SA Exam - Whiz Lab 3


A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing database. What services should you leverage to enable an elastic and scalable web tier? A. Elastic Load Balancing, EC2, and Auto Scaling B. Elastic Load Balancing, RDS with Multi AZ, and S3 C. RDS with Multi AZ and Auto Scaling D. EC2, DynamoDB, and S3

A

Is it true that EBS can always tolerate an AZ failure? A. No, all EBS volumes are stored in a single AZ B. Yes, EBS volumes have multiple copies so it should be fine C. Depends on how it is set up D. Depends on the region where the EBS volume was initiated

A. An EBS volume is replicated to physical hardware within the same AZ, so if the AZ fails the EBS volume will fail. That is why AWS recommends always keeping EBS volume snapshots in S3 for high durability. When you create an EBS volume in an AZ, it is automatically replicated within that zone to prevent data loss due to the failure of any single hardware component.

A company has assigned two web server instances in a VPC subnet to an ELB. However, the instances and the ELB are not reachable via the URL of the elastic load balancer. How can you resolve the issue so that your web server instances can start serving the web app data to the public internet? A. Attach an internet gateway to the VPC and route it to the subnet B. Add an elastic IP address to the instance C. Use Amazon Elastic Load Balancer to serve requests to your instances located in the internal subnet D. None of the above

A. If the internet gateway is not attached to the VPC, which is a prerequisite for the instances to be accessed from the internet, then the instances will not be reachable. You can assign instances from a private subnet to an ELB; in that case the ELB will automatically become an internal ELB and AWS will assign the scheme "internal". If your subnet is public, the ELB will automatically become an external ELB and AWS will assign the scheme "internet-facing". You can add an internet gateway to the VPC and add an IGW route to the subnet to make it available over the internet; in that case AWS will still show the ELB scheme as internal, but it will allow internet traffic to the instance.

Your organization has been using HSM for secure key storage. It is only used for generating keys for your EC2 instances. Unfortunately, the HSM has been zeroed after someone attempted to log in as the administrator three times using an invalid password. This means that the encryption keys on it have been wiped. You did not have a copy of the keys stored anywhere else. How can you obtain a new copy of the keys that you had stored on the HSM? A. You cannot; the keys are lost if you did not have a copy B. Contact AWS support; your incident will be routed to the team that supports AWS HSM and a copy of the keys will be sent to you after verification C. Restore a snapshot of the HSM D. You can still connect via CLI; use the command "get-client-configuration" and you can get a copy of the keys

A. Question: Can Amazon recover my keys if I lose my credentials to the appliance? No. Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.

What type of monitoring for EBS volumes is available automatically in 5 minute periods at no charge? A. Basic B. Primary C. Detailed D. Local

A. Basic - data is available automatically in 5 minute periods at no charge. This includes data from the root device volumes for EBS backed instances. Detailed - Provisioned IOPS SSD volumes automatically send one minute metrics to CloudWatch.

Does S3 provide read after write consistency for new objects? A. Yes, for all regions B. No, not for any region C. Yes, but only for certain regions and for new objects D. Yes, but only for certain regions, not the us-standard region

A. Question: What data consistency model does Amazon S3 employ? Amazon S3 buckets in all regions provide read-after-write consistency for PUTs of new objects and eventual consistency for overwrite PUTs and DELETEs.

A company has EC2 instances running in AWS. The EC2 instances are running via an Auto Scaling solution. A lot of application requests or work items are being lost because of the load on the servers. The Auto Scaling solution is launching new instances to take the load, but there are still some application requests which are being lost. Which of the following is likely to provide the most cost effective solution to avoid losing recently submitted requests? A. Use an SQS queue to decouple the application components B. Keep one extra EC2 instance always powered on in case a spike occurs C. Use larger instances for your applications D. Pre-warm your Elastic Load Balancer

A. SQS is a fully managed message queueing service for reliably communicating among distributed software components and microservices, at any scale. Building applications from individual components that each perform a discrete function improves scalability and reliability, and is a best practice design for modern applications.

Besides regions and their included AZ, which of the following is another "regional" data center location used for content distribution? A. Edge location B. Front Location C. Backend Location D. Cloud Location

A. Using a network of edge locations around the world, Amazon CloudFront caches copies of your static content close to viewers, lowering latency when they download your objects and giving you the high, sustained data transfer rates needed to deliver large popular objects to end users at scale.

One of your instances is reporting an unhealthy system status check. However, this is not something you should have to monitor and repair on your own. How might you automate the repair of the system status check failure in an AWS environment? A. Create CloudWatch alarms that stop and start the instance based off the status check alarms B. Write a script that queries the EC2 API for each instance status check C. Write a script that periodically shuts down and starts instances based on certain stats D. Implement a third party monitoring tool

A. Using Amazon CloudWatch alarm actions, you can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs.

An EC2 instance retrieves a message from an SQS queue, begins processing the message, then crashes. What happens to the message? A. When the message visibility timeout expires, the message becomes available for processing by other EC2 instances B. It will remain in the queue and still be assigned to the same EC2 instance if the instance comes back online within the visibility timeout C. The message is deleted and becomes duplicated when the EC2 instance comes online

A. When a consumer receives and processes a message from a queue, the message remains in the queue. Amazon SQS doesn't automatically delete the message: because it is a distributed system, there is no guarantee that the component will actually receive the message. Thus, the consumer must delete the message from the queue after receiving and processing it. Furthermore, there is no special code required to deal with the message that was being processed when the server crashed. That is, even though the message was read from the Amazon SQS queue, the message remains in the queue until the server explicitly deletes it. So if the server fails while processing a message, and therefore before deleting the message, it will find the message again when it comes back online. Q: How does SQS allow multiple readers to access the same message queue without losing messages or processing them multiple times? Every SQS queue has a configurable visibility timeout. A message is not visible to any other reader for a designated amount of time when it is read from a message queue. As long as the amount of time it takes to process the message is less than the visibility timeout, every message is processed and deleted. If the component processing the message fails or becomes unavailable, the message again becomes visible to any component reading the message queue once the visibility timeout ends. This allows multiple components to read messages from the same message queue, each one working to process different messages.

You have been told by your manager that you need to set up a bastion host in the cheapest, most secure way, and that you should be the only person that can access it via SSH. Which of the following setups would satisfy your manager's requests? A. A small EC2 instance and a security group which only allows access on port 22 via your IP address B. A large EC2 instance and a security group which only allows access on port 22 via your IP address C. A large EC2 instance and a security group which allows access on port 22 D. A small EC2 instance and a security group which only allows access on port 22

A. The bastion host's security group should only allow access from a particular IP address for maximum security. Since the request is for the cheapest infrastructure, you should use a small instance.

In AWS security groups, what are the two types of rules you can define? Choose 2: A. Inbound B. Transitional C. Bi-Directional D. Outbound

A and D. A security group acts as a virtual firewall that controls the traffic of one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules of a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

Which of the following benefits does adding Multi AZ deployment in RDS provide? Choose 2 answers: A. A Multi AZ deployed database can tolerate an AZ failure B. Decreased latencies if app servers accessing the database are in multiple AZs C. Faster database access times for all app servers D. Makes the database more available during maintenance tasks

A and D. Some of the advantages of Multi AZ RDS deployments are given below:
- If an AZ failure or DB instance failure occurs, your availability impact is limited to the time automatic failover takes to complete
- The availability benefits of Multi AZ deployments also extend to planned maintenance and backups. In the case of system upgrades like OS patching or DB instance scaling, these operations are applied first on the standby, prior to the automatic failover. As a result, your availability impact is again only the time required for automatic failover to complete
- If a storage volume on your primary fails in a Multi AZ deployment, RDS automatically initiates a failover to the up-to-date standby

An instance can have many states that form part of its lifecycle. Choose the 3 options which are correct states of the instance lifecycle. A. rebooting B. pending C. running D. shutdown

A, B, and C

Which of the following are invalid VPC peering configurations? Choose 3 answers: A. Overlapping CIDR blocks B. Transitive peering C. Edge to edge routing via gateway D. One to one relationship between 2 VPCs

A, B, and C

Which of the following can be used as an origin server in CloudFront? Choose 3 answers from the options given below. A. A web server running on EC2 B. A web server running in your own datacenter C. An RDS instance D. An Amazon S3 bucket

A, B, and D. Currently CloudFront supports the following types of distributions:
- S3 buckets - when you use Amazon S3 as an origin for your distribution, you place any objects that you want CloudFront to deliver in an Amazon S3 bucket
- Custom origin - a custom origin is an HTTP server, for example, a web server. The HTTP server can be an Amazon EC2 instance or an HTTP server that you manage privately. When you use a custom origin, you specify the DNS name of the server, along with the HTTP and HTTPS ports and the protocol that you want CloudFront to use when fetching objects from your origin

Which of the below elements can you manage in the IAM dashboard? Choose 3 answers from the options given below: A. Users B. Encryption keys C. Cost allocation reports D. Policies

A, B, and D. When you go to your IAM dashboard, the elements which can be configured are shown below.

What are the languages currently supported by AWS Lambda? Choose 3 answers from the options given below: A. Node.js B. AngularJS C. Java D. Python

A, C, and D. AWS Lambda supports code written in Node.js, Python, Java, and C#.

API Access Keys are required to make programmatic calls to AWS from which of the following? Choose 3: A. AWS Tools for Windows PowerShell B. Managing AWS resources through the AWS console C. Direct HTTP calls using the API D. AWS CLI

A, C, and D. By default, when you create an access key, its status is active, which means the user can use the access key for the AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active access keys, which is useful when you must rotate the user's access keys. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user.

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose two answers: A. Use AWS consolidated billing and disable AWS root account access for the child accounts B. Enable IAM cross account access for all corporate IT administrators in each child account C. Create separate VPCs for each division within the corporate IT AWS account D. Use AWS consolidated billing by creating AWS Organizations to link the divisions' accounts to a parent corporate account E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 "log" bucket

B and D. Since the resources need to be separated and a separate governance model is required for each section of resources, it is better to have a separate AWS account for each division. Each division's AWS account can sign up for consolidated billing to the main corporate account by creating AWS Organizations. The IT administrators can then be granted access via cross account role access.

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2. A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2 D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1 E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

B and E. Having a VPN connection is considered a backup to a Direct Connect connection. One can also have another Direct Connect connection, so that if one goes down, the other would still be active. This needs to be in the same region as VPC-1.

By default, what happens to data when an EC2 instance terminates? Select 3: A. For an EBS backed AMI, the root EBS volume with the operating system is preserved by default B. For an EBS backed AMI, any volume attached apart from the OS volume is preserved C. All the snapshots of the EBS volume with the operating system are preserved D. For an S3 backed AMI, all the data in the local (ephemeral) hard drive is deleted

B, C, and D. When the instance is terminated, the volume will remain unless you specifically delete the volume. When you create an instance, you have the root volume, which does get deleted on termination of the instance. But when you add a new volume, by default the "Delete on termination" flag is unchecked, so unless you check this flag the volume will remain. The whole idea of snapshots is that they remain even if the volume or instance is deleted. Ephemeral storage is temporary storage by default and gets deleted when the instance is terminated. Notes: If an AMI is backed by instance store, that means that the root device for an instance launched from that AMI is created from a template stored in S3. To create a Linux AMI backed by instance store, you have to use the EC2 AMI tools and run them on the instance itself. You can use the AWS console. Creating EBS backed AMIs is much simpler and can be done in the AWS console.

What are three attributes of DynamoDB? Choose 3: A. Used for data warehousing B. NoSQL database platform C. Uses key value store D. Fully managed

B, C, and D. DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key value store models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications. AWS Redshift can be used for data warehousing.

When storing sensitive data on the cloud, which of the below options should be carried out on AWS? Choose 3 answers from the options given below: A. With AWS, you do not need to worry about encryption B. Enable EBS encryption C. Encrypt the file system on an EBS volume using Linux tools D. Enable S3 encryption

B, C, and D. EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
Data protection refers to protecting data while in transit and at rest. You can protect data in transit by using SSL or by using client side encryption.

Currently you're helping design and architect a highly available application. After building the initial environment, you've found that part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly? A. Generally, it takes 2-5 minutes in order for the rules to propagate B. Immediately after a reboot of the EC2 instances belonging to that security group C. Changes apply instantly to the security group, and the application should be able to respond to 443 requests D. It will take 60 seconds for the rules to apply to all availability zones within the region

C. Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports. When you add or remove rules, they are automatically applied to all instances associated with the security group.

Which of the below resources cannot be tagged in AWS? A. Images (AMI) B. EBS Volumes C. Placement Groups D. VPC

C. Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type - you can quickly identify a specific resource based on the tags you've assigned to it. Each tag consists of a key and an optional value, both of which you define. But, you cannot tag a VPC endpoint.

You are running an instance store based instance. You shut down and then start the instance. You then notice that the data which you saved earlier is no longer available. What might be the cause of this? A. The volume was not big enough to handle all of the processing data B. The EC2 instance was using EBS backed root volumes, which are ephemeral and only live for the life of the instance C. The EC2 instance was using instance store volumes, which are ephemeral and only live for the life of the instance D. The instance might have been compromised

C. The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots, data in the instance store persists. However, data in the instance store is lost under the following circumstances:
- The underlying disk drive fails
- The instance stops
- The instance terminates

How are network access rules evaluated? A. Rules are evaluated by rule number, from highest to lowest, and executed immediately when a matching allow/deny rule is found B. All rules are evaluated before any traffic is allowed or denied C. Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found D. Rules are evaluated by rule number, from lowest to highest, and executed after all rules are checked for conflicting allow/deny rules

C. The following are the parts of a network ACL rule:
- Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it is applied regardless of any higher numbered rule that may contradict it
- Protocol. You can specify any protocol that has a standard protocol number. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes
- [Inbound rules only] The source of the traffic and the destination port or port range
- [Outbound rules only] The destination for the traffic and the destination port or port range
- Choice of ALLOW or DENY for the specified traffic

What are the main benefits of IAM groups? Choose 2: A. Ability to create custom permission policies B. Allow for EC2 instances to gain access to S3 C. Easier user/policy management D. Assign IAM permission policies to more than one user at a time

C and D. An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group automatically has the permissions that are assigned to the group. If a new user joins your organization and needs administrator privileges, you can assign the appropriate permissions by adding the user to that group. Similarly, if a person changes jobs in your organization, instead of editing that user's permissions, you can remove him or her from the old groups and add him or her to the appropriate new groups.

What is the key aspect of the AMI image shown below? A. Since it is an EBS volume AMI, it is special in nature B. Since it is a Linux based AMI, it is special in nature C. Since it is an HVM based AMI, it is special in nature D. Since it is a NAT based AMI, it is special in nature

D. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console. When you launch an instance from a NAT AMI, the following configuration occurs on the instance:
- IPv4 forwarding is enabled and ICMP redirects are disabled in /etc/sysctl.d/10-nat-settings.conf
- A script located at /usr/sbin/configure-pat.sh runs at startup and configures iptables IP masquerading

A company has the following EC2 instance configuration. They are trying to connect to the instance from the internet. They have verified the existence of the internet gateway and that the route tables are in place. What could be the issue? A. It is launched in the wrong AZ B. The AMI used to launch the instance cannot be accessed from the internet C. The private IP is wrongly assigned D. There is no elastic IP assigned

D. An instance must have either a public or an Elastic IP in order to be accessible from the internet. A public IP address is reachable from the internet. You can use public IP addresses for communication between your instances and the internet. An Elastic IP address is a static IP address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is a public IP address, which is reachable from the internet. If your instance does not have a public IP address, you can associate an Elastic IP address with your instance to enable communication with the internet, for example, to connect to your instance from your local computer.

A photo sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign in using an OpenID compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations? A. SAML based identity federation B. Cross account access C. AWS identity and access management roles D. Web identity federation

D. With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well known identity provider, such as Login with Amazon, Facebook, Google, or any other OpenID Connect compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long term security credentials with your application.

Which feature in AWS allows 2 VPCs to talk to each other? A. VPC Connection B. VPN Connection C. Direct Connect D. VPC Peering

D. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.

You have written a CloudFormation template that creates 1 elastic load balancer fronting 2 EC2 instances. Which section of the template should you edit so that the DNS name of the load balancer is returned upon creation of the stack? A. Resources B. Parameters C. Outputs D. Mappings

C

What is one of the major advantages of having a VPN in AWS? A. You don't have to worry about security, this is managed by AWS B. You can connect your cloud resources to on-premises data centers using VPN connections C. You can provision an unlimited number of S3 resources D. None of the above

B. One of the major advantages is that you can connect your on-premises data center to AWS via a VPN connection. You can create an IPsec, hardware VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints for automatic failover. You configure your customer gateway, which is the physical device or software application on the remote side of the VPN connection.

You have built an AMI. Another AWS account holder wants to use your AMI, but is not able to access it. What could be the issue? A. It is not possible to share AMIs B. The AMI needs to be made public C. The owner of AMI needs to be changed D. The AMI ID does not allow sharing

B. An AMI provides the information required to launch an instance, which is a virtual server in the cloud. After you create an AMI, you can keep it private so that only you can use it, or you can share it with a specified list of AWS accounts. You can also make your custom AMI public so that the community can use it. To make the AMI public, carry out the following steps:
1. Choose the AMI and then choose the menu option Modify Image Permissions
2. Make the image public

In the event of an unplanned outage of your primary DB, AWS RDS automatically switches over to the secondary. In such a case which record in Route 53 is changed? Select one answer from the options given below: A. DNAME B. CNAME C. TXT D. MX

B. Failover is automatically handled by RDS so that you can resume database operations as quickly as possible without administrative intervention. When failing over, RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary. It is encouraged to implement database connection retries at the application layer.

A company wants to host a selection of MongoDB instances. They are expecting a high load and want to have as low latency as possible. Which class of instances from the below list should they choose? A. T2 B. I2 C. T1 D. G2

B. I2 instances are optimized to deliver tens of thousands of low latency, random I/O operations per second to applications. They are well suited for the following scenarios:
- NoSQL databases
- Clustered databases
- Online transaction processing (OLTP) systems

A company is running three production web server reserved EC2 instances with EBS backed root volumes. These instances have a consistent CPU load of 80%. Traffic is being distributed to the instances by an Elastic Load Balancer. They also have production and development Multi AZ RDS MySQL databases. What recommendation would you make to reduce cost in this environment without affecting availability of mission critical systems? A. Consider using on demand instances instead of reserved EC2 instances B. Consider not using a Multi AZ RDS deployment for the development database C. Consider using spot instances instead of reserved EC2 instances D. Consider removing the Elastic Load Balancer

B. Multi AZ databases are better suited to production environments than development environments, so you can reduce costs by not using them for development environments. Amazon RDS Multi AZ deployments provide enhanced availability and durability for database instances, making them a natural fit for production database workloads. When you provision a Multi AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different AZ. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. In case of an infrastructure failure, RDS performs an automatic failover to the standby, so that you can resume database operations as soon as the failover is complete. Since the endpoint for your DB instance remains the same after failover, your application can resume database operation without the need for manual administrative intervention.

In VPCs with private and public subnets, database servers should ideally be launched into: A. the public subnet B. the private subnet C. either of them D. not recommended; they should ideally be launched outside the VPC

B. Normally database servers should not be exposed to the internet and should reside in private subnets. The web servers will be part of the public subnet and exposed to the end users.

In order to establish a successful site-to-site VPN connection from your on-premises network to the VPC, which of the following needs to be configured outside of the VPC? A. The main route table to route traffic through a NAT instance B. A public IP address on the customer gateway for the on-premises network C. A dedicated NAT instance in a public subnet D. An elastic IP address on the virtual private gateway

B On the customer side gateway you need to have a public IP address which can be reached by the VPN connection.

If you cannot connect to your EC2 instance via Microsoft Remote Desktop, and you have already verified the instance has a public IP and the Internet gateway and route tables are in place, what should you do next? A. Adjust the security group to allow traffic from port 22 B. Adjust the security group to allow traffic from port 3389 C. Restart the instance since there might be some issue with the instance D. Create a new instance since there might be some issue with the instance

B The reason you cannot connect to the instance is that, by default, the RDP protocol (port 3389) is not allowed in the security group. 1. Go to your EC2 security groups, click on the required security group to make the changes, and go to the inbound tab 2. Add a rule for the RDP protocol for the instance and then click the save button

What is an AWS service which can help protect web applications from common security threats from the outside world? A. NAT B. WAF C. SQS D. SES

B WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use WAF to create custom rules that block common attack patterns, such as SQL injection or cross site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, WAF includes a full featured API that you can use to automate the creation, deployment, and maintenance of web security rules. In WAF, you can create a set of conditions and rules to protect your applications against attacks from outside.

You've been tasked with building out a duplicate environment in another region for disaster recovery purposes. Part of your environment relies on EC2 instances with preconfigured software. What steps would you take to configure the instances in another region? A. Create an AMI of the EC2 instance B. Create an AMI of the EC2 instance and copy the AMI to the desired region C. Make the EC2 instance shareable among other regions through IAM permissions D. None of the above

B You can copy an AMI within or across an AWS region using the AWS Management Console, the AWS command line tools or SDKs, or the Amazon EC2 API, all of which support the copy image action. You can copy both Amazon EBS backed AMIs and instance store backed AMIs. You can copy AMIs with encrypted snapshots and encrypted AMIs.

When using the following AWS services, which should be implemented in multiple AZ for high availability solutions? Choose 2: A. DynamoDB B. EC2 C. Elastic Load Balancing D. SNS E. S3

B and C

After migrating an application architecture from on premises to AWS, you will not be responsible for the ongoing maintenance of packages for which of the following AWS services that your application uses? Choose two correct answers from the options below: A. Elastic Beanstalk B. RDS C. DynamoDB D. EC2

B and C Both RDS and DynamoDB are managed solutions provided by AWS. RDS makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost efficient and resizable capacity while managing time consuming database administration tasks, freeing you up to focus on your applications and business. DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key value store models.

Which of the following services allow the administrator access to the underlying operating system? Choose 2 answers: A. RDS B. EMR C. EC2 D. DynamoDB

B and C EC2 is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web scale cloud computing easier for developers. Your security credentials identify you to services in AWS and grant you unlimited use of your AWS resources, such as your EC2 resources. EMR provides a managed Hadoop framework that makes it easy, fast, and cost effective to process vast amounts of data across dynamically scalable EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in EMR, and interact with data in other AWS data stores such as S3 and DynamoDB.

What is the basic requirement to log in to an EC2 instance on the AWS cloud? A. Volumes B. AMIs C. Key pairs D. S3

C Amazon EC2 uses public key cryptography to encrypt and decrypt login information. Public key cryptography uses a public key to encrypt a piece of data, such as a password, and the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair. To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP. When you launch an EC2 instance, you will be asked either to create a new key pair or to choose an existing key pair. This is a .pem file which you can then use to log in to your instance.

A customer is leveraging S3 in eu-west-1 to store static content for a web based property. The customer is storing objects using the standard storage class. Where are the customer's objects replicated? A. A single facility in eu-west-1 and a single facility in eu-central-1 B. A single facility in eu-west-1 and a single facility in us-east-1 C. Multiple facilities in eu-west-1 D. A single facility in eu-west-1

C It is clearly mentioned in the AWS documentation that data in an S3 bucket is replicated to multiple facilities in the same region. S3 provides durable infrastructure to store important data and is designed for durability of 99.99999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility.

What service from AWS can help manage the budgets for all resources? A. Cost Explorer B. Cost Allocation Tags C. AWS Budgets D. Payment History

C A budget is a way to plan your usage and your costs, and to track how close your usage and costs are to exceeding your budgeted amount. Budgets use data from Cost Explorer to provide you with a quick way to see your usage to date and your latest estimated charges from AWS, and to see how much your predicted usage accrues in charges by the end of the month. Budgets also compare the current estimated usage and charges to the amount that you indicated that you want to use or spend, and let you see how much of your budget has been used. AWS updates your budget status several times a day. Budgets track your unblended costs, subscriptions, and refunds. You can create budgets for different types of usage and different types of costs. For example, you can create a budget to see how many EC2 hours you have used, or how many GB you have stored in an S3 bucket. You can also create a budget to see how much you are spending on a particular service, or how often you call a particular API operation. Budgets use the same data filters as Cost Explorer. To create your budget, you can perform the below steps: 1. Go to your billing section, go to Budgets and create a new Budget 2. In the next screen, you can then enter the budget amount and choose which services to link the budget to

What is the difference between an availability zone and an edge location? A. Edge locations are used as control stations for AWS resources B. An edge location is used as a link when building load balancing between regions C. An AZ is an isolated location inside a region; an edge location will deliver cached content to the closest location to reduce latency D. An AZ is a grouping of AWS resources in a specific region; an edge location is a specific resource within the AWS region

C Edge locations - Using a network of edge locations around the world, Amazon CloudFront caches copies of your static content close to viewers, lowering latency when they download your objects and giving you the high, sustained data transfer rates needed to deliver large popular objects to end users at scale. Availability zones - Each region is completely independent. Each availability zone is isolated, but the availability zones in a region are connected through low latency links. The following diagram illustrates the relationship between regions and availability zones.

Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company's on premises data center. Which of these are you least likely to recommend as part of that process? A. SQS polling from an EC2 instance deployed with an IAM role B. SWF workflow C. SQS polling from an EC2 instance using IAM user credentials D. SQS polling from an on premises server using IAM user credentials

C Note that the question asks you for the least likely recommended option: SQS polling from an EC2 instance using IAM user credentials. An EC2 role should be used when deploying EC2 instances to grant permissions rather than storing IAM user credentials on EC2 instances. You should use IAM roles for secure communication between EC2 instances and resources on AWS. SQS polling from an EC2 instance deployed with an IAM role is the most likely recommendation, because when you poll SQS from EC2 you should use IAM roles. What you should never do is use IAM user API keys for authentication to poll SQS messages. An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have any long term credentials associated with it. Instead, when a user assumes a role, access keys are created dynamically and provided to the user.

There is a company website that is going to be launched in the coming weeks. There is a probability that the traffic will be quite high in the first couple of weeks. In the event of a load failure, how can you set up DNS failover to a static website? A. Duplicate the exact application architecture in another region and configure DNS weight based routing B. Enable failover to an on premises data center and the application hosted there C. Use Route 53 with the failover option to fail over to a static S3 website bucket or CloudFront distribution D. Add more servers in case the application fails

C Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. If you have multiple resources that perform the same function, you can configure DNS failover so that Route 53 will route your traffic from an unhealthy resource to a healthy resource. For example, if you have two web servers and one web server becomes unhealthy, Route 53 can route traffic to the other web server. So you can route traffic to a web site hosted on S3 or to a CloudFront distribution.

Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud based applications. What is the monthly charge for using the public data sets? A. 1 time charge of $1 for all the datasets B. $1 per dataset per month C. $10 per month for all datasets D. There is no charge for using public data sets

D AWS hosts a variety of public datasets that anyone can access for free. Previously, large datasets such as the mapping of the human genome required hours or days to locate, download, customize and analyze. Now, anyone can access these datasets via the AWS centralized data repository and analyze them using Amazon EC2 instances or Amazon EMR (hosted Hadoop) clusters. By hosting this important data where it can be quickly and easily processed with elastic computing resources, AWS hopes to enable innovation more quickly.

In CloudTrail, where does it store all of the logs that it creates? Choose one answer from the options given below: A. A separate EC2 instance with EBS storage B. RDS instance C. DynamoDB instance D. S3

D When you enable CloudTrail, you need to provide an S3 bucket where all the logs can be written to.

A customer wants to leverage S3 and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third party software to support this integration. Which approach will limit access of the third party software to only the Amazon S3 bucket named "company-backup"? A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive "company backup" B. A custom bucket policy limited to the Amazon S3 API in "company backup" C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive "company backup" D. A custom IAM user policy limited to the Amazon S3 API in "company backup"

D As part of the question we want to grant permission for a third party software to have access only to the "company backup" bucket. In our scenario, we are using software from a third party provider, which does not need to be a federated account; the account it uses will still need to be given permissions to S3. With an IAM user policy we can grant granular permissions to the third party. The following documentation from AWS gives more information regarding the usage of bucket policies and user policies on S3 buckets. When to use a bucket policy - If an AWS account that owns a bucket wants to grant permissions to users in its account, it can either use a bucket policy or a user policy. But in the following scenarios, you will need to use a bucket policy. You want to manage cross account permissions for all S3 permissions. You can use ACLs to grant cross account permissions to other accounts, but ACLs support only a finite set of permissions, and these don't include all Amazon S3 permissions. Although both bucket and user policies can grant permission for all S3 operations, user policies are for managing permissions for users in your account. For cross account permissions to other AWS accounts or users in another account, you must use a bucket policy. - When to use a user policy - In general, you can use either a user policy or a bucket policy to manage permissions. You may choose to manage permissions by creating users and managing permissions individually by attaching policies to users, or you may find that resource based policies, such as a bucket policy, work better for your scenario. Note that AWS Identity and Access Management enables you to create multiple users within your AWS account and manage their permissions via user policies. An IAM user must have permissions from the parent account to which it belongs, and from the AWS account that owns the resource the user wants to access.
The permissions can be granted as follows: - Permission from the parent account - The parent account can grant permissions to its user by attaching a user policy - Permission from the resource owner - The resource owner can grant permission to either the IAM user or the parent account. This is akin to a child who wants to play with a toy that belongs to someone else. In this case, the child must get permission from a parent to play with the toy and permission from the toy owner. Note: The bucket policy will be convenient if you are going to limit the access to AWS users or other AWS accounts. However, the question is about third party software. So it is recommended to have an IAM user policy to limit the access from other AWS services.

A company has a workflow that sends video files from their on premises system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario? A. SQS standard queue guarantees the order of the messages B. SQS synchronously provides transcoding output C. SQS checks the health of the worker instances D. SQS helps facilitate horizontal scaling of encoding tasks

D Based on the number of messages in the queue, the appropriate number of processing servers can be created to process the tasks accordingly.

What database service should you choose if you need petabyte scale data warehousing? A. DynamoDB B. ElastiCache C. RDS D. Redshift

D Redshift is a fast, fully managed data warehouse that makes it simple and cost effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high performance local disks, and massively parallel query execution.

You have 5 CloudFormation templates. Each template has been designed for a specific purpose. What determines the cost of using the CloudFormation templates? A. $1.10 per template B. The length of time it takes to build the architecture with CloudFormation C. It depends on the region the template is created in D. CloudFormation does not have a cost but you are charged for the underlying resources it builds

D There is no additional charge for AWS CloudFormation. You pay for AWS resources created using CloudFormation in the same manner as if you created them manually. You only pay for what you use, as you use it; there are no minimum fees and no required upfront commitments.

Which of the below features allows you to take backups of your EBS volumes? A. Volumes B. State manager C. Placement groups D. Snapshots

D You can easily create a snapshot from a volume while the instance is running and the volume is in use. You can do this from the EC2 dashboard.
