Udemy Exams 1 & 2 Flashcards

Question

A company plans to use reserved instances to get discounted pricing for Amazon EC2 instances. The company may need to change the EC2 instance type during the one year period. ``` Which instance purchasing option is the MOST cost-effective for this use case? a) Zonal Reserved Instances b) Standard Reserved Instances c) Regional Reserved Instances d) Convertible Reserved Instances ```

Answer 1

Explanation A convertible reserved instance enables you to exchange one or more Convertible Reserved Instances for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy. CORRECT: "Convertible Reserved Instances" is the correct answer. INCORRECT: "Standard Reserved Instances" is incorrect. With standard RIs you cannot change the instance type but you can change the instance size. INCORRECT: "Regional Reserved Instances" is incorrect. Regional RIs apply to instance usage within any AZ in a specified Region. INCORRECT: "Zonal Reserved Instances" is incorrect. Zonal RIs apply to instance usage within a specific AZ within an AWS Region.

Answer 2

Explanation A microservices architecture will help ensure that each component of the application can scale independently and be updated independently. Loose coupling further assists as it places reduces the dependencies between systems and ensures that messages and data being passed between application components can be reliably and durably stored. CORRECT: "Implement loosely coupled services" is the correct answer. INCORRECT: "Stop spending money on undifferentiated heavy lifting" is incorrect. This is not the best practice being implemented by the company. INCORRECT: "Manage change in automation" is incorrect. This is not the best practice being implemented by the company. INCORRECT: "Use multiple solutions to improve performance" is incorrect. This is not the best practice being implemented by the company.

Answer 3

Explanation It is a security best practice to rotate access keys regularly. This practice ensures that if access keys are compromised the security exposure is mitigated. CORRECT: "Customers should rotate access keys regularly" is the correct answer. INCORRECT: "There is no need to manage access keys" is incorrect. This is not true; you must rotate access keys. INCORRECT: "AWS rotate access keys on a schedule" is incorrect. AWS do not rotate your access keys. INCORRECT: "Never use access keys, always use IAM roles" is incorrect. It is often better and more secure to use IAM roles for some uses but it is certainly not the case that you should never use access keys.

Answer 4

Explanation An Amazon VPC includes multiple Availability Zones. Within a VPC you can create subnets in each AZ that is available in the Region and distribute your resources across these subnets for high availability. CORRECT: "Availability Zones" is the correct answer. INCORRECT: "AWS Regions" is incorrect. A VPC cannot include multiple Regions. INCORRECT: "Edge locations" is incorrect. A VPC cannot include multiple Edge locations as these are independent of the Regions in which a VPC is created. INCORRECT: "Internet gateways" is incorrect. You can only attach one Internet gateway to each VPC.

Answer 5

Explanation AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience. With AWS Outposts you can extend your VPC into the on-premises data center as in the following diagram: CORRECT: "AWS Outposts" is the correct answer. INCORRECT: "Amazon Connect" is incorrect. Amazon Connect provides a seamless omnichannel experience through a single unified contact center for voice, chat, and task management. INCORRECT: "AWS Direct Connect" is incorrect. Direct Connect is used for creating a low-latency private connection to an on-premises data center but it cannot be used to extend the VPC. INCORRECT: "Amazon Workspaces" is incorrect. Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution.

Answer 6

Explanation Scheduled scaling helps you to set up your own scaling schedule according to predictable load changes. For example, let's say that every week the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can configure a schedule for Amazon EC2 Auto Scaling to increase capacity on Wednesday and decrease capacity on Friday. CORRECT: "Configure a scheduled scaling policy" is the correct answer. INCORRECT: "Configure predictive scaling" is incorrect. Predictive scaling uses daily and weekly trends to determine when to scale. In this case the Cloud Practitioner knows about the event that will require more resources. INCORRECT: "Configure a target tracking scaling policy" is incorrect. This policy will cause the ASG to attempt to keep resource utilization at the target value. INCORRECT: "Configure a step scaling policy" is incorrect. Step scaling will launch resources in response to demand, this will not ensure the resource are ready at the right time as there will be a delay.

Answer 7

Explanation Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CORRECT: "Amazon CloudFront" is the correct answer. INCORRECT: "AWS Direct Connect" is incorrect. Direct Connect is a private network connection between an on-premises data center and AWS. INCORRECT: "Amazon EC2 Auto Scaling" is incorrect. Auto Scaling launches and terminates instances, this does not reduce latency for global users. INCORRECT: "Amazon ElastiCache" is incorrect. ElastiCache is a database caching service, it is not used to cache websites.

Answer 8

Explanation The Amazon Simple Storage Service (S3) offers virtually unlimited storage. The total volume of data and number of objects you can store are unlimited. Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes. The largest object that can be uploaded in a single PUT is 5 gigabytes. CORRECT: "Virtually unlimited" is the correct answer. INCORRECT: "1 PB" is incorrect. There is no such limit. INCORRECT: "100 TB" is incorrect. There is no such limit. INCORRECT: "100 PB" is incorrect. There is no such limit.

Answer 9

Explanation To make the deployment highly available the user should launch the instances across multiple Availability Zones in a single AWS Region. Elastic Load Balancers can only serve targets in a single Region so it is not possible to deploy across Regions. CORRECT: "Launch the instances across multiple Availability Zones in a single AWS Region" is the correct answer. INCORRECT: "Launch the instances as EC2 Spot Instances in the same AWS Region and the same Availability Zone" is incorrect. The pricing model is not relevant to high availability and deploying in a single AZ does not result in a highly available deployment. INCORRECT: "Launch the instances in multiple AWS Regions, and use Elastic IP addresses" is incorrect. You cannot use an ELB with instances in multiple Regions and using an EIP does not help. INCORRECT: "Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different Availability Zones" is incorrect. Using reserved instances may not be appropriate as we do not know whether this is going to be a long-term workload or not.

Answer 10

Explanation Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII). CORRECT: "Amazon Macie" is the correct answer. INCORRECT: "Amazon GuardDuty" is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. INCORRECT: "AWS Policy Generator" is incorrect. The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources. INCORRECT: "Amazon Detective" is incorrect. Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity.

Answer 11

Explanation Pay-as-you-go pricing helps companies move away from fixed costs to variable costs in a model in which they only pay for what they actually use. There are no fixed term contracts with AWS so that requirement is also met. CORRECT: "Pay-as-you-go pricing" is the correct answer. INCORRECT: "Economies of scale" is incorrect. You do get good pricing because of the economies of scale leveraged by AWS. However, the value proposition for companies wishing to avoid fixed costs is pay-as-you-go pricing. This flexibility can be more important in some cases than the actual cost per unit. INCORRECT: "Volume pricing discounts" is incorrect. This is not the value proposition for this company as they are seeking to avoid long-term contracts and fixed costs, not to achieve a discount. INCORRECT: "Automated cost optimization" is incorrect. This is a not a feature that relates to the value proposition for this customer.

Answer 12

Explanation The ability to quickly provision resources on AWS is a good example of speed and agility. On AWS the resources are readily available and can be deployed extremely quickly. Scalable compute capacity is another example as it gives you the agility to easily reconfigure your resources with more or less capacity as is required. CORRECT: "Fast provisioning of resources" is a correct answer. CORRECT: "Scalable compute capacity" is also a correct answer. INCORRECT: "Private connections to data centers" is incorrect. A private connection to a data center is not an example of speed and agility. INCORRECT: "Secured data centers" is incorrect. Secured data centers are not an example of speed and agility. INCORRECT: "Lower cost of deployment" is incorrect. This is not an example of speed and agility.

Answer 13

Explanation With AWS you can pay for what you use and there is no requirement to enter into long term contracts. However, there are opportunities to gain large discounts by committing to 1 or 3 years contracts for reserved instances and savings plans. CORRECT: "It is not necessary to enter into long term contracts" is the correct answer. INCORRECT: "AWS is responsible for securing your applications" is incorrect. AWS does not secure your applications. INCORRECT: "Customers can request specialized hardware" is incorrect. This is not true; you have no say in what hardware AWS utilize. INCORRECT: "AWS provides full access to their data centers" is incorrect. This is never the case; you cannot access the AWS data centers.

Answer 14

Explanation AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. CORRECT: "Gain access to AWS security and compliance documents" is the correct answer. INCORRECT: "Download configuration details for all AWS resources" is incorrect. Artifact does not provide this capability. INCORRECT: "Access training materials for AWS services" is incorrect. Artifact does not provide training materials. INCORRECT: "Create a security assessment report for AWS services" is incorrect. Artifact cannot be used for this purpose.

Answer 15

Explanation The most cost-effective solution that works is to use Amazon EC2 instances that are right-sized with the most optimum instance types. Right-sizing is the process of ensuring that the instance type selected for each application provides the right amount of resources for the application. CORRECT: "Rehost the applications on Amazon EC2 instances that are right-sized" is the correct answer. INCORRECT: "Migrate the applications to dedicated hosts on Amazon EC2" is incorrect. Dedicated hosts are expensive and there is no need to use them with this solution. INCORRECT: "Use AWS Lambda to host the legacy applications in the cloud" is incorrect. It is unlikely that you can simply host legacy applications using AWS Lambda. INCORRECT: "Use an Amazon S3 static website to host the legacy application code" is incorrect. You cannot host legacy application code in an S3 static website, only static content is possible.

Answer 16

Explanation The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. The bucket policy below has a Principal element set to * which is a wildcard meaning any user. To grant access to a specific IAM user the following format can be used: "Principal":{"AWS":"arn:aws:iam::AWSACCOUNTNUMBER:user/username"} CORRECT: "Principal" is the correct answer. INCORRECT: "Action" is incorrect. Actions are the permissions that you can specify in a policy. INCORRECT: "Resource" is incorrect. Resources are the ARNs of resources you wish to specify permissions for. INCORRECT: "Condition" is incorrect. Conditions define certain conditions to apply when granting permissions such as the source IP address of the caller.

Answer 17

Explanation Moving the database to Amazon RDS means that the database can take advantage of the built-in Multi-AZ feature. This feature creates a standby instance in another Availability Zone and synchronously replicates to it. In the event of a failure that affects the primary database an automatic failover can occur and the database will become functional on the standby instance. CORRECT: "Migrate the database to Amazon RDS and enable the Multi-AZ feature" is the correct answer. INCORRECT: "Configure an Elastic Load Balancer in front of the EC2 instance" is incorrect. You cannot use an ELB to distribute traffic to a database and with a single instance there’s no benefit here at all. INCORRECT: "Configure EC2 Auto Recovery to move the instance to another Region" is incorrect. The auto recovery feature of EC2 automatically moves the instance to another host, not to another Region. INCORRECT: "Set the DeleteOnTermination value to false for the EBS root volume" is incorrect. This will simply preserve the root volume; it will not perform automatic recovery

Answer 18

Explanation Amazon Aurora is a relational database that is compatible with MySQL and PostgreSQL database engines. Aurora is extremely fast and scales up to 128 TB. You can also deploy replicas for read scaling within and across Regions. Aurora also offers automated backups. CORRECT: "Amazon Aurora" is the correct answer. INCORRECT: "Amazon DynamoDB" is incorrect. DynamoDB is a NoSQL (non-relational) database and you cannot deploy a MySQL database as it is a relational database type. INCORRECT: "Amazon Athena" is incorrect. Athena is used for querying data in Amazon S3 using SQL. INCORRECT: "Amazon DocumentDB" is incorrect. DocumentDB is a NoSQL database that supports document data structures.

Answer 19

Explanation Amazon EC2 is an infrastructure as a service (IaaS) solution. This means the underlying hardware and software layer for running a virtual server are managed for you. As a customer you must then manage the operating system and any software you install. This includes installing patches on the operating system as part of regular maintenance activities. CORRECT: "Amazon EC2" is the correct answer. INCORRECT: "AWS Lambda" is incorrect. This is a serverless service and you do not need to manage patches. INCORRECT: "AWS Fargate" is incorrect. This is a serverless service and you do not need to manage patches. INCORRECT: "Amazon DynamoDB" is incorrect. This is a serverless service and you do not need to manage patches.

Answer 20

Explanation AWS Well-Architected helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. There are 5 pillars and under the operational excellence pillar the following best practices are recommended: • Perform operations as code • Make frequent, small, reversible changes • Refine operations procedures frequently • Anticipate failure • Learn from all operational failures CORRECT: "Anticipate failure" is a correct answer. CORRECT: "Perform operations as code" is also a correct answer. INCORRECT: "Make large-scale changes" is incorrect. This is not an operational best practice. INCORRECT: "Perform manual operations" is incorrect. This is not an operational best practice. INCORRECT: "Create static operational procedures" is incorrect. This is not an operational best practice.

Answer 21

Explanation An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements. Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS CORRECT: "Dedicated Hosts" is the correct answer. INCORRECT: "Dedicated Instances" is incorrect. With dedicated instances you are not given a specific physical server to run your instances on. INCORRECT: "Spot Instances" is incorrect. This deployment option does not provide a specific physical server. INCORRECT: "Reserved Instances" is incorrect. This deployment option does not provide a specific physical server.

Answer 22

Explanation Two of the benefits of using a managed Amazon RDS service instead of a self-managed database on EC2 are that you get automated backups and automatic software patching. CORRECT: "Automated backups" is a correct answer. CORRECT: "Software patching" is also a correct answer. INCORRECT: "Schema management" is incorrect. This is not a feature of the managed service. INCORRECT: "Indexing of tables" is incorrect. This is not a feature of the managed service. INCORRECT: "Root access to OS" is incorrect. You do not get root access to an RDS instance’s operating system.

Answer 23

Explanation A software development kit (SDK) is a collection of software development tools in one installable package. AWS provide SDKs for various programming languages and these can be used for integrating the features of AWS services directly into an application. CORRECT: "AWS Software Development Kit" is the correct answer. INCORRECT: "AWS Command Line Interface (CLI)" is incorrect. The AWS CLI is used for running commands but is not the best tool for integrating features of AWS services directly into an application. INCORRECT: "AWS CodeDeploy" is incorrect. CodeDeploy is used for deploying code from a code repository and actually installing the application. INCORRECT: "AWS CodePipeline" is incorrect. CodePipeline is used for automating the code release lifecycle.

Answer 24

Explanation By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay as-you-go prices. CORRECT: "economies of scale" is the correct answer. INCORRECT: "pay-as-you go pricing" is incorrect. This is a benefit to the customer but is not the reason the actual unit prices are continually being reduce. INCORRECT: "elastic compute services" is incorrect. Elasticity is useful for scaling your resources and aligning costs with demand but is not why AWS prices are being lowered. INCORRECT: "compute savings plans" is incorrect. This is another feature you can take advantage of for bigger discounts but is not the reason for prices being lowered.

Answer 25

Explanation The ability to provision IT resources quickly and easily and also globally are valid benefits of using the AWS cloud. These are covered in AWS’ 6 advantages of cloud which include “Increase speed and agility” and “Go global in minutes”. CORRECT: "Fast provisioning of IT resources" is a correct answer. CORRECT: "Ability to go global quickly" is also a correct answer. INCORRECT: "Outsource all operational risk" is incorrect. You do not outsource all operational risk; you still have to manage risk for the applications you run on AWS. INCORRECT: "Total control over data center infrastructure" is incorrect. You don’t have any control over data center infrastructure in the AWS Cloud. INCORRECT: "Outsource all application development to AWS" is incorrect. You must still develop your own applications on the AWS Cloud.

Answer 26

Explanation Some tasks can only be performed by the root user of an AWS account. This includes changing the account name and changing AWS support plans. For more information view the AWS article referenced below. CORRECT: "Changing the account name" is a correct answer. CORRECT: "Changing AWS Support plans" is also a correct answer. INCORRECT: "Enabling encryption for S3" is incorrect. This does not require root. INCORRECT: "Viewing AWS CloudTrail logs" is incorrect. This does not require root. INCORRECT: "Changing payment currency" is incorrect. This does not require root.

Answer 27

Explanation An Amazon Relational Database Service (RDS) deployment across multiple availability zones is a good example of using the reliability pillar of the AWS Well-Architected Framework. The specific design principle being followed here is “Automatically recover from failure”. CORRECT: "Amazon RDS Multi-AZ deployment" is the correct answer. INCORRECT: "Amazon EBS provisioned IOPS volume" is incorrect. This would be an example of performance efficiency. INCORRECT: "Attach a WebACL to a CloudFront distribution" is incorrect. This would be an example of using the security pillar. INCORRECT: "Use CloudFormation to deploy infrastructure" is incorrect. This would be an example of using the operational excellence pillar.

Answer 28

Explanation AWS Trusted Advisor can improve the performance of your service by checking your service limits, ensuring you take advantage of provisioned throughput, and monitoring for overutilized instances. CORRECT: "AWS Trusted Advisor" is the correct answer. INCORRECT: "Amazon Inspector" is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. INCORRECT: "Amazon CloudWatch" is incorrect. CloudWatch monitors performance but does not provide recommendations for optimization. INCORRECT: "AWS CloudTrail" is incorrect. CloudTrail is an auditing service.

Answer 29

Explanation A self-managed relational database can be installed on Amazon EC2. When using this deployment you can choose the operating system and instance type that suits your needs and then install and manage any database software you require. The table below helps you to understand when to use different types of database deployment: CORRECT: "Amazon EC2" is the correct answer. INCORRECT: "Amazon RedShift" is incorrect. RedShift is managed data warehouse solution and is better suited to use cases where analytics of data is required. INCORRECT: "Amazon ElastiCache" is incorrect. ElastiCache is a managed service for in-memory, high-performance caching of database content. INCORRECT: "Amazon DynamoDB" is incorrect. DynamoDB is a non-relational (NoSQL) type of database.

Answer 30

Explanation You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts. With consolidated billing you get: - One bill for multiple accounts. - Easy tracking or charges across accounts. - Combined usage across accounts and sharing of volume pricing discounts, reserved instance discounts and savings plans. - No extra fee. CORRECT: "They will receive one bill for the accounts in the Organization" is a correct answer. CORRECT: "They may benefit from lower unit pricing for aggregated usage" is also a correct answer. INCORRECT: "The default service limits in all accounts will be increased" is incorrect. This is not true; service limit defaults are unaffected. INCORRECT: "They will receive a fixed discount for all usage across accounts" is incorrect. There is no fixed usage discount applied for consolidated billing. INCORRECT: "They will be automatically enrolled in a business support plan" is incorrect. This is not true; you must always pay for the business support plan.

Answer 31

Explanation Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password. CORRECT: "Access keys" is the correct answer. INCORRECT: "SSL/TLS certificate" is incorrect. Certificates are not used by users for authenticating to AWS services. INCORRECT: "SSH public keys" is incorrect. These are used for connections using the SSH protocol. INCORRECT: "User name and password" is incorrect. An IAM user name and password can be used for console access but cannot be used with the CLI or API.

Answer 32

Explanation Some forms of DDoS mitigation are included automatically with AWS services. You can further improve your DDoS resilience by using an AWS architecture with specific services and by implementing additional best practices. Using a firewall with AWS resources is recommended to reduce the attack surface of your services which can mitigate some DDoS attacks. CORRECT: "Configure a firewall in front of resources" is the correct answer. INCORRECT: "Use Amazon CloudWatch monitoring" is incorrect. Performance monitoring will not protect against DDoS. INCORRECT: "Enable AWS CloudTrail logging" is incorrect. Logging API calls will not protect against DDoS. INCORRECT: "Monitor the Service Health Dashboard" is incorrect. The service health dashboard is not personalized to your resources so is not useful for monitoring and will not protect against DDoS.

Answer 33

Explanation Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password. CORRECT: "Making programmatic calls to AWS from AWS APIs" is the correct answer. INCORRECT: "Logging in to the AWS Management Console" is incorrect. You use a user name and password for the management console. INCORRECT: "Ensuring the integrity of log files" is incorrect. This is not what access keys are used for. INCORRECT: "Enabling encryption in transit for web servers" is incorrect. SSL/TLS certificates are used for creating encrypted channels using HTTPS.

Answer 34

Explanation Amazon CloudWatch is a performance monitoring service. AWS services send metrics about their utilization to CloudWatch which collects the metrics. You can then view the results in CloudWatch and configure alarms. CORRECT: "Amazon CloudWatch" is the correct answer. INCORRECT: "AWS CloudTrail" is incorrect. CloudTrail is used for auditing, not performance monitoring. INCORRECT: "Amazon Inspector" is incorrect. Inspector is an automated security service. INCORRECT: "AWS Systems Manager" is incorrect. Systems Manager is used for managing EC2 instances such as installing patches and software.

Answer 35

Explanation AWS Trusted Advisor offers a rich set of best practice checks and recommendations across five categories: cost optimization, security, fault tolerance, performance, and service limits. The Trusted Advisor “low utilization Amazon EC2 instances” check, checks the Amazon Elastic Compute Cloud (Amazon EC2) instances that were running at any time during the last 14 days and alerts you if the daily CPU utilization was 10% or less and network I/O was 5 MB or less on 4 or more days. CORRECT: "AWS Trusted Advisor" is the correct answer. INCORRECT: "AWS CodeBuild" is incorrect. CodeBuild is used for compiling and testing code ahead of deployment. INCORRECT: "AWS Cost Explorer" is incorrect. Cost Explorer can be used to view itemized costs but you cannot check resource utilization. INCORRECT: "AWS Personal Health Dashboard" is incorrect. This dashboard will not warn you about underutilization of resources.

Answer 36

Explanation Cost allocation tags can be used to tag and categorize your resources and then run view the billing in Cost Explorer and the cost allocation report. For example you can tag your resources by department or project and then view costs attributed to the resources used by those groups. CORRECT: "Cost Allocation Tags" is the correct answer. INCORRECT: "AWS Trusted Advisor" is incorrect. This service advises you on best practices for provisioning resources. INCORRECT: "Consolidated billing" is incorrect. Consolidated billing will give you usage per account but not per project. INCORRECT: "Multiple accounts" is incorrect. You do not need to split your usage across multiple accounts, you can instead use cost allocation tags.

Answer 37

Explanation AWS are responsible for updating firmware on the physical Amazon EC2 host servers. Customers are then responsible for any patching of the EC2 operating system and any installed software. CORRECT: "Updating the firmware on the underlying EC2 hosts" is the correct answer. INCORRECT: "Configuring network ACLs to block malicious attacks" is incorrect. This is a customer responsibility. INCORRECT: "Patching software running on Amazon EC2 instances" is incorrect. This is a customer responsibility. INCORRECT: "Updating security group rules to enable connectivity" is incorrect. This is a customer responsibility.

Answer 38

Explanation In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower. CORRECT: "The ability to experiment quickly" is a correct answer. CORRECT: "The speed at which AWS resources can be created" is also a correct answer. INCORRECT: "The speed at which AWS rolls out new features" is incorrect. This is not a statement that describes agility. INCORRECT: "The elimination of wasted capacity" is incorrect. This is also known as right-sizing and it is a cost benefit of running in the cloud. It is not a statement that describes agility. INCORRECT: "The ability to automatically scale capacity" is incorrect. Auto scaling ensures you have the right amount of capacity available.

Answer 39

Explanation The most efficient option is to use multiple EC2 instances and distribute the workload across them. This is an example of horizontal scaling and will allow the workload to keep growing in size without any issue and without increasing the overall processing timeframe. CORRECT: "Run the batch workload in parallel across multiple Amazon EC2 instances" is the correct answer. INCORRECT: "Run the batch job on a larger Amazon EC2 instance type with more CPU" is incorrect. This may help initially but over time this will not scale well and the workload will take many days to complete. INCORRECT: "Change the Amazon EC2 volume type to a Provisioned IOPS SSD volume" is incorrect. This will improve the underlying performance of the EBS volume but does not assist with processing (more CPU is needed, i.e. by spreading across instances). INCORRECT: "Run the application on a bare metal Amazon EC2 instance" is incorrect. Bare metal instances are used for workloads that require access to the hardware feature set (such as Intel VT-x), for applications that need to run in non-virtualized environments for licensing or support requirements, or for customers who wish to use their own hypervisor.

Answer 40

Explanation An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and Linux Enterprise Server. Note that dedicated hosts can be considered “hosting model” as it determines that actual underlying infrastructure that is used for running your workload. All of the other answers are simply pricing plans for shared hosting models. CORRECT: "Dedicated Hosts" is the correct answer. INCORRECT: "Reserved Instances" is incorrect as this pricing model does not support physical isolation. INCORRECT: "On-Demand Instances" is incorrect as this pricing model does not support physical isolation. INCORRECT: "Spot Instances" is incorrect as this hosting pricing does not support physical isolation.

Answer 41

Explanation There are a several security best practices for AWS IAM that are listed in the document shared below. Enabling multi-factor authentication is a best practice to require a second factor of authentication when logging in. Another best practice is to grant least privilege access when configuring users and password policies. CORRECT: "Enable multi-factor authentication for users" is a correct answer. CORRECT: "Create IAM policies based on least privilege principles" is also a correct answer. INCORRECT: "Disable password policies and management console access" is incorrect. This is not a security best practice. There is no need to disable management console access and password policies should be used. INCORRECT: "Create IAM users in different AWS Regions" is incorrect. You cannot create IAM users in different Regions as the IAM service is a global service. INCORRECT: "Create IAM Roles and apply them to IAM groups" is incorrect. You cannot apply roles to groups, you apply policies to groups.

Answer 42

Explanation AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. AWS Glue provides all of the capabilities needed for data integration so that you can start analyzing your data and putting it to use in minutes instead of months. AWS Glue provides both visual and code-based interfaces to make data integration easier. Users can easily find and access data using the AWS Glue Data Catalog. Data engineers and ETL (extract, transform, and load) developers can visually create, run, and monitor ETL workflows with a few clicks in AWS Glue Studio. CORRECT: "AWS Glue" is the correct answer. INCORRECT: "Amazon QuickSight" is incorrect. Amazon QuickSight is a cloud-native, serverless, business intelligence service. INCORRECT: "Amazon Athena" is incorrect. Amazon Athena is a serverless, interactive query service to query data and analyze big data in Amazon S3 using standard SQL INCORRECT: "Amazon S3 Select" is incorrect. This service enables applications to retrieve only a subset of data from an object by using simple SQL expressions.

Answer 43

Explanation The customer is responsible for installing security updates on EC2 instances and enabling MFA. AWS is responsible for security of the physical data center and the infrastructure upon which customer services run. CORRECT: "Installing security updates on EC2 instances" is a correct answer. CORRECT: "Enabling multi-factor authentication (MFA) for privileged users" is also a correct answer. INCORRECT: "Collecting syslog messages from physical firewalls" is incorrect as this is an AWS responsibility. INCORRECT: "Issuing data center access keycards" is incorrect as this is an AWS responsibility. INCORRECT: "Installing security updates for server firmware" is incorrect as this is an AWS responsibility.

Answer 44

Explanation Amazon EC2 instances can be deployed in an Amazon VPC across multiple Availability Zones. You would then typically use an Elastic Load Balancer (ELB) to distribute load between the available instances. This architecture enables high availability as if a single instance fails or if something fails that causes an outage in an entire Availability Zone, the application still has available instances to continue to service demand. CORRECT: "Design for failure" is the correct answer. INCORRECT: "Design for agility" is incorrect. This is not an example of agility; it is an example of high availability and fault tolerance. INCORRECT: "Automate infrastructure" is incorrect. This is not an example of automating. INCORRECT: "Enable elasticity" is incorrect. This is not an example of elasticity. Elasticity would be enabled by using Amazon EC2 Auto Scaling.

Answer 45

Explanation AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage. Customers use Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. These include moving tape backups to the cloud, reducing on-premises storage with cloud-backed file shares, providing low latency access to data in AWS for on-premises applications, as well as various migration, archiving, processing, and disaster recovery use cases. CORRECT: "AWS Storage Gateway" is the correct answer. INCORRECT: "AWS Backup" is incorrect. AWS Backup is a fully managed backup service that makes it easy to centralize and automate the backup of data across AWS services. It is not used for connecting on-premises storage to cloud storage. INCORRECT: "Amazon Connect" is incorrect. Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost. It has nothing to do with storing data. INCORRECT: "AWS Direct Connect" is incorrect. AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. It is not related to storage of data.

Answer 46

Explanation The Amazon Elastic Container Service (ECS) is a compute service that allows you to run Docker containers as tasks on AWS. AWS Lambda is a function as a service offering that provides the ability to run compute functions in response to triggers. CORRECT: "Amazon ECS" is a correct answer. CORRECT: "AWS Lambda" is also a correct answer. INCORRECT: "Amazon DynamoDB" is incorrect. DynamoDB is a database service. INCORRECT: "Amazon EFS" is incorrect. The Elastic File System (EFS) is a file-based storage system. INCORRECT: "Amazon CloudHSM" is incorrect. CloudHSM is a service that is used to securely store and manage encryption keys.

Answer 47

Explanation According to the AWS Shared Responsibility Model updating Amazon EC2 guest operating systems falls under the area of security “in” the cloud which is a customer responsibility. With EC2, AWS manage the underlying platform on which EC2 runs but you must launch and manage your operating systems. CORRECT: "Updating the guest operating system on Amazon EC2 instances" is the correct answer. INCORRECT: "Maintaining the infrastructure needed to run Amazon DynamoDB" is incorrect. This is a responsibility of AWS. INCORRECT: "Updating the operating system of AWS Lambda instances" is incorrect. This is a responsibility of AWS. INCORRECT: "Maintaining Amazon API Gateway infrastructure" is incorrect. This is a responsibility of AWS.

Answer 48

Explanation By default new users are created with NO access to any AWS services – they can only login to the AWS console. You must apply permissions to users to allow them to access services. The recommended way to do this is to organize users into groups and then apply permissions policies to the group. CORRECT: "By default new users are created without access to any AWS services" is the correct answer. INCORRECT: "The user needs to login with a key pair" is incorrect. Key pairs are used for programmatic access using the API so they are required for API access only. INCORRECT: "The services are currently unavailable" is incorrect as it is far more likely that the user just doesn’t have permissions. INCORRECT: "The default limit for user logons has been reached" is incorrect as there is no limit for user logons.

Answer 49

Explanation The TCO calculators allow you to estimate the cost savings when using AWS, compared to on-premises, and provide a detailed set of reports that can be used in executive presentations. The calculators also give you the option to modify assumptions that best meet your business needs. CORRECT: "Estimate savings when comparing the AWS Cloud to an on-premises environment" is the correct answer. INCORRECT: "Generate reports that break down AWS Cloud compute costs by duration, resource, or tags" is incorrect. This describes the AWS Cost & Usage Report. INCORRECT: "Estimate a monthly bill for the AWS Cloud resources that will be used" is incorrect. This describes the AWS Pricing Calculator (or Simple Monthly Calculator). INCORRECT: "Enable billing alerts to monitor actual AWS costs compared to estimated costs" is incorrect. Billing alerts can be enabled using Amazon CloudWatch.

Answer 50

Explanation Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Inspector automatically assesses applications for vulnerabilities or deviations from best practices. CORRECT: "Use AWS Inspector" is the correct answer. INCORRECT: "Use AWS Artifact" is incorrect. AWS Artifact is your go-to, central resource for compliance-related information that matters to you. INCORRECT: "Use AWS Shield" is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. INCORRECT: "Use AWS WAF" is incorrect. AWS Web application Firewall (WAF) is a firewall service, it is not used for assessing best practice.

Answer 51

Explanation You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts. By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting, but AWS has other resources for hosting dynamic websites. CORRECT: "Amazon S3" is the correct answer. INCORRECT: "Amazon EBS" is incorrect as it cannot be used to host a static website. INCORRECT: "AWS CloudFormation" is incorrect as it cannot be used to host a static website. INCORRECT: "Amazon EFS" is incorrect as it cannot be used to host a static website.

Answer 52

Explanation AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. The dashboard displays relevant and timely information to help you manage events in progress, and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues. CORRECT: "AWS Personal Health Dashboard" is the correct answer. INCORRECT: "AWS Service Health Dashboard" is incorrect. This shows the current status of services across regions. However, it does not provide proactive notifications of scheduled activities or guidance of any kind. INCORRECT: "AWS Trusted Advisor dashboard" is incorrect. AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices. INCORRECT: "Amazon CloudWatch dashboard" is incorrect as this service is used for monitoring performance related information for your infrastructure and resources, not the underlying AWS resources.

Answer 53

Explanation An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. CORRECT: "AWS IAM role" is the correct answer. INCORRECT: "AWS Systems Manager" is incorrect. This service manages Amazon EC2 instances. INCORRECT: "Amazon Connect" is incorrect. This is a contact center service. INCORRECT: "AWS IAM access key" is incorrect. Access keys are considered long-term credentials and therefore should not be embedded on EC2 instances in code. Using a role is more secure

Answer 54

Explanation AWS Managed Services manages the daily operations of your AWS infrastructure in alignment with ITIL processes. AWS Managed Services provides a baseline integration with IT Service Management (ITSM) tools such as the ServiceNow platform. AWS Managed Services provides ongoing management of your AWS infrastructure so you can focus on your applications. By implementing best practices to maintain your infrastructure, AWS Managed Services helps to reduce your operational overhead and risk. AWS Managed Services currently supports the 20+ services most critical for Enterprises, and will continue to expand our list of integrated AWS services. AWS Managed Services is designed to meet the needs of Enterprises that require stringent SLAs, adherence to corporate compliance, and integration with their systems and ITIL®-based processes. CORRECT: "Alignment with ITIL processes" is a correct answer. CORRECT: "Baseline integration with ITSM tools" is also a correct answer. INCORRECT: "Managed applications so you can focus on infrastructure" is incorrect as this is not offered by AWS Managed Services. INCORRECT: "Designed for small businesses" is incorrect as the service is designed for enterprises. INCORRECT: "Support for all AWS services" is incorrect as the service does not support all AWS services.

Answer 55

Explanation All client-side and server-side encryption is a responsibility of the customer using the AWS Cloud. This can be clearly seen in the shared responsibility model infographic below: CORRECT: "Maintaining server-side encryption" is the correct answer. INCORRECT: "Securing servers and racks at AWS data centers" is incorrect. This is an AWS responsibility. INCORRECT: "Maintaining firewall configurations at a hardware level" is incorrect. This is an AWS responsibility. INCORRECT: "Maintaining physical networking configuration" is incorrect. This is an AWS responsibility.

Answer 56

Explanation AWS Key Management Service (KMS) gives you centralized control over the encryption keys used to protect your data. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. CORRECT: "AWS CloudHSM" is a correct answer. CORRECT: "AWS KMS" is also a correct answer. INCORRECT: "AWS DMS" is incorrect. AWS Database Migration Service is used for migration of databases. INCORRECT: "AWS SMS" is incorrect. AWS Server Migration Service is used for migration of virtual machines. INCORRECT: "Amazon ELB" is incorrect. Amazon Elastic Load Balancing is used for distributing incoming connections to pools of EC2 instances

Answer 57

Explanation Amazon QuickSight is a scalable, serverless, embeddable, machine learning-powered business intelligence (BI) service built for the cloud. QuickSight lets you easily create and publish interactive BI dashboards that include Machine Learning-powered insights. QuickSight dashboards can be accessed from any device, and seamlessly embedded into your applications, portals, and websites. CORRECT: "Amazon QuickSight" is the correct answer. INCORRECT: "Amazon Redshift" is incorrect. RedShift is a data warehouse solution not a dashboard. You can use QuickSight with RedShift. INCORRECT: "Amazon Kinesis" is incorrect. This is a service for collecting streaming data. INCORRECT: "Amazon Athena" is incorrect. Athena is used for running SQL queries on data in Amazon S3.

Answer 58

Explanation AWS recommends that you create individual IAM users rather than sharing IAM user accounts. For extra security, AWS recommends that you require multi-factor authentication (MFA) for all users in your account. For privileged IAM users who are allowed to access sensitive resources or API operations, AWS recommend using U2F or hardware MFA devices. CORRECT: "Create individual IAM users" is the correct answer. CORRECT: "Enable MFA for all users" is the correct answer. INCORRECT: "Assign permissions to users" is incorrect. You should use groups to assign permissions to IAM users and should avoid embedding access keys in application code. INCORRECT: "Embed access keys in application code" is incorrect as this is against best practice as it is highly insecure. INCORRECT: "Grant greatest privilege" is incorrect. AWS recommend creating individual IAM users and assigning the least privilege necessary for them to perform their role.

Answer 59

Explanation Cost optimization can include using Auto Scaling groups to scale the number of EC2 instances according to actual demand. Also, using Amazon EC2 reserved instances for suitable workloads is a good way of optimizing costs over the longer term. CORRECT: "Implement Auto Scaling groups to add and remove instances based on demand" is a correct answer. CORRECT: "Purchase Amazon EC2 Reserved Instances" is also a correct answer. INCORRECT: "Create a policy to restrict IAM users from accessing the Amazon EC2 console" is incorrect. This is not an optimization strategy; it will just prevent access completely which could be going too far. INCORRECT: "Set a budget to limit spending on Amazon EC2 instances using AWS Budgets" is incorrect. You can use AWS Budgets to notify you of spend but not to actually limit spend. INCORRECT: "Create users in a single Region to reduce the spread of EC2 instances globally" is incorrect. You cannot create users in a single Region, all IAM Users are global.

Answer 60

Explanation By using cloud computing, you can achieve a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay as-you-go prices. CORRECT: "Economies of scale" is the correct answer. INCORRECT: "The AWS global infrastructure" is incorrect. The global infrastructure is the basis of the AWS platform but it is not the reason prices continue to reduce. INCORRECT: "Pay-as-you go pricing" is incorrect. This pricing model is a benefit but not the reason unit prices are reducing. INCORRECT: "Reserved instance pricing" is incorrect. This pricing model results in savings for customers in specific areas but not the reason for the overall reduction in prices.

Answer 61

Explanation For extra security, AWS recommends that you require multi-factor authentication (MFA) for all users in your account. With MFA, users have a device that generates a response to an authentication challenge. Both the user's credentials (something you know) and the device-generated response (something you have) are required to complete the sign-in process. If a user's password or access keys are compromised, your account resources are still secure because of the additional authentication requirement. Additionally, strong password policies should be used to enforce measures including minimum password length, complexity, and password reuse restrictions. CORRECT: "AWS Multi-Factor Authentication (AWS MFA)" is a correct answer. CORRECT: "Strong password policies" is also a correct answer. INCORRECT: "AWS Secrets Manager" is incorrect. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. INCORRECT: "AWS Certiﬁcate Manager" is incorrect. This service is used for creating SSL/TLS certificates for use with HTTPS connections. INCORRECT: "Security group rules" is incorrect as these are used to restrict traffic to/from your EC2 instances.

Answer 62

Explanation In a cloud computing environment, new IT resources are only a click away, which means that you reduce the time to make those resources available to your developers from weeks to just minutes. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower. CORRECT: "Agility" is the correct answer. INCORRECT: "Elasticity" is incorrect. Elasticity enables infrastructure to scale based on demand and helps applications perform and be cost effective. It does not reduce time to market. INCORRECT: "Fault tolerance" is incorrect as this is involved with ensuring applications stay available in the event of a fault. INCORRECT: "Cost effectiveness" is incorrect. The AWS Cloud can be cost effective but this is not the benefit that allows faster time to market.

Answer 63

Explanation Amazon Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications. Amazon SNS provides topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints for parallel processing, including Amazon SQS queues, AWS Lambda functions, and HTTP/S webhooks. Additionally, SNS can be used to fan out notifications to end users using mobile push, SMS, and email. CORRECT: "Amazon Simple Notiﬁcation Service (Amazon SNS)" is the correct answer. INCORRECT: "Amazon Simple Email Service (Amazon SES)" is incorrect. This service is used for sending email but not SMS text messages. INCORRECT: "Amazon Simple Workflow Service (Amazon SWF)" is incorrect. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud. INCORRECT: "Amazon Simple Queue Service (Amazon SQS)" is incorrect. Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.

Answer 64

Explanation Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet. You can also use the dynamic and predictive scaling features of EC2 Auto Scaling to add or remove EC2 instances. Dynamic scaling responds to changing demand and predictive scaling automatically schedules the right number of EC2 instances based on predicted demand. Dynamic scaling and predictive scaling can be used together to scale faster. The image below shows an example where an Auto Scaling group is configured to ensure the average CPU of instances in the ASG does not exceed 60%. An additional instance is being launched as the actual load is 71.5%. CORRECT: "Auto Scaling" is the correct answer. INCORRECT: "Load balancing" is incorrect. Load balancing is not about compute capacity but ensuring connections are distributed across multiple instances. INCORRECT: "Fault tolerance" is incorrect. Fault tolerance is related to the architecture of an application that ensures that the failure of any single component does not affect the application. INCORRECT: "High availability" is incorrect. High availability ensures the maximum uptime for your application by designing the system to recover from failure.

Answer 65

Explanation You can run Amazon EC2 compute instances hosted on a Snowball Edge with the sbe1, sbe-c, and sbe-g instance types. The sbe1 instance type works on devices with the Snowball Edge Storage Optimized option. The sbe-c instance type works on devices with the Snowball Edge Compute Optimized option. Both the sbe-c and sbe-g instance types work on devices with the Snowball Edge Compute Optimized with GPU option. CORRECT: "Amazon EC2" is the correct answer. INCORRECT: "AWS Server Migration Service (AWS SMS)" is incorrect. AWS SMS does not integrate natively with Snowball Edge. INCORRECT: "AWS Database Migration Service (AWS DMS)" is incorrect. AWS DMS does not integrate natively with Snowball Edge. INCORRECT: "AWS Trusted Advisor" is incorrect. Trusted Advisor does not integrate natively with Snowball Edge.

Answer 66

Explanation In a highly available system the failure of a single component should not affect the application. This means that if a single component such as an application server fails, there should be other applications servers available that can seamlessly take over operations and ensure the application continues to operate. CORRECT: "The failure of a single component should not affect the application" is the correct answer. INCORRECT: "Servers have low-latency and high throughput network connectivity" is incorrect. It is not necessary for all architectures to have low-latency and high throughput network connectivity and this does not ensure high availability. INCORRECT: "There are enough servers to run at peak load available at all times" is incorrect. This would be wasteful in terms of resources and cost. There should be enough servers available to handle current load with adequate capacity to operate functionally in the event of a system failure. Additional servers can be launched automatically. as the application demand increases. INCORRECT: "A single monolithic application component handles all operations" is incorrect. This is a bad design practice that reduces the availability of the system as the failure of update of any individual component can bring the whole system down.

Answer 67

Explanation AWS Trusted Advisor checks security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Unrestricted access increases opportunities for malicious activity (hacking, denial-of-service attacks, loss of data). The ports with highest risk are flagged red, and those with less risk are flagged yellow. Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP. The following image shows the results of the security group checks in an AWS account: CORRECT: "AWS Trusted Advisor" is the correct answer. INCORRECT: "Amazon CloudWatch" is incorrect. CloudWatch is used for performance monitoring. INCORRECT: "VPC Flow Logs" is incorrect. VPC Flow Logs are used to capture network traffic information, they will not easily identify unrestricted security groups. INCORRECT: "AWS CloudTrail" is incorrect. This service is used for auditing API actions

Answer 68

Explanation AWS Budgets allows you to set custom budgets to track your cost and usage. With AWS Budgets, you can choose to be alerted by email or SNS notification when actual or forecasted cost and usage exceed your budget threshold, or when your actual RI and Savings Plans' utilization or coverage drops below your desired threshold. CORRECT: "AWS Budgets" is the correct answer. INCORRECT: "Consolidated billing" is incorrect. This is associated with AWS Organizations and provides a single bill across multiple member accounts. INCORRECT: "AWS Trusted Advisor" is incorrect. This service provides guidance on AWS best practices. INCORRECT: "Cost Explorer" is incorrect. This service is used for exploring the costs incurred within your account.

Answer 69

Explanation Consolidated billing has the following benefits: One bill – You get one bill for multiple accounts. Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data. Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts and Reserved Instance discounts. This can result in a lower charge for your project, department, or company than with individual standalone accounts. CORRECT: "You receive a single bill for multiple accounts" is a correct answer. CORRECT: "You can combine usage and share volume pricing discounts" is also a correct answer. INCORRECT: "You receive one bill per AWS account" is incorrect as you receive a single bill for multiple accounts. INCORRECT: "You pay a fee per linked account" is incorrect as you do not pay a fee. INCORRECT: "You are charged a fee per user" is incorrect as you do not pay a fee.

Answer 70

Explanation Using AWS cloud services can help development teams to be more productive as they spend less time working on the infrastructure layer as it is provided for them. This additionally means launching new workloads requires less time as you can automate the implementation of the application and there is no underlying hardware layer to configure. CORRECT: "Less staff time is required to launch new workloads" is a correct answer. CORRECT: "Increased productivity for application development teams" is also a correct answer. INCORRECT: "Increased time to market for new application features" is incorrect. AWS services should decrease time to market, not increase time. INCORRECT: "Higher acquisition costs to support elastic workloads" is incorrect. The acquisition costs should be lower, not higher. INCORRECT: "Lower overall utilization of server and storage systems" is incorrect. This is not a benefit of moving to the cloud.

Answer 71

Explanation AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network. CORRECT: "Virtual Private Network" is the correct answer. INCORRECT: "AWS Mobile Hub" is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services. INCORRECT: "AWS Web Application Firewall (WAF)" is incorrect. This service is used for protecting against common web exploits. INCORRECT: "Amazon Virtual Private Cloud (VPC)" is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.

Answer 72

Explanation AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time. CORRECT: "AWS Elastic Beanstalk" is the correct answer. INCORRECT: "Amazon LightSail" is incorrect. LightSail is a good service to use when you don’t have good knowledge of AWS. However, you cannot deploy a scalable node.js application into a VPC. INCORRECT: "AWS CloudFormation" is incorrect. CloudFormation is used for automating the deployment of infrastructure resources in AWS. INCORRECT: "Amazon EC2" is incorrect. This would require more expertise that using Elastic Beanstalk.

Answer 73

Explanation Dependencies such as queuing systems, streaming systems, workflows, and load balancers are loosely coupled. Loose coupling helps isolate behavior of a component from other components that depend on it, increasing resiliency and agility AWS recommend that you architect applications that scale horizontally to increase aggregate workload availability. This scaling should be automatic where possible. CORRECT: "Implement loose coupling" is a correct answer. CORRECT: "Design for scalability" is also a correct answer. INCORRECT: "Implement manual scalability" is incorrect. AWS do not recommend manual processes. Everything should be automated as much as possible. INCORRECT: "Use self-managed servers" is incorrect. AWS do not recommend using self-managed servers. They do recommend using serverless services if you can. INCORRECT: "Rely on individual components" is incorrect. This is not a best practice; you should never rely on individual components. It is better to build redundancy into the system so the failure of an individual component does not affect the functioning of the application.

Answer 74

Explanation AWS WAF is a web application firewall that protects against common exploits that could compromise application availability, compromise security or consume excessive resources. CORRECT: "AWS WAF" is the correct answer. INCORRECT: "AWS Shield" is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. INCORRECT: "Security Group" is incorrect. Security groups are firewalls applied at the instance level. INCORRECT: "Network ACL" is incorrect. Network ACLs are firewalls applied at the subnet level.

Answer 75

Explanation Pay-as-you-go-pricing is an example of the AWS advantage “Trade capital expense for variable expense”. This is documented in the Six Advantages of Cloud Computing. Instead of having to invest heavily in data centers and servers before you know how you’re going to use them, you can pay only when you consume computing resources, and pay only for how much you consume. CORRECT: "Pay-as-you-go pricing" is the correct answer. INCORRECT: "Economies of scale" is incorrect. This is not an example of replacing fixed expenses with variable expenses. The benefit of economies of scale relates to achieving a lower variable cost than you can get on your own. Because usage from hundreds of thousands of customers is aggregated in the cloud, providers such as AWS can achieve higher economies of scale, which translates into lower pay as-you-go prices. INCORRECT: "Global reach" is incorrect. This is most closely associated with the advantage “Go global in minutes”. With AWS you can easily deploy your application in multiple regions around the world with just a few clicks. This means you can provide lower latency and a better experience for your customers at minimal cost. INCORRECT: "High availability" is incorrect. High availability is not related to pricing. Instead, it means you can design your applications to be available with minimum downtime even when disruptions occur.

Answer 76

Explanation An AWS Direct Connect connection is a private, dedicated link to AWS. As it does not use the internet, performance is consistent. The following diagram shows how a corporate data center is connected to AWS using a Direct Connect link via an AWS Direct Connect location: CORRECT: "AWS Direct Connect" is the correct answer. INCORRECT: "AWS Managed VPN" is incorrect. This services uses the public internet so it is not a dedicated link and performance will not be consistent. INCORRECT: "Amazon Connect" is incorrect. Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost INCORRECT: "AWS DataSync" is incorrect. AWS DataSync makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx for Windows File Server.

Answer 77

Explanation AWS is a cost-effective for dynamic workloads because it is elastic, meaning your workload can scale based on demand. And because you only pay for what you use (pay-as-you-go pricing). CORRECT: "Elasticity" is the correct answer. CORRECT: "Pay-as-you-go pricing" is the correct answer. INCORRECT: "High availability" is incorrect. This is not a characteristic that results in cost-effectiveness. INCORRECT: "Strict security" is incorrect. This is not a characteristic that results in cost-effectiveness. INCORRECT: "Reliability" is incorrect. This is not a characteristic that results in cost-effectiveness.

Answer 78

Explanation Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs are associated with AWS Organizations and help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. CORRECT: "AWS Organizations" is the correct answer. INCORRECT: "AWS Global Infrastructure" is incorrect. SCPs are not associated with the AWS Global Infrastructure. INCORRECT: "AWS Regions" is incorrect. SCPs are not associated with AWS Regions. INCORRECT: "Availability Zones" is incorrect. SCPs are not associated with Availability Zones.

Answer 79

Explanation If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com. Provide all the necessary information, including logs in plaintext, email headers, and so on, when you submit your request. CORRECT: "AWS Trust & Safety team" is the correct answer. INCORRECT: "AWS Professional Services" is incorrect. This is not the correct team. INCORRECT: "AWS Partner Network (APN)" is incorrect. This is not the correct team. INCORRECT: "AWS Technical Account Manager (TAM)" is incorrect. This is not the correct team.

Answer 80

Explanation The AWS Storage Gateway service enables hybrid storage between on-premises environments and the AWS Cloud. It provides low-latency performance by caching frequently accessed data on premises, while storing data securely and durably in Amazon cloud storage services. AWS Storage Gateway supports three storage interfaces: file, volume, and tape File gateway provides a virtual on-premises file server, which enables you to store and retrieve files as objects in Amazon S3 The volume gateway represents the family of gateways that support block-based volumes, previously referred to as gateway-cached and gateway-stored modes Tape Gateway (formerly known as Gateway Virtual Tape Library) is used for backup with popular backup software. All other answers are bogus and use terms that are associated with Storage Gateways (S3, block, cached) CORRECT: "File Gateway" is a correct answer. CORRECT: "Tape Gateway" is also a correct answer. INCORRECT: "S3 Gateway" is incorrect as explained above. INCORRECT: "Block Gateway" is incorrect as explained above. INCORRECT: "Cached Gateway" is incorrect as explained above.

Answer 81

Explanation AWS Snowball is a method of transferring the data using a physical device. A Snowball Edge device can hold up to 80 TB so a single device can be used. This transfer method completely avoids the slow and unreliable internet connection. CORRECT: "AWS Snowball" is the correct answer. INCORRECT: "Amazon S3 Glacier" is incorrect. Glacier is used for archiving data in the cloud. INCORRECT: "AWS Storage Gateway" is incorrect. Storage Gateway is a service that offers options for connecting on-premises storage to the cloud. INCORRECT: "AWS DataSync" is incorrect. DataSync uses the internet to transfer data You can utilize Snowcone but that only holds up to 8 TB per device.

Answer 82

Explanation When performing a TCO analysis you must include all costs you are currently incurring in the on-premises environment that you will not pay for in the AWS Cloud. This should include labor costs for activities that will be reduced or eliminated. Labor costs that will continue to be incurred in the cloud need not be included. CORRECT: "Physical compute hardware" is a correct answer. CORRECT: "Network infrastructure in the data center" is also a correct answer. INCORRECT: "Operating system administration" is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud. INCORRECT: "Project management services" is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud. INCORRECT: "Database schema development" is incorrect. You don’t need to include these costs as you will continue to incur them in the AWS Cloud.

Answer 83

Explanation Amazon Elastic Container Service (ECS) is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run applications on a managed cluster of Amazon EC2 instances. CORRECT: "Amazon ECS" is the correct answer. INCORRECT: "AWS Lambda" is incorrect. AWS Lambda is a serverless technology that lets you run code in response to events as functions INCORRECT: "Amazon ECR" is incorrect. Amazon Elastic Container Registry (ECR) is a fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images INCORRECT: "Amazon AMI" is incorrect. Amazon Machine Images (AMI) store configuration information for Amazon EC2 instances.

Answer 84

Explanation AWS provides many options for high availability including multiple availability zones within Regions and multiple Regions around the world. There are also many options to leverage durable data storage, message buses, databases. AWS have a huge global infrastructure with massive amounts of capacity. It is therefore very easy to accommodate large changes in application demand and this can often be seamless to your application. CORRECT: "AWS makes it easy to implement high availability" is a correct answer. CORRECT: "AWS can accommodate large changes in application demand" is also a correct answer. INCORRECT: "AWS automatically replicates all data globally" is incorrect. This is not true; data is not replicated globally unless you configure it do so. INCORRECT: "AWS will fully manage the entire application" is incorrect. This is not true; AWS will not manage your application. INCORRECT: "AWS takes care of application security patching" is incorrect. AWS take care of security patches for the underlying infrastructure but not your application.

Answer 85

Explanation The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS Cloud. CORRECT: "AWS CloudHSM" is the correct answer. INCORRECT: "AWS Secrets Manager" is incorrect. AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. INCORRECT: "AWS Key Management Service (AWS KMS)" is incorrect. This service is also involved with creating and managing encryption keys but does not use dedicated hardware. INCORRECT: "AWS Directory Service" is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

Answer 86

Explanation Amazon S3 Standard-Infrequent Access is the most cost-effective choice. It provides immediate access and is suitable for this use case as it is lower cost than S3 standard. Note that you must pay a fee for retrievals which is why you would only use this tier for infrequent access use cases. CORRECT: "Amazon S3 Standard-Infrequent Access" is the correct answer. INCORRECT: "Amazon Glacier with expedited retrievals" is incorrect. Amazon Glacier with expedited retrievals is fast (1-5 minutes) but not immediate. INCORRECT: "Amazon EFS" is incorrect. Amazon EFS is a high-performance file system and not ideally suited to this scenario, it is also not the most cost-effective option. INCORRECT: "Amazon S3 Standard" is incorrect. Amazon S3 Standard provides immediate retrieval but is not less cost-effective compared to Standard-Infrequent access.

Answer 87

Explanation AWS Artifact, available in the console, is a self-service audit artifact retrieval portal that provides our customers with on-demand access to AWS’ compliance documentation and AWS agreements. You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports. CORRECT: "Using AWS Artifact" is the correct answer. INCORRECT: "Using AWS Trusted Advisor" is incorrect. AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. INCORRECT: "Using AWS Inspector" is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. INCORRECT: "Using the AWS Personal Health Dashboard" is incorrect. AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you.

Answer 88

Only the business and enterprise plans provide support via email, chat and phone. CORRECT: "Business" is the correct answer. CORRECT: "Enterprise" is the correct answer. INCORRECT: "Basic" is incorrect does not provide support via email, chat and phone. INCORRECT: "Developer" is incorrect only provides email support. INCORRECT: "Global" is incorrect is not a support plan offered by AWS.

Answer 89

Explanation AWS Glue is an Extract, Transform, and Load (ETL) service. You can use AWS Glue with data sources on Amazon S3, RedShift and other databases. With AWS Glue you transform and move the data to various destinations. It is used to prepare and load data for analytics. CORRECT: "AWS Glue" is the correct answer. INCORRECT: "Amazon RedShift" is incorrect. Amazon RedShift is a data warehouse. With a data warehouse you load data from other databases such as transactional SQL databases and run analysis. You can analyze data using SQL and Business Intelligence tools. INCORRECT: "Amazon EMR" is incorrect. Amazon EMR is a managed Hadoop framework running on EC2 and S3. It is used for analyzing data, not for ETL. INCORRECT: "Amazon Kinesis" is incorrect. Amazon Kinesis is used for collecting, processing and analyzing real-time streaming data.

Answer 90

Explanation You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts. Consolidated billing has the following benefits: * One bill – You get one bill for multiple accounts. * Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data. * Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts. * No extra fee – Consolidated billing is offered at no additional cost. CORRECT: "Consolidated billing" is the correct answer. INCORRECT: "Amazon Cloud Directory" is incorrect. Cloud Directory is used for creating cloud-native directories. This is not related to billing. INCORRECT: "AWS Cost Explorer" is incorrect. AWS Cost Explorer has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time. It does not centralize billing. INCORRECT: "AWS Cost and Usage report" is incorrect. The AWS Cost & Usage Report lists AWS usage for each service category used by an account and its IAM users in hourly or daily line items, as well as any tags that you have activated for cost allocation purposes.

Answer 91

Explanation AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments, CORRECT: "AWS OpsWorks" is the correct answer. INCORRECT: "AWS Conﬁg" is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. INCORRECT: "AWS CloudFormation" is incorrect. AWS CloudFormation provides a common language for you to model and provision AWS and third party application resources in your cloud environment. INCORRECT: "AWS Systems Manager" is incorrect. AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources.

Answer 92

Explanation An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZ’s give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. CORRECT: "One or more physical data centers" is the correct answer. INCORRECT: "A completely isolated geographic location" is incorrect. This is a description of an AWS Region. INCORRECT: "One or more edge locations based around the world" is incorrect. Edge locations are used by Amazon CloudFront for caching content. INCORRECT: "A subnet for deploying resources into" is incorrect. Subnets are created within AZs.

Answer 93

Explanation Amazon CloudFront is a content delivery network (CDN) that caches media assets such as files, photos, and videos in Edge locations around the world. This gets your content closer to the user base which decreases latency. AWS Global Accelerator is a service that can direct users to the nearest AWS Region that contains and endpoint for an application. The service utilizes Edge locations to decrease latency and then forwards all traffic on the AWS global network which also decreases latency. CORRECT: "Amazon CloudFront" is a correct answer. CORRECT: "AWS Global Accelerator" is also a correct answer. INCORRECT: "Amazon VPC" is incorrect as this service does not decrease latency for global users. INCORRECT: "Application Auto Scaling" is incorrect as this is used to scale applications based on workload, it does not decrease latency. INCORRECT: "AWS Direct Connect" is incorrect as this service does decrease latency but not for a global user base.

Answer 94

Explanation Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. The downside is that if capacity becomes temporarily unavailable, your instances may be terminated. CORRECT: "Spot Instances" is the correct answer. INCORRECT: "On-Demand Instances" is incorrect. On-demand instances are not subject to interruption if capacity becomes temporarily unavailable. INCORRECT: "Standard Reserved Instances" is incorrect. Reserved instances are not subject to interruption if capacity becomes temporarily unavailable INCORRECT: "Convertible Reserved Instances" is incorrect. Reserved instances are not subject to interruption if capacity becomes temporarily unavailable.

Answer 95

Explanation Amazon EC2 Auto Scaling helps you maintain application availability and allows you to automatically add or remove EC2 instances according to conditions you define. You can use the fleet management features of EC2 Auto Scaling to maintain the health and availability of your fleet. You can also use the dynamic and predictive scaling features of EC2 Auto Scaling to add or remove EC2 instances. CORRECT: "Scales the number of EC2 instances in or out automatically, based on demand." is the correct answer. INCORRECT: "Scales the size of EC2 instances up or down automatically, based on demand." is incorrect. Auto Scaling adjusts the number of EC2 instances, not the size of EC2 instances. INCORRECT: "Automatically updates the EC2 pricing model, based on demand." is incorrect. Auto Scaling does not change pricing models INCORRECT: "Automatically modifies the network throughput of EC2 instances, based on demand." is incorrect. Auto Scaling does not modify network throughput for instances.

Answer 96

Explanation Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API. CORRECT: "Amazon Inspector" is the correct answer. INCORRECT: "EC2 security groups" is incorrect. Security groups are instance-level firewalls used for controlling network traffic reaching and leaving EC2 instances. INCORRECT: "AWS Conﬁg" is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. INCORRECT: "Amazon Macie" is incorrect. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.

Answer 97

Explanation According to the AWS shared responsibility model AWS are responsible for security “of” the cloud. This includes updating the firmware of the EC2 host servers on which instances run. All of the other answers are incorrect as they represent security “in” the cloud which is a customer responsibility. CORRECT: "Updating Amazon EC2 host firmware" is the correct answer. INCORRECT: "Granting permissions to users and services" is incorrect as this is a customer responsibility. INCORRECT: "Encrypting data at rest" is incorrect as this is a customer responsibility. INCORRECT: "Updating operating systems" is incorrect as this is a customer responsibility.

Answer 98

Explanation A couple of the benefits that companies will realize immediately when using the AWS Cloud are increased agility and a change from capital expenditure to variable operational expenditure. Agility is enabled through the flexibility of cloud services and the ease with which applications can be deployed, scaled, and managed. When using cloud services you pay for what you use and this is a variable, operational expense which can be beneficial to company cashflow. CORRECT: "Capital expenses are replaced with variable expenses" is a correct answer. CORRECT: "Increased agility" is also a correct answer. INCORRECT: "Variable expenses are replaced with capital expenses" is incorrect. This is the wrong way around, capital expenses are replaced with variable expenses. INCORRECT: "User control of physical infrastructure" is incorrect. This is not true, you do not get control of the physical infrastructure. INCORRECT: "No responsibility for security" is incorrect. This is not true, you are still responsible for “security in the cloud”.

Answer 99

Explanation AWS CodeCommit is a fully-managed source control service that hosts secure Git-based repositories. It makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem. CodeCommit eliminates the need to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to securely store anything from source code to binaries, and it works seamlessly with your existing Git tools. CORRECT: "AWS CodeCommit" is the correct answer. INCORRECT: "AWS CodeBuild" is incorrect. AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces software packages that are ready to deploy. INCORRECT: "AWS CodeDeploy" is incorrect. CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services. INCORRECT: "AWS CodePipeline" is incorrect. AWS CodePipeline is a fully managed continuous delivery service that helps you automate your release pipelines for fast and reliable application and infrastructure updates.

Answer 100

Explanation This is the list of valid IAM best practices: • Lock away your AWS account root user access keys • Create individual IAM users • Use groups to assign permissions to IAM users • Grant least privilege • Get started using permissions with AWS managed policies • Use customer managed policies instead of inline policies • Use access levels to review IAM permissions • Configure a strong password policy for your users • Enable MFA • Use roles for applications that run on Amazon EC2 instances • Use roles to delegate permissions • Do not share access keys • Rotate credentials regularly • Remove unnecessary credentials • Use policy conditions for extra security • Monitor activity in your AWS account • Video presentation about IAM best practices CORRECT: "Create individual IAM users" is a correct answer. CORRECT: "Use groups to assign permissions to IAM users" is also a correct answer. INCORRECT: "Embed access keys in application code" is incorrect. This is not a best practice; you should always try and avoid embedding any secret credentials and access keys in application code. Instead, it is preferable to use IAM roles to delegate permission to applications. INCORRECT: "Use inline policies instead of customer managed policies" is incorrect. This is not a best practice. You should use customer managed policies instead of inline policies. INCORRECT: "Grant maximum privileges to IAM users" is incorrect. You should instead follow the principle of least privilege and grant the minimum permissions a user needs to perform their job role.

Answer 101

Explanation AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. These capabilities help simplify operational analysis and troubleshooting. CORRECT: "AWS CloudTrail" is the correct answer. INCORRECT: "Amazon Inspector" is incorrect. Inspector is used for running an automated security assessment service on cloud resources. INCORRECT: "Amazon CloudWatch" is incorrect. CloudWatch is used for performance monitoring. INCORRECT: "AWS Trusted Advisor" is incorrect. Trusted Advisor helps you to build your AWS resources in accordance with best practices.

Answer 102

Explanation If you have multiple EC2 instances that are part of an application, you should deploy them into separate availability zones (AZs). Each AZ has redundant power and is also fed from a different grid. AZs also have low-latency network links which is often advantageous for most applications. You do not need to deploy into separate regions to prevent a power outage bringing your application down. AZs have redundant power and grids so you are safe deploying your applications into multiple AZs. If you split your applications across regions you introduce latency which may impact your application. You may also run into data sovereignty issues in some cases. Deploying your EC2 instances into different VPCs is not required and would complicate your application deployment. Also, bear in mind that VPCs within a region use the same underlying infrastructure so deploying into different VPCs may still result in your EC2 instances being deployed into the same AZs. It is a best practice to deploy into separate AZs. CORRECT: "Launch the EC2 instances into different Availability Zones" is the correct answer. INCORRECT: "Launch the EC2 instances in separate regions" is incorrect as described above. INCORRECT: "Launch the EC2 instances into different VPCs" is incorrect as described above. INCORRECT: "Launch the EC2 instances into Edge Locations" is incorrect. You cannot deploy EC2 instances into Edge Locations.

Answer 103

Explanation Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password. CORRECT: "An access key ID" is a correct answer. CORRECT: "A secret access key" is also a correct answer. INCORRECT: "A public key" is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances. INCORRECT: "A private key" is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances. INCORRECT: "An IAM Role" is incorrect. IAM Roles are not used for configuring the CLI for programmatic access. They can be used for delegating access to AWS services and cross-account access.

Answer 104

Explanation Amazon S3 is an object storage system. Typical use cases include: Backup and storage, application hosting, media hosting, software delivery and hosting a static website. CORRECT: "Host a static website" is the correct answer. CORRECT: "Media hosting" is the correct answer. INCORRECT: "Install an operating system" is incorrect. You cannot install an operating system on an object-based storage system. Instead, you need a block-based storage system such as Amazon EBS. INCORRECT: "In-memory data cache" is incorrect. You cannot use Amazon S3 as an in-memory data cache; for this you need a service such as Amazon ElastiCache. INCORRECT: "Message queue" is incorrect. You cannot use Amazon S3 as a message queue (or at least it is not a typical use case). You should use a services such as Amazon SQS or Amazon MQ.

Answer 105

Explanation AWS enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) to use the secure AWS environment to process, maintain, and store protected health information. CORRECT: "HIPAA" is the correct answer. INCORRECT: "ISO 27001" is incorrect as ISO/IEC 27001 is an information security standard. INCORRECT: "PCI DSS" is incorrect as PCI DSS is related to the security of credit card payments. INCORRECT: "SOC 1" is incorrect as this relates to financial reporting.

Answer 106

Explanation Amazon Elastic Map Reduce (EMR) is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3. CORRECT: "Amazon EMR" is the correct answer. INCORRECT: "Amazon DynamoDB" is incorrect. DynamoDB is not a hosted Hadoop framework, it is a no-SQL database. INCORRECT: "Amazon Athena" is incorrect. Amazon Athena is a serverless, interactive query service to query data and analyze big data in Amazon S3 using standard SQL INCORRECT: "Amazon Redshift" is incorrect. Amazon Redshift is a fast, simple, cost-effective data warehousing service.

Udemy Exams 1 & 2 Flashcards

(130 cards)