AWS Solutions Architect


True/false: An EC2 instance must be in a public subnet to access the internet.

B. An EC2 instance can access the Internet from a private subnet provided it uses a NAT gateway or NAT instance.

True/false: Changing the instance type of an EC2 instance will change its elastic IP address.

B. An elastic IP address will not change. A public IP address attached to an instance will change if the instance is stopped, as would happen when changing the instance type. See Chapter 2 for more information.

You're designing an application that takes multiple image files and combines them into a video file that users on the Internet can download. Which of the following can help you quickly implement your application in the fastest, most highly available, and most cost-effective manner? A. EC2 spot fleet B. Lambda C. Relational Database Service (RDS) D. Auto Scaling

B. Lambda is a highly available, reliable, "serverless" compute platform that runs functions as needed and scales elastically to meet demand. EC2 spot instances can be shut down on short notice.

Which of the following AWS tools will allow you to locate EC2 instances closer to each other to reduce network latency? A. Load balancing B. Placement groups C. AWS Systems Manager D. AWS Fargate

B. Load balancing directs external user requests between multiple EC2 instances, Systems Manager provides tools for monitoring and managing your resources, and Fargate is an interface for administrating Docker containers on Amazon ECS.

Which AWS tool lets you organize your EC2 instances and configure their network connectivity and access control? A. Load Balancing B. Amazon Virtual Private Cloud (VPC) C. Amazon CloudFront D. AWS endpoints

B. VPCs are virtualized network environments where you can control the connectivity of your EC2 (and RDS, etc.) infrastructure. Load Balancing routes incoming user requests among a cluster of available servers, CloudFront maintains a network of endpoints where cached versions of your application data are stored to provide quicker responses to user requests, and AWS endpoints are URIs that point to AWS resources within your account.

True/false: You can use either CodeDeploy or an AWS Systems Manager command document to deploy a Lambda application.

B. You can use CodeDeploy to deploy an application to Lambda or EC2 instances. But an AWS Systems Manager command document works only on EC2 instances.

Elastic Beanstalk

Beanstalk is a managed service that abstracts the provisioning of AWS compute and networking infrastructure. You are required to do nothing more than push your application code, and Beanstalk automatically launches and manages all the necessary services in the background.

Direct Connect

By purchasing fast and secure network connections to AWS through a third-party provider, you can use Direct Connect to establish an enhanced direct tunnel between your local data center or office and your AWS-based VPCs.

According to default behavior (and AWS recommendations), which of the following IP addresses could be assigned as the private IP for an EC2 instance? (Choose two.) A. 54.61.211.98 B. 23.176.92.3 C. 172.17.23.43 D. 10.0.32.176

C, D. By default, EC2 uses the standard address blocks for private subnets, so all private addresses will fall within these ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.

For data workloads requiring more speed and flexibility than a closely defined structure offers, which service should you choose? A. Relational Database Service (RDS) B. Amazon Aurora C. Amazon DynamoDB D. Key Management Service (KMS)

C. DynamoDB provides a NoSQL (nonrelational) database service for workloads that can be more efficiently run without the relational schema of SQL database engines (like those, including Aurora, that are offered by RDS). KMS is a tool for generating and managing encryption keys.

True/false: The EBS Lifecycle Manager can take snapshots of volumes that were once attached to terminated instances.

A. The EBS Lifecycle Manager can take scheduled snapshots of any EBS volume, regardless of attachment state.

Glacier

A good choice for when you need large data archives stored cheaply over the long term and can live with retrieval delays measuring in the hours. Glacier's lifecycle management is closely integrated with S3.

Which three attributes of an incoming data packet are used by a security group to determine whether it should be allowed through? (Choose three.) A. Network port B. Source address C. Datagram header size D. Network protocol

A, B, D. Security group rules do not take packet size into consideration.

Where might CodeDeploy look for the appspec.yml file? (Choose two.) A. GitHub B. CodeCommit C. S3 D. CloudFormation

A, C. CodeDeploy looks for the appspec.yml file with the application files it is to deploy, which can be stored in S3 or on GitHub.

You need to deploy multiple EC2 Linux instances that will provide your company with virtual private networks (VPNs) using software called OpenVPN. Which of the following will be the most efficient solutions? (Choose two.) A. Select a regular Linux AMI and bootstrap it using user data that will install and configure the OpenVPN package on the instance and use it for your VPN instances. B. Search the community AMIs for an official AMI provided and supported by the OpenVPN company. C. Search the AWS Marketplace to see whether there's an official AMI provided and supported by the OpenVPN company. D. Select a regular Linux AMI and SSH in to manually install and configure the OpenVPN package.

A, C. Many third-party companies maintain official and supported AMIs running their software on the AWS Marketplace. AMIs hosted among the community AMIs are not always official and supported versions. Since your company will need multiple such instances, you'll be better off automating the process by bootstrapping rather than having to configure the software manually each time.

Which of the following are benefits of instance store volumes? (Choose two.) A. Instance volumes are physically attached to the server that's hosting your instance, allowing faster data access. B. Instance volumes can be used to store data even after the instance is shut down. C. The use of instance volumes does not incur costs (beyond those for the instance itself). D. You can set termination protection so an instance volume can't be accidentally shut down.

A, C. The data on instance volumes is ephemeral and will be lost as soon as the instance is shut down. There is no way to set termination protection for instance volumes as they're dependent on the lifecycle of their host instances.

How are IAM roles commonly used to ensure secure resource access in relation to EC2 instances? (Choose two.) A. A role can assign processes running on the EC2 instance permission to access other AWS resources. B. A user can be given permission to authenticate as a role and access all associated resources. C. A role can be associated with individual instance-based processes (Linux instances only), giving them permission to access other AWS resources. D. A role can give users and resources permission to access the EC2 instance.

A, D. IAM roles define how resources access other resources. Users cannot authenticate as an instance role, nor can a role be associated with an instance's internal system process.

Normally, two instances running m5.large instance types can handle the traffic accessing your online e-commerce site, but you know that you will face short, unpredictable periods of high demand. Which of the following choices should you implement? (Choose two.) A. Configure autoscaling. B. Configure load balancing. C. Purchase two m5.large instances on the spot market and as many on-demand instances as necessary. D. Purchase two m5.large reserve instances and as many on-demand instances as necessary.

A, D. Reserved instances will give you the best price for instances you know will be running 24/7, while on-demand makes the most sense for workloads that will run at unpredictable times but can't be shut down until they're no longer needed. Load balancing controls traffic routing and, on its own, has no impact on your ability to meet changing demand.

True/false: You can use a Quick Start Amazon Machine Image (AMI) to create any instance type.

A. A Quick Start AMI is independent of the instance type. See Chapter 2 for more information.

You're using EC2 Auto Scaling and want to implement a scaling policy that adds one extra instance only when the average CPU utilization of each instance exceeds 90 percent. However, you don't want it to add more than one instance every five minutes. Which of the following scaling policies should you use? A. Simple B. Step C. Target tracking D. PercentChangeInCapacity

A. A simple scaling policy changes the group size and then has a cooldown period before doing so again. Step scaling policies don't have cooldown periods. Target tracking policies attempt to keep a metric at a set value. PercentChangeInCapacity is a simple scaling adjustment type, not a scaling policy.

Which of the following will allow you to quickly copy a virtual machine image from your local infrastructure to your AWS VPC? A. AWS Simple Storage Service (S3) B. AWS Snowball C. VM Import/Export D. AWS Direct Connect

C. S3 buckets are used to store an image, but they're not directly involved in the import operation. The Snowball is a physical high-capacity storage device that Amazon ships to your office for you to load data and ship back. Direct Connect uses Amazon partner providers to build a high-speed connection between your servers and your AWS VPC.

True/false: An EC2 instance in a private subnet can resolve an "A" resource record for a public hosted zone hosted in Route 53.

A. An EC2 instance in a private subnet still has access to Amazon's private DNS servers, which can resolve records stored in public hosted zones.

What does the term availability zone refer to in AWS documentation? A. One or more isolated physical data centers within an AWS region B. All the hardware resources within a single region C. A single network subnet used by resources within a single region D. A single isolated server room within a data center

A. An availability zone is an isolated physical data center within an AWS region. Regions are geographic areas that contain multiple availability zones, subnets are IP address blocks that can be used within a zone to organize your networked resources, and there can be multiple data centers within an availability zone.

True/false: If versioning is enabled on an S3 bucket, applying encryption to an unencrypted object in that bucket will create a new, encrypted version of that object.

A. Applying encryption to an unencrypted object will create a new, encrypted version of that object. Previous versions remain unencrypted.

True/false: EC2 Auto Scaling automatically replaces group instances directly terminated by the root user.

A. Auto Scaling always attempts to maintain the minimum group size or, if set, the desired capacity.

To save configuration time and money, you want your application to run only when network events trigger it but shut down immediately after. Which of the following will do that for you? A. AWS Lambda B. AWS Elastic Beanstalk C. Amazon Elastic Container Service (ECS) D. Auto Scaling

A. Beanstalk launches and manages infrastructure for your application that will remain running until you manually stop it, ECS manages Docker containers but doesn't necessarily stop them when a task is done, and Auto Scaling can add instances to an already running deployment to meet demand.

Where do AWS Config and CloudTrail store their logs? A. S3 buckets B. CloudWatch Logs C. CloudTrail Events D. DynamoDB E. Amazon Athena

A. Both store their logs in S3 buckets.

You need a low-latency platform where you can store files to be mounted within multiple VPC-based instances. Which of the following AWS services is your best choice? A. AWS Storage Gateway B. AWS S3 C. Amazon Elastic File System D. AWS Elastic Block Store

C. S3 can be used to share files, but it doesn't offer low-latency access—and its eventual consistency won't work well with filesystems. Storage Gateway is designed to simplify backing up archives to the AWS cloud; it's not for sharing files. EBS volumes can be used for only a single instance at a time.

The sensitivity of the data your company works with means that the instances you run must be secured through complete physical isolation. What should you specify as you configure a new instance? A. Dedicated Host Tenancy B. Shared Tenancy C. Dedicated Instance Tenancy D. Isolated Tenancy

A. Dedicated Instance tenancy instances may be hosted on the same physical server as other instances within your account, while only Dedicated Host tenancy offers full isolation.

You configured a CloudWatch alarm to monitor CPU utilization for an EC2 instance. The alarm began in the INSUFFICIENT_DATA state and then entered the ALARM state. What can you conclude from this? A. The instance recently rebooted. B. CPU utilization is too high. C. The CPU utilization metric crossed the alarm threshold. D. The instance is stopped.

C. The transition to the ALARM state simply implies that the metric crossed a threshold but doesn't tell you what the threshold is. Newly created alarms start out in the INSUFFICIENT_DATA state.

True/false: You can use an existing domain name with Route 53 without switching its registration to AWS.

A. Route 53 is a true DNS service in that it can host zones for any domain name. You can also register domain names with or transfer them to Route 53.

True/false: You can create a DynamoDB global secondary index for an existing table at any time.

A. You can create a global secondary index for an existing table at any time. You can create a local secondary index only when you create the table.

Which of the following services can you deactivate on your account? A. Security Token Service (STS) B. CloudWatch C. Virtual Private Cloud (VPC) D. Lambda

A. You can deactivate STS for all regions except US East.

Which of the following configuration details cannot be changed on an existing EC2 instance? A. AMI B. Instance type C. Security group D. Public IP address

A. You can edit or even add or remove security groups from running instances and the changes will take effect instantly. Similarly, you can associate or release an Elastic IP address to/from a running instance. You can change an instance type as long as you shut down the instance first. But the AMI can't be changed; you'll need to create an entirely new instance.

Auto Scaling

Copies of running EC2 instances can be defined as image templates and automatically launched (or scaled up) when client demand can't be met by existing instances. As demand drops, unused instances can be terminated (or scaled down).

Your AWS CLI command to launch an AMI as an EC2 instance has failed, giving you an error message that includes InvalidAMIID.NotFound. Which of the following is the most likely cause? A. You haven't properly configured the ~/.aws/config file. B. The AMI is being updated and is temporarily unavailable. C. Your key pair file has been given the wrong (overly permissive) permissions. D. The AMI you specified exists in a different region than the one you've currently specified.

D. AMIs are specific to a single AWS region and cannot be deployed into any other region. Should your AWS CLI or its key pair not be configured properly, your connection would have failed completely. A public AMI being unavailable because it's "updating" is theoretically possible but unlikely.

Storage Gateway

Storage Gateway is a hybrid storage system that exposes AWS cloud storage as a local, on-premises appliance. Storage Gateway can be a great tool for migration and data backup and as part of disaster recovery operations.

Config

The Config service is designed to help you with change management and compliance for your AWS account. You first define a desired configuration state, and Config will get to work evaluating any future states against that ideal. When a configuration change pushes too far from the ideal baseline, you'll be notified.

API Gateway

This service enables you to create and manage secure and reliable APIs for your AWS-based applications.

CloudFormation

This service enables you to use template files to define full and complex AWS deployments. The ability to script your use of any AWS resources makes it easier and more attractive to automate, standardizing and speeding up the application launch process.

Virtual Private Cloud (VPC)

VPCs are highly configurable networking environments designed to host your EC2 (and RDS) instances. You use VPC-based tools to closely control inbound and outbound network access to and between instances.

Identity and Access Management (IAM)

You use IAM to administrate user and programmatic access and authentication to your AWS account. Through the use of users, groups, roles, and policies, you can control exactly who and what can access and/or work with any of your AWS resources.

True/false: S3 cross-region replication uses transfer acceleration.

B. S3 cross-region replication transfers objects between different buckets. Transfer acceleration uses a CloudFront edge location to speed up transfers between S3 and the Internet.

True/false: After uploading a new object to S3, there will be a slight delay (one to two seconds) before the object is available.

B. S3 uses a read-after-write consistency model for new objects, so once you upload an object to S3, it's immediately available.

Which of the following use cases would be most cost effective using spot market instances? A. Your e-commerce website is built using a publicly available AMI. B. You provide high-end video rendering services using a fault-tolerant process that can easily complete a job that was unexpectedly interrupted. C. You're running a backend database that must be reliably updated to keep track of critical transactions. D. Your deployment runs as a static website on S3.

B. Spot market instances can be shut down with only a minimal (two-minute) warning, so they're not recommended for workloads that require reliably predictable service. Even if your AMI can be re-launched, the interrupted workload will still be lost. Static S3 websites don't run on EC2 infrastructure in the first place.

Which of the following would you use to administrate your AWS infrastructure via your local command line or shell scripts? A. AWS Config B. AWS CLI C. AWS SDK D. The AWS Console

B. The AWS Command Line Interface (CLI) is a tool for accessing AWS APIs from the command-line shell of your local computer. The AWS SDK is for accessing resources programmatically, the AWS Console works graphically through your browser, and AWS Config is a service for editing and auditing your AWS account resources.

True/false: The Developer Support plan provides access to a support application programming interface (API).

B. The Business plan offers access to a support API, but the Developer plan does not. See Chapter 1 for more information.

For an account with multiple resources running as part of multiple projects, which of the following key/value combination examples would make for the most effective identification convention for resource tags? A. servers:server1 B. project1:server1 C. EC2:project1:server1 D. server1:project1

B. The first of two strings in a resource tag is the key—the group to which the specific resource belongs. The second string is the value, which identifies the resource itself.

Which of the following is the best tool to control access to your AWS services and administration console? A. AWS Identity and Access Management (IAM) B. Key Management Service (KMS) C. AWS Directory Service D. Simple WorkFlow (SWF)

A. AWS IAM lets you create user accounts, groups, and roles and assign them rights and permissions over specific services and resources within your AWS account. KMS is a tool for generating and managing encryption keys, Directory Service allows you to integrate your resources with external users and resources through third-party authentication services, and SWF is a tool for coordinating application tasks.

Which of the following commands will (when run from a shell session on an EC2 instance) display the instance ID? A. curl http://169.254.169.254/latest/meta-data/instance-action B. curl http://149.253.169.253/latest/meta-data/instance-action C. curl http://169.254.169.254/latest/meta/instance-action D. curl http://169.254.169.254/meta-data/instance-action

A. Accept no substitutes: it's curl http://169.254.169.254/latest/meta-data/instance-action.

True/false: CloudFormation stack names are case-sensitive.

A. Almost everything in CloudFormation is case-sensitive.

Which service would you use to most effectively reduce the latency your end users experience when accessing your application resources over the Internet? A. Amazon CloudFront B. Amazon Route 53 C. Elastic Load Balancing D. Amazon Glacier

A. CloudFront maintains a network of endpoints where cached versions of your application data are stored to provide quicker responses to user requests. Route 53 manages DNS and network routing, Elastic Load Balancing routes incoming user requests among a cluster of available servers, and Glacier provides high-latency, low-cost file storage.

True/false: Durability measures the percentage of likelihood that a given object will not be inadvertently lost by AWS over the course of a year.

A. Durability corresponds to an average annual expected loss of objects stored on S3, not including objects you delete. Availability measures the amount of time S3 will be available to let you retrieve those objects.

True/false: Enabling point-in-time RDS snapshots is sufficient to give you a recovery point objective (RPO) of less than 10 minutes.

A. Enabling point-in-time recovery gives you an RPO of about five minutes. The recovery time objective (RTO) depends on the amount of data to restore.

Which of the following services can alert you to malware on an EC2 instance? A. AWS GuardDuty B. AWS Inspector C. AWS Shield D. AWS Web Application Firewall

A. GuardDuty looks for potentially malicious activity. Inspector looks for vulnerabilities that may result in compromise. Shield and Web Application Firewall protect applications from attack.

You have a publicly available file called filename stored in an S3 bucket named bucketname. Which of the following addresses will successfully retrieve the file using a web browser? A. https://s3.amazonaws.com/bucketname/filename B. https://filename/bucketname.s3.amazonaws.com C. s3://bucketname/filename D. s3://filename/bucketname

A. HTTP (web) requests must address the s3.amazonaws.com domain along with the bucket and file names.

What is the maximum size of S3 object metadata? A. 2 KB B. 5 GB C. 100 MB D. 5 TB

A. Object metadata contains information used by S3 to manage an object's security profile, behavior, and the way it's exposed to client requests. Storing this information requires very little space—2 KB will normally be more than enough.

An application you want to run on EC2 requires you to license it based on the number of physical CPU sockets and cores on the hardware you plan to run the application on. Which of the following tenancy models should you specify? A. Dedicated host B. Dedicated instance C. Shared tenancy D. Bring your own license

A. The dedicated host option lets you see the number of physical CPU sockets and cores on a host. See Chapter 2 for more information.

True/false: The route table for a public subnet must have a default route pointing to an Internet gateway as a target.

A. The definition of a public subnet is a subnet that has a default route pointing to an Internet gateway as a target. Otherwise, it's a private subnet.

Your company needs direct access to AWS support for both development and IT team leaders. Which support plan should you purchase? A. Business B. Developer C. Basic D. Enterprise

A. Unlike the Basic and Developer plans (which allow access to a support associate to no or one user, respectively), the Business plan allows multiple team members.

Which of the following EBS options will you need to keep your data-hungry application that requires up to 20,000 IOPS happy? A. Cold HDD B. General-purpose SSD C. Throughput-optimized HDD D. Provisioned-IOPS SSD

D. Provisioned-IOPS SSD volumes are currently the only type that comes close to 20,000 IOPS. In fact, they can deliver up to 32,000 IOPS.

If you want to generate an AMI from an existing EBS volume, which of the following steps will get you there? (Choose three.) A. Create an image from a detached EBS volume, use it to create a snapshot, select your new AMI from your private collection, and launch it. B. Create a snapshot of the EBS root volume you need, use it to create an image, select your new AMI from your private collection, and launch it. C. Create an image from the EBS volume attached to the instance, select your new AMI from your private collection, and launch it. D. Import the snapshot of an EBS root volume from a different AWS account, use it to create an image, select your new AMI from your private collection, and launch it.

B, C, D. When an image is created, a snapshot is automatically created from which an AMI is built. One does not, however, create a snapshot from an image.

You have a VMware virtual machine in your local infrastructure that you'd like to copy to your AWS account and run as an EC2 instance. Which of the following will be necessary steps? (Choose two.) A. Import the virtual machine to your AWS region using a secure SSH tunnel. B. Import the virtual machine using VM Import/Export. C. Select the imported VM from among your private AMIs and launch an instance. D. Select the imported VM from the AWS Marketplace AMIs and launch an instance.

B, C. The VM Import/Export tool handles the secure and reliable transfer for a virtual machine between your AWS account and local data center. A successfully imported VM will appear among the private AMIs in the region you selected.

You have an instance running within a private subnet that needs external network access to receive software updates and patches. Which of the following can securely provide that access from a public subnet within the same VPC? (Choose two.) A. Internet gateway B. NAT instance C. Virtual private gateway D. NAT gateway

B, D. NAT instances and NAT gateways are AWS tools for safely routing traffic between private and public subnets and from there, out to the Internet. An Internet gateway connects a VPC with the Internet, and a virtual private gateway connects a VPC with a remote site over a secure VPN.

Which of the following is not an AWS service? A. CloudFormation B. Puppet C. OpsWorks D. Snowball

B. Puppet is a configuration management platform that AWS offers via OpsWorks but is not itself an AWS service.

True/false: AWS is responsible for managing the network configuration of your EC2 instances.

B. Customers are responsible for managing the network configuration of EC2 instances. AWS is responsible for the physical network infrastructure. See Chapter 1 for more information.

Which of the following steps does the most to protect your AWS account? A. Deleting unused Identity and Access Management (IAM) policies B. Revoking unnecessary access for IAM users C. Rotating root access keys D. Restricting access to S3 buckets E. Rotating Secure Shell (SSH) key pairs

B. Revoking unnecessary access for IAM users is the most effective of the listed measures for protecting your AWS account.

True/false: EC2 sends instance memory utilization metrics to CloudWatch every five minutes.

B. EC2 doesn't track instance memory utilization.

Your developers want to run fully provisioned EC2 instances to support their application code deployments but prefer not to have to worry about manually configuring and launching the necessary infrastructure. Which of the following should they use? A. AWS Lambda B. AWS Elastic Beanstalk C. Amazon EC2 Auto Scaling D. Amazon Route 53

B. Elastic Beanstalk takes care of the ongoing underlying deployment details for you, allowing you to focus exclusively on your code. Lambda will respond to trigger events by running code a single time, Auto Scaling will ramp up existing infrastructure in response to demand, and Route 53 manages DNS and network routing.

Simple Queue Service (SQS)

SQS allows for event-driven messaging within distributed systems that can decouple while coordinating the discrete steps of a larger process. The data contained in your SQS messages will be reliably delivered, adding to the fault-tolerant qualities of an application.

Simple WorkFlow (SWF)

SWF lets you coordinate a series of tasks that must be performed using a range of AWS services or even nondigital (meaning, human) events. SWF can be the "glue" and "lubrication" that both speed a complex process and keep all the moving parts from falling apart.

Which of the following use cases is well suited for DynamoDB? A. Running a MongoDB database on AWS B. Storing large binary files exceeding 1 GB in size C. Storing JSON documents that have a consistent structure D. Storing image assets for a website

C. DynamoDB is a key-value store that can be used to store items up to 400 KB in size.

Which of the following lets you spin up new web servers the quickest? A. Lambda B. Auto Scaling C. Elastic Container Service D. CloudFront

C. Elastic Container Service lets you run containers that can launch in a matter of seconds. EC2 instances take longer. Lambda is "serverless," so you can't use it to run a web server. CloudFront provides caching but isn't a web server.

You want to use Route 53 to send users to the application load balancer closest to them. Which of the following routing policies lets you do this with the least effort? A. Latency routing B. Geolocation routing C. Geoproximity routing D. Edge routing

C. Geoproximity routing routes users to the location closest to them. Geolocation routing requires you to create records for specific locations or create a default record.

Which of the following can be used to encrypt the operating system of an EC2 instance? A. AWS Secrets Manager B. CloudHSM C. AWS Key Management Service (KMS) D. AWS Security Token Service (STS)

C. KMS can be used to encrypt Elastic Block Store (EBS) volumes that store an instance's operating system.

Which instance type will, if left running, continue to incur costs? A. Spot B. Standard reserved C. On-demand D. Convertible reserved

C. On-demand instances will continue to run and incur costs. Reserved instances cost the same whether they're running or stopped. Spot instances will be terminated when the spot price exceeds your bid price.

Which of the following services is most useful for decoupling the components of a monolithic application? A. SNS B. KMS C. SQS D. Glacier

C. Simple Queue Service (SQS) allows for event-driven messaging within distributed systems that can decouple while coordinating the discrete steps of a larger process. See Chapter 1 for more information.

You want to be sure that the application you're building using EC2 and S3 resources will be reliable enough to meet the regulatory standards required within your industry. What should you check? A. Historical uptime log records B. The AWS Program Compliance Tool C. The AWS service level agreement (SLA) D. The AWS Shared Responsibility Model

C. The AWS service level agreement tells you the level of service availability you can realistically expect from a particular AWS service. You can use this information when assessing your compliance with external standards. Log records, while they can offer important historical performance metrics, probably won't be enough to prove compliance. The AWS Shared Responsibility Model outlines who is responsible for various elements of your AWS infrastructure. There is no AWS Program Compliance tool.

You created a Virtual Private Cloud (VPC) using the Classless Inter-Domain Routing (CIDR) block 10.0.0.0/24. You need to connect to this VPC from your internal network, but the IP addresses in use on your internal network overlap with the CIDR. Which of the following is a valid way to address this problem? A. Remove the CIDR and use IPv6 instead. B. Change the VPC's CIDR. C. Create a new VPC with a different CIDR. D. Create a secondary CIDR for the VPC.

C. You can't change the primary CIDR for a VPC, so you must create a new one to connect it to your internal network.

CloudFront

CloudFront is Amazon's distributed global content delivery network (CDN). When properly configured, a CloudFront distribution can store cached versions of your site's content at edge locations around the world so they can be delivered to customers on request with the greatest efficiency and lowest latency.

CloudTrail

CloudTrail collects records of all your account's API events. This history is useful for account auditing and troubleshooting purposes.

Lambda

Serverless application architectures like the one provided by Amazon's Lambda service allow you to provide responsive public-facing services without the need for a server that's actually running 24/7. Instead, network events (like consumer requests) can trigger the execution of a predefined code-based operation. When the operation (which can currently run for as long as 15 minutes) is complete, the Lambda event ends, and all resources automatically shut down.

Which of the following is the correct endpoint address for an EC2 instance running in the AWS Ireland region? A. compute.eu-central-1.amazonaws.com B. ec2.eu-central-1.amazonaws.com C. elasticcomputecloud.eu-west-2.amazonaws.com D. ec2.eu-west-1.amazonaws.com

D. EC2 endpoints will always start with an ec2 prefix followed by the region designation (eu-west-1 in the case of Ireland).

Which ElastiCache engine can persistently store data? A. MySQL B. Memcached C. MongoDB D. Redis

D. ElastiCache supports Memcached and Redis, but only the latter can store data persistently.

Which of the following is the best use-case scenario for Elastic Block Store? A. You need a cheap and reliable place to store files your application can access. B. You need a safe place to store backup archives from your local servers. C. You need a source for on-demand compute cycles to meet fluctuating demand for your application. D. You need persistent storage for the file system run by your EC2 instance.

D. Elastic Block Store provides virtual block devices (think: storage drives) on which you can install and run filesystems and data operations. It is not normally a cost-effective option for long-term data storage.

When planning your data operations, it's important to understand the practical limitations you'll face. Which of the following will normally be available only in limited amounts? A. PUT requests/month against an S3 bucket B. The volume of data available per S3 bucket C. Account-wide S3 storage space D. The number of S3 buckets within a single account

D. In theory, at least, there's no limit to the data you can upload to a single bucket or to all the buckets in your account or to the number of times you upload (using the PUT command). By default, however, you are allowed only 100 S3 buckets per account.

What is a difference between a token generated by the AWS Security Token Service (STS) and an IAM access key? A. The token generated by STS can't be used by an IAM principal. B. An IAM access key is unique. C. The token generated by STS can be used only once. D. The token generated by STS expires.

D. STS tokens expire while IAM access keys do not. An STS token can be used more than once. IAM access keys and STS tokens are both unique. An IAM principal can use an STS token.

What do you have to do to securely authenticate to the GUI console of a Windows EC2 session? A. Use the private key of your key pair to initiate an SSH tunnel session. B. Use the public key of your key pair to initiate an SSH tunnel session. C. Use the public key of your key pair to retrieve the password you'll use to log in. D. Use the private key of your key pair to retrieve the password you'll use to log in.

D. The client computer in an encrypted operation must always provide the private key to authenticate. For EC2 instances running Windows, you retrieve the password you'll use for the GUI login using your private key.

Which S3 encryption option does not require AWS persistently storing the encryption keys it uses to decrypt data? A. Client-side encryption B. SSE-KMS C. SSE-S3 D. SSE-C

D. With SSE-C you provide your own keys for Amazon to use to decrypt and encrypt your data. AWS doesn't persistently store the keys.

DynamoDB

DynamoDB can be used for fast, flexible, highly scalable, and managed nonrelational (NoSQL) database workloads.

Elastic Block Store (EBS)

EBS provides the virtual data drives that host the operating systems and working data of an EC2 instance. They're meant to mimic the function of the storage drives and partitions attached to physical servers.

Elastic Compute Cloud (EC2)

EC2 server instances provide virtual versions of the servers you would run in your local data center. EC2 instances can be provisioned with the CPU, memory, storage, and network interface profile to meet any application need, from a simple web server to one part of a cluster of instances providing an integrated multitiered fleet architecture. Since EC2 instances are virtual, they're much more resource-efficient and deploy nearly instantly.

Directory Service

For AWS environments that need to manage identities and relationships, Directory Service can integrate AWS resources with identity providers like Amazon Cognito and Microsoft AD domains.

Elastic Load Balancing

Incoming network traffic can be directed between multiple web servers to ensure that a single web server isn't overwhelmed while other servers are underused or that traffic isn't directed to failed servers.

Key Management Service (KMS)

KMS is a managed service that allows you to administer the creation and use of encryption keys to secure data used by and for any of your AWS resources.

CloudWatch

No deployment is complete without some kind of ongoing monitoring in place. And generating endless log files doesn't make much sense if there's no one keeping an eye on them. CloudWatch can be set to monitor process performance and utilization through events and, when preset thresholds are met, either send you a message or trigger an automated response.

Relational Database Service (RDS)

RDS is a managed service that builds you a stable, secure, and reliable database instance. You can run a variety of SQL database engines on RDS, including MySQL, Microsoft SQL Server, Oracle, and Amazon's own Aurora.

Route 53

Route 53 is the AWS DNS service that lets you manage domain registration, record administration, routing protocols, and health checks, which are all fully integrated with the rest of your AWS resources.

Simple Storage Service (S3)

S3 offers highly versatile, reliable, and inexpensive object storage that's great for data storage and backups. It's also commonly used as part of larger AWS production processes, including through the storage of script, template, and log files.

Simple Notification Service (SNS)

SNS is a notification tool that can automate the publishing of alert topics to other services (to an SQS Queue or to trigger a Lambda function, for instance), to mobile devices, or to recipients using email or SMS.
