AWC CCP questions
Where would you find the AWS Attestation of Compliance Documentation for PCI DSS? AWS Support Amazon Macie AWS Identity and Access Management AWS Artifact
AWS Artifact AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements. AWS Support's site provides general information about compliance, but it does not hold the secure reports or certificates. AWS IAM is used to control security within your AWS Account. Amazon Macie is a data security classification service. https://aws.amazon.com/artifact/
Your company is migrating its services to the AWS Cloud. The DevOps team has heard about Infrastructure as Code and wants to investigate this concept. Which AWS service would they investigate? Elastic Beanstalk AWS Lambda AWS CloudFormation CodeCommit
AWS CloudFormation AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so you can spend less time managing those resources and more time focusing on your applications that run in AWS.
What are the ways a user can access resources in their AWS account? select 3 AWS Command Line Interface (CLI) AWS Management Console API Gateway Application code
AWS Command Line Interface (CLI) The AWS CLI allows you to access your AWS account through a terminal or command window. AWS Management Console The AWS Management Console allows you to access your AWS account and manage applications running in your account from a web browser. Application code Application code is a form of programmatic access. Programmatic access provides access to your AWS resources through an application or a tool like the CLI.
Which AWS service would enable you to view the spending distribution in 1 of your AWS accounts? Billing Advisor AWS Cost Explorer AWS Organizations AWS Spending Explorer
AWS Cost Explorer Cost Explorer allows you to visualize and forecast your costs and usage over time.
Which of the following are classified as migration services? select 2 AWS Config AWS Snowball AWS OpsWorks AWS Application Discovery Service
AWS Snowball Snowball helps you migrate massive amounts of data into cloud, so it is considered a migration tool. https://aws.amazon.com/cloud-migration/ AWS Application Discovery Service AWS Application Discovery Service helps you gather information about your on-premises environment and is considered a migration tool. https://aws.amazon.com/cloud-migration/
A person new to the cloud is learning about the services that offer compute power. Which AWS services offer computing resources in the cloud? select 3 AWS Elastic Beanstalk Amazon Cognito AWS Lambda Amazon Simple Storage Service (S3) Amazon Elastic Compute Cloud (EC2)
AWS Elastic Beanstalk Elastic Beanstalk allows you to deploy your web applications and web services to AWS. Although we covered Elastic Beanstalk in the "Deployment and Infrastructure Management Services" lesson, it is a compute service. AWS Lambda Lambda is a serverless compute service that lets you run code without managing servers. Amazon Elastic Compute Cloud (EC2) EC2 allows you to rent and manage virtual servers in the cloud.
A company has made the decision to migrate its internal on-premises data center to the cloud. Who can help the company plan and conduct the migration? select 2 Marketplace AWS Support AWS Infrastructure Event Management Consulting partner from the AWS Partner Network (APN)
AWS Infrastructure Event Management Infrastructure Event Management offers architecture guidance and operational support during the preparation and execution of planned events, such as shopping holidays, product launches, and migrations. Consulting partner from the AWS Partner Network (APN) Consulting partners offer professional services.
Which of the following tools provides a view of the performance and availability of your AWS services based on your requirements? AWS Personal Health Dashboard AWS Systems Manager AWS Trusted Advisor AWS Service Health Dashboard
AWS Personal Health Dashboard AWS Personal Health Dashboard focuses on the performance and availability of your AWS services so you can respond accordingly.
After experiencing unusual behavior in your AWS account, you need to determine if there are any issues with AWS that may be affecting your account. What section of the AWS Management Console helps you inspect account alerts and find remediation guidance for your account? AWS CloudWatch AWS SNS AWS Service Health Dashboard AWS Personal Health Dashboard
AWS Personal Health Dashboard AWS Personal Health Dashboard gives you a personalized view of the status of services and resources used by your applications.
You suspect that 1 of the AWS services your company is using has gone down. How can you check on the status of this service? AWS Organizations AWS Trusted Advisor AWS Personal Health Dashboard Amazon Inspector
AWS Personal Health Dashboard AWS Personal Health Dashboard provides alerts and guidance for AWS events that might affect your environment. https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/
Which security service provides enhanced protections and 24/7 access to AWS experts for a fee when issues arise? Macie AWS Shield Advanced AWS Shield Standard Enterprise Support
AWS Shield Advanced AWS Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee.
A gaming company is using the AWS Developer Tools suite to develop, build, and deploy their applications. Which AWS service can be used to trace user requests from end to end through the application? CloudTrail Selected AWS Inspector CloudWatch AWS X-Ray
AWS X-Ray AWS X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application's underlying components. You can use X-Ray to analyze from simple three-tier applications to complex microservices applications consisting of thousands of services.
An IAM user with administrative access is attempting to close the AWS account. After troubleshooting, the admin user uncovers they need to sign in with root user credentials in order to perform this task. What other tasks require root user credentials? select 4 Activate IAM access to the Billing and Cost Management console Modifying the support plan Create a user with administrative access Changing the email address associated with the account Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication) delete
Activate IAM access to the Billing and Cost Management console This task can only be performed when you sign in as the root user of an account. This task was presented in the additional reading, "Tasks that require root user credentials", provided with the lesson. Modifying the support plan This task can only be performed when you sign in as the root user of an account. Changing the email address associated with the account This task can only be performed when you sign in as the root user of an account. Configuring an Amazon S3 bucket to enable MFA (multi-factor authentication) delete This task can only be performed when you sign in as the root user of an account. This task was presented in the additional reading, "Tasks that require root user credentials," provided with the lesson.
Which of the following are best practices when it comes to securing your AWS account? select 5 Activate MFA on the root account Use groups to assign permissions Delete your root account password. Create individual IAM users Store your root account keys on your application for easy access. Delete your root access keys. Apply an IAM password policy
Activate MFA on the root account The root account has full control and access within an individual AWS account; therefore, it should be protected with MFA. Use groups to assign permissions Creating individual IAM users, using groups to assign them permissions, and creating a strong password policy are all key components of securing your AWS account. Create individual IAM users Creating individual IAM users, using groups to assign them permissions, and creating a strong password policy are all key components of securing your AWS account. Delete your root access keys. Creating individual IAM users, using groups to assign them permissions, and creating a strong password policy are all key components of securing your AWS account. The root user should only be used in emergencies, and therefore there should be no need to have root access keys which allow the root user programmatic access - any programmatic access should use something other than the root account. It is not possible to delete the root password, and this should be securely, safely stored and not used in any applications! Apply an IAM password policy Creating individual IAM users, using groups to assign them permissions, and creating a strong password policy are all key components of securing your AWS account.
You just had a Data Analyst join the company, and you have been tasked with creating a new IAM user accordingly. Although the user has received all the necessary credentials, she realized that she cannot perform any Amazon RDS actions on the Clients table. Which of the following are possible solutions to this issue? Select 2 Supply the password necessary to log into the AWS Console. Create a ticket for the Help Desk to resolve the issue. Add the user to the group that has the necessary permission policy. Double-check the credentials you sent to the user. Create an identity-based policy.
Add the user to the group that has the necessary permission policy. By default, an IAM user can't access anything in the AWS account. So, the inability to perform the RDS actions on the Clients table is not a technical or password issue. To grant access, you would need to create an identity-based policy. However, if there is a group in the account with the permission policy that will grant such access, you can add the user to that group instead. Create an identity-based policy. By default, an IAM user can't access anything in the AWS account. So, the inability to perform the RDS actions on the Clients table is not a technical or password issue. To grant access, you would need to create an identity-based policy. However, if there is a group in the account with the permission policy that will grant such access, you can add the user to that group instead.
The Chief Marketing Officer of the hotel chain you work for would like to develop a solution to enable voice recognition capabilities in rooms, so customers can request services without picking up the phone. Competitors have already begun rolling out these technologies in an attempt to improve their customers' experience. Which benefit of the AWS Cloud would you most emphasize to the CMO in your business case for creating an AWS-based solution that allows you to innovate more quickly and deliver your applications faster, as a response to your competitors? Deploy globally in minutes Agility Cost savings Elasticity
Agility The AWS Cloud provides instant access to new technologies. Companies can move with agility to satisfy new business requirements and meet competitive demands. There is a very low barrier of entry for innovation. If a solution is not meeting expectations, services can be instantly de-provisioned. The other 3 options will also prove to be benefits of deploying in the AWS Cloud, but the use case emphasizes the need to move quickly against competitive threats.
A development team has created a large amount of CloudFormation templates in the JSON format. Which AWS database would be best suited for storing these documents? AWS MySQL Amazon RedShift Amazon DocumentDB Amazon Aurora
Amazon DocumentDB Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. As a document database, Amazon DocumentDB makes it easy to store, query, and index JSON data.
You need to use an AWS service to assess software vulnerabilities and unintended network exposure of your Amazon EC2 instances. Which of the following services should you use? AWS Trusted Advisor Amazon Inspector AWS Shield AWS WAF
Amazon Inspector Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure.
Which of the following statements are true about who can use IAM roles? select 3 A web service offered by providers other than AWS. An IAM user in a different AWS account than the role. An IAM user in the same AWS account as the role. A web service offered by AWS.
An IAM user in a different AWS account than the role. A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2. An IAM user in the same AWS account as the role. A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2. A web service offered by AWS. A role can be used by either an IAM user in the same AWS account as the role or a user in a different AWS account. A role can also be used by a web service that AWS offers; a prime example is Amazon EC2.
Which of the following can be specified as an origin when creating a CloudFront distribution? select 3 An S3 bucket An elastic load balancer A domain name An RDS instance
An S3 bucket A CloudFront origin can be an S3 bucket, an elastic load balancer, or a valid domain name. An elastic load balancer A CloudFront origin can be an S3 bucket, an elastic load balancer, or a valid domain name. A domain name A CloudFront origin can be an S3 bucket, an elastic load balancer, or a valid domain name.
Which of the following are load balancer types offered by AWS? select 3 Application Network Web Database Original Service Classic
Application Application is a valid load balancer type AWS offers. Network Network is a valid load balancer type AWS offers. Classic Classic is a valid load balancer type AWS offers.
A new application rolled out by the development team is going to require load balancing of HTTP and HTTPS traffic. Which load balancer is best suited for this type of traffic? HTTP Load Balancer Network Load Balancer Classic Load Balancer Application Load Balancer
Application Load Balancer An Application Load Balancer is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers.
In the AWS Global Infrastructure, which components are physically separated and connected through low-latency links, enabling fault tolerance and high availability? Regions Selected Route 53 Virtual Private Clouds (VPCs) Availability Zones
Availability Zones Availability Zones (AZs) are connected among themselves in a single Region. They are physically separated, connected through low-latency links, fault tolerant, and allow high availability.
Which of the following is used to secure Amazon S3 buckets? API key Bucket access policy Security group Access keys
Bucket access policy A bucket access policy can be attached directly to an S3 bucket to limit access to specific users.
Which of the following allows you to make entire buckets (like 1 hosting an S3 website) public? Access control lists Bucket control lists Bucket policies Access policies
Bucket policies Bucket policies allow you to control access to entire buckets, whereas access control lists let you control access to individual objects within an S3 bucket. https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
A customer has multiple IAM users that need the same access permissions. How can the customer provide the same access permissions to all the users quickly and efficiently? By assigning users to an EC2 security group By assigning a preconfigured AWS managed policy to each user By creating a policy and assigning it to each user By assigning users to an IAM group that has the needed permissions.
By assigning users to an IAM group that has the needed permissions. IAM groups allow a set of users to have the same access permissions.
How does AWS Shield Standard help protect your environment? By scanning incoming application traffic for known attacks. By blocking DDOS attacks. By scanning your instances for viruses. By scanning outgoing application traffic for sensitive information.
By blocking DDOS attacks. AWS Shield Standard is included at no extra cost, but will only block DDoS attacks on your AWS resources. It will not scan the contents of incoming or outgoing traffic (this is a function of WAF) and will not protect your environment from viruses.
AWS Trusted Advisor provides checks and recommended actions. Which of the following is not one of those checks? Unrestricted access for specific ports on EC2 Checks for usage more than 80% of the service limit CloudFront content delivery optimization Checks to determine if an administrative user is used instead of the root account
Checks to determine if an administrative user is used instead of the root account This is not a check provided in Trusted Advisor.
You have joined a small company and inherited an AWS application built within the EC2-Classic network. Which load balancer will work with this application? Classic Load Balancer None. The application needs to be upgraded. Application Load Balancer Network Load Balancer
Classic Load Balancer Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.
A developer would like to build a serverless application but doesn't want to install files or configure their local development machine. Which service will allow the developer to build the application by writing code in a web browser? CodeDeploy Cloud9 CloudFront CodePipeline
Cloud9 Cloud9 allows application developers to write code within an integrated development environment (IDE) from within their web browser.
Which AWS service allows the deployment of resources in code templates, otherwise known as Infrastructure as Code? OpsWorks Systems Manager Elastic Beanstalk CloudFormation
CloudFormation CloudFormation allows you to provision AWS resources using Infrastructure as Code (IaC).
You have been tasked with creating identical, repeatable infrastructure for your customers. Which service will you use? CloudFront CloudWatch AWS Config CloudFormation
CloudFormation CloudFormation provides the ability to provision a repeatedly deployable environment for your customers.
How can a customer meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud? Secrets Manager Identity and Access Management CloudHSM DynamoDB
CloudHSM CloudHSM allows customers to meet compliance requirements for data security by using dedicated hardware.
A software company is looking for a tool to automate their deployments from end to end. Which AWS service can provide this continuous delivery functionality? CodeDeploy CodePipeline CodeCommit CodeBuild
CodePipeline CodePipeline automates the software release process.
How can a customer with the Enterprise Support plan get help with billing and account questions? select 2 Contact the Support Concierge team. AWS Community Forums Use the AWS Support API to programmatically open a case with AWS Support. Technical Account Manager (TAM) AWS Online Tech Talks
Contact the Support Concierge team. The Concierge agent is the primary point of contact for billing or account inquiries. Use the AWS Support API to programmatically open a case with AWS Support. Customers on the Enterprise Support plan have access to the AWS Support API to create, manage, and close support cases.
Which of the following is NOT a compute service? EC2 Elastic Beanstalk Elastic Block Store Lambda
Elastic Block Store Elastic Block Store is a storage service - all others are compute services.
Scientists would like to analyze terabytes of scientific data from a rover that landed on Mars. Which service will help them find trends and understand the vast amount of data using Hadoop? Elastic MapReduce (EMR) SageMaker Kinesis Data Pipeline
Elastic MapReduce (EMR) EMR helps you process large amounts of data using big data frameworks like Hadoop.
You need to track your AWS costs on a detailed level. Which tool will allow you to do this? AWS CloudTrail CloudWatch AWS Organizations Cost Allocation Tags
Cost Allocation Tags A tag is a label that you or AWS assign to an AWS resource. Each tag consists of a key and a value. Tagged resources can appear on the Cost Explorer or on a cost allocation report.
You want to monitor the cost of using your AWS services and receive alerts when the thresholds you define are met. Which of the following AWS Budgets types should you create? Cost budget Savings Plans budget Reservation budget Usage budget
Cost budget You need to create a cost budget with AWS Budgets if you want to monitor the cost of using your AWS services.
A new application needs temporary access to resources in AWS. How can this best be achieved? Store an access key in an S3 bucket and give the application access to the bucket. Add the application to a group that has the appropriate permissions. Create an IAM policy and attach it to the application. Create an IAM role and have the application assume the role.
Create an IAM role and have the application assume the role. Roles define access permissions and are temporarily assumed by an IAM user or service.
Which policy will provide information on performing penetration testing on your EC2 instances? Customer Service Policy for Penetration Testing IAM policy JSON policy AWS Customer Agreement
Customer Service Policy for Penetration Testing AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for Amazon EC2 instances, NAT gateways, elastic load balancers, and 7 other services.
Which of the following is an AWS Well-Architected Framework design principle related to operational excellence? Scale horizontally for resilience. Assign only the least privileges required. Deploy smaller, reversible changes. Use serverless architectures first.
Deploy smaller, reversible changes. This is a design principle related to operational excellence. Smaller changes can easily be reverted, if necessary.
A company is developing a new web application that has high availability requirements. How can the company increase availability when deploying the application? select 2 Deploy the application to span across multiple Availability Zones (AZs). Deploy the application to the Region that is closest to most of its users. CloudFront S3 Transfer Acceleration Utilize a multi-Region deployment when deploying the application.
Deploy the application to span across multiple Availability Zones (AZs). Deploying applications to multiple AZs replicates applications across multiple data centers in the same Region, supporting high availability. Utilize a multi-Region deployment when deploying the application. Multi-Region deployments are best for applications that have extremely high availability requirements.
You have an Application Load Balancer for routing traffic from developers to the EC2 instance that contains a web application being put into operation. To prepare for the application going live for public use, you add an Auto Scaling group and a second Application Load Balancer to route web traffic from customers to the EC2 instance. The addition is an example of which of the following? Reliability Durability Elasticity Scalability
Durability Durability is all about long-term data protection. This means your data will remain intact without corruption.
You need to store key-value pairs of users and their high scores for a gaming application. Which is the fastest and cheapest storage option for this type of data? DynamoDB RDS MySQL Amazon S3 Amazon RedShift
DynamoDB DynamoDB is a fully managed NoSQL key-value and document database. DynamoDB scales automatically to massive workloads with fast performance and is the best choice for this scenario.
A healthcare agency needs to store certain patient information for up to 10 years. To save cost, they want to archive this data to cheaper storage. The data needs to be retrieved within 12 hours. Which is the cheapest option? Amazon S3 Glacier Flexible Retrieval (Formerly S3 Glacier) Redshift Glacier Deep Archive S3 Standard-IA
Glacier Deep Archive Glacier Deep Archive meets the requirement and is the cheapest option.
A company has developed a popular online multiplayer gaming application. How can the company enhance its players' online experience and improve overall application availability and reduce in-game latency? CloudTrail CloudFront Global Accelerator Route 53
Global Accelerator Global Accelerator can improve the experience by routing player traffic along with the private AWS global network to the fastest instance of your application. Player traffic is not negatively impacted by internet congestion and local outages.
What is the most efficient way for a customer to continuously monitor CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs looking for unauthorized behavior? Inspector GuardDuty CloudWatch Config
GuardDuty GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.
A purchasing department staff member is set up as an AWS user in the company's Procurement AWS account. At each month-end, the staff member needs access to an application running on EC2 in the company's Accounts Payable AWS account to reconcile reports. Which of the following provides the most secure and operationally efficient way to give the staff member access to the Accounts Payable application? Invoke an AWS Lambda function to run the application in the Accounts Payable AWS account. Have the user request temporary security credentials for the application by assuming a role. Configure Active Directory integration so you can federate the staff member's access to the Accounts Payable AWS account. Create a user for the staff member in the Accounts Payable AWS account.
Have the user request temporary security credentials for the application by assuming a role. The staff member should be given the ability to assume a role programmatically with the permissions necessary to run the Accounts Payable application.
A solutions architect is designing a system to withstand the failure of one or more components. What type of system is able to withstand failure? Secure Elastic Highly available Durable
Highly available Highly available systems are designed to operate continuously without failure for a long time. These systems avoid loss of service by reducing or managing failures.
Which of the following is an AWS global service? VPC IAM Amazon RDS EC2
IAM Identity and Access Management is a global service.
You are creating a few IAM policies. This is the first time you have worked with IAM policies. Which tool can you use to test IAM policies? Amazon GuardDuty IAM policy simulator Amazon Inspector CloudWatch
IAM policy simulator The IAM policy simulator allows you to test and troubleshoot identity-based policies, IAM permissions boundaries, service control policies (SCPs), and resource-based policies.
A company can provision a new EC2 instance at the click of a button, which reduces the time to make those resources available to their development team from weeks to just minutes. Which benefit of cloud computing does this demonstrate? Stop spending money running and maintaining data centers. Trade capital expense for variable expense. Go global in minutes. Increase speed and agility.
Increase speed and agility. The cloud gives you increased speed and agility. All the services you have access to help you innovate faster, giving you speed to market.
When you pay a subscription fee to a hosting company to serve your website on an instance you manage, which cloud computing model are you using? Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Function as a Service (FaaS)
Infrastructure as a Service (IaaS) IaaS offers building blocks that can be rented. When you pay a web hosting fee, you're using IaaS.
An organization needs to run a MySQL relational database on AWS. They plan to hire their own database administrators to manage their databases, including taking backups, using replication, and clustering. Which option provides the customer the control and flexibility needed? Use Systems Manager to install the MySQL database directly to on-premises servers. Use the Amazon Relational Database Service (RDS) to launch the MySQL database. Install the MySQL database directly on an EC2 instance. Open a case with AWS Support to have them assist the database administrators with the installation of the MySQL database.
Install the MySQL database directly on an EC2 instance. Installing the database directly to EC2 gives the customer complete control over the database and its management.
Which service powers the creation of encrypted EBS volumes for Amazon EC2? Key Management Service (KMS) CloudHSM Secrets Manager Identity and Access Management (IAM)
Key Management Service (KMS) When you create an encrypted Amazon EBS volume, you're able to specify a KMS customer master key.
A huge department store sells products online and in-person. Most of their customers use credit cards instead of cash when making purchases. For security purposes, the credit card data must be encrypted at rest. Which services allow the department store to generate and store the encryption key used to secure the credit card numbers? select 2 Macie Key Management Service (KMS) Secrets Manager CloudHSM Identity and Access Management (IAM)
Key Management Service (KMS) KMS allows you to generate and store encryption keys. CloudHSM CloudHSM is a hardware security module (HSM) used to generate and store encryption keys.
A company with a popular website would like to analyze website clickstreams in real time to determine site usability. How can they obtain the data in real time for analysis? DMS Data Pipeline Kinesis DynamoDB
Kinesis Kinesis allows you to analyze data and video streams in real time.
A company is using Trusted Advisor to ensure they are following AWS best practices. What real-time guidance does Trusted Advisor provide? select 3 Low utilization on EC2 instances Upcoming user interface changes to the console Amazon services down Exposed access keys S3 bucket permissions for public access
Low utilization on EC2 instances Trusted Advisor checks this for all customers. FYI: This was found in the "AWS Trusted Advisor best practice checklist" documentation linked from within the lesson. Exposed access keys Trusted Advisor checks this for Enterprise and Business Support customers. S3 bucket permissions for public access Trusted Advisor checks this for all customers.
A colleague tells you about a service that uses machine learning to discover and protect sensitive data stored in S3 buckets. Which AWS service does this? Inspector SageMaker Macie Rekognition
Macie Macie helps you discover and protect sensitive data.
A customer set up an Amazon S3 bucket to accept downloads from their mobile application users. Due to data privacy requirements, the customer needs to automatically and continually scan S3 for the users' addresses. Which service can do this? Athena GuardDuty Inspector Macie
Macie Macie uses machine learning to discover sensitive data stored on Amazon S3. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.
A company would like to reduce operational overhead when operating AWS infrastructure. Which service can help them do this? Professional Services Managed Services Technology partner from the AWS Partner Network (APN) Consulting partner from the AWS Partner Network (APN)
Managed Services Managed Services helps you efficiently operate your AWS infrastructure and reduces operational risks and overhead.
You need to allow IPv4 resources in a private subnet to connect to services outside your VPC, but you can't allow external services to initiate a connection with those private IPv4 resources. Which of the following must be present to enable this access? Security groups NAT gateway Network access control lists Route tables
NAT gateway A NAT gateway is required to allow resources in a private subnet to access the internet.
A fantasy sports company needs to run an application for the length of a football season (5 months). They will run the application on an EC2 instance and there can be no interruption. Which purchasing option best suits this use case? Spot Dedicated Reserved On-Demand
On-Demand This is not a long enough term to make Reserved Instances the better option. Plus, the application can't be interrupted, which rules out Spot Instances.
You have a short-term computing task to complete. It is essential that this task run uninterrupted from start to finish. Which is the best EC2 option for this task? On-Demand Instance Spot Instance Dedicated Host Reserved Instance
On-Demand Instance It is a short-term project, which rules out Reserved Instances, and it has to run uninterrupted, which rules out Spot Instances.
A company with a business-critical application needs to ensure business continuity and that they will not be impacted by capacity restraints in a given Region. How can the company ensure this? select 3 On-demand capacity reservation Savings Plan with a capacity reservation Convertible Reserved Instance (RI) with a capacity reservation Standard Reserved Instance (RI) with a capacity reservation Spot instance with a capacity reservation
On-demand capacity reservation On-Demand Capacity Reservations enable you to reserve compute capacity for your Amazon EC2 instances for any duration. Convertible Reserved Instance (RI) with a capacity reservation A Reserved Instance is a reservation of resources and capacity for either 1 or 3 years. A capacity reservation offers assurance that the customer will be given preference if there is ever a capacity constraint in a Region. Standard Reserved Instance (RI) with a capacity reservation A Reserved Instance is a reservation of resources and capacity for either 1 or 3 years. A capacity reservation offers assurance that the customer will be given preference if there is ever a capacity constraint in a Region.
Which of the following are pillars found in the AWS Well-Architected Framework? Select 2 Operational Excellence Cost Optimization Performance Optimization Deploying to multiple Availability Zones Encrypting data at rest
Operational Excellence The Operational Excellence pillar focuses on building applications that effectively support your workloads. Cost Optimization The Cost Optimization pillar focuses on building resilient systems at the least cost.
Which pillar of the Well-Architected Framework encourages the use of CloudFormation? Operational excellence Performance efficiency Reliability Selected Security
Operational excellence Operational excellence focuses on creating applications that effectively support production workloads. Scripting operations as code is a part of this pillar, which includes the use of CloudFormation.
A company would like to automate the configuration of its servers and deploy code to servers in the cloud and on-premises. Which service meets the requirement? Elastic Beanstalk OpsWorks CodeBuild CodeDeploy
OpsWorks OpsWorks allows you to use Chef or Puppet to automate the configuration of your servers and deploy code on-premises or the cloud.
In Identity and Access Management (IAM), which term applies to a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS? Principal Resource Identity Entity
Principal A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.
What does a developer need in order to log in to an EC2 instance via SSH from their local machine? select 3 Private key Public key API key SSH client Key Management System (KMS) generated key
Private key A key pair, consisting of a private key and a public key, is a set of security credentials you use to prove your identity when connecting to an instance. You store the private key locally typically as a pem file. Public key A key pair, consisting of a private key and a public key, is a set of security credentials you use to prove your identity when connecting to an instance. Amazon EC2 stores the public key. SSH client An SSH client is a program that allows establishing a secure connection from your local laptop to an EC2 instance.
A customer wants to run an application on a local version of an EC2 instance in a disconnected environment. Which Snow Family device supports this? Snowcone Snowball Snowball Edge Snowmobile
Snowball Edge Snowball Edge offers on-board storage and compute power that can handle local processing and edge-computing workloads in disconnected environments and handles transferring data between your local environment and AWS. Snowball Edge supports S3, EC2, Lambda, and IoT Greengrass.
A company has an application with user bases in both Australia and Canada. The company has deployed their application to servers currently provisioned in the Canada (Central) Region. Unfortunately, Australian users are experiencing high latency and slow download times. How can the company reduce latency? Provision resources across Availability Zones in the Canada (Central) Region to handle the demand. Use S3 Transfer Acceleration to speed up delivery of static content to users in Australia. Set up Direct Connect for users in Australia. Provision resources to the Asia Pacific (Sydney) Region in Australia.
Provision resources to the Asia Pacific (Sydney) Region in Australia. A multi-Region deployment solves the issue by deploying the application closest to the user base.
Which services can host a MariaDB database? select 2 RDS EC2 DynamoDB Aurora DocumentDB
RDS RDS supports several popular database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. EC2 For complete control of a database, you can install the database software directly on an EC2 instance.
You need to set up a data warehouse on AWS for financial/actuary data. Which AWS service will you use? DynamoDB ElastiCache Redshift RDS
Redshift Redshift is a scalable data warehouse solution.
What is a geographical area of the world that is a collection of logically grouped data centers? Data center Edge location Availability Zone (AZ) Region
Region A Region is a geographical area of the world that is a collection of data centers logically grouped into Availability Zones. (https://aws.amazon.com/about-aws/global-infrastructure/regions_az/?p=ngi&loc=2#Regions)
A development team wants to gain full observability into the health of their applications and instances in order to provide the best service level to users of their applications. Which services can help them monitor the health of their applications and instances? select 3 Simple Notification Service (SNS) Route 53 CloudTrail Elastic Load Balancing Elastic Beanstalk
Route 53 Route 53 can be used to configure DNS health checks to route traffic to healthy endpoints or to monitor the health of your applications. Elastic Load Balancing Load balancers monitor the health of EC2 instances and route the traffic to only instances that are in a healthy state. Elastic Beanstalk Elastic Beanstalk monitors application health via a health dashboard.
Which of the following are criteria affecting your billing for RDS? select 3 Data transferred in Running duration of the RDS instances Standard monitoring services Number of requests Additional storage
Running duration of the RDS instances RDS runs on EC2 instances, so much like an EC2 instance, you are charged based on how long the RDS instances are running, how much storage they have provisioned, and the requests they're processing. Number of requests RDS runs on EC2 instances, so much like an EC2 instance, you are charged based on how long the RDS instances are running, how much storage they have provisioned, and the requests they're processing. Additional storage RDS runs on EC2 instances, so much like an EC2 instance, you are charged based on how long the RDS instances are running, how much storage they have provisioned, and the requests they're processing.
A developer would like to access AWS services from application code. How can a developer achieve this? CodePipeline CodeBuild CodeCommit Software Development Kit (SDK)
Software Development Kit (SDK) SDKs allow you to access AWS services from popular programming languages like Java, Python, C#, and many more.
A developer doesn't want to hardcode the database password in their application code when developing a new application. Which service will help with accessing the password without having to hardcode it? Key Management Service (KMS) AWS Artifact Secrets Manager IAM credential report
Secrets Manager Secrets Manager allows you to manage and retrieve secrets (passwords or keys).
Using CloudTrail to track user activity and API calls within your account is an example of which AWS Well-Architected Framework pillar? Reliability Cost Optimization Operational Excellence Security
Security A design principle of the Security pillar is to track who did what and when. The Security pillar focuses on putting mechanisms in place to protect your systems and data.
Which of the following acts like built-in firewalls per instance for your virtual servers? Availability Zones Security groups Route tables Network access control lists
Security groups Security groups act like built-in firewalls for your virtual servers — the rules you create define what is allowed to talk to your instances and how. Although network access control lists can be used to block or deny traffic, these operate at the subnet level (covering all instances in the subnet with the same ruleset), not per instance as the question specifies. Route tables tell traffic where it should go next to reach its destination, and an Availability Zone is a collection of data centers — which isn't relevant in this question.
A customer is managing multiple AWS accounts using AWS Organizations. What can the customer use to restrict the same permissions across all AWS accounts managed under AWS Organizations using minimal effort? IAM user policy S3 bucket policy Service control policies IAM organization policy
Service control policies AWS Organizations provides central governance and management for multiple accounts. Organization service control policies (SCPs) allow you to create permissions guardrails that apply to all accounts within a given organization.
Which is the most efficient AWS feature that allows a company to restrict IAM users from making changes to a common administrator IAM role created in all accounts in their organization? Service control policies (SCPs) GuardDuty IAM findings IAM user policy Shield
Service control policies (SCPs) AWS Organizations provides central governance and management for multiple accounts. Organization SCPs allow you to create permissions guardrails that apply to all accounts within a given organization. Service control policies (SCPs)
A company is considering migrating its applications to AWS. Which costs should the company consider when comparing its on-premises total cost of ownership (TCO) to the TCO when running on AWS? select 3 Software development Help desk support costs Software license costs Hardware and infrastructure Data center cooling, power, and space requirements
Software license costs The company should consider the number of licenses and the cost of the licenses. Hardware and infrastructure The company should consider the cost of the hardware, like physical servers. Data center cooling, power, and space requirements The company should consider how much it costs to power its data center.
A company has signed a 3-year contract with a school district to develop a Teacher Absence Management application. Which type of EC2 instance would be best for application development on this project? Scheduled Reserved Instances Spot Instances On-Demand Instances Standard Reserved Instances
Standard Reserved Instances Standard Reserved Instances provide you with a significant discount (up to 72%) compared to On-Demand Instance pricing and can be purchased for a 1-year or 3-year term.
A company would like to implement a hybrid storage model where they connect on-premises data storage to storage in the AWS Cloud in order to move their backups to the cloud. What is the best and most efficient way to achieve this? Site-to-Site VPN Elastic File System (EFS) Direct Connect Storage Gateway
Storage Gateway Storage Gateway is a hybrid storage service that allows you to connect on-premises and cloud data.
A telecommunications company has hired you as a consultant to develop a business case for moving its IT applications and infrastructure to AWS. The company's leadership understands the agility value of the cloud, but the finance group is not interested in shifting capital expense to operating expense due to the company's tax structure. What will you include in the business case to attempt to satisfy everyone at the company? Suggest that the company make Reserved Instance purchases and capitalize them. Suggest that the company wait to migrate to AWS until the current infrastructure is fully depreciated. Show the company the TCO value of moving to an operating expense model. Show the value of an elastic infrastructure for avoiding wasted capacity.
Suggest that the company make Reserved Instance purchases and capitalize them. Many companies capitalize Reserved Instance purchases, especially those with 3-year terms.
A company is migrating its workloads to AWS. Which tool will help the company estimate their potential cloud bill and calculate their overall total cost of ownership (TCO) based on their current workloads? The company can use the AWS Pricing Calculator. The company can open an account and billing support case with AWS Support to get help with estimating the TCO. The company can research the published prices of the AWS services and manually calculate the estimate. The company can use the Cost Explorer to visualize its estimated TCO.
The company can use the AWS Pricing Calculator. The Pricing Calculator provides an estimate of AWS fees and charges. Since the company knows the workload details, the AWS Pricing Calculator can also help with calculating the total cost of ownership.
Which of the below are TRUE when running a database in an EC2 instance? select 3 The customer is responsible for updating the guest operating system. The customer is responsible for managing access to the database. AWS is responsible for updating the database software. AWS is responsible for updating the guest operating system. AWS is responsible for managing access to the database. The customer is responsible for updating the database software.
The customer is responsible for updating the guest operating system. As it is an EC2 instance, the customer is responsible for guest OS patching. The customer is responsible for managing access to the database. In this case, as the database is being run in an EC2 instance, all aspects of database updates and access is the responsibility of the customer. The customer is responsible for updating the database software. Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance) and software required to deliver the service — which in this case is the EC2 instance. Anything to do with the instance itself is the responsibility of the customer.
You want to streamline access management for your AWS administrators by assigning them a pre-defined set of permissions based on their job role. Which options below are the best way to approach this? Use IAM roles Use IAM policies Use IAM groups Use AWS Organizations
Use IAM policies You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it. Use IAM groups Using IAM groups lets you create a list of pre-defined permissions that any user made a part of that group will be granted. Roles are primarily used to grant AWS resources permissions to other AWS resources and generally are not for end-users.
A developer deployed an application that consisted of 1 Lambda function, a DynamoDB table, and a firewall using Web Application Firewall (WAF) via the AWS Command Line Interface (CLI). When attempting to access the application's resources via the AWS Management Console, the developer cannot find the Lambda function or DynamoDB table. What could be the problem? The developer probably forgot to issue the "save" command when using the CLI. The default rules in WAF prevent everyone on the internet from accessing the application unless specifically granted. The developer is probably in a different Region from where the resources were initially deployed. The developer probably forgot to assign the appropriate IAM access permissions to themselves before closing the CLI.
The developer is probably in a different Region from where the resources were initially deployed. Resources that aren't global are typically deployed to a specific Region. Since Regions are isolated and resources aren't automatically replicated across them, the developer needs to switch to the correct Region in order to find the resources.
The AWS global infrastructure includes Regions, Availability Zones, and edge locations. Which best describes the relationship between the infrastructure components? select 2 There are more Regions than edge locations. There are more Regions than Availability Zones. There are more Availability Zones than Regions There are more edge locations than Regions. There are more Availability Zones than edge locations.
There are more Availability Zones than Regions There are more edge locations than Regions.
Which of the following is correct regarding the number of Regions, Availability Zones, edge locations, and data centers? There are more Availability Zones than edge locations. There are more edge locations than Availability Zones. There are more Regions than edge locations. The number of Availability Zones is the same as the number of edge locations.
There are more edge locations than Availability Zones. Edge locations are a part of AWS' content distribution network and are separate from Regions and AZs. The number of edge locations around the world is greater than that of Regions and Availability Zones, in order to reduce latency between your content and your customers - the more that exist, the greater the chance there is 1 where you need it.
A company has multiple AWS accounts across many departments. They are considering using Organizations to group all their accounts under 1 master payer account. What are the benefits of using Organizations? select 3 They can reduce costs by sharing resources across accounts. They can easily add new accounts or create new accounts. They can automatically be alerted when new accounts are set up. This is not a benefit of AWS Organizations. They can receive 1 bill for all their AWS accounts. The IAM integration allows for IAM users to be deleted automatically when an account is closed.
They can reduce costs by sharing resources across accounts. Cost savings is a benefit of AWS Organizations. You'll receive volume discounts since usage is combined across accounts. They can easily add new accounts or create new accounts. Account governance is a benefit of AWS Organizations. You have a quick and automated way to create accounts or invite existing accounts. They can receive 1 bill for all their AWS accounts. Consolidated billing is a benefit of AWS Organizations. The advantage of consolidated billing is that you receive 1 bill for multiple accounts.
A customer needs to identify vulnerabilities on their EC2 instances, such as unintended network access. Which services will provide a report of findings? select 2 Trusted Advisor Macie IAM credential report AWS Artifact Inspector
Trusted Advisor Trusted Advisor is a tool that provides real-time guidance to help you provision resources following AWS best practices. It will check security groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports. Inspector Inspector works with EC2 instances to uncover and report vulnerabilities.
A company wants to provide access to an Amazon S3 bucket to all applications running on a Reserved Instance (RI) that's been assigned to a specific Availability Zone. What's the best way to give S3 access to all applications running on the EC2 instance? Use an IAM user Use an IAM policy with Amazon S3 access Use an IAM policy with administrator access Use an instance profile to pass an IAM role with Amazon S3 permissions to the EC2 instance
Use an instance profile to pass an IAM role with Amazon S3 permissions to the EC2 instance The company will need to create a role that grants access to S3 and associate it with the instance.
A project manager wants to identify, organize, search for, and filter all EC2 instances belonging to the Marketing department for budget management purposes. What is the best strategy for the project manager to identify Marketing resources? Use tags Use Systems Manager Open a case with AWS Support Talk with a Technical Account Manager (TAM)
Use tags The administrator can use tags to identify resources with the Marketing department.
You're hosting a web application on EC2. After a few days of production usage, you notice the traffic to the web application far exceeds what was expected. You've decided to move to a larger instance type. What AWS principle does this represent? Durability Elasticity Vertical scaling Horizontal scaling
Vertical scaling Vertical scaling is increasing the size and computing power of a single instance or node without increasing the number of nodes or instances.
Which of the following are advantages of cloud computing? Select 3 You can go global in minutes. You can increase speed and agility. You can trade variable expense for capital expense. You can stop guessing capacity.
You can go global in minutes. You can deploy your applications around the world at the click of a button. You can increase speed and agility. The provided services allow you to innovate more quickly and deliver your applications faster. You can stop guessing capacity. Your capacity is matched exactly to your demand.