ASP3
19 You currently have a placement group of instances. When you try to add new instances to the group you receive a 'capacity error'. Which of the following actions will most likely fix this problem? Choose the correct answer from the options below Please select : A. Make a new Placement Group and launch the new instances in the new group. Make sure the Placement Groups are in the same subnet. B. Stop and restart the instances in the Placement Group and then try the launch again. C. Request a capacity increase from AWS as you are initially limited to 10 instances per Placement Group. D. Make sure all the instances are the same size and then try the launch again.
b
20, A company currently has an on-premise location connecting to a VPC. The company wants to have a dedicated network connection from the on-premise location to the VPC? Choose the correct answer from the below options which would help to fulfill the above requirement. Please select : A. Provision a VPN connection between the on-premise data center and the AWS region using the VPN section of a VPC. B. Suggest provisioning a Direct Connect connection between the on-premise data center and the AWS region. C. Use a hardware VPN to connect both locations. D. Use a software VPN to connect both locations.
b
16, When one creates an encrypted EBS volume and attach it to a supported instance type, which of the following data types are encrypted? Choose 3 options from the below: Please select : A. Data at rest inside the volume B. All data copied from the EBS volume to S3 C. All data moving between the volume and the instance D. All snapshots created from the volume
a,c,d
63 Your supervisor is upset about the fact that SNS topics that he subscribed to are now cluttering up his email inbox. How can he stop receiving the email from SNS without disrupting other users' ability to receive the email from SNS? Choose 2 options from the below: Please select : A. You can delete the subscription from the SNS topic responsible for the emails B. You can delete the endpoint from the SNS subscription responsible for the emails C. You can delete the SNS topic responsible for the emails D. He can use the unsubscribe information provided in the emails
a,d
71 You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 correct options from the below: Please select : A. A network ACL that allows communication between the two subnets B. Both instances are the same instance class and using the same Key-pair C. That the default route is set to a NAT instance or internet Gateway (IGW) for them to communicate D. Security groups are set to allow the application host to talk to the database on the right port/protocol
a,d
9* What should you consider when you try to implement a IDS infrastructure on AWS? Choose 2 answers from the options below Please select : A. Implement IDS/IPS agents on each Instance running In VPC B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic. C. Implement Elastic Load Balancing with SSL listeners In front of the web applications D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.
a,d
49 Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. Choose 2 options from the below: Please select : A. Create an IAM Role that allows write access to the DynamoDB table B. Add an IAM Role to a running EC2 instance C. Create an IAM User that allows write access to the DynamoDB table D. Add an IAM User to a running EC2 instance E. Launch an EC2 Instance with the IAM Role included in the launch configuration
a,e
18, A company has the requirement to analyze the clickstreams from a web application. Which of the below options will fulfill this requirement? Please select : A. Log clicks in weblogs by URL and store it in Amazon S3, and then analyze with Elastic MapReduce B. Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers C. Write click events directly to Amazon Redshift and then analyze with SQL D. Publish web clicks by session to an Amazon SQS queue men periodically drain these events to Amazon RDS and analyze with sql
b
73 A media company produces new video files on-premises every day with a total size of around 100GB after compression. All files have a size of 1 -2 GB and need to be uploaded to Amazon S3 every night in a fixed time window between 3 AM and 5 AM. Current upload takes almost 3 hours, although less than half of the available bandwidth is used. What step(s) would ensure that the file uploads are able to complete in the allotted time window? Please select : A. Increase your network bandwidth to provide faster throughput to S3 B. Upload the files in parallel to S3 C. Pack all files into a single archive, upload it to S3, and then extract the files in AWS D. Use AWS Import/Export to transfer the video files
b
76 A user is trying to save some cost on the AWS services. Which of the below-mentioned options will not help him to save cost? Please select : A. Delete the unutilized EBS volumes once the instance is terminated B. Delete the AutoScaling launch configuration after the instances are terminated C. Release the elastic IP if not required once the instance is terminated D. Delete the AWS ELB after the instances are terminated
b
78 Your company has a lot of GPU intensive workloads. Also, these workloads are part of a process in which some steps need manual intervention. Which of the below options works out for the above-mentioned requirement? Please select : A. Use AWS Data Pipeline to manage the workflow. Use an auto-scaling group of G2 instances in a placement group. B. Use Amazon Simple Workflow (SWF) to manage the workflow. Use an autoscaling group of G2 instances in a placement group. C. Use Amazon Simple Workflow (SWF) to manage the workflow. Use an autoscaling group of C3 instances with SR-IOV (Single Root I/O Virtualization). D. Use AWS data Pipeline to manage the workflow. Use auto-scaling group of C3 with SR-IOV (Single Root I/O virtualization).
b
14, A company has a web application hosted on AWS. The IT Security Administrator has noticed that a lot of requests are coming from a set of IPs. As an AWS professional, what can you do to ensure that this type of attack is limited? Please select : A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (internet Gateway) B. Create web Security Group rules to block the attacking IP addresses over port 80 C. Put the application on the private subnet. D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses
d
17, You currently have an EC2 instance with EBS volumes that store a lot of files. It takes a long time for an application to process the files. Which of the following options can be used to ensure the right storage option is used and to also ensure high availability of the application? Please select : A. S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the length of the SQS queue B. EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications C. S3 to store I/O files, SNS to distribute evaporation commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the number of SNS notifications D. EBS with Provisioned IOPS (PIOPS) to store I/O files SQS to distribute elaboration commands to a group of hosts working in parallel. Use Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue
d
29 A company is running a MySQL RDS instance inside of AWS. However, a new requirement for disaster recovery is keeping a read replica of the production RDS instance in an on-premise data center. What is the securest way of performing this replication? Choose the correct option from the below: Please select : A. Configure the RDS instance as the master and enable replication over the open internet using a secure SSL endpoint to the on-premise server. B. RDS cannot replicate to an on-premise database server. Instead, first configure the RDS instance to replicate to an EC2 instance with core MySQL, and then configure replication over a secure VPN/VPG connection. C. Create a Data Pipeline that exports the MySQL data each night and securely downloads the data from an S3 HTTPS endpoint. D. Create an IPSec VPN connection using either OpenVPN or VPN/VGW through the Virtual Private Cloud service.
d
35, You are designing network connectivity for your fat client application. The application is designed for business travelers who must be able to connect to it from their hotel rooms, cafes, public Wi-Fi hotspots, and elsewhere on the Internet. While you do not want to publish the application on the Internet. Which network design meets the above requirements while minimizing deployment and operational costs? Choose the correct answer from the options below Please select : A. Implement AWS Direct Connect, and create a private interface to your VPC. Create a public subnet and place your application servers in it. B. Implement Elastic Load Balancing with an SSL listener that terminates the back-end connection to the application. C. Configure an IPsec VPN connection, and provide the users with the configuration details. Create a public subnet in your VPC, and place your application servers in it. D. Configure an SSL VPN solution in a public subnet of your VPC, then install and configure SSL VPN client software on all user computers. Create a private subnet in your VPC and place your application servers in
d
44 An application runs on-premise as well as on AWS to achieve the minimum recovery time objective(RTO). Which of the below-mentioned configurations will not meet the requirements of the multi-site solution scenario? Please select : A. Keep the application running on-premise and in AWS with full capacity B. Setup weighted DNS service like Route53 to route traffic accross sites C. Configure data replication D. Setup a single DB instance
d
56 A company has a requirement to host an application behind an AWS ELB. The application will be supporting multiple device platforms. Each device platform will need separate SSL certificates assigned to it. Which of the below options is the best setup in AWS to fulfill the above requirement? Please select : A. Setup a hybrid architecture to handle multiple SSL certificates by using separate EC2 Instance groups running web applications for different platform types running in a VPC. B. Set up one ELB for all device platforms to distribute load among multiple instance under it. Each EC2 instance implements will have different SSL certificates assigned to it. C. You just need to set one certificate for the ELB, that should be sufficient enough for the different device platforms D. Create multiple ELB's for each type of certificate for each device platform.
d
58 You decide to configure a bucket for static website hosting. As per the AWS documentation, you create a bucket named 'mybucket.com' and then you enable website hosting with an index document of 'index.html' and you leave the error document as blank. You then upload a file named 'index.html' to the bucket. After clicking on the endpoint of mybucket.com.s3-website-us-east-1.amazonaws.com you receive 403 Forbidden error. You then change the CORS configuration on the bucket so that everyone has access, however, you still receive the 403 Forbidden error. What additional step do you need to do so that the endpoint is accessible to everyone? Choose the correct option from the below: Please select : A. Register mybucket.com on Route53 B. Wait for the DNS change to propagate C. You need to add a name for the error document, because it is a required field D. Change the permissions on the index.html file also, so that everyone has access
d
60 Explain what the following resource in a CloudFormation template does. Choose the best possible answer. "SNSTopic" : { "Type" : "AWS::SNS::Topic", "Properties" : { "Subscription" : [{ "Protocol" : "sqs", "Endpoint" : { "Fn::GetAtt" : [ "SQSQueue", "Arn" ] } }] } Please select : A. Creates an SNS topic which allows SQS subscription endpoints to be added as a parameter on the template B. Creates an SNS topic which allows SQS subscription endpoints C. Creates an SNS topic and then invokes the call to create an SQS queue with a logical resource name of SQSQueue D. Creates an SNS topic and adds a subscription ARN endpoint for the SQS resource created under the logical name SQSQueue
d
61 Of the 6 available sections on a CloudFormation template (Template Description Declaration, Template Format Version Declaration, Parameters, Resources, Mappings, Outputs), which is the only one required for a CloudFormation template to be accepted? Choose an option from the below: Please select : A. Parameters B. Template Declaration C. Mappings D. Resources
d
39 A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario? Please select : A. It will throw a CIDR overlap error B. It is not possible to create a subnet with the same CIDR as the VPC C. The second subnet will be created D. The VPC will modify the first subnet to allow this IP range
a
2, Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high-resolution MP4 format. Your workforce is distributed globally often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and it required that you may need to pay for a consultant. How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery'? Please select : A. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. Use S3 to host videos with Lifecycle Management to archive original flies to Glacier after a few days. Use CloudFront to serve HLS transcoded videos from S3. B. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number or nodes depending on the length of the queue. Use S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. Use CloudFront to serve HLS transcoding videos from Glacier C. Elastic Transcoder to transcode original nigh-resolution MP4 videos to HLS EBS volumes to host videos and EBS snapshots to incrementally backup original rues after a few days. CloudFront to serve HLS transcoded videos from EC2. D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days CloudFront to serve HLS transcoded videos from EC2
a
23 A legacy application is being migrated to AWS. It works on the TCP protocol. There is a requirement to ensure scalability of the application and also ensure that records of the client IP using the application are recorded. Which of the below mentioned steps would you implement to fulfil the above requirement? Please select : A. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two or more application servers in different AZs. B. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs. C. Use Route 53 with Latency Based Routing enabled to distribute load on two or more application servers in different AZs. D. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.
a
27 A company has a Direct Connect established between their on-premise location and AWS. The applications hosted on the on-premise location are experiencing high latency when using S3. What could be done to ensure that the latency to S3 can be reduced? Please select : A. Configure a public virtual interface to connect to a public S3 endpoint resource. B. Establish a VPN connection from the VPC to the public S3 endpoint. C. Configure a private virtual interface to connect to the public S3 endpoint via the Direct Connect connection. D. Add a BGP route as part of the on-premise router; this will route S3 related traffic to the public S3 endpoint to dedicated AWS region.
a
30* Your company's on-premises content management system has the following architecture: Application Tier - Java code on a JBoss application server Database Tier - Oracle database regularly backed up to Amazon Simple Storage Service (S3) using the Oracle RMAN backup utility Static Content - stored on a 512GB gateway stored Storage Gateway volume attached to the application server via the iSCSI interface Which AWS based disaster recovery strategy will give you the best RTO? Please select : A. Deploy the Oracle database and the JBoss app server on EC2. Restore the RMAN Oracle backups from Amazon S3. Generate an EBS volume of static content from the Storage Gateway and attach it to the JBoss EC2 server. B. Deploy the Oracle database on RDS. Deploy the JBoss app server on EC2. Restore the RMAN Oracle backups from Amazon Glacier. Generate an EBS volume of static content from the Storage Gateway and attach it to the JBoss EC2 server. C. Deploy the Oracle database and the JBoss app server on EC2. Restore the RMAN Oracle backups from Amazon S3. Restore the static content by attaching an AWS Storage Gateway running on Amazon EC2 as an iSCSI volume to the JBoss EC2 server. D. Deploy the Oracle database and the JBoss app server on EC2. Restore the RMAN Oracle backups from Amazon S3. Restore the static content from an AWS Storage Gateway-VTL running on Amazon EC2
a
4, Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your AWS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these solutions would you recommend? Please select : A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected. Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. B. Create a new CloudTrail with one new S3 bucket to store the logs. Configure SNS to send log file delivery notifications to your management system. Use IAM roles and S3 bucket policies on the S3 bucket that stores your logs. C. Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected. Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. D. Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools. Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.
a
41 Which of the following AWS services can be used to define alarms to trigger on a certain activity in the AWS Data pipeline? Please select : A. SNS B. SQS C. SES D. CodeDeploy
a
42- Does an AWS Direct Connect location provide access to Amazon Web services in the region it is associated with as well as access to other US regions? Please select : A. Yes B. No , it only pertains to the region it is associated with
a
47 There is a requirement to migrate 3TB of data to AWS. There is a restriction of the time to migrate the data and there is a limitation of only a 100MBit line to the AWS Cloud. What is the best solution to use to migrate the data to the cloud? Please select : A. Amazon Import/Export B. Amazon S3 C. Amazon Storage Gateway D. Amazon Direct Connect
a
50 A company wants to utilize AWS storage. For them low storage cost is paramount, the data is rarely retrieved, and data retrieval times of several hours are acceptable for them. What is the best storage option to use? Please select : A. Glacier B. Reduced Redundancy Storage C. EBS backed storage connected to EC2 D. Cloud Front
a
53 A custom script needs to be passed to a new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this? Please select : A. User data B. EC2Config service C. IAM roles D. AWS Config
a
6, You have instances in a public subnet which downloads patches from the internet in addition to serving clients on the normal HTTP protocol. There is a requirement to ensure that just the serving protocol and the URL's listed to get the patches are accessible from the instances. Which of the following options would you consider? Please select : A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes. B. Implement security groups and configure outbound rules to only permit traffic to the url's. C. Move all your instances into private VPC subnets. Remove default routes from all routing tables and add specific routes to the software depots and distributions only. D. Implement network access control lists to all specific destinations, with an Implicit deny as a rule.
a
67 A web application is currently hosted on an on-premise location. There is ad-campaign underway and there is a probability that the influx of traffic on the website is going to increase. The company does not have the time to migrate this application to AWS. Which scenario below will provide full site functionality, while helping to improve the ability of your application to take the influx of traffic in the short timeframe required? Please select : A. Offload traffic from on-premises environment by setting up a CloudFront distribution and configure CloudFront to cache objects from a custom origin. Choose to customize your object cache behaviour and select a TTL that objects should exist in cache. B. Migrate to AWS because this is the only option. Use VM import 'Export to quickly convert an on-premises web server to an AMI create an Auto Scaling group which uses the imported AMI to scale the web tier based on incoming traffic. C. Create an S3 bucket and configure it tor website hosting. Migrate your DNS to Route53 using zone import and leverage Route53 DNS failover to failover to the S3 hosted website. D. Create an AMI which can be used of launch web servers in EC2. Create an Auto Scaling group which uses the AMI's to scale the web tier based on incoming traffic. Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.
a
22* You currently have developers who have access to your production AWS account? There is a concern raised that the developers could potentially delete the production based EC2 resources. Which of the below options could help alleviate this concern? Choose 2 options. Please select : A. Tag the production instances with a production-identifying tag and add resource-level permissions to the developers with an explicit deny on the terminate API call to instances with the production tag. B. Create separate accounts for development based resources and users and use cross-account role access with the right IAM policies to ensure developers cant terminate resources C. Modify the IAM policy on the developers to require MFA before deleting EC2 instances and disable MFA access to the employee D. Modify the IAM policy on the developers to require MFA before deleting EC2 instances
a,b
15* Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? Choose 3 Answers from the options below Please select : A. Setting up a federation proxy or identity provider B. Using AWS Security Token Service to generate temporary tokens C. Tagging each folder in the bucket D. Configuring IAM role E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket
a,b,d
54 You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3options from the below: Please select : A. Amazon EC2 placement groups B. Enhanced networking C. Amazon PV AMI D. Amazon HVM AMI E. Amazon Linux F. Amazon VPC
a,b,d
32 The Marketing Director in your company asked you to create a mobile app that lets users post sightings of good deeds known as random acts of kindness in 80-character summaries. You decided to write the application in JavaScript so that it would run on the broadest range of phones, browsers, and tablets. Your application should provide access to Amazon DynamoDB to store the good deed summaries. Initial testing of a prototype shows that there aren't large spikes in usage. Which option provides the most cost-effective and scalable architecture for this application? Please select : A. Provide the JavaScript client with temporary credentials from the Security Token Service using a Token Vending Machine (TVM) on an EC2 instance to provide signed credentials mapped to an Amazon Identity and Access Management (IAM) user allowing DynamoDB puts and S3 gets. You serve your mobile application out of an S3 bucket enabled as a web site. Your client updates DynamoDB. B. Register the application with a Web Identity Provider like Amazon, Google, or Facebook, create an IAM role for that provider, and set up permissions for the IAM role to allow S3 gets and DynamoDB puts. You serve your mobile application out of an S3 bucket enabled as a web site. Your client updates DynamoDB. C. Provide the JavaScript client with temporary credentials from the Security Token Service using a Token Vending Machine (TVM) to provide signed credentials mapped to an IAM user allowing DynamoDB puts. You serve your mobile application out of Apache EC2 instances that are load-balanced and autoscaled. Your EC2 instances are configured with an IAM role that allows DynamoDB puts. Your server updates DynamoDB. D. Register the JavaScript application with a Web Identity Provider like Amazon, Google, or Facebook, create an IAM role for that provider, and set up permissions for the IAM role to allow DynamoDB puts. You serve your mobile application out of Apache EC2 instances that are load-balanced and autoscaled. Your EC2 instances are configured with an IAM role that allows DynamoDB puts. Your server updates DynamoDB.
b
38- An administrator has granted Temporary credentials from STS to a set of users. It is later realized that these credentials should not have been given. Can these credentials be revoked? Please select : A. True B. False
b
43 An organization is planning to setup a management network on the AWS VPC. The organization is trying to secure the web server on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make so that the back end management network interface can receive the SSH traffic only from a selected IP range, while the internet facing web server will have an IP address which can receive traffic from all the internet IPs. How can the organization achieve this by running the web server on a single instance? Please select : A. It is not possible to have 2 IP addresses for a single instance B. The organization should create 2 network interfaces, one for the internet traffic and the other for the backend traffic C. The organization should create 2 EC2 instances as this is not possible with one EC2 instance D. This is not possible
b
46- In Amazon Cognito, your mobile app authenticates with the Identity Provider (IdP) using the provider's SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito. Which of the following is returned for the user to provide a set of temporary, limited-privilege AWS credentials Please select : A. Cognito SDK B. Cognito Key pair C. Cognito ID D. Cognito API
b
55 You have a video transcoding application running on Amazon EC2. Each instance polls a queue to find out which video should be transcoded and then runs a transcoding process. If this process is interrupted, the video will be transcoded by another instance based on the queuing system. You have a large backlog of videos which need to be transcoded and would like to reduce this backlog by adding more instances. You will need these instances only until the backlog is reduced. Which type of Amazon EC2 instances should you use to reduce the backlog in the most cost-efficient way? Please select : A. Reserved instances B. Spot instances C. Dedicated instances D. On-demand instances
b
57 Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service? Please select : A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials. B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP. C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials. D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated. E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
b
59 Server-side encryption is about data encryption at rest. That is, Amazon S3 encrypts your data at the object level as it writes it to disk in its data centers and decrypts it for you when you go to access it. There are a few different options depending on how you choose to manage the encryption keys. One of the options is called 'Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)'. Which of the following best describes how this encryption method works? Choose the correct answer from the options below Please select : A. There are separate permissions for the use of an envelope key (that is, a key that protects your data's encryption key) that provides added protection against unauthorized access of your objects in S3 and also provides you with an audit trail of when your key was used and by whom. B. Each object is encrypted with a unique key employing strong encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. C. You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disk, and decryption, when you access your objects. D. A randomly generated data encryption key is returned from Amazon S3, which is used by the client to encrypt the object data
b
69 There are currently multiple applications hosted in a VPC. During monitoring, it has been noticed that multiple port scans are coming in from a specific IP Address block. The internal security team has requested that all offending IP Addresses be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP Addresses? Please select : A. Create an AD policy to modify the Windows Firewall settings on all hosts in the VPC to deny access from the IP Address block B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP Address block C. Add a rule to all of the VPC Security Groups to deny access from the IP Address block D. Modify the Windows Firewall settings on all AMI's that your organization uses in that VPC to deny access from the IP address block
b
70 You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check but these unhealthy instances are not being terminated. What do you need to do to ensure trial instances marked unhealthy by the ELB will be terminated and replaced? Please select : A. Change the thresholds set on the Auto Scaling group health check B. Add an Elastic Load Balancing health check to your Auto Scaling group C. Increase the value for the Health check interval set on the Elastic Load Balancer D. Change the health check set on the Elastic Load Balancer to use TCP rather than HTTP checks
b
8, What are the benefits of using an IPSec tunnel from connecting from an on-premise location to AWS? Choose 4 correct options from the below: Please select : A. End-to-end protection of data in transit B. End-to-end Identity authentication C. Data encryption across the Internet D. Protection of data in transit over the Internet E. Peer identity authentication between VPN gateway and customer gateway F. Data integrity protection across the Internet
c,d,e,f
45* There is a requirement for an application hosted on a VPC to access the On-premise LDAP server. The VPC and the On-premise location are connected via an IPSec VPN. Which of the below are the right options for the application to authenticate each user? Choose 2 answers from the options below A. Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials The application calls the identity broker to get AWS temporary security credentials. B. The application authenticates against LDAP and retrieves the name of an IAM role associated with the user. The application then calls the IAM Security Token Service to assume that IAM role. The application can use the temporary credentials to access any AWS resources. C. Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials. The application calls the identity broker to get IAM federated user credentials with access to the appropriate AWS service. D. The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate AWS service.
b,c
64 You have created an Elastic Load Balancer with Duration-Based sticky sessions enabled in front of your six EC2 web application instances in US-West-2. For High Availability, there are three web application instances in Availability Zone 1 and three web application instances in Availability Zone 2. To load test, you set up a software-based load tester in Availability Zone 2 to send traffic to the Elastic Load Balancer, as well as letting several hundred users browse to the ELB's hostname. After a while, you notice that the users' sessions are spread evenly across the EC2 instances in both AZ's, but the software-based load tester's traffic is hitting only the instances in Availability Zone 2. What steps can you take to resolve this problem? Choose 2 correct options from the below: A. Create a software=based load tester in US-East-1 and test from there B. Force the software-based load tester to re-resolve DNS before every request C. Use a third party load-testing service to send requests from globally distributed clients D. Switch to Application-Controlled sticky session
b,c
24* Which of the following are ways to minimize the attack surface area as a DDOS minimization strategy in aws? Choose 3 correct answer from the options below Please select : A. Configure services such as Elastic Load Balancing and Auto Scaling to automatically scale. B. Reduce the number of necessary Internet entry points. C. Separate end user traffic from management traffic. D. Eliminate non-critical Internet entry points.
b,c,d
12* Which of the following are recommendations from AWS when migrating a legacy application which is hosted on a virtual machine in an on-premise location? Choose 2 answers from the options below Please select : A. Use a NAT instance to route traffic from the instance in the VPC. B. Use an Elastic IP address on the VPC instance C. Use entries in Amazon Route 53 that allow the Instance to resolve its dependencies' IP addresses on the on-premise location D. Use the VM Import facility provided by aws.
b,d
72 You are managing a legacy application Inside VPC with hard coded IP addresses in its configuration. Which two mechanisms will allow the application to failover to new instances without the need for reconfiguration? Choose 2 answers Please select : A. Create an ELB to reroute traffic to a failover instance B. Create a secondary ENI that can be moved to a failover instance C. Use Route53 health checks to fail traffic over to a failover instance D. Assign a secondary private IP address to the primary ENI that can be moved to a failover instance
b,d
52 A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 options from the below: Please select : A. Amazon Simple Email Service B. Amazon CloudWatch C. Amazon Simple Queue Service D. Amazon Route 53 E. Amazon Simple Notification Service
b,e
1 As an AWS professional, you have been told to ensure that traffic to an application is evenly balanced. The application has multiple web servers that host the application. Choose an answer from the below options which will fulfill the above requirement. Please select : A. Configure a NAT instance in your VPC Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address. B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront distribution. C. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name. D. Configure ELB with an EIP. Place all your Web servers behind ELB Configure a Route53 A record that points to the EIP.
c
10, An application store a set of files in a single Amazon S3 bucket. Users will upload files from their mobile device directly to Amazon S3 and will be able to view and download their uploaded files directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the mobile application? Please select : A. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app and use them to access Amazon S3. B. Record the user's Information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app create temporary credentials using the AWS Security Token Service 'AssumeRole' function, store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app. C. Record the user's Information In Amazon DynamoDB. When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions, store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app. D. Create IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3. E. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an access Key and secret Key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
c
11, You have an application running on an EC2 Instance access an S3 bucket. How should the application use AWS credentials to access the S3 bucket securely? A. Use the AWS account access Keys. The application retrieves the credentials from the source code of the application. B. Create an IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user's credentials from the EC2 instance user data. C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 Instance metadata D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.
c
21 An auditor has been called upon to carry out an audit of the configuration of your AWS accounts. The auditor has specified that they just want to read only access to the AWS resources on all accounts. Which of the below options would help the auditor get the required access? Please select : A. Create an IAM user for each AWS account with read-only permission policies for the auditor, and disable each account when the audit is complete. B. Configure an on-premise AD server and enable SAML and identify federation for single sign-on to each AWS account. C. Create an IAM role with read-only permissions to all AWS services in each AWS account. Create one auditor IAM account and add a permissions policy that allows the auditor to assume the ARN role for each AWS account that has an assigned role. D. Create a custom identity broker application that allows the auditor to use existing Amazon credentials to log into the AWS environments.
c
25, You've created a temporary application that accepts image uploads, stores them in S3, and records information about the image in RDS. After building this architecture and accepting images for the duration required, it's time to delete the CloudFormation template. However, your manager has informed you that for some reasons they need to ensure a backup is taken of the RDS when the CloudFormation template is deleted. Which of the below-mentioned options will fulfill the above requirement? Please select : A. You don't need to do anything because by default all resources are saved when a cloudformation template is deleted. B. This is not possible, by default all resources will be deleted when a cloudformation template is deleted. C. Set the DeletionPolicy on the RDS resource to snapshot. D. Set the DeletionPolicy on the RDS resource to delete.
c
26, An application, basically a mobile application needs access for each user to store data in a DynamoDB table. What is the best method for granting each mobile device that ensures the application has access DynamoDB tables for storage when required? Choose the correct options from the below: Please select : A. During the install and game configuration process, have each user create an IAM credential and assign the IAM user to a group with proper permissions to communicate with DynamoDB. B. Create an IAM group that only gives access to your application and to the DynamoDB tables. Then, when writing to DynamoDB, simply include the unique device ID to associate the data with that specific user. C. Create an IAM role with the proper permission policy to communicate with the DynamoDB table. Use web identity federation, which assumes the IAM role using AssumeRoleWithWebIdentity, when the user signs in, granting temporary security credentials using STS. D. Create an Active Directory server and an AD user for each mobile application user. When the user signs in to the AD sign-on, allow the AD server to federate using SAML 2.0 to IAM and assign a role to the AD user which is the assumed with AssumeRoleWithSAML.
c
28 There is a requirement to carry out the backup of an Oracle RAC cluster which is currently hosted on the AWS public cloud. How can this be achieved? Please select : A. Create manual snapshots of the RDS backup and write a script that runs the manual snapshot B. Enable Multi-AZ failover on the RDS RAC cluster to reduce the RPO and RTO in the event of disaster or failure. C. Create a script that runs snapshots against the EBS volumes to create backups and durability. D. Enable automated backups on the RDS RAC cluster; enable auto snapshot copy to a backup region to reduce RPO and RTO.
c
3, Your company is hosting an application on the cloud. Your IT Security department has recently noticed that there seem to be some SQL Injection attacks against the application. Which of the below approach provides a cost-effective scalable mitigation to this kind of attack? Please select : A. Create a DirectConnect connection so that your have a dedicated connection line. B. Create NACL rules for the subnet hosting the application. C. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group D. Remove all but TLS 1 & 2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.
c
31 An ERP application is deployed in multiple Availability Zones in a single region. In the event of failure, the RTO must be less than 3 hours, and the RPO is 15 minutes. The customer realizes that data corruption occurred roughly 1.5 hours ago. Which DR strategy can be used to achieve this RTO and RPO in the event of this kind of failure? Please select : A. Take 15-minute DB backups stored in Amazon Glacier, with transaction logs stored in Amazon S3 every 5 minutes. B. Use synchronous database master-slave replication between two Availability Zones. C. Take hourly DB backups to Amazon S3, with transaction logs stored in S3 every 5 minutes. D. Take hourly DB backups to an Amazon EC2 instance store volume, with transaction logs stored in Amazon S3 every 5 minutes.
c
33* You are building a website that will retrieve and display highly sensitive information to users. The amount of traffic the site will receive is known and not expected to fluctuate. The site will leverage SSL to protect the communication between the clients and the web servers. Due to the nature of the site you are very concerned about the security of your SSL private key and want to ensure that the key cannot be accidentally or intentionally moved outside your environment. Additionally, while the data the site will display is stored on an encrypted EBS volume, you are also concerned that the web servers' logs might contain some sensitive information; therefore, the logs must be stored so that they can only be decrypted by employees of your company. Which of these architectures meets all of the requirements? Please select : A. Use Elastic Load Balancing to distribute traffic to a set of web servers. To protect the SSL private key, upload the key to the load balancer and configure the load balancer to offload the SSL traffic. Write your web server logs to an ephemeral volume that has been encrypted using a randomly generated AES key. B. Use Elastic Load Balancing to distribute traffic to a set of web servers. Use TCP load balancing on the load balancer and configure your web servers to retrieve the private key from a private Amazon S3 bucket on boot. Write your web server logs to a private Amazon S3 bucket using Amazon S3 server-side encryption. C. Use Elastic Load Balancing to distribute traffic to a set of web servers, configure the load balancer to perform TCP load balancing, use an AWS CloudHSM to perform the SSL transactions, and write your web server logs to a private Amazon S3 bucket using Amazon S3 server-side encryption. D. Use Elastic Load Balancing to distribute traffic to a set of web servers. Configure the load balancer to perform TCP load balancing, use an AWS CloudHSM to perform the SSL transactions, and write your web server logs to an ephemeral volume that has been encrypted using a randomly generated AES key.
c
34* An organization has the requirement to store 10TB worth of scanned files. There is a requirement to have a search application in place which can be used to search through the scanned files. Which of the below mentioned option is the best option for implementing the search facility? Please select : A. Use S3 with reduced redundancy lo store and serve the scanned files. Install a commercial search application on EC2 Instances and configure with auto-scaling and an Elastic Load Balancer. B. Model the environment using CloudFormation. Use an EC2 instance running Apache webserver and an open source search application, stripe multiple standard EBS volumes together to store the scanned files with a search index. C. Use S3 with standard redundancy to store and serve the scanned files. Use CloudSearch for query processing, and use Elastic Beanstalk to host the website across multiple availability zones. D. Use a single-AZ RDS MySQL instance to store the search index for the scanned files and use an EC2 instance with a custom application to search based on the index.
c
36 Which of the below components is used by AWS Data Pipeline to poll for tasks and then performs those tasks? Please select : A. Definition Syntax File B. S3 C. Task Runner D. AWS OpsWork
c
37 An organization has created multiple components of a single application. Currently, all the components are hosted on a single EC2 instance. Due to security reasons, the organization wants to implement 2 separate SSL certificates for the separate modules. How can the organization achieve this with a single instance? Please select : A. Create a VPC with multiple EC2 instances and attach separate security groups to each instance B. Create a VPC with multiple subnets and host the EC2 instance in each subnet C. Create an EC2 instance with multiple network interfaces and multiple elastic IP Addresses D. None of the above
c
48 Which of the following features ensures even distribution of traffic to Amazon EC2 instances in multiple Availability Zones registered with a load balancer? Please select : A. Elastic Load Balancing request routing B. An Amazon Route 53 weighted routing policy C. Elastic Load Balancing cross-zone load balancing D. An Amazon Route 53 latency routing policy
c
5, A company has recently started using Docker cloud. This is a SaaS solution for managing Docker containers on the cloud. There is a requirement for the SaaS solution to access AWS resources. Which of the following options would meet the requirement for enabling the SaaS solution to work with AWS resources in the most secured manner? Please select : A. From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account. B. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application. Create a new access and secret key for the user and provide these credentials to the SaaS provider. C. Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application. D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas application to work, provide the role ARM to the SaaS provider to use when launching their application instances.
c
65 * You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this? Choose the correct answer from the options below Please select : A. Use CloudFront distributions for static content. B. Store photos on an EBS volume of the web server. C. Remove public read access and use signed URLs with expiry dates. D. Block the IPs of the offending websites in Security Groups.
c
66 Your "forums" table has a primary key of "id". Using DynamoDB, you're able to query the data based on the id primary key. You need to be able to query the forums table by userId. What would you add to the table during table creation time? Choose correct option from the below: Please select : A. Create a second table that contains all the information by userId. B. Create a hash and range primary key. C. Create a secondary index. D. None of the above
c
7, Your company has recently extended its datacenter into a VPC on AWS. There is a requirement for on-premise users manages AWS resources from the AWS console. You don't want to create IAM users for them again. Which of the below options will fit your needs for authentication? Please select : A. Use OAuth 2.0 to retrieve temporary AWS security credentials to enable your members to sign in to the AWS Management Console. B. Use web Identity Federation to retrieve AWS temporary security credentials to enable your members to sign in to the AWS Management Console. C. Use your on-premises SAML 2 O-compliant identity provider (IDP) to grant the members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint. D. Use your on-premises SAML2.0-compliant identity provider (IDP) to retrieve temporary security credentials to enable members to sign in to the AWS Management Console.
c
77 An organization is planning to use AWS for their production roll out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3 and setup the ELB. Which of the below mentioned AWS services meets the requirement for making an orderly deployment of the software? Please select : A. AWS Elastic Beanstalk B. AWS Cloudfront C. AWS Cloudformation D. AWS DevOps
c
80 You have large instances in your AWS infrastructure which you have recently setup. After close monitoring you see that only partial CPU is being used a lower percentage of the time. These instances manage the creation of files on S3. Which of the below solutions will ensure better utilization of resources? Please select : A. Use Amazon glacier instead of S3. B. Add additional large instances by introducing a task group. C. Use t2 instances if possible. D. Ensure the application hosted on the EC2 instances uses larger files on S3 to handle more load.
c
13- You are designing an application and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? Choose 3 answers from the options below Please select : A. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth. B. Use dedicated instances to ensure that each instance has the maximum performance possible. C. Use an Amazon CloudFront distribution for both static and dynamic content. D. Use an Elastic Load Balancer with auto scaling groups at the web, App and Amazon Relational Database Service (RDS) tiers E. Add alert Amazon CloudWatch to look for high Network in and CPU utilization. F. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
c,d,e
62* You created three S3 buckets - "mydomain.com", "downloads.mydomain.com", and "www.mydomain.com". You uploaded your files, enabled static website hosting, specified both of the default documents under the "enable static website hosting" header, and set the "Make Public" permission for the objects in each of the three buckets. All that's left for you to do is to create the Route 53 Aliases for the three buckets. You are going to have your end users test your websites by browsing to http://mydomain.com/error.html, http://downloads.mydomain.com/index.html, and http://www.mydomain.com. What problems will your testers encounter? Choose an option from the below: Please select : A. http://mydomain.com/error.html will not work because you did not set a value for the error.html file B. http://www.mydomain.com will not work because the URL does not include a file name at the end of it C. There will be no problems, all three sites should work D. http://downloads.mydomain.com/index.html will not work because the "downloads" prefix is not a supported prefix for S3 websites using Route 53 aliases
d
68 What would you set in your CloudFormation template to fire up different instance sizes based off of environment type? i.e. (If this is for prod, use m1.large instead of t1.micro) Choose a correct answer from the options below Please select : A. Outputs B. Resources C. Mappings D. conditions
d
74 Your team is excited about the use of AWS because now they have access to "programmable Infrastructure". You have been asked to manage your AWS infrastructure In a manner similar to the way you might manage application code. You want to be able to deploy exact copies of different versions of your infrastructure, stage changes into different environments, revert back to previous versions, and identify what versions are running at any particular time (development test QA . production). Which approach addresses this requirement? Please select : A. Use cost allocation reports and AWS Opsworks to deploy and manage your infrastructure. B. Use AWS CloudWatch metrics and alerts along with resource tagging to deploy and manage your infrastructure. C. Use AWS Beanstalk and a version control system like GIT to deploy and manage your infrastructure. D. Use AWS CloudFormation and a version control system like GIT to deploy and manage your infrastructure.
d
75 What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails? Please select : A. The IP of the primary DB instance is switched to the standby DB instance B. The RDS (Relational Database Service) DB instance reboots C. A new DB instance is created in the standby availability zone D. The canonical name record (CNAME) is changed from primary to standby
d
79 An organization is generating digital policy files which are required by the admins for verification. Once the files are verified they may not be required in the future unless there is some compliance issue. which is the best possible solution if the organization wants to save them in a cost-effective way? Please select : A. AWS RRS B. AWS S3 C. AWS RDS D. AWS Glacier
d
Which of the following cache engines does Amazon Elastic Cache Support? Please select : A. Memcache Only B. Redis Only C. Wincache and Redis D. Memcache and Redis
d
51 How can you secure data at rest on an EBS volume? A. Attach the volume to an instance using EC2's SSL interface. B. Write the data randomly instead of sequentially. C. Encrypt the volume using the S3 server-side encryption service. D. Create an IAM policy that restricts read and write access to the volume. E. Use an encrypted file system on top of the EBS volume.
e