Test - 1 Flashcards

Question

Question 25 Which of the below mentioned services are the building blocks for creating a basic high availability architecture in AWS. Select 2 options. EC2 B. SQS C. Elastic Load Balancer D. Cloudwatch

Answer 1

Answer: A, C Having EC2 instances hosting your applications in multiple subnets, hence multiple AZ’s and placing them behind an ELB is the basic building block of a high availability architecture in AWS. For more information on High availability and Fault tolerance please visit the below url https://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ftha_04.pdf

Answer 2

Answer: C The AWS Documentation mentions the following When you create an Auto Scaling group, you must specify a launch configuration. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for your Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration. For more information on Launch Configuration for Autoscaling, please refer to the below link http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html

Answer 3

Answer: A Amazon Simple Storage Service is storage for the Internet. It is designed to make web-scale computing easier for developers. Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any developer access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of web sites. For more information on S3 please visit the below url http://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html

Answer 4

Answer: A, B, C This is clearly given in the AWS documentation: For more information on Autoscaling please visit the below URL: http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroupLifecycle.html

Answer 5

Answer: B Amazon CloudFront is a global content delivery network (CDN) service that accelerates delivery of your websites, APIs, video content or other web assets For more information on AWS Cloudfront please visit the below url https://aws.amazon.com/cloudfront/

Answer 6

Answer: B "When you make a change to the Security Groups or Network ACL’s , they are applied immediately. This is clearly given in the AWS documentation For more information on Security Groups, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html "

Answer 7

Answer: B This requirement is given in the AWS documentation for the customer gateway. The traffic from the VPC gateway must be able to leave the VPC and traverse through the internet onto the customer gateway. Hence the customer gateway needs to be assigned a static IP that can be routable via the internet. For more information on VPC Virtual Private connections, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

Answer 8

Answer: A Use Amazon Kinesis Streams to collect and process large streams of data records in real time. You'll create data-processing applications, known as Amazon Kinesis Streams applications. A typical Amazon Kinesis Streams application reads data from an Amazon Kinesis stream as data records. These applications can use the Amazon Kinesis Client Library, and they can run on Amazon EC2 instances. The processed records can be sent to dashboards, used to generate alerts, dynamically change pricing and advertising strategies, or send data to a variety of other AWS services. For more information on Amazon Kinesis, please visit this URL: http://docs.aws.amazon.com/streams/latest/dev/introduction.html

Answer 9

Answer: A, B, C This is clearly mentioned in the AWS documentation: For more information on the criteria for attaching an EC2 instance to an existing AutoScaling group please visit the below URL: http://docs.aws.amazon.com/autoscaling/latest/userguide/attach-instance-asg.html

Answer 10

Answer: D AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume-there is no charge when your code is not running. For more information on AWS Lamda please visit the below URL: http://docs.aws.amazon.com/lambda/latest/dg/welcome.html

Answer 11

Answer: C The AWS Documentation mentions the below Linux Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main difference between PV and HVM AMIs is the way in which they boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance. The below snapshot also shows the support for the T2 Instance family. For more information on the Instance types for Linux AMI’s, please refer to the below link https://aws.amazon.com/amazon-linux-ami/instance-type-matrix/

Answer 12

Answer: C The AWS Simple Storage service is the best option for this scenario. The AWS documentation provides the following information on the Simple Storage service Amazon S3 is object storage built to store and retrieve any amount of data from anywhere–web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry For more information on the Simple Storage Service, please refer to the below link https://aws.amazon.com/s3/

Answer 13

Answer: A, C The AWS Trusted Advisor can help you identify underutilized resources in AWS. For more information on AWS trusted advisor please visit the below URL: https:// aws.amazon.com/ premiumsupport/ trustedadvisor/ If You look at the Cloudwatch graphs, the CPU utilization of your resources and you can see the trend over time in the graphs. For more information on AWS Cloudwatch please visit the below URL: https://aws.amazon.com/cloudwatch/

Answer 14

Answer: D VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. For more information on VPC Flowlogs please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/AmazonVPC/latest/UserGuide/flow-logs.html

Answer 15

Answer: A, D AWS developer data centers across the world to help develop solutions that are close to the customer as possible. They also have center in core countries to help tie up with the specific laws and regulations for specific parts of the world. AWS does not have centers in every location of the world, hence option C is invalid. Services and prices are specific to every region, hence option B is invalid. For more information on Regions please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

Answer 16

Answer: B, C AWS Management Console-The console is a browser-based interface to manage IAM and AWS resources. AWS Command Line Tools-You can use the AWS command line tools to issue commands at your system's command line to perform IAM and AWS tasks; this can be faster and more convenient than using the console. For more information on interfacing with AWS please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Answer 17

Answer: A This is clearly given in the AWS documentation For more information on VPC Security please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

Answer 18

Answer: C AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. For more information on AWS Direct Connect, please visit the below URL: https:// aws.amazon.com/ directconnect/ If you require a port speed less than 1 Gbps, you cannot request a connection using the console. Instead, contact an APN partner, who will create a hosted connection for you. The hosted connection appears in your AWS Direct Connect console, and must be accepted before use. Please find an exact explanation in AWS documentation below: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getting_started.html#ConnectionRequest

Answer 19

Answer: A Cost Explorer is a free tool that you can use to view charts of your costs (also known as spend data) for up to the last 13 months, and forecast how much you are likely to spend for the next three months. You can use Cost Explorer to see patterns in how much you spend on AWS resources over time, identify areas that need further inquiry, and see trends that you can use to understand your costs. You can also specify time ranges for the data you want to see, and you can view time data by day or by month. For more information on Cost Explorer, please visit the URL: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-explorer-what-is.html

Answer 20

Answer: A AWS has published the Shared Responsibility Model. And the Physical networking comes as part of the responsibility of AWS. For more information on the Shared Responsibility Model, please refer to the below URL: https://aws.amazon.com/compliance/shared-responsibility-model/

Answer 21

Answer: C You can back up the data on your EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs. When you delete a snapshot, only the data unique to that snapshot is removed. For more information on EBS Snapshots, please refer to the below link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 22

Answer: C When you are looking at hosting intensive I/ O applications such as databases, always look to using IOPS as the preferred storage option. For more information on the various EBS Volume types, please refer to the below link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

Answer 23

Answer: A Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to route application traffic. The ELB is best used for EC2 instances multiple AZ’s. You cannot use ELB for distributing traffic across regions. For more information on AWS ELB, please refer to the below link: https://aws.amazon.com/elasticloadbalancing/

Answer 24

Answer: A, D Groups-Your EC2 instances are organized into groups so that they can be treated as a logical unit for the purposes of scaling and management. When you create a group, you can specify its minimum, maximum, and, desired number of EC2 instances. Launch configurations-Your group uses a launch configuration as a template for its EC2 instances. When you create a launch configuration, you can specify information such as the AMI ID, instance type, key pair, security groups, and block device mapping for your instances. For more information on AWS Autoscaling, please refer to the below link: http://docs.aws.amazon.com/autoscaling/latest/userguide/WhatIsAutoScaling.html

Answer 25

Answer: B The snapshot from the AWS documentation shows how the NAT instance is setup. It needs to be placed in the public subnet and the private subnet should have a route to it. For more information on AWS NAT Instance, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

Answer 26

Answer: A This setting is done at the subnet level and if marked as true, all instances launched in that subnet will get a public IP address by default. For more information on AWS IP Addressing, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html

Answer 27

Answer: D You can only have one internet gateway attached to your VPC at one time, hence the error must be coming because there is already an internet gateway attached. For more information on Internet gateways, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Answer 28

Answer: C Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. Customers can reliably store large or small amounts of data for as little as $0.004 per gigabyte per month, a significant savings compared to on-premises solutions. To keep costs low yet suitable for varying options for access to archives, from a few minutes to several hours. For more information on Amazon Glacier, please refer to the below link: https://aws.amazon.com/glacier/

Answer 29

Answer: C AWS Database Migration Service helps you migrate databases to AWS easily and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from most widely used commercial and open-source databases. For more information on aws database migration service, please visit the URL: https://aws.amazon.com/dms

Answer 30

Answer: D Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns. Transferring data with Snowball is simple, fast, secure, and can be as little as one-fifth the cost of high-speed Internet. For more information, please refer the below link: http://docs.aws.amazon.com/snowball/latest/ug/whatissnowball.html

Answer 31

Answer: D You can use Amazon CloudWatch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, and other sources. You can then retrieve the associated log data from CloudWatch Log. To enable Cloudwatch logs , follow the below steps Step 1) Go to the Cloudwatch section and click on Logs Step 2) Once you create a log group, you can then configure your EC2 instance to send logs to this Log Group. For more information on Cloudwatch logs please visit the link: http://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

Answer 32

Answer: A The reason why you cannot connect to the instance is because maybe the SSH protocol has not been enabled in the security group. Go to your EC2 Security groups, click on the required security groups to make the changes. Go to the Inbound Tab. Ensure that the Inbound rules has a rule for SSH protocol.

Answer 33

Answer: D A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region The below diagram shows an example of VPC peering. Now please note that VPC B cannot communicate to VPC C because there is no peering between them. For more information on VPC peering, please visit the URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

Answer 34

Answer: A,C The Elastic Load balancer is one of the most the ideal solution for adding elasticity to your application. The below snapshot is an example where you can add 3 EC2 Instances to an ELB. All requests can then be routed accordingly to these instances. The other alternative is to create a routing policy in Route53 with Weighted routing policy . Weighted resource record sets let you associate multiple resources with a single DNS name. Weighted routing policy enables Route 53 to route traffic to different resources in specified proportions (weights).To create a group of weighted resource record sets, two or more resource record sets can be created that have the same combination of DNS name and type, and each resource record set is assigned a unique identifier and a relative weight. Option B is not valid because this will just cache the reads , and will not add that desired elasticity to your application. Option D is not valid , because there is no mention of a persistence layer in the question , that would require the use of DynamoDB. For more information on Elastic Load Balancer, please visit the below URL: https://aws.amazon.com/elasticloadbalancing/ For more information on Route53, please visit the below URL: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html

Answer 35

Answer: A The Maximum ratio of IOPS to volume size is 50:1 , so if the volume size is 8 GiB , the maximum IOPS of the volume can be 400. If you go beyond this value , you will get an error as shown in the screenshot below. For more information on Provisioned IOPS, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

Answer 36

Answer: C Spot instances enable you to bid on unused EC2 instances, which can lower your Amazon EC2 costs significantly. The hourly price for a Spot instance (of each instance type in each Availability Zone) is set by Amazon EC2, and fluctuates depending on the supply of and demand for Spot instances. Your Spot instance runs whenever your bid exceeds the current market price. Spot instances are a cost-effective choice if you can be flexible about when your applications run and if your applications can be interrupted. For example, Spot instances are well-suited for data analysis, batch jobs, background processing, and optional tasks Option A is invalid because even though Reserved instances can reduce costs , its best for workloads that would be active for a longer period of time rather than for batch load processes which could last for a shorter period of time. Option B is not right because On-Demand Instances tend to be more expensive than Spot Instances. Option D is invalid because there is no concept of Regular instances in AWS For more information on Spot Instances, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html

Answer 37

Answer: B The security groups need to configured to ensure that ping commands can go through. The below snapshot shows that the ICMP protocol needs to be allowed to ensure that the ping packets can be routed to the instances. You need to edit the Inbound Rules of the Web Security Group. Option A is invalid because the AMI will not impact the ping command Option C and D are invalid because even if you have a Public IP and Elastic IP allocated to the Instance, you need to ensure there is a route to the internet gateway and the Web Security Groups are configured accordingly. For more information on Security Groups, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Answer 38

Answer: C In order for a volume to be available in another availability zone, you need to first create a snapshot from the volume. Then in the snapshot from creating a volume from the snapshot , you can then specify the new availability zone accordingly. Option A is invalid, because the Instance and Volume have to be in the same AZ in order for it to be attached to the instance Option B is invalid , because there is no way to specify a volume as a source Option D is invalid , because the Diskcopy would just be a tedious process. For more information on snapshots, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 39

Answer: A IAM roles are designed in such a way so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Option B,C and D are invalid because it is not secure to use API credentials from any EC2 instance. The API credentials can be tampered with and hence is not the ideal secure way to make API calls. For more information on IAM roles for EC2, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Answer 40

Answer: A As per the AWS documentation, below is the right way to access the instance metadata For more information on Instance metadata, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Answer 41

Answer: B Visit KB Article for the best recommended practices for MySQL For more information on best practices for MySQL Storage, please visit the below URL: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP _BestPractices.html#CHAP_BestPractices.MySQLStorage

Answer 42

Answer: A Following are the restrictions when naming buckets in S3. Bucket names must be at least 3 and no more than 63 characters long. Bucket names must be a series of one or more labels. Adjacent labels are separated by a single period (.). Bucket names can contain lowercase letters, numbers, and hyphens. Each label must start and end with a lowercase letter or a number. Bucket names must not be formatted as an IP address (e.g., 192.168.5.4). When using virtual hosted—style buckets with SSL, the SSL wildcard certificate only matches buckets that do not contain periods. To work around this, use HTTP or write your own certificate verification logic. We recommend that you do not use periods (""."") in bucket names. Option B is invalid because it has an upper case character Option C is invalid because the bucket name cannot start with a period (.). Option D is invalid because the bucket name cannot end with a period (.). For more information on S3 Bucket restrictions, please visit the below URL: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html

Answer 43

Answer: C Visit KB Article for features which are available for Route53 hence option A,B and D are valid. Register domain names — Your website needs a name, such as example.com. Amazon Route 53 lets you register a name for your website or web application, known as a domain name. Route internet traffic to the resources for your domain — When a user opens a web browser and enters your domain name in the address bar, Amazon Route 53 helps the Domain Name System (DNS) connect the browser with your website or web application. Check the health of your resources — Amazon Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it's reachable, available, and functional. You also can choose to receive notifications when a resource becomes unavailable and choose to route internet traffic away from unhealthy resources. Option C is basically a feature provided by the AWS Content Delivery service. For more information on Route53, please visit the below URL: http: //docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html

Answer 44

Answer: B All of the endpoints created with the API gateway are of HTTPS. Option A is incorrect because Amazon API Gateway does not support unencrypted (HTTP) endpoints Option C and D are invalid because API gateway expose HTTPS endpoints only For more information on API Gateways, please visit the below URL: https://aws.amazon.com/api-gateway/faqs/

Answer 45

Answer: D Each resource within a REST API can support one or more of the standard HTTP methods. You define which verbs should be supported for each resource (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS) and their implementation. For more information on API Gateways, please visit the below URL: https://aws.amazon.com/api-gateway/faqs/

Answer 46

Answer: A,B Currently Kubernetes and Docker are the container platform supported by EC2 Container Service. For more information on ECS, please visit the below URL: https://aws.amazon.com/ecs/faqs/ https://aws.amazon.com/blogs/aws/amazon-elastic-container-service-for-kubernetes/

Answer 47

Answer: C You can authenticate users in your organization's network, and then provide those users access to AWS without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like Security Assertion Markup Language (SAML) 2.0, with which you can use Microsoft AD FS to leverage your Microsoft Active Directory. Option A and D are incorrect because these are used when you want users to sign in using a well-known third party identity provider such as Login with Amazon, Facebook, Google. Option B is incorrect because this is more of a data exchange protocol. For more information on STS, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

Answer 48

Answer: D Volume status checks enable you to better understand, track, and manage potential inconsistencies in the data on an Amazon EBS volume. They are designed to provide you with the information that you need to determine whether your Amazon EBS volumes are impaired, and to help you control how a potentially inconsistent volume is handled. If the status is insufficient-data, the checks may still be in progress on the volume. Option A is incorrect because if all checks have passed, then the status of the volume is OK. Option B and C are incorrect because if a check fails, then the status of the volume is impaired For more information on Volume status checks, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html

Answer 49

Answer: C You can customize an Amazon EC2 instance and then save its configuration by creating an Amazon Machine Image (AMI). You can launch as many instances from the AMI as you need, and they will all include those customizations that you’ve made. Each time you want to change your configuration you will need to create a new golden image, so you will need to have a versioning convention to manage your golden images over time Because of the above explanation , all of the remaining options are automatically invalid. For more information on AMI’s, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

Answer 50

Answer: C Option B and D is invalid because UDP health checks are not possible Option A is partially valid. A simple TCP health check would not detect the scenario where the instance itself is healthy, but the web server process has crashed. Instead, you should assess whether the web server can return a HTTP 200 response for some simple request. For more information on ELB health checks, please visit the below URL: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html

Answer 51

Answer: B Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). For more information on Multi-AZ, please visit the below URL: https://aws.amazon.com/rds/details/multi-az/ Option A is invalid because Amazon RDS takes a snapshot of the source instance and creates a read-only instance from the snapshot. For MySQL, MariaDB and PostgreSQL, Amazon RDS uses those engines’ native asynchronous replication to update the read replica whenever there is a change to the source DB instance. Option C is invalid, because the Redis engine for Amazon ElastiCache supports replication with automatic failover, but the Redis engine’s replication is asynchronous Option D is invalid because this is not supported by AWS.

Answer 52

Answer: A When you execute the AWS ec2 describe-instances CLI command with the instance_id as shown below AWS ec2 describe-instances --instance-id instance_id In the JSON response that's displayed, locate the StateReason element. An example is shown below. This will help in understanding why the instance was shutdown. "StateReason": { “Message”: "Client.UserInitiatedShutdown: User initiated shutdown", "Code": "Client. UserInitiatedShutdown" }, Option B is invalid because this command describes one or more of the images (AMIs, AKIs, and ARIs) available to you Option C is invalid because retrieve a JPG- format screenshot of a running instance. This might not help to the complete extent of understanding why the instance was terminated. Option D is invalid because this command describes the status of the specified volumes. For more information on the command, please visit the below URL: http: //docs.aws.amazon.com/cli/latest/reference/ec2/describe-instances. html

Answer 53

Answer: C When you create an SQS with the default options , the message retention period is 4 days. So if the application is processing the messages just once a week there are chances that messages sent at the start of the week will get deleted before it can be picked up by the application. Option A and B are invalid , because even if you use short or long polling , the application should be able to read the messages eventually. Option D is invalid because you can provide permissions at the queue level. For more information on SQS, please visit the below URL: https://aws.amazon.com/sqs/faqs/

Answer 54

Answer: B When you look at the Message lifecycle from AWS for SQS queues , one of the most important aspect is to delete the messages after they have been read from the queue. Option A and C are invalid because even if you use short or long polling , the application should be able to read the messages eventually. The main part is that the deletion of messages is not happening after they have been read. Option D is invalid because if the messages are not being read properly , then the application should not send successful notifications. For more information on SQS message lifecycle, please visit the below URL: http: //docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-message-lifecycle.html

Answer 55

Answer: C If the DNS hostnames option of the VPC is not set to ‘Yes’ then the instances launched in the subnet will not get DNS Names. You can change the option by choosing your VPC and clicking on ‘Edit DNS Hostnames’ Option A and B are invalid because if the CIDR blocks were invalid then the VPC or subnet would not be created. Option D is invalid because the subnet configuration does not have the effect on the DNS hostnames. For more information on VPC’s, please visit the below URL: https://aws.amazon.com/vpc/

Answer 56

Answer: A The Route table need to be to 0.0.0.0/0 to ensure that the routes from the internet can reach the instance Hence by default all other options become invalid For more information on Route Tables, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html

Answer 57

Answer: B The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers. Option A is invalid, because ideally you need a private subnet to host the database server. Option C and D are invalid because there is no case of accessing the application from on premise locations using VPN connections. For more information on this scenario, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Answer 58

Answer: C One can use the Security Group , change the Inbound Rules so that the traffic will be allowed on the custom port. When you make a change to the Security Groups or Network ACL’s , they are applied immediately This is clearly given in the AWS documentation For more information on Security Groups, please refer to the below link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Answer 59

Answer: A If you look at the AWS Documentation, this is clearly given. You only get charged for the underlying resources created using Cloud Formation templates. So , because of the explanation , all other options automatically become invalid. For more informationon Cloudformation, please visit the below URL: https://aws.amazon.com/cloudformation/faqs/

Answer 60

Answer: B A point-in-time snapshot of an EBS volume, can be used as a baseline for new volumes or for data backup. If you make periodic snapshots of a volume, the snapshots are incremental—only the blocks on the device that have changed after your last snapshot are saved in the new snapshot. Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the entire volume. You can create a snapshot via the CLI command - create-snapshot Option A is incorrect because you normally use the Storage gateway to backup your on-premise data. Option C is incorrect because this is used for S3 storage Option D is incorrect because compression is another maintenance task and storing it in Glacier is not an ideal option For more information on snapshots, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

Answer 61

Answer: A Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects, such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases, such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB. Option B and C ,, even though partially correct would be an overhead for EC2 Instances to process the log files when you already have a ready made service which can help in this regard Option D is in invalid because DynamoDB is not an ideal option to store log files. For more information on EMR, please visit the below URL: http://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-what-is-emr.html

Answer 62

Answer: B Requirements for cross-region replication: The source and destination buckets must be versioning-enabled. The source and destination buckets must be in different AWS regions. You can replicate objects from a source bucket to only one destination bucket. Amazon S3 must have permission to replicate objects from that source bucket to the destination bucket on your behalf. If the source bucket owner also owns the object, the bucket owner has full permissions to replicate the object. If not, the source bucket owner must have permission for the Amazon S3 actions s3:GetObjectVersion and s3:GetObjectVersionACL to read the object and object ACL. If you are setting up cross-region replication in a cross-account scenario (where the source and destination buckets are owned by different AWS accounts), the source bucket owner must have permission to replicate objects in the destination bucket. The destination bucket owner needs to grant these permissions via a bucket policy. Option A is invalid , because it is available in all regions Option C is invalid because if so, then you would not be able to access S3 in that region Option D is invalid because you have not reached the configuration stage to select the destination bucket For more information on S3 Cross Region Replication, please visit the below URL: https://docs.aws.amazon.com/AmazonS3/latest/dev/crr.html

Answer 63

Answer: B The snapshot from the AWS documentation lists some of the service limits with AWS Lambda For more information on AWS Lambda, please visit the below URL: http: //docs.aws.amazon.com/lambda/latest/dg/limits.html

Answer 64

Answer: A With this configuration you can have 27 allowable hosts which fits the requirement. Option B is invalid because you can have only a maximum of 16 hosts with this configuration Option C and D are invalid because you can assign a single CIDR block to a VPC. The allowed block size is between a /16 netmask and /28 netmask. For more information on Subnets, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

Answer 65

Answer: B In this case, you can have multiple SQS queues. The SQS queues for the premium members can be polled first by the EC2 Instances and then those messages can be processed. For information on SQS best practices, please refer to the below link http: //docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-best-practices.html

Answer 66

Answer: A You need to ensure that the VPC has an internet gateway attached and the route table properly configured for the subnet. Option B is invalid because even the ELB is not accessible from the internet. Option C is invalid because the instances and ELB is not reachable via internet if no internet gateway is attached to the VPC. Option D is invalid because this will not have an impact on the issue. For more information on troubleshooting ELB, please visit the below URL: https://aws.amazon.com/premiumsupport/knowledge-center/elb-connectivity-troubleshooting/

Answer 67

Answer: C An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment,Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. Below is a snapshot of the service limits it can monitor. Option A is invalid because even though you can monitor resources , it cannot be checked against the service limit. Option B is invalid because this is the Elastic Compute cloud service Option D is invalid because it can be send notification but not check on service limits For more information on the Trusted Advisor monitoring, please visit the below URL: https://aws.amazon.com/premiumsupport/ta-faqs/

Answer 68

Answer: C The AWS Simple Storage service is the best option for this scenario. The AWS documentation provides the following information on the Simple Storage service Amazon S3 is object storage built to store and retrieve any amount of data from anywhere — web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry For more information on the Simple Storage Service, please refer to the below link https://aws.amazon.com/s3/

Answer 69

Answer: C AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. Option A is invalid because this is good to get a certain set of defined resources up and running. But it cannot be used to duplicate infrastructure as code. Option B is invalid because this is the Simple Queue Service which is used for sending messages. Option D is invalid because this is the Simple Notification service that is used for sending notifications. For more information on Cloudformation, please visit the below URL: http: //docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html

Answer 70

Answer: A As the number of EC2 instances in your AWS environment grows, so too does the number of administrative access points to those instances. Depending on where your administrators connect to your instances from, you may consider enforcing stronger network-based access controls. A best practice in this area is to use a bastion. A bastion is a special purpose server instance that is designed to be the primary access point from the Internet and acts as a proxy to your other EC2 instances. The below picture from the AWS documentation shows the setup of the bastion hosts in a public subnet. Option B is invalid because bastion hosts need to be in the public subnet Option C and D are invalid because bastion hosts are not used to host web resources. For more information on Bastion hosts, please visit the below URL: https://aws.amazon.com/blogs/security/controlling-network-access-to-ec2-instances-using-a-bastion-server/

Answer 71

Answer: B,C The Reserved Instance Marketplace is a platform that supports the sale of third- party and AWS customers’ unused Standard Reserved Instances, which vary in term lengths and pricing options. For example, you may want to sell Reserved Instances after moving instances to a new AWS region, changing to a new instance type, ending projects before the term expiration, when your business needs change, or if you have unneeded capacity For more information on selling instances, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-market-general.html Since the data is still required , it’s better to take snapshots of the existing volumes and then terminate the instances. For more information on EBS Snapshots, please visit the below URL: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html Option A and D are invalid , because you cannot convert Reserved instances to either on- demand instances or Spot Instances.

Answer 72

Answer: D You can copy an Amazon Machine Image (AMI) within or across an AWS region using the AWS Management Console, the AWS command line tools or SDKs, or the Amazon EC2 API, all of which support the CopyImage action. You can copy both Amazon EBS-backed AMIs and instance store-backed AMIs. You can copy AMIs with encrypted snapshots and encrypted AMIs. Copying a source AMI results in an identical but distinct target AMI with its own unique identifier. In the case of an Amazon EBS-backed AMI, each of its backing snapshots is, by default, copied to an identical but distinct target snapshot. Option A is invalid , because it is a maintenance overhead to maintain another non-running instance Option B is invalid , because the pre- configured software could have settings on the root volume Option C is invalid because this is a long and inefficient way to restore a failed instance For more information on Copying AMI’s, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html

Answer 73

Answer: A You need to add the following security rule so that you can access HTTP traffic to the server. Add the rules to the security group as desired. Option B is invalid because then you will not be able to access the server via SSH Option C and D are invalid because these routes are not ideal routes to add to the VPC. For more information on security groups, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Answer 74

Answer: B Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting your credentials from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials. LAM roles are designed so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. For more information on IAM Roles, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Answer 75

Answer: B When you look at your cloudwatch metric dashboard, you can see the metrics for CPU Usage , Disk read operations and Network in You need to add a custom metric for Memory Usage. An example of enabling the custom metric is shown below URL: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/mon-scripts.html

Answer 76

Answer: A, C, D The image shows the in KB Article configuration of an instance which can be accessed from the internet. The key requirements are 1) An Internet gateway attached to the VPC 2) Apublic IP or elastic IP address attached to the instance 3) Aroute entry to the Internet gateway in the Route table Option B is invalid, because this is only required for communication between instances in the VPC. For more information on Public subnets, please refer to the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarioi.html

Answer 77

Answer: C Kinesis Streams supports changes to the data record retention period of your stream. An Kinesis stream is an ordered sequence of data records meant to be written to and read from in real-time. Data records are therefore stored in shards in your stream temporarily. The time period from when a record is added to when it is no longer accessible is called the retention period. An Kinesis stream stores records from 24 hours by default, up to 168 hours. Option A , even though a possibility , cannot be taken for granted as the right option. Option B is invalid since S3 can store data indefinitely unless you have a lifecycle policy defined. Option D is invalid because the Kinesis service is perfect for this sort of data injestion For more information on Kinesis data retention, please refer to the below URL: http://docs.aws.amazon.com/streams/latest/dev/kinesis-extended-retention.html

Answer 78

Answer: A The following are the parts of a network ACL rule: Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it. Now since the first rule number is 100 and allows all traffic, no matter what rule you put after that all traffic will be allowed. Hence, all options except A are incorrect For more information on Network ACL, please refer to the below URL: http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Answer 79

Answer: B from both unintended user actions and application failures. You can optionally add another layer of security by configuring a bucket to enable MFA (Multi-Factor Authentication) Delete, which requires additional authentication for either of the following operations. 1) Change the versioning state of your bucket 2) Permanently delete an object version Option A is invalid because this would be a maintenance overhead Option C is invalid because changing the storage option will not prevent accidental deletion. Option D is invalid because the question does not ask to remove the delete permission completely. For more information on S3 versioning, please refer to the below URL: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html Versioning is a means of keeping multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon Sg bucket. With versioning, you can easily recover

Answer 80

Answer: C To get the private and public IP addresses, you can run the following commands on the running instance http://169.254.169.254/latest/meta-data/local-ipv4 http://169.254.169.254/latest/meta-data/public-ipv4 Option A is partially correct , but is an overhead when you already have the service running in AWS. Option B is incorrect, because you cannot get the IP address from the cloudwatch metric. Option D is incorrect, because user-data cannot get the IP addresses For more information on instance metadata , please refer to the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Answer 81

Answer: D These options are the best when it comes to storing session data. Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in- memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases For more information, please visit the below URL: https://aws.amazon.com/elasticache/ For DynamoDB, this is also evident from the AWS documentation For more information, please visit the below URL: http: //docs.aws.amazon.com/gettingstarted /latest/awsgsg-intro/gsg-aws-database.html And by default, in the industry , RDS have been used to store session data. The Elastic Load Balancer, AWS Storage Gateway and Cloudwatch cannot store session data.

Answer 82

Answer: C Some of the features of Business support are 1) 24x7 access to customer service, documentation, whitepapers, and support forums 2) Access to full set of Trusted Advisor checks 3) 24x7 access to Cloud Support Engineers via email, chat & phone Option A and B are invalid because they have Access to 6 core Trusted Advisor checks only. And they don’t have 24*7 support Option D is invalid because even though it fulfills all requirements, it is an expensive option and since Business support already covers the requirement, this should be selected , when you are taking cost as an option. For a full comparison of plans, please visit the following URL: https://aws.amazon.com/premiumsupport/compare-plans/

Answer 83

Answer: C The following is true with regards to Private IP addressing For instances launched in a VPC, a private IPv4 address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated. For instances launched in EC2-Classic, we release the private IPv4 address when the instance is stopped or terminated. If you restart your stopped instance, it receives a new private IPv4 address

Answer 84

Answer: D Use the following best practices for monitoring to help you with your Amazon EC2 monitoring tasks. Make monitoring a priority to head off small problems before they become big ones. Create and implement a monitoring plan that collects monitoring data from all of the parts in your AWS solution so that you can more easily debug a multi-point failure if one occurs. Your monitoring plan should address, at a minimum, the following questions: What are your goals for monitoring? What resources you will monitor? How often you will monitor these resources? What monitoring tools will you use? Who will perform the monitoring tasks? Who should be notified when something goes wrong? Automate monitoring tasks as much as possible. Check the log files on your EC2 instances. For more information on monitoring EC2, please refer to the below link: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring_ec2.html

Answer 85

Answer: B Since the requirement mentions that it does not matter if objects are lost and you need a low cost storage option then Reduced Redundancy Storage is the best option. The AWS Documentation mentions the below on Reduced Redundancy Storage Reduced Redundancy Storage (RRS) is an Amazon S3 storage option that enables customers to store noncritical, reproducible data at lower levels of redundancy than Amazon S3’s standard storage. It provides a highly available solution for distributing or sharing content that is durably stored elsewhere, or for storing thumbnails, transcoded media, or other processed data that can be easily reproduced For more information on RRS, please refer to the below link: https://aws.amazon.com/s3/reduced- redundancy/

Answer 86

Answer: D AWS hosts a variety of public datasets that anyone can access for free. Previously, large datasets such as the mapping of the Human Genome required hours or days to locate, download, customize, and analyze. Now, anyone can access these datasets via the AWS centralized data repository and analyze those using Amazon EC2 instances or Amazon EMR (Hosted Hadoop) clusters. By hosting this important data where it can be quickly and easily processed with elastic computing resources, AWS hopes to enable more innovation, more quickly. For more information on datasets please visit the below link https://aws.amazon.com/public-datasets/

Answer 87

Answer: B Normally database servers should not be exposed to the internet and should reside in private subnets. The web servers will be part of the public subnet and exposed to the end users.

Answer 88

The example shows a simple CloudFormation template. It creates an EC2 instance based on the AMI - ami-d6f32ab5. When the instance is created, it will output the AZ in which it is created. { "Resources": { "MyECaInstance”: { "Type": "AWS::EC2::Instance”, "Properties": { "Imageld": "ami-d6f32ab5" } } } “Outputs”: { "Availability": { "Description": "The Instance ID", "Value": {"Fn::GetAtt” : [ "MyEC2Instance”, “AvailabilityZone” ]} } }}

Answer 89

Answer: A EBS Volume replicated to physical hardware with in the same available zone, So if AZ fails then EBS volume will fail. That's why AWS recommend to always keep EBS volume snapshot in S3 bucket for high durability. When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to the failure of any single hardware component. Option B is wrong as EBS volume has multiple copies but with in same AZ , so volume will not persist in case of AZ failure. Option C is wrong because there is no special setup available to persist EBS volume across region or AZ. Answer D is wrong as EBS volume has same behavior regardless of region. As per AWS user guide: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html

Answer 90

Answer: A, D Some of the advantages of Multi AZ rds deployments are given below If an Availability Zone failure or DB Instance failure occurs, your availability impact is limited to the time automatic failover takes to complete The availability benefits of Multi-AZ deployments also extend to planned maintenance and backups. In the case of system upgrades like OS patching or DB Instance scaling, these operations are applied first on the standby, prior to the automatic failover. As a result, your availability impact is, again, only the time required for automatic failover to complete. If a storage volume on your primary fails in a Multi-AZ deployment, Amazon RDS automatically initiates a failover to the up-to-date standby For more information on Multi AZ rds deployments please visit the link https://aws.amazon.com/rds/details/multi-az/

Answer 91

Answer: D An instance must either have a public or Elastic IP in order to be accessible from the internet. A public IP address is reachable from the Internet. You can use public IP addresses for communication between your instances and the Internet. An Elastic IP address is a static IP address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is a public IP address, which is reachable from the Internet. If your instance does not have a public IP address, you can associate an Elastic IP address with your instance to enable communication with the Internet; for example, to connect to your instance from your local computer. For more information on Elastic IP’s, please visit the link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Answer 92

Answer: C Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair. To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair

Answer 93

Answer: D You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. For more information on EBS snapshots, please visit the link- http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 94

Answer: B I2 instances are optimized to deliver tens of thousands of low-latency, random I/O operations per second (IOPS) to applications. They are well suited for the following scenarios: NoSQL databases (for example, Cassandra and MongoDB) Clustered databases Online transaction processing (OLTP) systems For more information on I2 instances, please visit the link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/i2-instances.html

Answer 95

Answer: A, B, D When you go to your IAM dashboard, you will see the set of elements which can be configured.

Answer 96

Answer: A, C, D AWS Lambda supports code written in Node.js (JavaScript), Python, Java (Java 8 compatible), and C# (using the .NET Core runtime). For more information on Amazon Lambda, please visit https://aws.amazon.com/lambda/?nc2=h_m1

Answer 97

Answer: D The AWS Documentation mentions the below With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)- compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application. For more information on Web Identity Federation, please visit the below URL: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html

Answer 98

Answer: D When you enable Cloudtrail, you need to provide an S3 bucket where all the logs can be written to. For more information on AWS Cloudtrail, please visit https://aws.amazon.com/cloudtrail/

Answer 99

Answer: B The AWS documentation clearly highlights what happens in the event of an automatic failover for an AWS RDS instance. For more information on AWS RDS, please visit https://aws.amazon.com/rds/faqs/

Answer 100

Answer: C Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. But you cannot tag a VPC endpoint For more information on AWS Resourcing Tagging, please visit http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

Answer 101

Answer: A Visit the AWS documentation for the types of monitoring data. For more information on Volume monitoring, please visit http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status. html

Answer 102

Answer: C Amazon Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. If you have multiple resources that perform the same function, you can configure DNS failover so that Amazon Route 53 will route your traffic from an unhealthy resource to a healthy resource. For example, if you have two web servers and one web server becomes unhealthy, Amazon Route 53 can route traffic to the other web server. So you can route traffic to a website hosted on S3 or to a cloudfront distribution. For more information on DNS failover using Routes3, please refer to the below link http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

Answer 103

Answer: B One of the major advantages is that you can combine your on-premise data center to AWS via a VPN connection. You can create an IPsec, hardware VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints for automatic failover. You configure your customer gateway, which is the physical device or software application on the remote side of the VPN connection. For more information on VPN connections, please refer to the below link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn-connections.html

Answer 104

Answer: A Using Amazon CloudWatch alarm actions, you can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs. For more information on using alarm actions, please refer to the below link http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html

Answer 105

Answer: B Multi-AZ databases is better for production environments rather than for development environments, so you can reduce costs by not using this for development environments Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention For more information on Multi-AZ RDS, please refer to the below link https://aws.amazon.com/rds/details/multi-az/

Answer 106

Answer: A If the Internet gateway is not attached to the VPC, which is a pre-requisite for the instances to be accessed from the internet then the instances will not be reachable. You can assign instance from private subnet to ELB, in that case, ELB will automatically become internal ELB and AWS will assign scheme as "Internal" .If your subnet is public then ELB will automatically become external ELB and AWS will assign scheme as "Internet-facing”. You can add Internet Gateway to VPC and add IGW route in the subnet to make it available over the internet, however, in that case, AWS will still show ELB scheme as internal but it will allow internet traffic to the instance. See internal load balancer details here: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-internal-load-balancer.html For more information on Internet gateways, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Answer 107

Answer: A Amazon Simple Queue Service (SQS) is a fully-managed message queuing service for reliably communicating among distributed software components and microservices - at any scale. Building applications from individual components that each perform a discrete function improves scalability and reliability, and is best practice design for modern applications For more information on SQS, please refer to the below link https://aws.amazon.com/sqs/

Answer 108

Answer: B, C Both RDS and DynamoDB are managed solutions provided by AWS. Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business. For more information on RDS, please refer to the below link https://aws.amazon.com/rds/ Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. For more information on DynamoDB, please refer to the below link https://aws.amazon.com/dynamodb/

Answer 109

Answer: C Edge locations Using a network of edge locations around the world, Amazon CloudFront caches copies of your static content close to viewers, lowering latency when they download your objects and giving you the high, sustained data transfer rates needed to deliver large popular objects to end users at scale. For more information on Cloudfront and edge locations, please refer to the below link https://aws.amazon.com/cloudfront/ Availability Zones Each region is completely independent. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links. The following diagram illustrates the relationship between regions and Availability Zones. For more information on AZ, please refer to the below link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones. html

Answer 110

Answer: B Option A is wrong because this is used to relay information from private subnets to the internet. Option C is wrong because this is used as a queuing service in aws. Option D is wrong because this is used as an emailing service in aws. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules. In WAF, you can create a set of Conditions and Rules to protect your network against attacks from outside. For more information on AWS WAF please visit the below link https://aws.amazon.com/waf/

Answer 111

Answer: C Note that the question asks you for the least likely recommended option. The correct answer is C , SQS polling from an EC2 instance using IAM user credentials. An EC2 role should be used when deploying EC2 instances to grant permissions rather than storing IAM user credentials in EC2 instances. You should use IAM roles for secure communication between EC2 instances and resources on AWS. Your most likely scenario will actually be SQS polling from an EC2 instance deployed with an IAM role because when you're polling SQS from EC2 you should use IAM roles. What you should never do is use IAM user api keys for authentication to poll sqs messages. An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have any credentials (password or access keys) associated with it. Instead, if a user is assigned to a role, access keys are created dynamically and provided to the user. The most likely scenario will actually be SQS polling from an EC2 instance deployed with an IAM role because when your polling SQS from EC2 you should use IAM roles. We should never use [AM user api keys for authentication to poll SQS messages. Option C is correct which least likely scenario is. For more information on IAM Roles, please refer to the below link: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

Answer 112

Answer: A When a consumer receives and processes a message from a queue, the message remains in the queue. Amazon SQS doesn't automatically delete the message: Because it's a distributed system, there is no guarantee that the component will actually receive the message (the connection can break or a component can fail to receive the message). Thus, the consumer must delete the message from the queue after receiving and processing it. Q: How does Amazon SQS allow multiple readers to access the same message queue without losing messages or processing them multiple times? Every Amazon SQS queue has a configurable visibility timeout. A message is not visible to any other reader for a designated amount of time when it is read from a message queue. As long as the amount of time it takes to process the message is less than the visibility timeout, every message is processed and deleted. If the component processing of the message fails or becomes unavailable, the message again becomes visible to any component reading the message queue once the visibility timeout ends. This allows multiple components to read messages from the same message queue, each one working to process different messages. For more information on SQS Visibility timeout, please refer to the below link http://sqs-public- images.s3.amazonaws.com/Building Scalabale EC2 applications with SQ S2.pdf (this document explains in detai] how EC2 and SQS works together in all scenarios. There is also explanation what happens if the EC2 instance crashes before it deletes a message from Queue) http: //docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDevelope

Answer 113

Answer: C The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under the following circumstances: The underlying disk drive fails The instance stops The instance terminates For more information on Instance store , please refer to the below link http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.h tml

Answer 114

Answer: A The bastion host should only have a security group from a particular IP address for maximum security. Since the request is to have a cheapest infrastructure, then you should use a small instance.

Answer 115

Answer: A, B, C This is given in the aws documentation For more information on VPC Peering configurations, please refer to the below link http: //docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid- peering-configurations.html

Answer 116

Answer: B You can copy an Amazon Machine Image (AMI) within or across an AWS region using the AWS Management Console, the AWS command line tools or SDKs, or the Amazon EC2 API, all of which support the CopyImage action. You can copy both Amazon EBS-backed AMIs and instance store-backed AMIs. You can copy AMIs with encrypted snapshots and encrypted AMIs. For more information on copying AMI’s, please refer to the below link http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html

Answer 117

Answer: B On the customer side gateway you need to have a public IP address which can be addressed by the VPN connection. For more information on VPN connections, please refer to the below link: http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpn- connections. html

Answer 118

Answer: D This is given in the aws documentation For more information on Cloudformation pricing, please refer to the below link https://aws.amazon.com/cloudformation/pricing/

Answer 119

Answer: A This is given in the aws documentation. For more information on S3, please refer to the below link https://aws.amazon.com/s3/faqs/

Answer 120

Answer: A This is given in the aws documentation For more information on CloudHSM, please refer to the below link https://aws.amazon.com/cloudhsm/faqs/

Answer 121

Answer: C A budget is a way to plan your usage and your costs (also known as spend data), and to track how close your usage and costs are to exceeding your budgeted amount. Budgets use data from Cost Explorer to provide you with a quick way to see your usage-to-date and current estimated charges from AWS, and to see how much your predicted usage accrues in charges by the end of the month. Budgets also compare the current estimated usage and charges to the amount that you indicated that you want to use or spend, and lets you see how much of your budget has been used. AWS updates your budget status several times a day. Budgets track your unblended costs, subscriptions, and refunds. You can create budgets for different types of usage and different types of cost. For example, you can create a budget to see how many EC2 hours you have used, or how many GB you have stored in an S3 bucket. You can also create a budget to see how much you are spending on a particular service, or how often you call a particular API operation. Budgets use the same data filters as Cost Explorer. To create your budget, you can perform the below steps Step 1) Go to your billing section, go to Budgets and create a new Budget Step 2) In the next screen, you can then mention the budget amount and what services to link the budget to. For more information on AWS Budgets please visit the below link http: //docs.aws.amazon.com/awsaccountbilling /latest/aboutv2/budgets- managing-costs.html

Answer 122

Answer: D You can use IAM user policies and attach them to users/groups that need specific access to S3 buckets. An example of creating such policies is given in the link below https://aws.amazon.com/blogs/security/writing-iam- policies-how-to-grant-access-to-an-amazon-s3-bucket/

Answer 123

Answer: C This is given in the aws documentation For more information on Security Groups, please refer to the below link http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security Groups.html

Answer 124

Answer: B, C “Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. For more information on EC2, please refer to the below link https://aws.amazon.com/ec2/ Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your Amazon EC2 resources. http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB. For more information on EMR, please refer to the below link https://aws.amazon.com/emr/ Amazon EMR and applications such as Hadoop need permission to access other AWS resources when running jobs on behalf of users. http: //docs.aws.amazon.com/emr/latest/ManagementGuide/emr-iam- roles. html “

Answer 125

Answer: A Using a network of edge locations around the world, Amazon CloudFront caches copies of your static content close to viewers, lowering latency when they download your objects and giving you the high, sustained data transfer rates needed to deliver large popular objects to end users at scale. For more information on Cloudfront and edge locations, please refer to the below link https: //aws.amazon.com/cloudfront/

Answer 126

Answer: C, D An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, ifa person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups. For more information on [AM Groups, please refer to the below link http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Answer 127

Answer: A, C, D By default, when you create an access key, its status is Active, which means the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active access keys, which is useful when you must rotate the user's access keys. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user For more information on API Access keys, please refer to the below link http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access- keys. html

Answer 128

Answer: C It is clearly mentioned in the AWS documentation that data in an S3 bucket is replicated to multiple facilities in the same region. For more information on S3 product details, please refer to the below link https://aws.amazon.com/s3/details/

Answer 129

Answer: C This is given in the aws documentation For more information on NACL, please refer to the below link http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Answer 130

Answer: B, C, D Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications. AWS Redshift can be used for data warehousing. For more information on DynamoDB, please refer to the below link https://aws.amazon.com/dynamodb/

Answer 131

Answer: B The reason why you cannot connect to the instance is because by default RDP protocol will not be enabled on the Security Group. Option A is wrong because this is for the SSH protocol and here we want to RDP into the instance. Option C and D are wrong because there is no mention of anything wrong with the instance. Step 1) Go to your EC2 Security groups, click on the required security groups to make the changes. Go to the Inbound Tab. Step 2) Make sure to add a rule for the RDP protocol for the instance and then click the Save button.

Answer 132

Answer: D Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution For more information on Redshift, please refer to the below link http://docs.aws.amazon.com/redshift/latest/mgmt/welcome.html

Answer 133

Answer: D A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region The below diagram shows an example of VPC peering. Now please note that VPC B cannot communicate to VPC C because there is no peering between them.   For more information on VPC peering, please visit the url http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc- peering.html

Answer 134

Answer: A, D A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group. The below diagram’s show that rules can be defined for Inbound and Outbound For more information on Security Groups, please visit the url http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network- security. html

Answer 135

Answer: C  You have to ensure that the Route table has an entry to the Internet gateway because this is required for instances to communicate over the internet. The diagram shows the configuration of the public subnet in a VPC. Option A is wrong because you already have a public IP Assigned to the instance, so this should be enough to connect to the Internet. Option B is wrong because private IP’s cannot be access from the internet Option D is wrong because the Route table is what is causing the issue and not the system For more information on aws public subnet, please visit the link http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html

Answer 136

Answer: C EBS snapshots are incremental and complete, so you don’t need to maintain multiple snapshots if you are looking on reducing costs. You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. AWS Docs provides following details: In state 3, the volume has not changed since State 2, but Snapshot A has been deleted. The 6 GiB of data stored in Snapshot A that were referenced by Snapshot B have now been moved to Snapshot B, as shown by the heavy arrow. As a result, you are still charged for storing 10 GiB of data—6 GiB of unchanged data preserved from Snap A, and 4 GiB of changed data from Snap B. So as the diagram in AWS Document shows when we take multiple snapshots, the volume that occupied would be Snap A (10 GiB) + Snap B (4 GiB) + Snap C (2 GB) which is in total 16 GiB. In real production environment, the data on the EBS is changing every minute or even every second. So taking multiple snapshots would definitely consume more storage. Hence, Option C is correct which provide lowest cost and at the same time able to fully restore the data. Please refer to the following document on how incremental backup works: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.ht ml#how_snapshots_work For more information on EBS snapshots, please visit the link - http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 137

Answer: B Here the only option available is to create a new mount volume Option A is wrong because you cannot encrypt a volume once it is created. You would need to use some local encrypting algorithm if you want to encrypt the data on the volume. Option C is wrong because even if you unmounts the volume, you cannot encrypt the volume. Encryption has to be done during volume creation. Option D is wrong because even if the volume is not encrypted, the snapshot will also not be encrypted. You cannot create an encrypted snapshot of an unencrypted volume or change existing volume from unencrypted to encrypted. You have to create new encrypted volume and transfer data to the new volume. The other option is to encrypt a volume’s data by means of snapshot copying 1. Create a snapshot of your unencrypted EBS volume. This snapshot is also unencrypted. 2. Copy the snapshot while applying encryption parameters. The resulting target snapshot is encrypted. 3. Restore the encrypted snapshot to a new volume, which is also encrypted. but that option is not listed. Find more details here : http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

Answer 138

Answer: B Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. Below is the retention period for the various data points CloudWatch Metrics now supports the following three retention schedules: 1 minute datapoints are available for 15 days 5 minute datapoints are available for 63 days 1 hour datapoints are available for 455 days For more information on Amazon Cloudwatch, please visit https://aws.amazon.com/cloudwatch/

Answer 139

Answer: C DB Parameter Groups are used to assign specific settings which can be applied to a set of RDS instances in aws. In your RDS, when you go to Parameter Groups, you can create a new parameter group. In the parameter group itself, you have a lot of database related settings that can be assigned to the database. Option A, B and D are wrong because this is specific to what resources have access to the database. For more information on EB parameter groups, please visit http: //docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Worki ngWithParamGroups.html

Answer 140

Answer: B After you no longer need an Amazon EBS volume, you can delete it. After deletion, its data is gone and the volume can't be attached to any instance. However, before deletion, you can store a snapshot of the volume, which you can use to re-create the volume later. See more details here : http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting- volume.htm] Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume. You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. For more information on EBS snapshots, please visit the link - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 141

Answer: C A private IP address is an IP address that's not reachable over the Internet. You can use private IP addresses for communication between instances in the same network (EC2-Classic or a VPC). When an instance is launched a private IP address is allocated for the instance using DHCP. Each instance is also given an internal DNS hostname that resolves to the private IP address of the instance; for example, ip-10-251-50-12.ec2.internal. You can use the internal DNS hostname for communication between instances in the same network, but we can't resolve the DNS hostname outside the network that the instance is in. For more information on IP Addressing, please visit the link - http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance- addressing. html

Answer 142

Answer: B AWS Elastic Beanstalk stores your application files and, optionally, server log files in Amazon S3. If you are using the AWS Management Console, the AWS Toolkit for Visual Studio, or AWS Toolkit for Eclipse, an Amazon S3 bucket will be created in your account for you and the files you upload will be automatically copied from your local client to Amazon S3. Optionally, you may configure Elastic Beanstalk to copy your server log files every hour to Amazon S3. You do this by editing the environment configuration settings For more information on Elastic Beanstalk visit the below link https://aws.amazon.com/elasticbeanstalk/faqs/

Answer 143

Answer: A Option B is wrong because it is not an encrypted solution to $3 Option C is wrong because you can use S3 as a backup solution Option D is wrong because the SSL endpoint can be achieved via S3 The AWS Storage Gateway's software appliance is available for download as a virtual machine (VM) image that you install on a host in your datacenter. Once you’ve installed your gateway and associated it with your AWS Account through our activation process, you can use the AWS Management Console to create either gateway- cached volumes, gateway-stored volumes, or a gateway-virtual tape library (VTL), which can be mounted as iSCSI devices by your on-premises applications. You have primarily 2 types of volumes 1) Gateway-cached volumes allow you to utilize Amazon 83 for your primary data, while retaining some portion of it locally in a cache for frequently accessed data. 2) Gateway-stored volumes store your primary data locally, while asynchronously backing up that data to AWS For more information on AWS Storage gateways visit the below link https://aws.amazon.com/storagegateway/details/

Answer 144

Answer: D Instance metadata is data about your instance that you can use to configure or manage the running instance Because your instance metadata is available from your running instance, you do not need to use the Amazon EC2 console or the AWS CLI. This can be helpful when you're writing scripts to run from your instance. For example, you can access the local IP address of your instance from instance metadata to manage a connection to an external application. http://169.254.169.254/latest/meta-data/ For more information on Instance Metadata visit the below link http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance- metadata. html

Answer 145

Answer: B Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. You can set the backup retention period when you create a DB instance. If you don't set the backup retention period, Amazon RDS uses a default period retention period of one day. You can modify the backup retention period; valid values are 0 (for no backup retention) to a maximum of 35 days You will also specifically see AWS mentioning the risk of not allowing automated backups. For more information on Automated backups, please visit http: //docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Worki ngWithAutomatedBackups.html

Answer 146

Answer: B Amazon Kinesis is the best option for analyzing logs in real time The AWS documentation mentions the following for AWS Kinesis Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. Amazon Kinesis offers key capabilities to cost effectively process streaming data at any scale, along with the flexibility to choose the tools that best suit the requirements of your application. With Amazon Kinesis, you can ingest real-time data such as application logs, website clickstreams, IoT telemetry data, and more into your databases, data lakes and data warehouses, or build your own real-time applications using this data. For more information on AWS Kinesis, please refer to the below URL: https://aws.amazon.com/kinesis/

Answer 147

Answer: A, B, D Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following: Loss of availability in primary Availability Zone Loss of network connectivity to primary Compute unit failure on primary Storage failure on primary. Note: When operations such as DB Instance scaling or system upgrades like OS patching are initiated for Multi-AZ deployments, for enhanced availability, they are applied first on the standby prior to an automatic failover. As a result, your availability impact is limited only to the time required for automatic failover to complete. Note that Amazon RDS Multi-AZ deployments do not failover automatically in response to database operations such as long running queries, deadlocks or database corruption errors. For more information on read replicas, please visit https://aws.amazon.com/rds/details/read-replicas/

Answer 148

Answer: C “Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed. Each rule consists of the protocol and the CIDR range or source security group. For the TCP and UDP protocols, you must also specify the destination port or range of ports. For the ICMP protocol, you must also specify the ICMP type and code. For more information on revoke-security-group-ingress CLI command, please visit http: //docs.aws.amazon.com/cli/latest/reference/ec2/revoke- security-group-ingress.html "

Answer 149

Answer: A RRS only has 99.99% durability and there is a chance that data can be lost. So you need to ensure you have the right steps in place to replace lost objects. For more information on RRS, visit the link https: //aws.amazon.com/s3/reduced-redundancy/

Answer 150

Answer: C Amazon CloudFront is a web service that gives businesses and web application developers an easy and cost effective way to distribute content with low latency and high data transfer speeds. Like other AWS services, Amazon CloudFront is a self-service, pay-per-use offering, requiring no long term commitments or minimum fees. With CloudFront, your files are delivered to end-users using a global network of edge locations. For more information on CloudFront, please visit the link https://aws.amazon.com/cloudfront/

Answer 151

Answer: A A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. Below is an example of a security group for EC2 instances that allows inbound rules and ensure there is a rule for TCP on port 22. For more information on EC2 Security groups, please visit the url - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network- security. html

Answer 152

Answer: A A block device is a storage device that moves data in sequences of bytes or bits (blocks). These devices support random access and generally use buffered I/O. Examples include hard disks, CD-ROM drives, and flash drives. A block device can be physically attached to a computer or accessed remotely as if it were physically attached to the computer. Amazon EC2 supports two types of block devices: Instance store volumes (virtual devices whose underlying hardware is physically attached to the host computer for the instance) EBS volumes (remote storage devices)

Answer 153

Answer: D This is clearly mentioned in the aws documentation that you cannot use the secondary DB instances for writing purposes. Here is the overview of Multi-AZ RDS Deployments: Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention. For more information on Multi AZ RDS, please visit the link https://aws.amazon.com/rds/details/multi-az/

Answer 154

Answer: A Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can easily customize the network configuration for your Amazon Virtual Private Cloud. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet For more information on Amazon VPC, please visit the link https://aws.amazon.com/vpc/

Answer 155

Answer: B, C, D You can use IAM to manage API key and MFA along with roles. Please find specific details below: http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access- keys. html http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_e nable. html If you go on the IAM console, you will see the options on the left hand side. The Security groups are managed as part of the EC2 dashboard and not the IAM console. For more information on IAM, please refer to the below link https://aws.amazon.com/iam/

Answer 156

Answer: D You can easily add tags which define which instances are production and which are development instances and then ensure these tags are used when controlling access via an LAM policy. For more information on tagging your resources, please refer to the below link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

Answer 157

Answer: D You can take snapshots of EBS volumes and to automate the process you can use the CLI. The snapshots are automatically stored on S3 for durability. For more information on EBS snapshots, please refer to the below link http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 158

Answer: B As per the Shared responsibility model, the Physical network infrastructure is taken care by AWS. The below diagram clearly shows what has to be managed by customer and what is managed by AWS. For more information on the Shared Responsibility model, please refer to the below link https://aws.amazon.com/compliance/shared-responsibility-model/

Answer 159

Answer: A, C Find more details here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html EC2 instances are available in EBS backed storage and instance store backed storage. In fact, now more EC2 instances are EBS backed only so we need to consider both options while answering the question. Find more details here: https://aws.amazon.com/ec2/instance-types/ If you have an EBS backed instance store , then the underling host is changed when the instance is stopped and started. And if you have instance store volumes, the data on the instance store devices will be lost. For more information on the AMI types, please refer to the below link: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs - html

Answer 160

Answer: D Alias resource record sets are virtual records that work like CNAME records. But they differ from CNAME records in that they are not visible to resolvers. Resolvers only see the A record and the resulting IP address of the target record. As such, unlike CNAME records, alias resource record sets are available to configure a zone apex (also known as a root domain or naked domain) in a dynamic environment. So when you create a hosted zone and having a pointer to the load balancer , you need to mark ‘yes’ for the Alias option as shown below. Then you can choose the Elastic Load balancer which you have defined in aws. For more information on the zone apex, please visit the link http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/setting-up-route53-zoneapex-elb.html

Answer 161

Answer: A, C Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client- side encryption. You have the following options of protecting data at rest in Amazon S3. Use Server-Side Encryption — You request Amazon Sg to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects. Use Client-Side Encryption — You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. For more information on S3 encryption, please refer to the below link http: //docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Answer 162

Answer: C AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. This is sufficient if you the basic needs of managing keys for security. For more information on KMS, please refer to the below link https://aws.amazon.com/kms/ For a higher requirement on security one can use CloudHSM. The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM For more information on CloudHSM, please refer to the below link https://aws.amazon.com/cloudhsm/

Answer 163

Answer: A You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it. To require that users access your content through CloudFront URLs, you perform the following tasks: Create a special CloudFront user called an origin access identity. Give the origin access identity permission to read the objects in your bucket. Remove permission for anyone else to use Amazon S3 URLs to read the objects. For more information on Restricting access to AWS S3, please refer to the below link: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/pr ivate-content-restricting-access-to-s3.html

Answer 164

Answer: C You can use Amazon EMR for processing the jobs Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost- effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB. Amazon EMR securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. For more information on Amazon EMR please refer to the below link https://aws.amazon.com/emr/

Answer 165

Answer: A, B The best option is to configure an Elastic IP that can be switched between a primary and failover instance. Here is a link on using Elastic IP for failover. https: //aws.amazon.com/articles/2127188135977316

Answer 166

Answer: A Amazon Simple Queue Service (SQS) is a fully-managed message queuing service for reliably communicating among distributed software components and microservices - at any scale. Building applications from individual components that each perform a discrete function improves scalability and reliability, and is best practice design for modern applications. SQS is the best option for creating a decoupled application. For more information on SQS, please refer to the below link https://aws.amazon.com/sqs/

Answer 167

Answer: A, C You can use both SWF and SQS to coordinate with EC2 instances and on-premise servers. Amazon Simple Queue Service (SQS) is a fully-managed message queuing service for reliably communicating among distributed software components and microservices - at any scale. Building applications from individual components that each perform a discrete function improves scalability and reliability, and is best practice design for modern applications. For more information on SQS, please refer to the below link https://aws.amazon.com/sqs/ The Amazon Simple Workflow Service (Amazon SWF) makes it easy to build applications that coordinate work across distributed components. In Amazon SWF, a task represents a logical unit of work that is performed by a component of your application. Coordinating tasks across the application involves managing intertask dependencies, scheduling, and concurrency in accordance with the logical flow of the application. Amazon SWF gives you full control over implementing tasks and coordinating them without worrying about underlying complexities such as tracking their progress and maintaining their state. For more information on SWF, please refer to the below link http: //docs.aws.amazon.com/amazonswf/latest/developerguide/swf-welcome.html

Answer 168

Answer: A If the threshold for the scale down is too low then the instances will keep on scaling down rapidly. Hence it is best to keep on optimal threshold for your metrics defined for Cloudwatch. For more information on scaling on demand, please refer to the below link http: //docs.aws.amazon.com/autoscaling/latest/userguide/as-scale-based- on-demand.html

Answer 169

Answer: A The best option is to use S3 because you can host a large amount of data in Sg and is the best storage option provided by AWS. The answer could be Glacier if question is just asking to choose the cheapest option to store a large amount of data , but here trick is in question where it mentioned to scale when "demand unexpectedly increase”. As Galicer required 3 to 5 hrs duration to get data , so it will not able to handle unexpected demand increase thus S3 is the best choice here. For more information on S3, please refer to the below link http: //docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html

Answer 170

Answer: D The bastion host should be in a public subnet with either a public or elastic IP and only allow RDP access from one IP from the corporate network. A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. This is a security practice adopted by many organization to secure the assets in their private subnets.

Answer 171

Answer: D The AWS Documentation mentions the following Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud. Using Snowball addresses common challenges with large-scale data transfers including high network costs, long transfer times, and security concerns. Transferring data with Snowball is simple, fast, secure, and can be as little as one-fifth the cost of high-speed Internet. For more information on AWS Snowball , please visit the below link: https://aws.amazon.com/snowball/

Answer 172

Answer: C Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. For more information on AWS Elastic Cache, please refer to the below link https://aws.amazon.com/elasticache/

Answer 173

Answer: B The best option is to enable Multi-AZ for the database. Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby (or to a read replica in the case of Amazon Aurora), so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB Instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention For more information on AWS Multi-AZ, please refer to the below link https://aws.amazon.com/rds/details/multi-az/

Answer 174

Answer: A, C By creating a read replica RDS, you have the facility to scale out the reads for your application, hence increasing the elasticity for your application. Also it can be used to reduce the load on the main database. Read Replica’s don’t provide write operations, hence option B is wrong. And Multi-AZ is used for failover so Option D is wrong. For more information on Read Replica, please refer to the below link https://aws.amazon.com/rds/details/read-replicas/

Answer 175

Answer: B A decider is an implementation of the coordination logic of your workflow type that runs during the execution of your workflow. You can run multiple deciders for a single workflow type. Because the execution state for a workflow execution is stored in its workflow history, deciders can be stateless. Amazon SWF maintains the workflow execution history and provides it to a decider with each decision task For more information on Decider tasks, please refer to the below link http: //docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dg- dev-deciders.html

Answer 176

Answer: D The maximum size of an SQS message as given in the AWS documentation is given below For more information on SQS, please refer to the below link https://aws.amazon.com/sqs/faqs/

Answer 177

Answer: D Cloudtrail can log all API calls which enter AWS. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure. CloudTrail provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This history simplifies security analysis, resource change tracking, and troubleshooting. For more information on AWS Cloudtrail, please refer to the below link https://aws.amazon.com/cloudtrail/

Answer 178

Answer: A The recovery time objective (RTO) is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity Please refer to the below link for more details: https://en.wikipedia.org/wiki/Recovery_time_objective

Answer 179

Answer: B The below snapshot from the aws documentation shows the best architecture practices for avoiding DDos attacks. For best practices against DDos attacks , please visit the below link https://do.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf

Answer 180

Answer: C Its currently available for Cloudfront and ELB. Please find the below link for more details https://aws.amazon.com/about-aws/whats-new/2014/02/19/elastic-load-balancing-perfect-forward-secrecy-and-more-new-security-features/ https: //aws.amazon.com/blogs/aws/cloudfront-ssl-ciphers-session-ocsp-pfs/

Answer 181

Answer: A Gateway-cached volumes let you use Amazon Simple Storage Service (Amazon S3) as your primary data storage while retaining frequently accessed data locally in your storage gateway. Gateway-cached volumes minimize the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data. You can create storage volumes up to 32 TiB in size and attach to them as iSCSI devices from your on-premises application servers. Your gateway stores data that you write to these volumes in Amazon S3 and retains recently read data in your on-premises storage gateway's cache and upload buffer storage. For more information on Storage gateways, please visit the link http: //docs.aws.amazon.com/storagegateway /latest/userguide/storage- gateway-cached-concepts.html

Answer 182

Answer: D The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM. For more information on CloudHSM, please refer to the below link https://aws.amazon.com/cloudhsm/

Answer 183

Answer: A When you configure an instance during creation, you can add custom scripts to the User data section. So in Step 3 of creating an instance, in the Advanced Details section, we can enter custom scripts in the User Data section. The below script installs Per] during the instance creation of the EC2 instance.

Answer 184

Answer: C Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases Option A is wrong because even if MySQL is installed on multiple systems, it will not help to serve the most recently used data. Option B is wrong because even a Multi-AZ option with an RDS will not suffice the requirement of the customer. Option D is wrong because this is a pure database option. For more information on Elastic cache, please visit the link https: //aws.amazon.com/elasticache/

Answer 185

Answer: A You can attach an elastic network interface to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach). An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An Elastic network interface can have the following A primary private IP address. One or more secondary private IP addresses. One Elastic IP address per private IP address. One public IP address, which can be auto-assigned to the elastic network interface for the when you launch an instance. For more information, see Public IP Addresses for Network Interfaces. One or more security groups. A MAC address. A source/destination check flag. A description. The below article shows where the ENI is present for an instance. When you click on the, you will get more details on the network interface For more information on Elastic Network interfaces, please visit the url - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#attach_eni_launch

Answer 186

Answer: B A Cloudwatch alarm is used to monitor any Amazon Cloudwatch metric in your account. For example, you can create alarms on an Amazon EC2 instance CPU utilization, Amazon ELB request latency, Amazon Dynamo DB table throughput, Amazon SQS queue length, or even the charges on your AWS bill. Option A is wrong because Cloudtrail is used for logging purposes and not monitoring purposes Option C is partially correct and you can implement this policy, but since you have the option to use an AWS service, you need to opt for this Option B instead. Option D is wrong because SQS is used as a Queuing service. For more information on Cloudwatch, please visit the link - https://aws.amazon.com/cloudwatch/fags/

Answer 187

Answer: C Gateway-Cached Volumes provides a durable and inexpensively way to store your primary data in Amazon S83, and retain your frequently accessed data locally. Gateway-Cached Volumes provide substantial cost savings on primary storage, minimize the need to scale your storage on-premises, and provide low-latency access to your frequently accessed data. In addition to storing your primary data in Amazon S3 using Gateway-Cached Volumes, you can also take point-in-time snapshots of your Gateway-Cached volume data in Amazon 83, enabling you to make space-efficient versioned copies of your volumes for data protection and various data reuse needs. Option A and B are invalid because the burden of trying to sync the most recently used data on either EBS volumes or S3 would be a burden for the IT Department. For more information on Gateway-Cached Volumes, please visit the link https://aws.amazon.com/storagegateway/faqs/

Answer 188

Answer: B "With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. Follow the below steps to get this in place Step 1) Go the Lifecycle section of the $3 bucket and click on Add Rule Step 2) Choose what you want to export Step 3) Choose the Action to perform and then confirm on the Rule creation in the next screen. For more information on Lifecycle management, click on the link http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Answer 189

Answer: D Now even though SQS does guarantees the order of the messages for FIFO queues, this is still not the reason as to why this is the appropriate reason. The normal reason for using SQS, is for decoupling of systems and helps in horizontal scaling of aws resources. SQS does not either do transcoding output or checks the health of the worker instances. The health of the worker instances can be done via ELB or Cloudwatch. For more information on SQS, please visit the link - https://aws.amazon.com/sqs/faqs/

Answer 190

Answer: A Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in- progress snapshot is not affected by ongoing reads and writes to the volume. You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. For more information on EBS snapshots, please visit the link - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 191

Answer: B Elastic Load Balancing provides access logs that capture detailed information about requests or connections sent to your load balancer. Each log contains information such as the time it was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues. Perform the following steps to enable load balancing Step 1) Go to the Description tab for your load balancer Step 2) Go to the Attributes section and click on Edit Attributes Step 3) In the next screen, enable Access logging and choose the S3 bucket where the logs need to be added to. For more information on ELB logging, please visit the link — http://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

Answer 192

Answer: C Instance metadata is data about your instance that you can use to configure or manage the running instance. Option A is incorrect because, user data is what you enter when you launch an instance. This can be accessed by the instance later on. Option B is incorrect, because you use this feature to tag your resources to help you manage your instances, images, and other Amazon EC2 resources, you can optionally assign your own metadata to each resource in the form of tags. For more information on metadata, please visit the link - http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Answer 193

Answer: A For SSH access, the protocol has to be TCP, so Option B and C are wrong. For Bastion host, only the IP of the client should be put and not the entire network of 72.34.51.100/0 as given in option D. So this option is also wrong. A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. This is a security practice adopted by many organization to secure the assets in their private subnets.

Answer 194

Answer: A Cloud front is only used for distribution of content across edge or region locations. It is not used for restricting access to content, so Option B is wrong. Blocking IP’s is challenging because they are dynamic in nature and you will not know which sites are accessing your main site, so Option C is also not feasible. Storing photos on EBS volume is not a good practice or architecture approach for an AWS Solution Architect.

Answer 195

Answer: A, D Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high- performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies For more information on EBS volumes, please visit the link - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced- networking. html

Answer 196

Answer: D AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define the application’s architecture and the specification of each component including package installation, software configuration and resources such as storage. Start from templates for common technologies like application servers and databases or build your own to perform any task that can be scripted. AWS OpsWorks includes automation to scale your application based on time or load and dynamic configuration to orchestrate changes as your environment scales. For more information on Opswork, please visit the link — https://aws.amazon.com/opsworks/

Answer 197

Answer: C AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application. You don’t need to figure out the order for provisioning AWS services or the subtleties of making those dependencies work. CloudFormation takes care of this for you. After the AWS resources are deployed, you can modify and update them in controlled and predictable way, in effect applying version control to your AWS infrastructure the same way you do with your software. You can also visualize your templates as diagrams and edit them using a drag-and-drop interface with the AWS CloudFormation Designer. For more information on Cloudformation, please visit the link — https://aws.amazon.com/cloudformation/

Answer 198

Answer: C There is no additional charge for AWS CloudFormation. You only pay for the AWS resources that are created (e.g., Amazon EC2 instances, Elastic Load Balancing load balancers etc.) For more information on Cloudformation, please visit the link — https://aws.amazon.com/cloudformation/

Answer 199

Answer: B Option A is wrong because it already mentioned that your instances are in a public subnet. Only when your instances are in a private Subnet, then only you have to configure a NAT instance. Option C is wrong because the public IP address has to be configured in AWS and not on the EC2 instance. Option D is wrong because if the routing table was wrong then you would have an issue with the other 3 instances as well. And the question says that there is no issue with the other instances. For more information on Elastic IP’s, please visit the link: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Answer 200

Answer: B "Since this is like a batch processing job, the best type of instance to use is a Spot instances. Spot instances are normally used in batch processing jobs. Since these jobs don’t last for the entire duration of the year, they can bid upon and allocated and de- allocated as requested. Reserved Instances/Dedicated instances cannot be used because this is not a 100% used application. There is no mentioned on a continuous demand of work from the question so there is no need to use On-demand instances. What is Spot Instance? - These are spare unused Amazon EC2 instances that you can bid for. Once your bid exceeds the current spot price (which fluctuates in real time based on demand-and-supply) the instance is launched. The instance can go away anytime the spot price becomes greater than your bid price. Note that spot instance also a category of on-demand instance, but it is demanded based on the low cost bidding. What is On-demand instance? - They let you pay for your computing capacity needs by the hour. There is not much planning required from the user's end and no one time cost that you need to pay upfront like in case of reserved instances. Suitable for use cases where you do not want any long term commitment like testing and POCs, spiky, not to be interrupted workloads. For more information on Spot Instances, please visit the URL - https://aws.amazon.com/ec2/spot/ http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/how-spot-instances- work. html

Answer 201

Answer: A When you think of cost effectiveness, you can either have to choose Spot or Reserved instances. Now when you have a regular processing job, the best is to use spot instances and since your application is designed recover gracefully from Amazon EC2 instance failures, then even if you lose the Spot instance, there is no issue because your application can recover. For more information on spot instances, please visit the link https://aws.amazon.com/ec2/spot/

Answer 202

Answer: A, C, D Amazon S3 event notifications enable you to run workflows, send alerts, or perform other actions in response to changes in your objects stored in Amazon S3. You can use Amazon S3 event notifications to set up triggers to perform actions including transcoding media files when they are uploaded, processing data files when they become available, and synchronizing Amazon S3 objects with other data stores. When you go to the Events section in S3, you can see the options present there for SNS, SQS and Lambda function.

Answer 203

Answer: B Since you already have an existing role, you don’t need to create a new one, so Option A is wrong. Remember that roles are a global service that is available across all regions. So Option C is also wrong. Option D is wrong because this has to do with roles and no need of creating an AMI image. So when you create a role choose the Amazon EC2 option in the Select Role type. In the next screen, you can select the Amazon DynamoDB type of access required. Once the role is created, choose the role in the Configure Instance Details screen when creating the EC2 instance.

Answer 204

Answer: A Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS, so they don’t have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. DynamoDB is durable, scalable, and highly available data store in aws and can be used for real time tabulation. Option B is wrong because it is a petabyte storage engine and is used in cases where there is a requirement for an OLAP solution. Option C is wrong because it is used for processing streams and not for storage. Option D is wrong because it is a de-coupling solution. For more information on Amazon DynamoDB, please visit https://aws.amazon.com/dynamodb/faqs/

Answer 205

Answer: A AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume - there is no charge when your code is not running. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app For more information on Amazon Lambda, please visit https://aws.amazon.com/lambda/?nc2=h_m1

Answer 206

Answer: A Use Amazon Kinesis Streams to collect and process large streams of data records in real time. You'll create data-processing applications, known as Amazon Kinesis Streams applications. A typical Amazon Kinesis Streams application reads data from an Amazon Kinesis stream as data records. These applications can use the Amazon Kinesis Client Library, and they can run on Amazon EC2 instances. The processed records can be sent to dashboards, used to generate alerts, dynamically change pricing and advertising strategies, or send data to a variety of other AWS services For more information on Amazon Kinesis, please visit http: //docs.aws.amazon.com/streams/latest/dev/introduction.html

Answer 207

Answer: B When uploading large videos it’s always better to make use of aws multi part file upload. So if you are using the Multi Upload option for S3, then you can resume on failure. Below are the advantage of Multi Part upload Improved throughput—you can upload parts in parallel to improve throughput. Quick recovery from any network issues —smaller part size minimizes the impact of restarting a failed upload due to a network error. Pause and resume object uploads—you can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or abort the multipart upload. Begin an upload before you know the final object size—you can upload an object as you are creating it. For more information on Multi-part file upload for S3, please visit the URL - http://docs.aws.amazon.com/AmazonS3/latest/dev/qfacts.html

Answer 208

Answer: B Logging provides a way to get detailed access logs delivered to a bucket you choose. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Since you don’t want logging of every AWS service, there is no need to CloudTrail, hence you can neglect Option A. Option C is not valid because that refers to billing. Option D is invalid because event notifications is different from logging. To enable logging just go to the Logging section in your S3 bucket For more information on S3 Logging, please visit the URL - http: //docs.aws.amazon.com/AmazonS3/latest/UG/ManagingBucketLogging.html

Answer 209

Answer: B When you think of storage, the automatic choice should aws S3. Amazon S3 is storage for the Internet. It’s a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs. For more information on S3 Logging, please visit the URL - https://aws.amazon.com/s3/faqs/

Answer 210

Answer: A The question mentioned a scalable web tier and not a database tier. So Option C, D and B are already automated eliminated, since we do not need a database option. The below example shows an Elastic Load balancer connected to 2 EC2 instances connected via Auto Scaling. This is an example of an elastic and scalable web tier. By scalable we mean that the Auto scaling process will increase or decrease the number of EC2 instances as required.

Answer 211

Answer: B If your workload in an Amazon S3 bucket routinely exceeds 100 PUT/LIST/DELETE requests per second or more than 300 GET requests per second then you need to perform some guidelines for your S3 bucket. One way to add a hash prefix key to the key name - One way to introduce randomness to key names is to add a hash string as prefix to the key name. For example, you can compute an MDs hash of the character sequence that you plan to assign as the key name. For performance considerations, please visit the URL http://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html

Answer 212

Answer: A Transitive VPC peering is not allowed in AWS. Here Test VPC has peered with Dev VPC and Test VPC also peered with Prod VPC but in order to establish private communication between Dev and Prod resources, new VPC peering has to create between Dev VPC and Prod VPC. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region The below diagram shows an example of VPC peering. Now please note that VPC B cannot communicate to VPC C because there is no peering between them. Hence in the same way the above question there is no peering between Prod and Dev. , hence the only way for them to communicate is to have a VPC peering setup between them. For more information on VPC peering, please visit the url http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

Answer 213

Answer: B AWS Elastic Beanstalk makes it even easier for developers to quickly deploy and manage applications in the AWS Cloud. Developers simply upload their application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring. For more information on Elastic Beanstalk, please visit the URL https://aws.amazon.com/elasticbeanstalk/faqs/

Answer 214

Answer: C AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely. With AWS IoT, your applications can keep track of and communicate with all your devices, all the time, even when they aren’t connected. For more information on aws IoT, please visit the URL https://aws.amazon.com/iot/

Answer 215

Answer: A After you create [AM users and passwords for each, users can sign in to the AWS Management Console for your AWS account with a special URL. By default, the sign-in URL for your account includes your account ID. You can create a unique sign-in URL for your account so that the URL includes a name instead of an account ID By default the URL will be of the format shown below https://AWS-account-ID-or-alias.signin.aws.amazon.com/console

Answer 216

Answer: A, B, D An IAM user is an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. An IAM group is a collection of LAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS For more information on Identities, please visit the URL http: //docs.aws.amazon.com/IAM/latest/UserGuide/id.html

Answer 217

Answer: B The AWS Documentation mentions the following on storage gateways AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security. For more information on Storage gateways , please refer to the below URL: http: //docs.aws.amazon.com/storagegateway /latest/userguide/WhatIsStorageGateway.html

Answer 218

Answer: A Amazon Kinesis is a platform for streaming data on AWS, offering powerful services to make it easy to load and analyze streaming data, and also providing the ability for you to build custom streaming data applications for specialized needs. Web applications, mobile devices, wearables, industrial sensors, and many software applications and services can generate staggering amounts of streaming data — sometimes TBs per hour — that need to be collected, stored, and processed continuously. Amazon Kinesis services enable you to do that simply and at a low cost. For more information on Kinesis, please refer to the below link https://aws.amazon.com/kinesis/

Answer 219

Answer: A, B, C In Amazon Kinesis , the producers continually push data to Streams and the consumers process the data in real time. Consumers can store their results using an AWS service such as Amazon DynamoDB, Amazon Redshift, or Amazon S3. Its better to put the records to a persistent data store for any further processing at a later point in time. For more information on the key concepts of Amazon Kinesis, please refer to the below link: http://docs.aws.amazon.com/streams/latest/dev/key-concepts.html

Answer 220

Answer: A In order to implement disaster recovery you need to copy the AMI to the desired region, since AMI’s are different region wise. For more information on AMI’s, please visit the below url http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs. html

Answer 221

Answer: C By default, Records of a stream are accessible for up to 24 hours from the time they are added to the stream. You can raise this limit to up to 7 days by enabling extended data retention. So since the Kinesis stream is created with the default settings, the streams are not being added to S3 for one day. For more information on Kinesis streams, please visit the below url https://aws.amazon.com/kinesis/streams/faqs/

Answer 222

Answer: A,D The subnet could have created as a private subnet and not either not have the Route table updated with the internet gateway and the public IP is not attached to the EC2 instance. For more information on VPC and subnets, please visit the below url http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Answer 223

Answer: A The best option is to group the set of users in a group and then apply a policy with the required access to the group. For more information on IAM Groups, please visit the below url http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Answer 224

Answer: A The AMI’s differ from the region to region, hence this is a not a required practice. You need to copy the AMI from region to region if you want to implement disaster recovery as a best practice. For more information on AMI’s, please visit the below url http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs. html

Answer 225

Answer: B Since the AMI is changed, you need to create a new launch configuration that can be used by the Autoscaling group. For more information on Launch configuration, please visit the below url http: //docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html

Answer 226

Answer: B, C, D This is given in the aws documentation For more information on adding instances to Autoscaling groups, please visit the below url http://docs.aws.amazon.com/autoscaling /latest/userguide/attach-instance-asg.html

Answer 227

Answer: A, B When designing which EC2 instances to use, you need to know the I/O and memory requirements. These are some of the core components of an Ec2 instance type. For more information on EC2 instance types, please visit the below url https://aws.amazon.com/ec2/instance-types/

Answer 228

Answer: C Amazon SWF promotes a separation between the control flow of your background job's stepwise logic and the actual units of work that contain your unique business logic. This allows you to separately manage, maintain, and scale "state machinery" of your application from the core business logic that differentiates it. As your business requirements change, you can easily change application logic without having to worry about the underlying state machinery, task dispatch, and flow control. When you use SWF you are guaranteed that a message will be processed only once. For more information on SWF, please visit the below url https://aws.amazon.com/swf/

Answer 229

Answer: B When defining a health check, in addition to the port number and protocol , you have to also define the page which will be used for the health check. If you don’t have the page defined on the web server then the health check will always fail. For more information on Health checks, please visit the below url http: //docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb- healthchecks. html

Answer 230

Answer: D To discover the availability of your EC2 instances, a load balancer periodically sends pings, attempts connections, or sends requests to test the EC2 instances. These tests are called health checks. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances, whether the instance is in a healthy state or an unhealthy state. The load balancer routes requests only to the healthy instances. When the load balancer determines that an instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the instance when it has been restored to a healthy state. You can see the status of the instance in the Registered Instances section of the load balancer.

Answer 231

Answer: A The issue is probably due to the fact they maybe a human interaction such as an approval is required for the orders to be further processed. For more information on SWF, please visit the below url https://aws.amazon.com/swf/

Answer 232

Answer: C Option A is automatically incorrect because remember that the question asks for high availability. For option A, if the AZ goes down then the entire application fails. For Option B and D, the ELB is designed to only run in one region in aws and not across multiple regions. So these options are wrong. The right option is C.

Answer 233

Answer: A When an object is placed in S3, it is done via HTTP via a POST or PUT object request. When a success occurs, you will get a 200 HTTP response. But since a 200 Response can also contain error information, a check of the MD5 checksum confirms on whether the request was a success or not. For more information on the POST request for an object in S3, please visit the link: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST. html For more information on the PUT request for an object in S3, please visit the link: http: //docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectCOPY.html

Answer 234

Answer: B For an EC2 instance to allow SSH, you can have ‘Allow’ configuration for both Security and Network ACL for Inbound Traffic. For Outbound Traffic ‘Allow’ for Network ACL and "Deny' for Security The reason why Network ACL has to have both an Allow for Inbound and Outbound is because network ACL’s are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Whereas for Security groups, responses are stateful. So if an incoming request is granted, by default and outgoing request will also be granted.

Answer 235

Answer: B An IAM group is used to collectively manage users who need the same set of permissions. By having groups, it becomes easier to manage permissions. So if you change the permissions on the group scale, it will affect all the users in that group. Please find the steps below for the group creation. Step 1) Go to IAM and click on the Groups section. Click on Create New Group. Step 2) Provide a name for the Group Step 3) Next you need to attach a policy. Since the question asks that this group needs full access to S3 , choose the AmazonS3FullAccess role. Step 4) Once the group is created, you can then add the 50 users to the group For more information on users and groups, please visit the url - http://docs.aws.amazon.com/IAM/latest/UserGuide/id.html

Answer 236

Answer: B, D As per the shared responsibility shown below, the users are required to control the EC2 security via security groups and network access control layers. Also it is the user’s responsibility model, aws takes care of the physical components and the infrastructure to provide Virtualization. For more information on aws shared responsibility model, please visit the link - https://aws.amazon.com/blogs/security/tag/shared-responsibility-model/

Answer 237

Answer: A DynamoDB is an aws service that provides a NoSQL database option to users. DynamoDB is a hosted solution by aws , there is no requirement to manage the environment for DynamoDB. And the question clearly states there are no resources in place to manage the DynamoDB environment. DynamoDB lets you offload the administrative burdens of operating and scaling a distributed database, so that you don't have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. ElasticMapReduce is not a NoSQL solution. SimpleDB is a simplified DB solution given by aws and hence is not a solution. For more information on DynamoDB, please visit the link - http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

Answer 238

Answer: A, B, C Encryption in AWS needs to be done by the users and can be done on different levels. For EBS, we can enable encryption at the volume level. This can be done when the volume is created, this is shown in the screenshot below. On S3, For any object you can enable server side encryption by going to the Permissions section of the object in S3 and enable the server side encryption option. And finally, one can use Linux based tools to encrypt a volume if it is not encrypted.

Answer 239

Answer: B, C Amazon Glacier is an extremely low-cost storage service that provides secure, durable, and flexible storage for data backup and archival. So Amazon glacier is used for Infrequently accessed data and Data archives. For Cached Data Session , the service provided by aws is known as elastic cache. So Amazon glacier is the wrong option. For Active database storage , this is done via EBS volumes , so this option is also incorrect. For more information on Amazon Glacier , please visit the link - https://aws.amazon.com/glacier/faqs/

Answer 240

Answer: B "The best practice for LAM is to create roles which has specific access to an AWS service and then give the user permission to the AWS service via the role. To get the role in place, follow the below steps Step 1) Create a role which has the required ELB access Step 2) You need to provide permissions to the underlying EC2 instances in the Elastic Load Balancer For the best practices on LAM policies, please visit the link: http: //docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html]

Answer 241

Answer: A AWS Cloudtrail is the defacto service provided by aws for monitoring all API calls to AWS and is used for logging and monitoring purposes for compliance purposes. Amazon cloudtrail detects every call made to aws and creates a log which can then be further used for analysis. For more information on Amazon Cloudtrail , please visit the link — https://aws.amazon.com/cloudtrail/

Answer 242

Answer: A, B EC2 and Elastic Beanstalk are aws services that allow the developer access to the underlying infrastructure. When you create an Elastic beanstalk environment as shown below , you will have access to the underlying EC2 instance. So in the example , for the Elastic beanstalk environment , you will have access to the Windows Server 2012 environment. DynamoDB and RDS are services provided and the infrastructure is managed by aws.

Answer 243

Answer: D To protect objects in S3 from both accidental deletion and accidental overwriting, the methodology adopted by aws is to Enable versioning on the bucket. Versioning allows to store every version of an object , so that if by mistake there is a version deleted, you can recover other versions, because the entire object is not deleted. Enable Multi- Factor Authentication (MFA) protected access on S3 is only used to add an additional security layer to S3. So that users who are authenticated properly before having access to the bucket. But this is not what the question is asking. To enable versioning on S3, you need to go to the bucket , and in the properties , you can enable versioning.

Answer 244

Answer: C Please note that, no , by default , Encryption is not enabled. So option A and B are incorrect. Also note that it is not necessary to encrypt before every upload. For any object you can enable server side encryption by going to the Permissions section of the object in S3 and enable the server side encryption option. For more information on Encryption for S3 , please refer to the link - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Answer 245

Answer: C, D Reserved Instances provide a significant discount (up to 75%) compared to On- Demand instance pricing. There is a fixed quote of reserved power that it is given to the account. You have the Flexibility to change families, OS types, and tenancies while benefitting from Reserved Instance pricing. Now reserved instances are bought upfront for a specified duration. Unlike On-demand instances, there is no cost difference if you stop the instances, so option A is incorrect. Since you have already bought the reserved instances, you cannot ask aws to recover the costs. The only 2 options available are to terminate the instances immediately and sell them on AWS Reserved Instance Marketplace for a specified price. Note that all Reserved Instances are grouped according to the duration of the term remaining and the hourly price in the market place. Hence, terminating the instance immediately would help to save remaining term. You can purchase reserved instances from the reserved instances section in the EC2 dashboard. In the next screen, you can choose the reserved instance to buy. But you are making an upfront commitment to buy the instances. For more information on reserved instances please follow the link - https://aws.amazon.com/ec2/pricing/reserved-instances/

Answer 246

Answer: A, D The question asks for Encryption at rest for S3, so any answer related to EBS encryption does not correspond to the right answer. For any object you can enable server side encryption by going to the Permissions section of the object in S3 and enable the server side encryption option. And then for client side encryption, you can encrypt the object and send it to S3 when you program your application. For the entire detailed description on Encryption strategies, please visit the link - http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html

Answer 247

Answer: A If you look at the SQS FAQ, it is clearly mentioned that SQS messages are guaranteed to be delivered at least once. The message size for SQS can be 256KB in size. The message formats can be in XML, JSON and unformatted text. The messages can live in the queue for a maximum of 14 days. For more information on SQS messages, please follow the link https://aws.amazon.com/sqs/faqs/

Answer 248

Answer: A Anything that is stored on an instance store volume is destroyed when the instance is shutdown. Instance store volumes are ephemeral, which means that they only survive when the instance is active. EBS backed Volumes are not ephemeral and exists even if the instance is stopped and started, so Option B is wrong. Even if EBS volume is not big enough, it does not mean that it will not be present when the instance is stopped and started, so Option C is wrong. If the instance is compromised, then the instance would not even start, so Option C is wrong. For more information on instance store volumes, please visit http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html

Answer 249

Answer: A, B, C DBz2 is the only database service not provided by AWS. For the list of DB services, please visit the link - https://aws.amazon.com/rds/ For more information on Aurora, please visit the link - https://aws.amazon.com/rds/aurora/ For more information on mySQL, please visit the link - https://aws.amazon.com/rds/mysql/ For more information on MariaDB , please visit the link - https://aws.amazon.com/rds/mariadb/

Answer 250

Answer: A AWS Import/Export is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet. For Amazon S3 Multipart Upload, there are the following restrictions, so then it’s better to use the Amazon Import/Export. For more information on aws import/export, please visit the link - https://aws.amazon.com/snowball/ Amazon Direct Connect is used as a connection between AWS and On-premise so this is the wrong option.

Answer 251

Answer: B In AWS , there are regions with each region separated in a seperate geographic area. Each region has multiple, isolated locations known as Availability Zones. An availability zone is used to host resources in a specific region. For more information on Regions and availability zone, please visit the url - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html An edge location is used to deliver content depending on the location of the user. So if the user is located in Australia, the Australia region can be used to deliver content. If a user was in Australia and you delivered content in Asia , there would a delay in the relay of information to the user. Each edge location synchronizes data so that integrity of data is maintained across all edge locations. For more information on Edge locations, please visit the url — https: //aws.amazon.com/about-aws/global-infrastructure/

Answer 252

Answer: C This is a tricky question and note that Options A, B and D can be used to decrease the likelihood of duplicate messages , but cannot remove the change entirely. For option A , even if the code is inserted , which should be the case already , if the EC2 instance goes down , the same issue can occur again. The message will not be deleted and when it comes in the SQS queue, it will be processed again. For option B , even if you increase the visibility timeout , if the process has taken the message but not deleted the message , after the visibility timeout expires , the EC2 instance will again process the message and the same issue will happen again. If you use long polling instead of short polling , you still have the same problem with Option A and B. For more information on SQS , please visit the link — https://aws.amazon.com/sqs/faqs/

Answer 253

Answer: D Below is a sample VPC from the aws VPC guides. For an instance to be available from the internet , you need to ensure 1) The Internet gateway is in place — This is has been confirmed in the question. 2) There isa route entry for the internet gateway — This should be in place , because out of the 2 instances , one is working. 3) The EC2 instance should have a public or Elastic IP — From the question , there is no mention of one being allocated to the problem instance. Hence option D is the right answer. For more information on VPC public subnets , please visit the url -http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html

Answer 254

Answer: C A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. In AWS , A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. This is a security practice adopted by many organization to secure the assets in their private subnets.

Answer 255

Answer: C Since the question states that the SQS is configured with the maximum retention period , it means that messages can last for 14 days. So option A is invalid , since the messages will still be in the queue even after 10 days Option B is invalid for the same reason noted in Option B Option D is invalid because a queue can have up to 120,000 messages. For more information on SQS, please visit the link: https: //aws.amazon.com/sqs/

Answer 256

Answer: B By default an SQS queue is configured with Short polling , which means that the queue is polled every so often for new messages. There is an option of long polling which allows for a shorter poll time but taking in more messages during the long polling cycle. In order to reduce the number of polling cycles , it better to have bigger gaps by enabling long polling. And this can be done by setting the ReceiveMessageWaitTimeSeconds attribute of the queue to a value greater than o. You can do this by changing the queue attributes as shown below Answer - B For more information on polling, please visit the link - http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-long-polling.html

Answer 257

Answer: D This question is not that complicated, even though if you don’t understand the options. By default when you see “collection of logs and processing of logs”, directly think of AWS EMR. Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB. Amazon EMR securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. For more information on EMR, please visit the link — https://aws.amazon.com/emr/

Answer 258

Answer: D A bastion host should always be a small EC2 instance, because there is no requirement of applications to run on it. Also you should only open port 22 from your IP address and no other IP Address. In AWS , A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. This is a security practise adopted by many organization to secure the assets in their private subnets.

Answer 259

Answer: A, C The AWS Documentation provides the following information on Cloudfront and Elastic Cache Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .php, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance. For more information on AWS Cloudfront, please visit the below URL: http: //docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.htm] Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in memory data stores, instead of relying entirely on slower disk-based databases. For more information on AWS Elastic Cache, please visit the below URL: https://aws.amazon.com/elasticache/

Answer 260

Answer: C For highly available websites, yes Multiple Availability Zones and Multiple subnets are required. Below is a simple architecture of a highly available website consisting of an ELB and 2 AZ’s. BY default each AZ should be located in a different subnet. Also auto-scaling is used to add additional EC2 instances for fault tolerance. SQS is not an option, because SQS is only used to decouple components in an architecture, it is not necessary for a high available web site.

Answer 261

Answer: B Please refer to the table in the KB Article which gives the restrictions for the Multi- part file upload for $3. From here it clearly shows that the right answer is 5TB. For more information on Multi-part file upload for S3 , please visit the url - http://docs.aws.amazon.com/AmazonS3/latest/dev/qfacts.html

Answer 262

Answer: A, C The screenshots are from the S3 FAQ’s of AWS. Visit KB Article. Option B is incorrect, because as per the S3 definition, the maximum size of objects can be 5 TB Option D is incorrect because you can virtually store objects of any type For more information on S3 , please visit the URL — https://aws.amazon.com/s3/faqs/

Answer 263

Answer: A A policy is a JSON document that specifies what a user can do on AWS. This document consists of Actions: what actions you will allow. Each AWS service has its own set of actions. Resources: which resources you allow the action on. Effect: what the effect will be when the user requests access—either allow or deny. Below is a sample snippet of a policy document that allows access to all users to Describe EC2 Instances. You can clearly see the Actions, Resources and Effect which define the policy document. For more information on policies, please visit the url - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Answer 264

Answer: A The AWS Documentation provides the following information A private IPv4 address is an IP address that's not reachable over the Internet. You can use private IPv4 addresses for communication between instances in the same network (EC2-Classic or a VPC). For more information on AWS IP Addressing, please visit the below URL: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing. html

Answer 265

Answer: D Permissions are defined via policies which consist of the following elements Actions: what actions you will allow. Each AWS service has its own set of actions. Resources: which resources you allow the action on. Effect: what the effect will be when the user requests access—either allow or deny. Below is a sample snippet of a policy document that allows access to all users to Describe EC2 Instances. You can clearly see the Actions, Resources and Effect which define the policy document. For more information on policies, please visit the url: http: //docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Answer 266

Answer: B The AWS Documentation provides the following information on SAML Federation AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an LAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of writing custom identity proxy code. For more information on SAML Federation, please visit the below URL: http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

Answer 267

Answer: A Automated backups automatically back up your DB instance during a specific, user-definable backup window. Amazon RDS keeps these backups for a limited period that you can specify. You can later recover your database to any point in time during this backup retention period. And all of these backups get stored to S3 by default. Option B is not correct, because that is used to store data for EC2 instances Option Cis not correct because an RDS cannot be used to store snapshots Option D because EMR is used for storing and processing logs. For more information on DB instance backup’s, go to the url - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html

Answer 268

Answer: A AWS free tier gives you access to the basic metrics for Cloudwatch and by default the basic package gives 5 minutes of aggregation of Cloudwatch metrics. If you need a further shorter interval, the you need to pay extra. For more information on the free tier , please feel free to visit the url - https://aws.amazon.com/free/

Answer 269

Answer: C Please note that this is an important concept, if you are pursuing further certifications in AWS. Tags in aws are used to segregate resources in aws, which can also be used for cost reporting and billing purposes. In EC2 dashboard , there is a separate section for Tags.

Answer 270

Answer: A A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level. Below is an example of a security group which has inbound rules. The below rule states that users can only SSH into EC2 instances that are attached to this security group. For more information on Security Groups , please visit the url - http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Answer 271

Answer: D You need to ensure that after a message is processed in SQS, the message is deleted. For more information on SQS, please visit the below url https://aws.amazon.com/sqs/faqs/

Answer 272

Answer: A Since there is a minimum of 4 instances required to run, if you deploy them in 3 AZ’s and even if one AZ goes down , you will have at least 4 instances running. Requirement is to look for Best Option. Since in question's context ensuring it will be fault tolerant and high availability system, 2 extra instances shall be created in another AZ. This will ensure the requirement is fulfilled properly. For more information on fault tolerance and high availability, please visit the below URL: https://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ftha_o4.pdf

Answer 273

Answer: C One of the important aspects of hosting databases in VPC's is the following: Your VPC must have at least one subnet in at least two of the Availability Zones in the region where you want to deploy your DB instance. A subnet is a segment of a VPC's IP address range that you can specify and that lets you group instances based on your security and operational needs. Few important points about VPC: When you create a VPC, it spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. For more information on working with RDS instances , please refer to the below link: http: //docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html

Answer 274

Answer: B A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Option A and D are wrong because this is a tedious task and it only works for Windows systems. You need something that will work for Linux systems as well. Option C is only adequate for EC2 instances, but you need rules that will apply to the whole subnet. Otherwise the task of having this done for all servers becomes a tedious task. For more information on Network ACL’s, please visit the URL http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Answer 275

Answer: B You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long term access key credentials that your IAM users can use. Option A is wrong because this is the queuing service provided by AWS. Option C is wrong because this is the emailing service provided by AWS. Option D is wrong because there is a service which exists from AWS. For more information on STS, please visit the below URL http: //docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

Answer 276

Answer: A, D When you design a web server and database server, the security groups must be defined so that the web server can talk to the database server. An example image from the AWS documentation is given below Also when communicating between subnets you need to have the NACL’s defined Option B is wrong since the EC2 instances need not be of the same class or same key pair to communicate to each other. Option C is wrong since there the NAT and Internet gateway is used for the subnet to communicate to the internet. For more information on VPC and Subnets, please visit the below URL http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

Answer 277

Answer: D RRS only has 99.99% durability and there is a chance that data can be lost. So you need to ensure you have the right steps in place to replace lost objects. Even though RRS has 99.99% availability, all storage types have the same availability, so it does not answer the question on the specific trade-offs for RRS.

Answer 278

Answer: B As per the shared responsibility shown below, the users are required to control the EC2 security via security groups and network access control layers. For more information on the Shared Responsibility model, please refer the below URL: https://aws.amazon.com/compliance/shared-responsibility-model/

Answer 279

Answer: D Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database (DB) Instances, making them a natural fit for production database workloads. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure (for example, instance hardware failure, storage failure, or network disruption), Amazon RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete. And as per the AWS documentation, the cname is changed to the standby DB when the primary one fails. For more information on Multi-AZ RDS, please visit the link — https://aws.amazon.com/rds/details/multi-az/

Answer 280

Answer: A The Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services We can simply upload code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitering. Meanwhile we can retain full control over the AWS resources used in the application and can access the underlying resources at any time. Launch LAMP stack with Elastic Beanstalk: https://aws.amazon.com/getting-started/projects/launch-lamp-web-app/. We can do it on AWS CloudFormation as well in a harder way and it will be less Native: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/deploying.applications.html

Answer 281

Answer: A, B, C This is given in the AWS documentation: For more information on AWS Lambda, please visit the link: https://aws.amazon.com/lambda/faqs/

Answer 282

Answer: B This is given in the aws documentation For more information on AWS Lambda, please visit the link https://aws.amazon.com/lambda/faqs/

Answer 283

Answer: D Yes, You need to configure ALIAS record for ELB but it should point to A record. You can find details in below AWS document http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-to-elb-load- balancer.html This is given in the aws documentation For more information on Routes3, please visit the link http: //docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets- values-alias.html

Answer 284

Answer: B Only FIFO queues can preserve the order of messages and not standard queues. For more information on standard queues, please visit the below URL https://aws.amazon.com/sqs/faqs/

Answer 285

Answer: A AWS Direct Connect provides private connectivity between AWS and your data center, office, or co-location environment. It makes it easy to establish a dedicated connection from an on- premise network to Amazon VPC. However if you want to have a secure private connection between your on-premise architecture and VPC's hosted in AWS we can combine AWS Direct Connect dedicated network connection along with the Amazon VPC hardware VPN. AWS Direct Connect along with VPN can provide an IP-Sec encrypted private connection that also reduces network costs. Option A is correct answer for a secured private connection. Option B, Route 53 is AWS Domain Name service. Incorrect answer for this question Option C ClassicLink allows you to link your EC2-Classic instance to a VPC in your account, within the same region. Incorrect answer Option D is Incorrect. Further information is available on the following white-paper. https://media.amazonwebservices.com/AWS_Amazon_VPC_Connectivity_Options.pdf

Answer 286

Answer: A, C If your Amazon EBS volume is attached to a current generation EC2 instance type, you can increase its size, change its volume type, or (for an io1 volume) adjust its IOPS performance, all without detaching it. For more information on changing the volume size, please visit the link: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html For more information on changing the EBS encryption, please visit the link http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption. html

Answer 287

Answer: C You can control how long your objects stay in a CloudFront cache before CloudFront forwards another request to your origin. Reducing the duration allows you to serve dynamic content. Increasing the duration means your users get better performance because your objects are more likely to be served directly from the edge cache. A longer duration also reduces the load on your origin. For more information on changing the volume encryption, please visit the link http: //docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Expiration.html

Answer 288

Answer: D "The AWS documentation mentions the following The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under the following circumstances: - The underlying disk drive fails - The instance stops - The instance terminates For more information on Instance store AMI’s, please visit the below URL: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html AWS docs provides following details: it's an instance store. Storage for the Root Device All AMIs are categorized as either backed by Amazon EBS or backed by instance store. The former means that the root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot. The latter means that the root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3. For more information, see Amazon EC2 Root Device Volume. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html #storage-for-the-root-device

Answer 289

Answer: C Use the weighted routing policy when you have multiple resources that perform the same function (for example, web servers that serve the same website) and you want Amazon Route 53 to route traffic to those resources in proportions that you specify (for example, one quarter to one server and three quarters to the other). For more information on the routing policy, please visit the link http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

Answer 290

Answer: B If you need an AMI across multiple regions , then you have to copy the AMI across regions. Note that by default AMI’s that you have created will not be available across all regions. So option A is automatically invalid. Next you can share AMI’s with other users, but they will not be available across regions. So option C and D is invalid. You have to copy the AMI across regions. To copy AMI’s , follow the below steps Step 1) The first step is to create an AMI from your running instance by choosing on Image > Create Image. Step 2) Once the Image has been created, go to the AMI section in the EC2 dashboard and click on the Copy AMI option. Step 3 ) In the next screen , you can specify where to copy the AMI to. For the entire details to copy AMI’s , please visit the link - http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html

Answer 291

Answer: A, B, C As RDS Instance is completely managed by AWS and user doesn't have access Operating System metrics, So it is logical for AWS to provide us those metrics. Please refer to AWS documentation http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Monitoring.html Refer to the screenshot attached which shows metrics like Freeable Memory, Freeable Space, Swap Usage etc which are Operating System visible metrics.

Answer 292

Answer: B The maximum size for EBS provisioned IOPS volume allowed is 16384 GiB which 16 TiB. See error while trying to create volume more than available size: The minimum size for an EBS Provisioned IOPS SSD volume is 4GiB and maximum size is 16TiB. This sort of volumes are normally used for hosting databases which require a lot of I/O operations. These types of volumes have better performance and are optimized for such scenarios. For more information on EBS volume types, please visit the link: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

Answer 293

Answer: B Since the data is not required to be accessed frequently, the data can be stored on Amazon glacier for cheaper storage. Remember that the recovery time for getting data from Glacier is from 3-5 hours. You can look at the FAQ section of aws glacier - https://aws.amazon.com/glacier/faqs/

Answer 294

Answer: B Please note that there is no cost when data is transferred from EC2 to S3 if they are in the same region. This is very important for an AWS Solution Architect to know.

Answer 295

Answer: B In Amazon EMR, you have the ability to work with the underlying instances wherein the EMR service allows you to associate the EC2 Key pair with the launched instances. This is also given in the AWS documentation. For more information on the access to EMR nodes , please visit the below URL http: //docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-access-ssh. html

Answer 296

Answer: A Bucket names must be unique across all regions. Let’s say you have created a bucket names devtoolslogging in the Singapore region. Now if you want to create a bucket of the same name in the Oregon region, you will get an error that the bucket already exists.

Answer 297

Answer: A You have the chance to enable static web site hosting for S3 buckets. This can be done via the properties option for the bucket. The end point of the bucket for static hosting will also be configured.

Answer 298

Answer: B AWS 83 is already highly available and fault tolerant. This is very clearly mentioned in its FAQ’s - https://aws.amazon.com/s3/faqs/

Answer 299

Answer: B, C When you launch the VPC wizard, you will get these options in the VPC wizard.

Answer 300

Answer: C “ephemeral is temporary storage that is always deleted when an instance is restarted in aws. When you stop or terminate an instance, every block of storage in the instance store is reset. Therefore, your data cannot be accessed through the instance store of another instance. Data on the EBS volume is LOST only if the Root Volume is EBS backed and the Delete On Termination flag is checked (Checked by default) Find more details in AWS documentation here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html?shortFooter=true#instance-store-lifetime “

Answer 301

Answer: B Please refer to the AWS SQS FAQ section - https://aws.amazon.com/sqs/faqs/

Answer 302

Answer: A When you have instances that will be used continuously and throughout the year, the best option is to buy reserved instances. By buying reserved instances, you are actually allocated an instance for the entire year or the duration you specify with a reduced cost. To understand more on reserved instances, please visit the link: https: //aws.amazon.com/ec2/pricing/reserved-instances/ https: //blog.cloudability.com/maximizing-cost-savings-aws-reserved-instances/ https: //awsinsider.net/articles/2017/03/21/controlling-aws-costs.aspx

Answer 303

Answer: C Please refer to the AWS S3 FAQ section - https://aws.amazon.com/s3/faqs/

Answer 304

Answer: A Amazon EBS-backed instances can be stopped and restarted. So we can say Instance-store backed instances cannot be restarted. Please see the url for the key differences between EBS and instance store volumes http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html

Answer 305

Answer: A The AWS Documentation mentions the following on Cloudwatch Logs You can use CloudWatch Logs to monitor applications and systems using log data. For example, CloudWatch Logs can track the number of errors that occur in your application logs and send you a notification whenever the rate of errors exceeds a threshold you specify. CloudWatch Logs uses your log data for monitoring; so, no code changes are required. For example, you can monitor application logs for specific literal terms (such as "NullReferenceException") or count the number of occurrences of a literal term at a particular position in log data (such as "404" status codes in an Apache access log). When the term you are searching for is found, CloudWatch Logs reports the data to a CloudWatch metric that you specify. Log data is encrypted while in transit and while it is at rest. For more information on Cloudwatch logs , please visit the below URL: http: //docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html

Answer 306

Answer: A With the above requirements, the best option is to opt for Amazon Glacier. Please refer to the Glacier FAQ’s https://aws.amazon.com/glacier/faqs/

Answer 307

Answer: D You cannot access OS of RDS Databases, as RDS is fully managed service by AWS. In case a customer wants to have access to OS for their Database for more granular control or other compliance reason, then they can install their Database engine in EC2 instance. In choice D, DB needs to be installed in EC2 for OS access with replication to support failover. Please follow below link for reference, which shows steps to install and configure Oracle in EC2 instance https://oracle-base.com/articles/vm/aws-ec2-installation-of-oracle Since the client wants privilege on the RDS, option B is not valid. Since there is a requirement for highly availability, you cannot have just one AZ and one EC2 instance. Hence D is the right answer. Please refer below link showing an architecture example to enable Oracle database high availability on EC2 server. http: //docs.aws.amazon.com/quickstart/latest/oracle-database/architecture.html For more information, please read the below link: http://docs.aws.amazon.com/dms/latest/userguide/CHAP_Introduction.ReplicationInstance.html

Answer 308

Answer: B Please refer to the product description for AWS Cloutrail at the URL - https://aws.amazon.com/cloudtrail/

Answer 309

Answer: B Option B is the correct answer because AWS Directory Services are used to to authenticate to an existing on-premises AD through VPN and AWS WorkSpaces service is used for Virtual desktops. Option A is incorrect because a ClassicLink, within the same region, allows us to link an EC2-Classic instance to a VPC in our account. Option C is incorrect because AWS Dictionary service needs a VPN connection to interact with an On-premise AD directory. Option D is incorrect because we need WorkSpaces for virtual desktops.

Answer 310

Answer: B, C and D. The Durability and availability are given in the aws site for RRS. Reduced Redundancy Storage (RRS) is an Amazon S3 storage option that enables customers to store non-critical, reproducible data at lower levels of redundancy than Amazon S3’s standard storage. S3 is the most reliable and durable storage service from Amazon. Whereas if you have data that is non-critical and can be easily reproducible if lost, then that can be stored in RRS to reduce the cost of your storage. The RRS option stores objects on multiple devices across multiple facilities, providing 400 times the durability of a typical disk drive, but does not replicate objects as many times as standard Amazon S3 storage. You can read more about RRS in the below link: https://aws.amazon.com/s3/reduced-redundancy/

Answer 311

Answer: D In LAM , when you create a user , you need to download the Access Key ID and Secret access key so that the user can access aws.

Answer 312

Answer: B DynamoDB is a fully managed NoSQL offering provided by AWS. It is now available in most regions for users to consume. The link provides the full details on the product http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

Answer 313

Answer: D Amazon Dynamo DB is used for storing small amounts of data such as user state information. And this service offer’s durability and low latency. Visit KB Article for the snapshot of when to use S3 and DynamoDB from the DynamoDB FAQ’ - https://aws.amazon.com/dynamodb/fags/

Answer 314

Answer: C The AWS documentation mentions the following on Read Replica’s Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This replication feature makes it easy to elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. For more information on Read Replica’s , please visit the below URL: https://aws.amazon.com/rds/details/read-replicas/

Answer 315

Answer: C For more information on Trusted Advisor Dashboard offers. Please visit: https://aws.amazon.com/premiumsupport/trustedadvisor/

Answer 316

Answer: C The correct answer for this questions is option ""C"". The option D is little bit tricky and which will make us think that it might be correct even though its not. Following AWS docs shows us when costs are not incurred. An Elastic IP address doesn’t incur charges as long as the following conditions are true: The Elastic IP address is associated with an Amazon EC2 instance. The instance associated with the Elastic IP address is running. The instance has only one Elastic IP address attached to it. If you’ve stopped or terminated an EC2 instance with an associated Elastic IP address and you don’t need that Elastic IP address any more, consider disassociating or releasing the Elastic IP address by following the instructions at Working with Elastic IP Addresses. Note: After an Elastic IP address is released, you can’t provision that same Elastic IP address again, though you can provision a different Elastic IP address. AWS doesn't want you waste the static public IP's . You will be charged for elastic IP 1- If EIP is created but not allocated to any instance. 2 - If EIP is attached to a stop instance. Reference link: https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/ Please find details below regarding Elastic IP Charges: https://aws.amazon.com/premiumsupport/knowledge-center/elastic-ip-charges/

Answer 317

Answer: A Remember that when a subnet is created, it is always mapped to one availability zone. When you go the VPC dashboard, and go to the Subnet section, you can click on Create Subnet When you create the subnet, you can only attach one AZ to the subnet.

Answer 318

Answer: C For any sort of storage for file based system, it must be done in Amazon S3.

Answer 319

Answer: A When you configure an instance during creation, you can add custom scripts to the User data section. So in Step 3 of creating an instance, in the Advanced Details section, we can enter custom scripts in the User Data section. The below script installs Perl during the instance creation of the EC2 instance.

Answer 320

Answer: A, B It is the best practice to always create LAM roles which can be assigned to EC2 instances and enable MFA for the root account. This will help to not compromise the Access Key ID/Secret Access Key combination.

Answer 321

Answer: C The default time interval is one minute. Note: Answer can also be B. S3 Standard - IA (Infrequently Accessed). However since other details are mentioned in question. we can say C. Glacier is most effective way of cost saving in this case. Reference link: https://aws.amazon.com/products/storage/

Answer 322

Answer: C Amazon Resource Names (ARNs) are used to uniquely identify AWS resources. For information on ARN’s, refer to the link - http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

Answer 323

Answer: A This is given in the aws documentation For more information on using Route53 along with S3, please visit the link http: //docs.aws.amazon.com/Route53/latest/ DeveloperGuide/RoutingToS3Bucket.html

Answer 324

Answer: C, D The justification for Infrastructure as code is given in the aws documentation For the justification on disaster recovery, please visit the below link https://aws.amazon.com/blogs/aws/new-whitepaper-use-aws-for-disaster-recovery/ For more information on Cloudformation, please visit the link https://aws.amazon.com/cloudformation/

Answer 325

Answer: D High availability is a characteristic of a system, which aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period. For more information on high availability, please refer to the following link https://en.wikipedia.org/wiki/High_availability

Answer 326

Answer: B The principle means giving a user account only those privileges which are essential to perform its intended function. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. For more information on principle of least privilege, please refer to the following link https://en.wikipedia.org/wiki/Principle_of_least_privilege

Answer 327

Answer: B Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances. It enables you to achieve fault tolerance in your applications, seamlessly providing the required amount of load balancing capacity needed to route application traffic. And the ELB is used to distribute traffic between instances in Multiple AZ’s. For more information on Elastic Load Balancer, please refer to the following link https: //aws.amazon.com/elasticloadbalancing/ Some more key points about ELB: Elastic Load Balancer (ELB) is used for rotating traffic to various EC2 instances located across the multiple Availability Zones(AZ’s). ELB can detect the healthy and unhealthy EC2 instances. It will not route traffic to the unhealthy EC2 instances. If all the instances in the same AZ is not healthy, it will route the traffic to other AZ EC2 instances. Achieve higher levels of fault tolerance for your applications by using Elastic Load Balancing to automatically route traffic across multiple instances and multiple Availability Zones. Elastic Load Balancing ensures that only healthy Amazon EC2 instances receive traffic by detecting unhealthy instances and rerouting traffic across the remaining healthy instances. If all of your EC2 instances in one Availability Zone are unhealthy, and you have set up EC2 instances in multiple Availability Zones, Elastic Load Balancing will route traffic to your healthy EC2 instances in those other zones.

Answer 328

Answer: B and C. For the list of default services given for a default VPC and to get more information on what comes as part of a default VPC, follow the link http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html

Answer 329

Answer: A You can create a scaling policy that uses CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy. You can use alarms to monitor any of the metrics that the services in AWS that you're using send to CloudWatch, or you can create and monitor your own custom metrics. For more information on Scaling policies, please refer to the following link http: //docs.aws.amazon.com/autoscaling/latest/userguide/policy_creating.html

Answer 330

Answer: C The NACL’s can be modified to be most secure by only denying the traffic from the set of IP addresses. For more information on NACL, please refer to the following link http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Answer 331

Answer: C For environments where clients cache DNS lookups, incoming requests might favor one of the Availability Zones. Using cross-zone load balancing, this imbalance in the request load is spread across all available instances in the region, reducing the impact of misbehaving clients. By default, your Classic Load Balancer distributes incoming requests evenly across its enabled Availability Zones. For example, if you have ten instances in Availability Zone us-west-2a and two instances in us-west-2b, the requests are distributed evenly between the two Availability Zones. As a result, the two instances in us-west-2b serve the same amount of traffic as the ten instances in us- west-2a. To ensure that your load balancer distributes incoming requests evenly across all instances in its enabled Availability Zones, enable cross-zone load balancing. For more information on ELB Cross load balancer, please refer to the following link http: //docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html

Answer 332

Answer: A, B Twenty instances limit is at the account level and you might have other applications running more EC2 instances across your account (may be in another region) which may cause a total number to exceed the limit. This is provided in the AWS documentation For more information on troubleshooting Autoscaling, please refer to the following link http://docs.aws.amazon.com/autoscaling /latest/userguide/ts-as-capacity.html

Answer 333

Answer: D The Multipart upload API enables you to upload large objects in parts. You can use this API to upload new large objects or make a copy of an existing object (see Operations on Objects). Multipart uploading is a three-step process: You initiate the upload, you upload the object parts, and after you have uploaded all the parts, you complete the multipart upload. Upon receiving the complete multipart upload request, Amazon S3 constructs the object from the uploaded parts, and you can then access the object just as you would any other object in your bucket. For more information on Multi-part file upload, please refer to the following link http: //docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html

Answer 334

Answer: B Lifecycle configuration enables you to specify the lifecycle management of objects in a bucket. The configuration is a set of one or more rules, where each rule defines an action for Amazon S3 to apply to a group of objects. These actions can be classified as follows: Transition actions — In which you define when objects transition to another storage class. For example, you may choose to transition objects to the STANDARD_IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. For more information on Lifecycle policies, please refer to the following link http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Answer 335

Answer: D The AWS documentation mentions the following Elastic Beanstalk supports the deployment of web applications from Docker containers. With Docker containers, you can define your own runtime environment. You can choose your own platform, programming language, and any application dependencies (such as package managers or tools), that aren't supported by other platforms. Docker containers are self- contained and include all the configuration information and software your web application requires to run. For more information on Elastic beanstalk and docker, please visit the below URL: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/create_deploy_docker.html

Answer 336

Answer: C You can use Run Command from the Amazon EC2 console to configure instances without having to login to each instance For more information on the Run Command , please visit the below URL: http://docs.aws.amazon.com/systems-manager/latest/userguide/rc-console.html

Answer 337

Answer: A, C You can either build a VPN or have a direct connect connection For more information on VPC to on-premise networks, please refer to the following link https://aws.amazon.com/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

Answer 338

Answer: B Refer steps published by AWS support: https://aws.amazon.com/premiumsupport/knowledge-center/system-reachability-check/ For more information on starting and stopping instances, please refer to the following link http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html

Answer 339

Answer: A You can have a combination of Paying accounts and linked accounts. When you have consolidated billing you have the facility to reduce the costs for the paying account. This is one of the main advantages of consolidated billing. Consolidated billing has the following benefits: One Bill — You get one bill for multiple accounts. Easy Tracking — You can easily track each account's charges and download the cost data in CSV format. Combined Usage — If you have multiple accounts today, your charges might decrease because AWS combines usage from all accounts in the organization to qualify you for volume pricing discounts. For information on Consolidated billing, please visit the link: https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing. html

Answer 340

Answer: B This is given in a whitepaper published by AWS For more information on disaster recovery, please refer to the below link https://media.amazonwebservices.com/AWS_Disaster_Recovery.pdf

Answer 341

Answer: C To ensure that traffic is evenly distributed, you need to ensure the “Enable Cross-Zone Load balancing option” is chosen. This option comes up when you are creating a classic load balancer in Step 5 of Add EC2 instances.

Answer 342

Answer: A By default whatever changes you make to security rules will be applied in all instances which are part of that security group. When you add or remove rules, they are automatically applied to all instances associated with the security group. For more information, please refer the below URL: http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

Answer 343

Answer: B The minimum size of an object in S3 can be o bytes. You can refer to the S3 FAQ’s for more information on the allowable storage on S3. https://aws.amazon.com/s3/faqs/

Answer 344

Answer: B Since the data is not required to be accessed frequently, the data can be stored on Amazon glacier for cheaper storage. Remember that the recovery time for getting data from Glacier is from 3-5 hours. All other options are not correct and expensive compared to Amazon Glacier service. For more information on Glacier please visit the below URL: https://aws.amazon.com/glacier/faqs/

Answer 345

Answer: B DynamoDB is a fully managed NoSQL offering provided by AWS. It is now available in most regions for users to consume. AWS RDS database is not fully managed database, it is partially managed. For RDS, we still need to specify the server capacity , security group etc. This is the point most of them are confused, because they assume that RDS is the fully managed database. Even though the question doesn't ask about the type of database (NOSQL), the correct option is DynamoDB. For the fully managed option it is Aurora and DynamoDB. So, the correct option in this question is DynamoDB. The link provides the full details on the product 1. http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html 2. https://aws.amazon.com/products/databases/

Answer 346

Answer: A Memory Utilization is a metric not offered directly by CloudWatch. So when you view the CloudWatch metrics for your EC2 instance, you can see CPU Utilization and Disk Read Operations metrics. You can also see Network statistics for Data transfer, but you will not be able to see Memory Utilization. This will be a custom CloudWatch metric. For more information on CloudWatch, please refer the below URL: https://aws.amazon.com/cloudwatch/faqs/

Answer 347

Answer: B, D The screenshots show the details for M3 and C3 instance types. For details for all instance types, please visit the URL: https://aws.amazon.com/ec2/instance-types/

Answer 348

Answer: A When you configure an instance during creation, you can add custom scripts to the User data section. So in Step 3 of creating an instance, in the Advanced Details section, we can enter custom scripts in the User Data section. The below script installs Perl during the instance creation of the EC2 instance. For more information on user metadata and user data , please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

Answer 349

Answer: C By default no permissions are given to the user when they are created. Below is a snapshot of a newly created user. You can see that by default no permissions are assigned to the user. For more information on LAM users , please visit the below URL: https://aws.amazon.com/iam/details/manage-users/

Answer 350

Answer: D To discover the availability of your EC2 instances, a load balancer periodically sends pings, attempts connections, or sends requests to test the EC2 instances. These tests are called health checks. The status of the instances that are healthy at the time of the health check is InService. The status of any instances that are unhealthy at the time of the health check is OutOfService. The load balancer performs health checks on all registered instances, whether the instance is in a healthy state or an unhealthy state. The load balancer routes requests only to the healthy instances. When the load balancer determines that an instance is unhealthy, it stops routing requests to that instance. The load balancer resumes routing requests to the instance when it has been restored to a healthy state. You can see the status of the instance in the Registered Instances section of the load balancer. For more information on ELB health checks , please visit the below URL: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-healthchecks.html

Answer 351

Answer: B With Amazon lifecycle policies you can create transition actions in which you define when objects transition to another Amazon S3 storage class. For example, you may choose to transition objects to the STANDARD _IA (IA, for infrequent access) storage class 30 days after creation, or archive objects to the GLACIER storage class one year after creation. Follow the below steps to get this in place: Step 1) Go the Lifecycle section of the $3 bucket and click on Add Rule Step 2) Choose what you want to export Step 3) Choose the Action to perform and then confirm on the Rule creation in the next screen. For more information on Lifecycle management, click on the link: http://docs.aws.amazon.com/AmazonS3/latest/dev/object-lifecycle-mgmt.html

Answer 352

Answer: A Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume. You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. For more information on EBS snapshots, please visit the link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 353

Answer: A For SSH access, the protocol has to be TCP, so Option B and C are wrong. For Bastion host, only the IP of the client should be put and not the entire network of 72.34.51.100/0 as given in option D. So this option is also wrong. A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. In AWS, A bastion host is kept on a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. This is a security practice adopted by many organization to secure the assets in their private subnets. For more information on security groups, please refer the below URL: http: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security. html

Answer 354

Answer: B The Durability and availability are given in the aws site for RRS. For more information on RRS please visit the URL: https://aws.amazon.com/s3/reduced- redundancy/

Answer 355

Answer: A AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define the application’s architecture and the specification of each component including package installation, software configuration and resources such as storage. Start from templates for common technologies like application servers and databases or build your own to perform any task that can be scripted. AWS OpsWorks includes automation to scale your application based on time or load and dynamic configuration to orchestrate changes as your environment scales. For more information on Opswork, please visit the link: https: //aws.amazon.com/opsworks/ https: //aws.amazon.com/opsworks/chefautomate/

Answer 356

Answer: C AWS CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. You can use AWS CloudFormation’s sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application. You don’t need to figure out the order for provisioning AWS services or the subtleties of making those dependencies work. CloudFormation takes care of this for you. After the AWS resources are deployed, you can modify and update them in a controlled and predictable way, in effect applying version control to your AWS infrastructure the same way you do with your software. You can also visualize templates as diagrams and edit them using a drag-and-drop interface with the AWS CloudFormation Designer. For more information on Cloudformation, please visit the link: https://aws.amazon.com/cloudformation/

Answer 357

Answer: C The AWS Documentation mentions the following An Amazon Machine Image (AMI) provides the information required to launch an instance, which is a virtual server in the cloud. You specify an AMI when you launch an instance, and you can launch as many instances from the AMI as you need. You can also launch instances from as many different AMIs as you need. An AMI includes the following: - A template for the root volume for the instance (for example, an operating system, an application server, and applications) - Launch permissions that control which AWS accounts can use the AMI to launch instances - A block device mapping that specifies the volumes to attach to the instance when it's launched For more information on AMI’s, please visit the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html

Answer 358

Answer: C You can use a Network Address Translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. The below diagram from aws showcases how the NAT instance is used For more information on NAT Gateways, please visit the URL: http: //docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html

Answer 359

Answer: C Amazon CloudFront is a web service that gives businesses and web application developers an easy and cost effective way to distribute content with low latency and high data transfer speeds. Like other AWS services, Amazon CloudFront is a self-service, pay-per-use offering, requiring no long term commitments or minimum fees. With CloudFront, your files are delivered to end-users using a global network of edge locations. For more information on CloudFront, please visit the link: https://aws.amazon.com/cloudfront/

Answer 360

Answer: A, C This is clearly given in the AWS documentation: For more information on the connection errors to EC2 instances, please visit the link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html

Answer 361

Answer: C Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. Elastic Cache is a better option when compared to DynamoDB. The main consideration would be the performance. AWS Docs provides following details: In order to address scalability and to provide a shared data storage for sessions that can be accessible from any individual web server, you can abstract the HTTP sessions from the web servers themselves. A common solution to for this is to leverage an In-Memory Key/Value store such as Redis and Memcached. While Key/Value data stores are known to be extremely fast and provide sub-millisecond latency, the added network latency and added cost are the drawbacks. An added benefit of leveraging Key/Value stores is that they can also be utilized to cache any data, not just HTTP sessions, which can help boost the overall performance of your applications. For more information on Elastic cache, please visit the link: https://aws.amazon.com/elasticache/ https://aws.amazon.com/caching/session-management/

Answer 362

Answer: C When you add an Availability Zone to your load balancer, Elastic Load Balancing creates a load balancer node in the Availability Zone. Load balancer nodes accept traffic from clients and forward requests to the healthy registered instances in one or more Availability Zones. For more information on adding AZ’s to ELB, please refer to the below URL: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-az.html

Answer 363

Answer: D The Weighted Routing policy is the best option here. You can ensure that the CNAME for your domain gets a lower proportion for the application hosted in AWS initially. Later on the percentage can be increased based on the application performance The AWS documentation mentions the following on Route 53 Weighted Routing policy Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes, including load balancing and testing new versions of software. For more information on Weighted Routing policy, please refer to the below URL: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

Answer 364

Answer: B Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in progress snapshot is not affected by ongoing reads and writes to the volume. You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard. For more information on EBS snapshots, please visit the link: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Answer 365

Answer: A, B, C This is given in the AWS documentation For more information on serverless platform, please refer to the below URL: https://aws.amazon.com/serverless/

Answer 366

Answer: B When you go to the Monitoring tab for your AWS RDS instance, you will be able to see the CloudWatch metrics. For more information on Amazon Cloudwatch, please visit the below URL: https://aws.amazon.com/cloudwatch/

Answer 367

Answer: C The AWS Documentation mentions A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. If you've launched an EC2 instance before, you specified the same information in order to launch the instance. When you create an Auto Scaling group, you must specify a launch configuration. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for your Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration. For more information on launch configurations please see the below link: http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html

Answer 368

Answer: A, B, D Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following: Loss of availability in primary Availability Zone Loss of network connectivity to primary Compute unit failure on primary Storage failure on primary Note: When operations such as DB Instance scaling or system upgrades like OS patching are initiated for Multi-AZ deployments, for enhanced availability, they are applied first on the standby prior to an automatic failover. As a result, your availability impact is limited only to the time required for automatic failover to complete. Note that Amazon RDS Multi-AZ deployments do not failover automatically in response to database operations such as long running queries, deadlocks or database corruption errors. For more information on read replicas, please visit the below URL: https://aws.amazon.com/rds/details/read-replicas/

Answer 369

Answer: A The AWS Documentation mentions the following The CloudWatch Logs agent provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. The agent is comprised of the following components: - A plug-in to the AWS CLI that pushes log data to CloudWatch Logs. - A script (daemon) that initiates the process to push data to CloudWatch Logs. A cron job that ensures that the daemon is always running. For more information on Cloudwatch logs Agent, please see the below link: http: //docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html

Answer 370

Answer: C Since the requirement is that the application should never go down even if an AZ is not available, we need to maintain 100% availability. Option A and D are incorrect because region deployment is not possible for ELB. ELB’s can manage traffic within a region and not between regions. Option B is incorrect because even if one AZ goes down, we would be operating at only 66% and not the required 100%. For more information on Autoscaling please visit the below URL: https://aws.amazon.com/autoscaling/

Answer 371

Answer A The AWS Documentation mentions the following: AWS Cloudtrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. For more information on CloudTrail, please refer to the below URL: https://aws.amazon.com/cloudtrail

Answer 372

Answer: A, C The AWS Documentation clearly mentions the cost to EC2 Instances Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing ends when the instance terminates, which could occur through a web services command, by running "shutdown -h", or through instance failure. When you stop an instance, we shut it down but don't charge hourly usage for a stopped instance, or data transfer fees, but we do charge for the storage for any Amazon EBS volumes. For more information, please visit the below URL: https://aws.amazon.com/ec2/faqs/ The AWS Documentation clearly mentions the cost with regards to the VPC There are no additional charges for creating and using the VPC itself. For more information, please visit the below URL: https://aws.amazon.com/vpe/faqs

Test - 1 Flashcards

(396 cards)