "The def. mode. Sclaes as your file system grows. Supports periodic bursting to cater for peaks."
Bursting
100
Advanced EFS: Throughput modes The following definition is for... "Optionally define throughput that you want. For apps that consistently need high performance."
Provisioned Throughput
101
Advanced EFS: Throughput modes The following definition is for... "A bend of read requests and write requests. Read operations are metered at a 1:3 ratio of write requests."
Metered Throughput
102
When you create an EFS file system, you will need at least 1 _________ (used by EC2 instances to mount the file system).
Mount target
103
Default-burstable throughput Throughput is determined by the amount of storage you have. Minimum 100 MiB/s All file systems get a minimum of 100 MiB/s of burstable throughput. 100 MiB/s per TiB Standard class file systems greater than 1 TiB in size can burst to 100 MiB/s per TiB of data stored.
Advanced EFS
104
If you're using an EFS One Zone storage class, you can only create one mount target in the same AZ as your EFS file system. True or False?
True
105
Incurs data access charges for the instance located in a different AZ to the mount target. True or False?
True
106
For EFS Std (which includes multi-AZ resilience), you can create a mount target in each AVZ in an AWS Region. True or False?
True
107
Is an interactive query service. And have the below features: - Serverless, pay per query/per TB scanned. - Easy. No need to set up complex ETL processes. - Integrated. Works directly with data stored on S3.
Amazon Athena
108
Which AWS service is the following? A widely used open-source data analysis technology enabling you to get real-time insights from your data. > Analyze your business data to gain insights and make better business decisions. > Search application, infrastructure, and security logging to understand how your systems are operating.
ElasticSearch
109
Which AWS service is the following? Deploys and administrates your own ElasticSearch cluster. Formerly known as Amazon ElasticSearch Service. > HW provisioning, configuringthe Elasticsearch cluster. > SW installation, patching. > Failure recovery, automated, backups, and monitoring.
Amazon OpenSearch Service
110
Which AWS service is the following? > Fully Managed [ElasticSearch] Based on open-source technology. > Compatible [Industry Std Tool] Compatible w/std ElasticSearch open-source APIs, Logstash, and Kibana. > Integrated [AWS Services] Ingest data directly from CloudWatch Logs and Kinesis Data Firehose. From S3, and DynamoDB using Lambda. > Use Cases [Real-Time Analytics] Log analytics, app monitoring, security analytics, Business data analytics.
Amazon OpenSearch Service
111
OpenSearch Service Deployment that... "Offload cluster mgmt tasks like health checks and maintain routing and cluster state."
3 Dedicated Master Nodes
112
OpenSearch Service Deployment that... "Store the data in shards and perform searches, query requests, and CRUD operations."
Data Nodes Deployed in Multiple of 3
113
OpenSearch Service Deployment that... "Distribute the data nodes equally across 3 AZs for the highest availability."
Deploy Across 3 AZs
114
Use cases: It helps you understand how you are using your S3 storage. You decide which metadata to include in the report. Which AWS Service has the before use cases?
S3 Inventory
115
Which AWS service has the following definition... "A flat file, consists of an inventory of all objects stored in your bucket, including objects metadata. Supported formats: CSV, Apache ORC, Apache Parquet Daily/Weekly schedule."
S3 Inventory
116
What is Storage Gateway?
An on-premises appliance installed in your own data center, allowing you to integrate your on-premises IT environment with AWS-based storage.
117
Which type of storage gateway is?... Store all your data locally. Use AWS storage as a backup. Uses the industry std iSCSI protocol.
Volume Gateway - Stored Mode
118
Which type of storage gateway is?... A virtual tape library which enables low-cost data archiving to Glacier.
Tape Gateway
119
Which type of storage gateway is?... Files are stored as objects in S3. They are accessed using an NFS or SMB mount point, like a file system mount backed by S3.
File Gateway
120
Which type of storage gateway is?... Files are stored in Amazon FSx for Windows File Server, and accessed using the SMB protocol.
FSx Gateway
121
Which type of storage gateway is?... S3 is your primary storage. Frequently accessed data is cached locally by your Storage Gateway using on-premises storage. Data is accessed using the industry std iSCSI protocol.
Volume Gateway - Cached Mode
122
Which AWS service has the bellow description? A managed service that provides backup and restore services for data stored in various data stores (compute, storage and databases). Integrated with AWS services centrally: S3, FSx, EC2 instances, EBS volumes, RDS, Dynamo DB, VMware on-premises, and more.
AWS backup
123
Why is Version ID used for?
Allows you to store multiple versions of the same object.
124
Pre-signed URL is a feature that applies to which AWs Service?
Amazon S3
125
What is a Pre-signed URL?
Is a URL with temporary access to S3 objects that are private. Anyone with the pre-signed URL will be able to access the object. It can only be created using the AWS CLI or SDK. By defualt, expires after 1 hour, but it's configurable (--expires-in 300).
126
Which of the following is a method to control access to objects stored in S3? 1- Access Control Lists and Bucket policy 2- Security group 3- Access Control Lists and Security group
1. You can use Access Control Lists (ACLs) and Bucket policies to selectively grant permissions to users and groups of users. ACLs allow you to manage access to buckets and objects. Bucket policies are used to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it.
127
Your company stores a large amount of data in S3 and following a recent audit, it has been discovered that some files have been accidentally deleted. You have been asked to find a solution to protect against accidental or malicious deletion of data stored in S3. What is the best solution?
Configure MFA delete. With MFA (multi-factor authentication) delete enabled, a valid code from your MFA device is required to permanently delete an S3 object. This helps to protect against accidental or malicious deletion of data stored in S3.
128
What happens when a delete request is made to an object in an S3 bucket with versioning enabled?
A delete marker is applied, instead of permanently deleting the object. S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new version ID.
129
What is the recommended minimum production deployment for an Amazon Elasticsearch Service cluster?
3 dedicated master nodes and 3 data nodes distributed across 3 Availability Zones.
130
Which of the following can be used to restrict access to an S3 bucket for a specific IP address range?
Bucket policy
131
Which of the following represents the file formats that S3 Inventory can produce an inventory of S3 objects in?
S3 Inventory can produce reports in CSV, Apache Parquet, and Apache ORC formats.
132
Last week you configured a new Amazon Elasticsearch Service cluster. Testing has just been completed and the development team is happy because you configured the cluster with a public endpoint, making it very easy for them to connect their applications and test systems. However this morning, the security architect has informed you that the data being stored in Elasticsearch is highly confidential, and it is forbidden to store this kind of data on a system that is exposed to the public internet. He has asked to use a private VPC instead. You need to suggest a way forward, which of the following solutions do you recommend? A - You should create a new Amazon Elasticsearch domain in a private VPC. Migrate the data from the original cluster and delete the original cluster. B - Remove the public access settings from the public endpoint. Configure access from the private VPC only.
It's Option A. Explanation: If you create a domain with a public endpoint, you can’t later place it within a VPC. Therefore, you will need to create a new Amazon Elasticsearch domain in a private VPC. Migrate the data from the original cluster and delete the original cluster.
133
What is one way to protect objects stored in S3 from being accidentally deleted?
With MFA delete, a valid code from your MFA device is required in order to permanently delete an object in S3. This provides an additional layer of security against accidental deletions.
134
You have application servers installed in each Availability Zone in us-east-1, and you would like to use EFS to share state information and configuration files between all your application servers. You are planning to use EFS Standard storage class. How many EFS mount targets should you create? A - Create 3 mount targets to give you 2 backup targets in the event of a failure. B - Create a mount target in each Availability Zone.
It's Option B. It is recommended that you access an EFS file system using a mount target within the same Availability Zone for performance and cost reasons. Therefore, you should create a mount target for each of the Availability Zones where your application servers are located.
135
You have been asked to provide a report that lists all the objects within an S3 bucket, and includes the following metadata: object size, last modified, multipart upload, replication status, and encryption status. Which AWS service is the best approach to get this data?
S3 inventory is used to generate a flat file that consists of an inventory of all the objects stored in your bucket, including object metadata like object size, last modified, multipart upload, replication status, and encryption status.
136
Which AWS service can be used to run queries on S3 data using standard SQL (Structured Query Language)?
Athena is a query service that supports standard SQL (Structured Query Language). It is very easy to use. Simply point Athena to the data you want to query in S3, define a table schema, and query your data using standard SQL.
137
In the S3 URL https://fayecloudguru.s3.us-east-1.amazonaws.com/Ralphie.jpeg, what are the names of the bucket and the object?
S3 URLs use the following format: In this S3 URL: the bucket name is fayecloudguru and the object name, or key-name, is Ralphie.jpg.
138
Which AWS service can be used to continuously monitor the configuration of your S3 buckets to check that public read and write access is prohibited?
AWS Config provides managed rules which can be enabled to monitor the configuration of your S3 buckets and check that public read and write access is prohibited.
139
You are considering using S3 to host your static website. Which steps will you need to take in order to enable this?
If you want to enable static web hosting, you will need to enable static web hosting in your bucket properties, enable public read access in the bucket permissions, and update the object ACL to grant public read access for the objects in your bucket.
140
You run a static website for a busy interior design business, using 2 EC2 instances behind an Elastic Load Balancer. You would like to focus more time on running the business than administering, maintaining, and patching EC2 instances. You would also like to reduce the monthly cost of running the website. Which of the following is an easy and cost-effective alternative way to host your static web content?
You can use S3 to host a static website, including static content and client-side scripts.
141
You have a large number of files that you plan to store in S3 Standard storage class. You would like to transition each object to the S3 Standard-IA storage class 30 days after the object was created. How can you do this in S3?
You can use S3 lifecycle rules to manage your objects so that they are stored cost effectively throughout their lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects based on the object creation date.
142
AWS Backup is a service that enables you to do which tasks?
It is possible to perform on-demand backups with AWS Backup. It is possible to perform daily backups with AWS Backup. It is possible to perform monthly backups with AWS Backup.
143
Where does AWs backups stores the data?
AWS Backup stores backups in an AWS hosted vault.
144
Which attribute of an S3 object enables you to add data about the data you are storing? For example, Content-Type?
Metadata is a set of name-value pairs with which you can store information regarding the object. You can assign metadata, for example, Content-Type, when you upload the object.
145
Which AWS service the following statement best describes? "...is an interactive query service that makes it easy to analyze data in S3 using standard SQL."
Athena
146
Which of the following statements about Amazon Elastic File System (EFS) is NOT correct? Option 1: Amazon EFS can be accessed by multiple EC2 instances simultaneously, and is great for applications which need to access shared files, e.g., a shared configuration file or state information. Oiption 2 Amazon EFS supports encryption of data in transit and at rest. You can enable encryption in transit when you mount the file system. You can enable encryption at rest either when you first create an EFS file system or at any time afterward.
Option 2
147
You would like to configure scheduled backups for your EFS file system using AWS Backup. Which of the following correctly describes the process you should follow? A. Create a backup plan defining when and how you want to back up the EFS file system, assign the EFS file system to the backup plan, and then after the first backup has completed, it will appear in the backup vault. B. Create a backup vault and assign the EFS file system to the vault, create a backup plan defining when and how you want to back up the EFS file system, and then after the first backup has completed, it will appear in the EFS file system.
Option A. To configure a scheduled backup, you must create a backup plan and then assign the resource you want to back up. The backups will appear in the backup vault..
148
which AWS service best describes the functionality? With versioning enabled, a delete request applies a delete marker, instead of permanently deleting the object, and multiple versions of an object can be stored in the same bucket.
S3 versioning
149
You are using EFS to provide a shared file system for your high performance applications. However, users are reporting that the file system is slow to respond and this is causing issues for your applications. What can you do to improve performance?
Configure the EFS file system to use Provisioned Throughput. As a rule of thumb, if you need more throughput than you are getting with the default Bursting Throughput, then switch to Provisioned Throughput.
150
Which of the following is NOT an encryption at rest method that is supported by S3? SSL/TLS SSE-C SSE-KMS SSE-S3
SSL/TLS is supported by S3. It is encryption in transit — it is not encryption at rest. Therefore, this is the correct answer.
151
Which feature of Amazon Elastic File System can be used to optimize performance for file systems of <1TiB that need to provide a throughput of 500 MiB/s?
Provisioned Throughput
152
Which S3 storage class is suitable for archiving data that needs to be accessed a few times a month and needs to be accessible within a few hours or minutes?
Amazon S3 Glacier Flexible Retrieval is the ideal storage class for data that needs to be accessed a few times a month and retrieved within a few hours or minutes. This storage class offers a secure, durable, and low-cost solution for data archiving and long-term backup, with flexible retrieval options to balance speed and cost effectively. It's designed for data that doesn't require immediate access but needs the flexibility to retrieve large sets of data at no cost, supporting retrieval in minutes or free bulk retrievals in 5-12 hours.
153
Which of the following is the best solution to protect against accidental or malicious deletion of data stored in S3?
Configure MFA delete and enable S3 versioning.
154
You are deploying an Amazon Elasticsearch Service cluster which is going to be used by mission-critical production systems. You estimate that you will need 6 data nodes, distributed equally across 3 AZs. How many dedicated master nodes should you configure?
For production workloads, it is best practice to use 3 dedicated master nodes. Reference
155
Which AWS service is a fully managed service that enables interactive log analytics, real-time application monitoring, website search, and more?
Amazon OpenSearch Service (previously called Amazon Elasticsearch Service) is a fully managed service that enables interactive log analytics, real-time application monitoring, website search, and more.
156
You would like to encrypt all objects stored in an S3 bucket using an encryption key that you manage yourself outside of AWS. Which of the following encryption options will allow you to do this?
With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys yourself and S3 manages the encryption process.
157
Which of the following is suitable to store in S3?
S3 is object-based storage. You can store virtually any kind of data in any format, as long as it can be managed as an object. This includes HTML files and JPEG files.
158
You are storing a number of files in S3. Your bucket permissions do not allow public read access. You would like to provide access to your Finance Team users who are on the 10.0.12.0/24 subnet, which is a secure network. The team should only be able to access the files from the secure network. Which of the following should you do?
Configure a bucket policy to restrict access to only the specific IP address range used by the Finance Team.
159
Which of the following statements is NOT correct in relation to S3 versioning?
"With S3 versioning enabled, a valid code from your registered MFA device is required in order to permanently delete an S3 object." With S3 versioning enabled, it is possible to permanently delete an S3 object by specifying the object version ID in the DELETE request. Therefore, this statement is not correct.
160
Which of the following AWS services enables real-time analytics of system and application log files, security event logging, business data analytics, and is based on open-source technology?
Amazon OpenSearch Service helps perform such things as: interactive log analytics, real-time application monitoring, website search. OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch. Amazon OpenSearch support for 19 versions of Elasticsearch and visualizations via OpenSearch Dashboards and many Kibana versions.
161
What is one method to control access to objects stored in S3?
You can use Access Control Lists (ACLs) to selectively grant permissions to users and groups of users.
162
Which S3 storage class is suitable for archiving data for a financial services company that needs to retain data sets for 7-10 years or longer to meet regulatory compliance requirements? The CTO has stated that a retrieval time of up to 12 hours is acceptable and they prefer to use the most cost-effective option.
S3 Glacier Deep Archive is designed for long-term retention of data that may be accessed once or twice in a year. "It is designed for customers — particularly those in highly-regulated industries, such as the Financial Services, Healthcare, and Public Sectors — that retain data sets for 7-10 years or longer to meet regulatory compliance requirements." Retrieval time is within 12 hours, and Glacier Deep Archive is the most cost effective option.
163
Which of the following is a secure mechanism for providing temporary access to an S3 object that is private?
Pre-signed URL
164
You are planning to deploy a production Amazon Elasticsearch Service cluster which is required by a new team of data analysts. As part of your planning, you have asked the data analysts if the Elasticsearch domain needs to have a public endpoint and be accessible from the public internet, or if it must only be accessed from within a private VPC. Is this question important, and if so, why?
You can only configure the public endpoint, or configure the domain in a VPC, when you first create an Amazon Elasticsearch domain. You cannot change these network configuration settings later.
165
Tags created, defined, and applied to resources by you.
User-Defined CATs
166
Tags created, defined, and applied to resources by AWS for supported resources.
AWS-Generated CATs
167
Allows you to visualize, view, and analyze your AWS usage cost
Cost Explorer
168
Reports on aggregated costs across all AWS services.
Reporting: Cost and Usage
169
Reports on the utilization and coverages of your AWS Saving Plans.
Reporting: Saving Plans
170
Reports on the utilization and coverages of your AWS Reservations.
Reporting: Reservations
171
Type of Budget: Track your AWS costs against a specified dollar amount.
Cost
172
Type of Budget: Monitor your usage of one or more specified usage types or usage type groups.
Usage
173
Type of Budget: Track your utilization or coverage associated with your Saving Plans.
Saving Plans
174
Type of Budget: Monitor the utilization or coverage reservations associated with your reservations for specified services.
Reservation
175
Collect a specific of usage type filters into one filter.
Usage Type Groups
176
What measures the UTILIZATION of saving plans?
Measures unused and under-utilized saving plans.
177
What measures the COVERAGE of saving plans?
Measures how much instance usage is covered by saving plans.
178
Allows you to create and manage budgets to improve costs for account usage.
AWS Budgets
179
Are services for which AWS is responsible for managing the infrastructure and SW updates. Using this type of services within AWS increases performance while reducing operational support and costs.
Managed Services
180
Which AWS service is? A ML-based recommendation service which helps you optimize the... Performance, Cost, of your compute resources.
AWS Compute Optimizer
181
Are data about the performance and cost of your system. Appear as you create and deploy new service resources. Can also be published from your app.
CloudWatch Metrics
182
Allows you to filter, aggregate, and graph metrics in the console.
Metrics Explorer
183
Metric streams allow you to configure metric to stream to: Amazon S3 & Amazon Kinesis Firehose
Metrics Streams
184
Allows you to quickly and securely transfer files to and from S3 over long distances. Improves speed up to 50-500% for long distance transfers.
S3 Transfer Acceleration
185
Key components of S3 Transfer Acceleration...
CloudFront - Edge Location - Distinct URL
186
Which S3 Transfer Acceleration key is.... SW Transfer Acceleration uses CloudFront Edge locations to accelerate transfers to and from S3.
CloudFront
187
Which S3 Transfer Acceleration key is.... Instead of uploading directly to your S3 bucket, you use a special URL to upload to an Edge location nearby, which will then transfer that file to S3.
Edge Location
188
Which S3 Transfer Acceleration key is.... You will get a distinct URL to upload to: acloudguru.s3-accelerate.amazonaws.com
Distinct URL
189
Why enhance S3 performance with Multipart Upload?
- Recommended for files over 100 mb - Ideal for moving data objects can be cumbersome and expensive. - Increase performance when uploading files to S3
190
Multipart Upload preparation...
1. Prepare the data 2. Move the pieces 3. S3 Puts it together
191
AWS Trusted Advisor provides which thypes of optimization recommendations?
Across multiple services it recommends about: - Security - Performance - Service Limits - Fault Tolerance - Cost Optimization
192
Allow you to control your EC2 instance pacement strategy. Great for low latency, high network throughput or high-performance computing applications.
Placement Groups
193
Placement Groups Type.... Instances are all created in a 'single AZ'
Cluster
194
Placement Groups Type.... Instances are created in 'logical segments' called partitions (which can be Multi AVZs), each located in a separate rack(s), with independent network and power.
Partition
195
Placement Groups Type.... Each instance is created in a 'separate rack' with independent network and power.
Spread
196
Pools and shares DB connections to assist with application scalability and DB efficiency.
RDS Proxy
197
What is the purpose of a RDS Proxy?
Increase Application Availability
198
EC2 Instance Storage Types?
File Storage (Amazon S3, Amazon EFS) lock Level Storage (Ec2 Instance Store, Amazon EBS)
199
(Ephemeral) Temporary block-level storage devices for EC2. Does not exist independently from the file of the instance. Great for frequently changing data; caches, temporary content, buffers, etc. Max. of 10 GiB Greater throughput than EBS Volumes created from template in S3 Can be selected as root volume or as addition volumes.
EC2 Instance Store
200
Which of the following use cases would not be ideal for creating an AWS Budget? 1. Monitoring the utilization or coverage of Savings Plans associated with your EC2 and Fargate-hosted applications. 2. In addition to creating budgets, this AWS service would be great for visualizing, viewing, and analyzing your AWS usage costs.
2. Cost Explorer would be the ideal service to visualize, view, and analyze your AWS usage costs. AWS Budget allows us to fiscally and proactively track our usage costs.
201
Your manager has asked if you can find a way to possibly optimize costs without compromising performance or causing downtime. You notice that the company is using Auto Scaling to keep a minimum amount of instances running at all times, while also providing the possibility to add more instances if the Elastic Load Balancing (ELB) latency metric increases over a period of 1 minute. At that point, the Auto Scaling group will add 2 more instances in order to ensure that there are plenty of extra resources to handle more load. This is great, but it is not optimized for cost yet. What can you do to reduce costs without losing elasticity or causing downtime?
Purchase Reserved Instances for the minimum amount of instances and then use On-Demand Instances for instances launched by Auto Scaling beyond the minimum requirement. This is the best option to both meet the requirements (elasticity and no downtime) and lower costs over time.
202
You are designing infrastructure for an application that handles multiple petabytes per month of data transfer. It's utilized by customers globally, and you have been asked to develop an AWS solution that provides the lowest costs and best user experience. The data consists of static large video clips. You already have data center infrastructure that could optionally be used. Which option would you suggest in order to meet the requirements?
Migrate the media to AWS S3 and configure CloudFront to use S3 as the origin. S3 is a very economical storage system and has several features, such as lifecycle configuration, that can be leveraged to take advantage of cost savings. This is the best option for cost and for user experience.
203
You have a new project which requires you to introduce automated cost reporting of the applications running across several AWS services. Which AWS tool do you recommend using for generating this reporting?
AWS Cost and Usage Reports publishes billing reports to an S3 bucket. You automatically receive reports that break down your costs for each unique combination of AWS products, usage type, and operation in your AWS account.
204
Which step would not optimize costs on AWS?
Disassociating any Elastic IP that is not needed by your EC2 instances. Disassociating unused Elastic IPs alone does not provide cost savings. The unused Elastic IP should be deleted if it is not going to be used in the future.
205
A company runs a large number of AWS EC2 instances for internal departments. The company needs to track the costs of its existing AWS resources by department and cost center. What should a SysOps administrator do to meet this requirement?
Apply user-defined tags to the instances through Tag Editor. Activate these tags for cost allocation.
206
After observing higher than expected usage costs for the quarter, you have been asked to investigate the overall cost and performance of the compute components in your AWS environment. You see that EC2 costs are reasonably small, but you are generating significant network charges due to the amount of data coming from your EC2 instances. What should you do to further analyze the usage patterns of these resources?
Use AWS Compute Optimizer to analyze the configuration and resource utilization of your workload. Compute Optimizer analyzes the configuration and resource utilization of your workload to identify defining characteristics. For example, if a workload is CPU or network bandwidth-intensive, if it exhibits a daily pattern, or if a workload accesses local storage frequently.
207
You have millions of objects in an S3 bucket. You are storing irreplaceable data that requires real-time access on rare occasions. Which of the following is the cheapest suitable storage class to use?
Amazon S3 Standard-IA (infrequent access) is appropriate in this case. Real-time access is available, at a low cost, and the class maintains the full S3 resilience.
208
You're a consultant and one of your clients has over 20 EC2 instances that are preconfigured and used during peak periods of the year for their application. Those are currently in a stopped state now, but they are still incurring costs in that Region. What's a possible reason for this?
EBS volumes have a per-GB month charge. EBS volumes remain even while the instances are stopped. Stopped instances incur no costs. Only running instances do.
209
Your fleet of EC2 instances is running 100% of the time, and there is no reason to believe that the demand will decrease. What pricing model might you use to reduce costs?
Reserved Instances (RIs) provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing. You have the flexibility to change families, OS types, and tenancies while benefiting from Reserved Instance pricing when you use Convertible Reserved Instances. To maintain a fleet of Spot Instances, you would need to be bidding fairly high, so it is likely the RIs will give you a better price point. But you would need to check.
210
Which tool can be used to report low-utilization EC2 instances, providing rightsizing recommendations?
AWS Cost Explorer provides rightsizing recommendations.
211
You have been asked to review a legacy application that periodically processes document uploads from field agents. The EC2 instance runs with 4-5% CPU usage for most of the day, with occasional peaks of 60-80% for very brief periods while document processing occurs. What can you do to help you to improve your AWS resource configurations, reduce costs and increase workload performance?
AWS Compute Optimizer uses machine learning to analyze historical utilization metrics and provides recommendations aligning with right sizing best practices.
212
Your business needs a small database for storing simple names, addresses, and ID picture information for 1200 employees. The activity will be fairly low, though queries will be on a daily basis. The business wants the most suitable low-cost solution available within AWS. Which option would you suggest?
DynamoDB has no dedicated infrastructure footprint, and its cost is based on usage, performance, and storage. Since the data doesn't require a structured format, this is a viable solution.
213
Your team would like to leverage EFS For an upcoming project and would like to require encryption (at rest and in flight). How can you easily achieve this?
Enable encryption of data at rest when creating an Amazon EFS file system. Attach a file system policy with a condition granting permissions to only clients using the TLS encryption protocol. Amazon EFS supports two forms of encryption for file systems: encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system. Using file system policies to require encryption in flight along with the tls flag in the efs-mount-helper are an incredibly easy option to require encryption in flight.
214
True or False? You can create an S3 lifecycle policy to migrate objects from Glacier to Standard-IA.
FALSE. Lifecycle policies can't work backwards. You can use a lifecycle policy to migrate objects from the more frequently accessed storage classes to the longer-term options, but not the other way around.
215
You have a web application with the frontend hosted on EC2 and the database hosted on RDS in a single Availability Zone. You notice that when backups are taken from your RDS instance, your application's performance is severely degraded. Your boss asks you to fix the issue. What should you do?
Convert your existing Single-AZ DB instance to a Multi-AZ deployment. This way, when the backups are taken, they will be taken from the secondary, not the primary. Multi-AZ deployment eliminates the performance degradation associated with backups as the backup is taken from the Multi-AZ Standby instance.
216
You work for a large telecommunications company supporting their main customer billing application, which runs on a number of load-balanced EC2 instances and writes millions of records per second to an Aurora database. Last month, you onboarded a large new customer, and the billing department is now complaining about poor performance of the platform when inserting customer billing data, which is a write-heavy operation, making multiple additional updates to the database. CloudWatch is reporting 100% CPU utilization for Aurora. Which of the following is the BEST solution given the available information?
Increase the size of your Aurora instances. Adding a read replica or configuring Multi-AZ will not help because the workload is write-heavy rather than read-heavy. Increasing the size of application servers will not help as the bottleneck is with the database. Increasing the size of the Aurora servers is the best option because it will increase the write capacity of the database.
217
The sales team has several regularly updated assets located in an S3 bucket in the Northern Virginia Region. They're sharing these assets with customers located in Australia, and the Australian customers are reporting incredibly slow load times. What feature can our team easily enable to increase application efficiency by reducing overall latency to these assets?
S3 cross-region replication is a great way to lower latency by moving objects closer to the requestor, along with leveraging services like CloudFront.
218
How can Auto Scaling help your resources handle changes on demand?
By adding or removing EC2 instances from your EC2 fleet based on conditions you specify. These can include such things as at a specific time, or depending on how busy your application is. Auto Scaling cannot change the size of existing instances, nor can it add or change storage on an instance.
219
What AWS resource defines the configuration of instances created by EC2 Auto Scaling?
Launch templates are the best way to define what your instances will look like.
220
You are a SysOps engineer at a startup that is growing quite quickly. The startup has a fleet of EC2 instances inside an Auto Scaling group that scales based on CPU utilization. You notice that CPU utilization is not a great metric and that the main bottleneck seems to be the maxed-out number of connections between the Classic Load Balancer and an EC2 instance. You want to adjust your Auto Scaling configuration to address this bottleneck. Which two of the following metrics should you consider for your Classic Load Balancer?
SurgeQueueLength and SpilloverCount. The Classic Load Balancer metric SurgeQueueLength measures the total number of requests queued by your Classic Load Balancer. An increased maximum statistic for SurgeQueueLength indicates that backend systems aren't able to process incoming requests as fast as the requests are received. When requests exceed the maximum SurgeQueueLength, the SpilloverCount metric starts to measure rejected requests.
221
An intern unintentionally suspended versioning on one of our production S3 buckets. Our team just received a report that a few important files whose only existing version ID was null have been deleted. How can we recover these files?
It's not possible since versioning was suspended. The object is gone. If versioning is suspended for a bucket, a DELETE request only removes an object whose version ID is null and inserts a delete marker into the bucket. Remember that a delete marker doesn't have content, so you lose the content of the null version when a delete marker replaces it.
222
You are attempting to launch EC2 instances in an Auto Scaling group. However, every time you try, the launch operation fails. Which of the following could NOT be a reason for the failure? 1. The security group specified in the launch template doesn't exist. 2. You have hit the default limit for the number of times you can use the key pair. 3. The requested instance type is not supported in your Availability Zone. 4. The key pair you have specified doesn't exist.
2. You have hit the default limit for the number of times you can use the key pair. There is no limit for key pair use. All objects associated with the launch template must exist for EC2 Auto Scaling to successfully launch a new EC2 instance. The requested instance type must also be supported in your Availability Zone.
223
You are using ElastiCache to cache your web application. The caching seems to be running more and more slowly, and you want to diagnose the cause of this issue. If you are using Memcached as your caching engine, what parameter should be adjusted if you find that the overhead pool is less than is required by your application?
memcached_connections_overhead Increasing the value of the memcached_connections_overhead parameter will reduce the amount of memory available for storing items and provide a larger buffer for connection overhead, according to the AWS Elasticache documentation.
224
You are running your production database in RDS for MySQL on an independent EBS volume and you are fast approaching an average IOPS of 9,000. You have decided to migrate your database to an EBS volume with provisioned IOPS. Your primary users only use the database between 9 AM-6 PM, so you can afford to have some downtime out of hours, but not during the working day. Which is the best option below to achieve this migration?
Update the EBS volume where the MySQL database is running to change its volume type from gp2 to io1. The changes will take place behind the scenes, and requires no further intervention from an administrator. Since 2017, AWS customers have been able to modify the type of EBS volume without needing to snapshot the volume. This allows you to transition between volume types, such as gp2 and io1, transparently to the underlying operating system on the EC2 instance. Prior to this, the correct procedure would have been to arrange downtime, and manually snapshot and restore the volume in the correct volume type.
225
Which strategy can be used to create a highly available application using EC2 Auto Scaling?
Define multiple AZs in your Auto Scaling group.
226
You would like to receive an alert if more than three of your application servers fail to respond to a basic health check by the Elastic Load Balancer. Which metric could you use to configure this?
UnHealthyHostCount is a valid metric. This metric reports how many targets are in an unhealthy state.
227
What happens when RDS fails over from one Availability Zone to another?
Failover is handled by AWS, and the failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. When RDS undergoes a failover, the managed services do an update to the associated Route 53 record to ensure the RDS DNS endpoint points to the new primary host after the failover. The old host becomes a standby while the issue is addressed, and if it's not easily fixable, the standby instance is replaced.
228
True/False: One of the main purposes of Elastic IPs is the ability to mask the failure of an instance or software by rapidly remapping the address to another instance in your AWS account.
True. Elastic IP addresses provide a static IPv4 address. We can mask the failure of instances as the EIP is rapidly remapped to the new healthy host.
229
Your Aurora database is experiencing performance issues due to a sudden and significant increase in the number of connections to the database. You have already added Aurora replicas and have been tasked with finding an automated solution to scale your database so that your application can deal with the increased number of connections. After investigating, you discover that your current replicas can cope with an average of 1,000 connections. With connections greater than 1,000, there is a risk that performance starts to become degraded. Which of the following solutions do you recommend?
Create an Auto Scaling policy to add Aurora replicas. The policy should use a target tracking metric based on the average number of connections to your replicas. Aurora Auto Scaling allows your Aurora DB cluster to handle a sudden increase in read workload by adding Aurora replicas. A target metric of average number of connections to your Aurora replicas can be used as the metric to base scaling decisions on.
230
Is Providing greater redundancy via automatic failoverss a use case for RDS MySQL read replicas?
NO. Read replicas are designed to provide enhanced performance and durability for RDS database (DB) instances. Redundancy (high availability) is achieved with Multi-AZ deployments. But, in Aurora read replicas are used as failover targets and are automatically promoted when the primary instance in a cluster fails health checks.
231
If you have data that needs to be instantly retrievable, but it's not likely to be needed anytime soon, which S3 storage class would you select?
S3 Standard-IA
232
Your Aurora database has been experiencing intermittent performance issues for read operations due to fluctuating workloads over the past few months. Which of the following could you implement to ensure Aurora scales elastically to improve read performance?
Configure Aurora Auto Scaling. Manually adding a read replica will improve read performance. However, this will not ensure that Aurora scales elastically. To scale elastically would require the read replica to be terminated when it is no longer required. This answer does not consider removing the replica when it is no longer needed.
233
Your application is using an ElastiCache for Memcached cluster to handle session state and cache frequently accessed data. However, during peak times users are complaining that your website is running very slowly. You check the CloudWatch metrics for your application servers and database and cannot see any evidence of an issue, however, you notice that your ElastiCache for Memcached cluster is showing 98% CPU utilization. What is the easiest solution to improve your cluster performance?
Scale out your cluster by adding more nodes. Scaling a Memcached cluster out and in is as easy as adding or removing nodes from the cluster. The Memcached engine supports partitioning your data across multiple nodes. Because of this, Memcached clusters scale horizontally easily. A Memcached cluster can have from 1 to 40 nodes. To horizontally scale your Memcached cluster, merely add or remove nodes.
234
Which AWS service natively supports the Systems Manager Parameter Store for secure, hierarchical storage for configuration data and secrets management?
AWS CloudFormation natively supports the Systems Manager Parameter Store. This means you can directly use parameters stored in the Parameter Store in your CloudFormation templates.
235
Which AWS service can you use to protect against DDoS attacks?
AWS Shield protects against DDOS and several other types of attacks.
236
You are creating a fleet of EC2 instances that will be inside an Auto Scaling group. These EC2 instances will need to write a custom metric to CloudWatch and will need the appropriate permissions to do this. What is the most secure way to enable this?
Create an IAM role with CloudWatch permissions and a new launch configuration to associate the role with EC2 instances. Update your Auto Scaling group with the launch configuration. Applications that run on Amazon EC2 instances need credentials to access other Amazon Web Services. To provide these credentials in a secure way, use an IAM role. The role supplies temporary permissions that the application can use when it accesses other AWS resources. The role's permissions determine what the application is allowed to do. For instances in an Auto Scaling group, you must create a launch template or launch configuration and choose an instance profile to associate with the instances.
237
Which of the following AWS services does NOT allow native encryption of data-at-rest?
ElastiCache for Memcached. Memcached is an in-memory datastore, so there is no data-at-rest to encrypt.
238
Which of the following AWS services does NOT natively support the Systems Manager Parameter Store?
Amazon RDS. Amazon RDS is a managed relational database service, and while it supports secrets manager, it does not have native support for Parameter Store:
239
You are working on a project to launch an application that stores highly confidential data. Your compliance team advise that they do not want to host the application on multi-tenant hardware. Which class of EC2 instance can you use to host the application?
Dedicated instances create resources on hardware that is dedicated to a single customer, and Dedicated instances that belong to different AWS accounts are isolated at the hardware-level. They are single-tenancy.
240
Which of the following AWS services natively support the Systems Manager Parameter Store?
CloudFormation, Lambda, and EC2 all natively support the Systems Manager Parameter Store. RDS doesn't have native support for Parameter Store but you can utilize Lambda in association with RDS to fulfill your requirements. Indeed you could utilize Lambda in addition with any service that doesn't natively support Parameter Store.
241
Your organization is being audited and you are asked to implement monitoring for every single API call that occured in your AWS account. Which service can you use to achieve this?
AWS CloudTrail is the best practice for this scenario, as it provides visibility into API calls, providing streamlined access to an account-level event history.
242
Which of the following methods does STS (Security Token Service) use to grant temporary access to AWS resources for authenticated users?
Active Directory Federation, Cross-Account Access, and Federation with Web Identity Providers. STS uses Active Directory Federation (via the AssumeRoleWithSAML action), Cross-Account Access (via the AssumeRole action), and Federation with Web Identity Providers (via the AssumeRoleWithWebIdentity action) to grant temporary access to AWS resources for authenticated users.
243
Which service runs a command on a group of systems based on tags?
Systems Manager Run Command is a service used to manage the configuration of your managed instances and can run commands on a group of systems based on tags
244
Which service is used to return temporary credentials when users authenticate to AWS via Active Directory?
AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
245
Which of the following statements is NOT correct regarding Multi-Factor Authentication (MFA)?
You can enforce the use of MFA using Trusted Advisor. Trusted Advisor is a service used to provide recommendations using a series of evaluations, providing insight into possible performance, cost, or security improvements for your environments. It does not enforce the use of MFA
246
You are supporting a large environment running in AWS. The security architect in your organization asks you to implement a configuration management tool to record the state of your infrastructure and notify you of any changes to the baseline. Which service can you use to achieve this without a substiantial amount of effort?
AWS Config can be used to establish baselines and enforce a set of rules against your infrastructure for continuous monitoring, assessment, and change management.
247
Which of the following is NOT a method by which STS (Security Token Service) grants temporary access to AWS resources for authenticated users?
Cross-Origin Resource Sharing. AWS Security Token Service doesn't have any specific action for cross-origin resource sharing. Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.
248
Which AWS service or feature can be used to capture detailed information about the IP traffic going to and from network interfaces in your VPC?
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
249
You are using CloudFront to serve web content to your customers. However, you are receiving lots of complaints that users cannot access the website. While troubleshooting, you notice that CloudFront is returning "403 - Access Denied" errors. What could be the problem?
"403 - Access Denied" is a client-side error. Objects must exist and be publicly accessible. Reference: I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?
250
Which of the following DNS record types is used to route traffic to a web server using an IPv4 address?
You use an A record to route traffic to a resource, such as a web server, using an IPv4 address.
251
What is the impact of increasing the TTL (Time to Live) for objects stored in your CloudFront cache?
The objects will be stored in the cache for longer, potentially increasing the cache hit ratio. By increasing the TTL for objects in the cache, the objects will remain in the cache for longer. This can increase your cache hit ratio because objects are more likely to be served from the cache instead of needing to be requested from the origin.
252
Which of the following represents the required components to configure a Site-to-Site VPN?
A Site-to-Site VPN requires a virtual private gateway, which is the VPN concentrator on the AWS side of the connection, and a customer gateway device, which is a physical device or software application on your side of the connection.
253
You are having issues sending traffic from your VPC to your Direct Connect connection. You believe it's a routing issue, but you need to confirm this by looking at the relevant logs. Which options will give you the best chance of troubleshooting your problem?
There is only one possible option on the above list that could assist you in resolving any VPC-based routing issues and that is to enable VPC Flow Logs. You can create a flow log for a VPC, a subnet, or a network interface.
254
You are running a popular photography website that is hosted in an S3 bucket located in us-east-1. Over the past, year you have noticed that you have gained many new visitors from Europe, Africa, and India. You are concerned that your new users are not getting the best experience, because you have received complaints that the website takes a long time to load images. Which AWS service can you use to improve performance for these users?
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. R
255
Which of the following is a valid method to connect systems in your own data center to EC2 instances that only have private IP addresses?
Direct Connect is used to provide a private connection between AWS and your data center, office, or colocation environment. A site-to-site VPN can be used to enable instances launched in your VPC to securely connect with your own remote network. Both of these methods can be used to connect systems in your own data center to EC2 instances that only have private IP addresses. Reference Documentation: What is AWS Site-to-Site VPN?
256
Which of the following can you use to control cookies and HTTP headers that are included in requests that CloudFront sends to your origin?
You can use an origin request policy to configure CloudFront to include cookies and HTTP request headers in origin requests
257
You are using CloudFront to serve web content to your customers. Instead of directing customers to the default CloudFront URL provided by AWS, you would like to use a cool new domain name that you own (myawesomewebsite.com) and have your domain name resolve to the CloudFront distribution. How could you do this in AWS?
A Route 53 alias record allows you to map one DNS name (example.com) to another ‘target’ DNS name (https://d111111abcdef8.cloudfront.net/).
258
Which Route 53 routing policy allows you to improve performance for your users by serving their requests from the AWS Region that provides the lowest latency?
Latency-based routing allows you to improve performance for your users by serving their requests from the AWS Region that provides the lowest latency.
259
You have been asked to design a stable, consistent network connection between your on-premises data center and your production VPC in AWS. Which of the following should you recommend?
Direct Connect is designed to provide a stable, reliable, consistent and secure connection between AWS and your data center, office, or colocation environment.
260
Which AWS service can be used to resolve a human-friendly domain name like http://acloud.guru into an IP address such as 82.124.53.1?
Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services.
261
What is a primary function of Route 53 Resolver?
Resolving DNS queries for resources in your VPC.. Route 53 Resolver is a regional DNS service that provides recursive DNS lookups for names hosted in EC2. This includes resolving DNS queries for resources in your VPC.
262
You have been asked to gather detailed information relating to incoming requests to CloudFront. Which of the following logs will provide information relating to the request time, edge location, client IP address, method, object requested, HTTP status code, and edge location response?
You can configure CloudFront to create log files that contain detailed information about every user request that CloudFront receives. These are called standard logs, also known as access logs.
263
Your web application has a global user base and you would like to route incoming traffic to the website according to the location of the user in order to give your users a personalized experience depending on their location. Which approach do you recommend?
Use Route53 with a geolocation routing policy.. Geolocation routing policies route based on the physical location of a user, whereas latency-based routing selects the AWS Region with the lowest latency.
264
Which of the following represents the best practices to improve the cache hit ratio for a CloudFront distribution?
Forwarding only the necessary HTTP request headers and cookies to the CloudFront origin, and increasing the TTL of cached objects. To optimize the cache hit ratio, it is best to only forward necessary HTTP headers and cookies to avoid filling up the cache unnecessarily. Additionally, increasing the TTL for objects in the cache can increase the cache hit ratio as objects will be cached for a longer period of time.
265
Which of the following AWS services can be used to provide a private connection, which does not use the internet, between EC2 instances in your VPC and your S3 buckets?
A VPC endpoint provides a private connection between your VPC and supported AWS services. The network connection uses AWS PrivateLink to reach services like S3 instead of using the public internet.
266
What is a key characteristic of Network ACLs in terms of traffic flow?
It is correct to say that Network ACLs are stateless, which means that return traffic must be explicitly allowed by the rules.
267
What is one method to connect systems in your own data center to EC2 instances that only have private IP addresses?
Direct Connect is used to provide a private connection between AWS and your data center, office, or colocation environment.
268
You would like to configure active-passive failover for your website. Which Route 53 routing policy enables you to route traffic to a primary resource when the resource is healthy and to a secondary resource when the primary is unhealthy?
Failover routing allows you to configure active-passive failover by enabling you to route traffic to a primary resource when the resource is healthy and to a secondary resource when the primary is unhealthy.
269
What is one essential component required to configure a Site-to-Site VPN?
A virtual private gateway is the VPN concentrator on the AWS side of the Site-to-Site VPN connection. It is an essential component for setting up a Site-to-Site VPN.
270
You are looking for a secure remote login solution that does not require you to configure a bastion host or manage SSH keys. Which of the following is the best solution?
Systems Manager Session Manager is designed to provide a browser-based interactive session for Windows and Linux hosts. No SSH, RDP, bastion hosts, or SSH keys are required. Sessions are secured using TLS encryption.
271
Which of the following services allows to you to run a secure, remote interactive session to Windows or Linux EC2 instances using PowerShell or Bash?
Session Manager enables you to run an interactive session on your EC2 instances, using Bash, PowerShell, the AWS CLI, or SDK. Session Manager provides support for Windows, Linux, and macOS from a single tool.
272
Which of the following statements relating to CloudFront is correct?
An edge location is a location where CloudFront content is cached. Objects are cached for a period of time known as the time-to-live (TTL). The origin contains the files that the CloudFront distribution will serve.. It is correct to say that an edge location is the location where CloudFront content is cached. Objects are cached for a period of time known as the time-to-live. The origin contains the files that the CloudFront distribution will serve.
273
You are supporting a busy website, hosted in S3 and using CloudFront to deliver content. You would like to further increase performance for your users. Somebody has suggested improving the cache hit ratio. Which of the following actions could you take to improve your cache hit ratio?
You can improve performance by increasing the proportion of your viewer requests that are served directly from the CloudFront cache, instead of going to your origin servers for content. This is known as improving the cache hit ratio. You can increase the cache hit ratio by increasing the TTL (time-to-live) for objects in your cache.
274
Which of the following statements correctly describes the nature of Network ACLs and Security Groups in AWS?
Network ACLs are stateless, which means that return traffic must be explicitly allowed by the rules. On the other hand, security groups are stateful, which means that return traffic is automatically allowed, regardless of any rules.
275
Which of the following best describes the functions of Route 53 Resolver?
The Route 53 Resolver serves as a regional DNS service within AWS, capable of handling DNS queries for resources within your Virtual Private Cloud (VPC). It efficiently resolves these internal queries, maintaining optimal network performance and reliability. For external resources, it performs recursive DNS lookups. The DNS resolvers used for these external lookups can vary based on your VPC's configuration and may include the Amazon Provided DNS, custom DNS resolvers, on-premises DNS resolvers for hybrid cloud scenarios, or public name servers available on the internet. This flexibility allows the Route 53 Resolver to manage DNS queries, irrespective of whether the resources are located within your VPC or externally.
276
You are supporting a busy website that relies on CloudFront to deliver content. Different parts of the website use HTTP request headers and cookies to determine which version of the web content to serve. You are under pressure from management to optimize performance for your users. Which of the following actions could help improve the cache hit ratio and optimize performance for users?
Configure CloudFront to forward only the relevant cookies and headers to the CloudFront origin. When forwarding headers or cookies, it is best to only forward those that are necessary. This avoids filling up the cache unnecessarily and helps optimize our cache hit ratio. If we forward all cookies and headers indiscriminately, CloudFront can end up caching multiple versions of identical content to cater to all the different header and cookie combinations.
277
Which of the following allows EC2 instances in two VPCs to communicate with each other using private IP addresses?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private addresses. Instances in either VPC can communicate with each other as if they are within the same network.
278
Which of the following is a special CloudFront user that can access the files in an S3 bucket, serve them to users, and allows you to restrict access to objects in the bucket so that all users must use the CloudFront URL instead of a direct S3 URL?
The Origin Access Control (OAC) is a special user in Amazon CloudFront that can access files in an Amazon S3 bucket and serve them to users. It is used to restrict access to objects in the bucket so that users must use the CloudFront URL instead of a direct S3 URL. This is achieved by setting up a CloudFront distribution with an S3 bucket origin and configuring the OAC settings. This enables the S3 bucket to only exchange data with CloudFront, ensuring that all access to the content is managed and controlled through CloudFront. This is particularly useful for distributing content securely and globally.
279
Which of the following can explicitly deny access from a specific IP address to all of the EC2 instances in your subnet?
You should use a Network ACL for this, because it operates at a subnet level and supports both allow and deny rules
280
Which Route 53 DNS record type allows you to map one DNS name to another and create a record with the same name as the zone apex (for example, acloud.guru)?
Alias records allow you to route queries from one domain name to another. You can also create an alias record for a zone apex, like acloud.guru.
281
What is a common client-side error message in CloudFront?
If CloudFront requests an object from your origin, and the origin returns an HTTP 4xx status code, there's a problem with communication between CloudFront and your origin. A 4xx status code indicates the problem is client-side, rather than server-side. "404" means the client requested an object that could not be found, which is a client-side error. Reference Documentation: Troubleshooting Error Responses from Your Origin
282
You are configuring the Route 53 policy for your application. You have 10 different application servers all serving the same content and you would like Route 53 to respond to DNS queries with up to 8 healthy records selected at random. Which routing policy should you select?
With mutivalue answer routing, Route 53 will respond with up to 8 healthy records selected at random.
283
Which Route 53 routing policy enables you to route traffic based on the location of your users?
Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning from the location that the DNS queries originate. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.
284
Which of the following services can you use to enable EC2 instances in a private subnet to connect to S3 without sending traffic across the internet?
A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWSPrivateLink. AWSPrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network.
285
Which of the following actions would NOT improve the cache hit ratio for a CloudFront distribution?
Forwarding all HTTP request headers to the CloudFront origin. Cache hit ratio is the proportion of requests that are served directly from the CloudFront cache. If we forward all HTTP headers, CloudFront can end up caching multiple versions of identical content to cater to all the different header combinations. This fills up the cache and also causes multiple requests to the origin, rather than serving content from the cache. This will ultimately reduce the cache hit ratio.
286
Which Route 53 routing policy enables you to route traffic to your resources based on the distance between your users and your resources?
Geoproximity routing enables you to route traffic to your resources based on the distance between your users and your resources. Route 53 calculates which resource is closer to the source of the query and routes requests accordingly.
287

AWS (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions