AWS Certified Solutions Architect - Associate Practice Questions

अब Quizwiz के साथ अपने होमवर्क और परीक्षाओं को एस करें!

"23. Question What about below is false for AWS SLA ? 1. RDS multi-AZ is guarantee to 99.95%. 2. S3 availability is guarantee to 99.95%. 3. EBS availability is guarantee to 99.95%. 4. EC2 availability is guarantee to 99.95%."

" S3 availability is guarantee to 99.95%. S3 availability is 99.9% http://aws.amazon.com/s3/sla/"

Do the system resources on the Micro instance meet the recommended configuration for Oracle? A. Yes completely B. Yes but only for certain situations C. Not in any circumstance

C. Not in any circumstance Be Careful with the question? The question is if the system resources on the micro instance meet the recommended configuration for oracle. And no if we can use micro instance. The answer is: yes we can use micro instances for tests purposes, but it doesn't meet the recommended configuration. So the correct answer is:C

9) The template description declaration cannot be added if the AWSTemplateFormatVersion is not declared at the top of the template.

True Explanation The description and template format declarations are not required on the template. However, if you are to use the description declaration the AWSTempIateFormatVersion must be declared at the top of the template.

1) An IAM role, when assigned to an EC2 instance, will allow code to be executed on that instance without API access keys.

True An EC2 instance can assume an IAM role with the given IAM role permissions. Any code executed on the EC2 that assumes the role can access any API calls if the required permissions are assigned. The app or CLI on the EC2 instance that assumed the IAM role does not have to have API access credentials keys- Further Reading httgszlllinuxacademy-com/cg/courses/lesson/course/117/Iesson/1/module/11

Will my standby RDS instance be in the same Availability Zone as my primary? A. Only for Oracle RDS types B. Yes C. Only if configured at launch D. No

D. No https://aws.amazon.com/rds/details/multi-az/?nc1=h_ls When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ).

4) A web browser only needs the common language domain name to locate a web server on the Internet.

False A web browser must have the IP address of a web server to locate it on the Internet.

4) AWS Lambda is a server-specific compute platform.

False Lambda is a serverless compute platform. EC2 would be an example of a server-specific platform.

4) Even if you are only using one EC2 instance to run an application, you should still use an ELB.

False Using an ELB with only one EC2 instance would provide NO additional benefit, and you would be charged money for using it.

5) When using Lambda, you are charged for use even when your code is NOT running.

False You are only charged (by the millisecond) for how long it takes you code to run each time it is executed.

4) Auto Scaling is used as a security feature in AWS.

False Auto Scaling is not an AWS security feature

5) AWSTempIateFormatVersion declaration is required for the template to work inside CloudFormation.

False Further Reading httpszfilinuxacademycom/cp/courses/lesson/course/121/lesson/3/moduIe/11

5) An Internet Gateway MUST be attached to a VPC for AWS resources, such as an ECZ instance, to have access to the Internet.

True If a VPC does NOT have an IGW attached, then NO resources inside of the VPC can access the Internet.

"4. Question Is it possible to change an instance type after it has been created? 1. Type can be changed if it has an instance store volume root device 2. Type can be changed if it has an EBS store volume root device 3. Instance type can not be changed 4. This question doesn't make sense"

Type can be changed if it has an EBS store volume root device

"58. Question Does Route 53 support MX Records? 1. It supports CNAME records, but not MX records. 2. Yes 3. No 4. Only Primary MX records, Secondary MX records are not supported."

Yes

"47. Question You have an application running in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. With three AZs available in that region (us-west-2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent fault tolerance if any single AZ in us-west-2 becomes unavailable? Choose 2 answers 1. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. 2. Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances 3. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances 4. Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2-instances 5. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances"

"1. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. 5. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances"

"42. Question You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers 1. Amazon CloudWatch 2. Amazon DynamoDB 3. Amazon Relational Database Service (RDS) 4. Elastic Loab Balancing 5. AWS Storage Gateway 6. Amazon ElasticCache"

"2. Amazon DynamoDB 3. Amazon Relational Database Service (RDS) 6. Amazon ElasticCache"

"1. Question What combination of the following options will protect Amazon Simple Storage (S3) objects from both accidental deletion and accidental overwriting? Choose 2 answers 1. Disable S3 delete using an IAM bucket policy. 2. Enable S3 versioning on the bucket. 3. Access S3 data using only signer URLs. 4. Enable S3 Reduced Redundancy Storage. 5. Enable multi-factor authentication (MFA) protected access."

"2. Enable S3 versioning on the bucket. 5. Enable multi-factor authentication (MFA) protected access."

"43. Question In reviewing the Auto Scaling events for your application you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? Choose 3 answers 1. Modify the Auto Scaling group termination policy to terminate the newest instance first 2. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. 3. Modify the Auto Scaling policy to use scheduled scaling actions. 4. Modify the Auto Scaling group termination policy to terminate the oldest instance first. 5. Modify the Auto Scaling group cool-down timers."

"2. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. 3. Modify the Auto Scaling policy to use scheduled scaling actions. 5. Modify the Auto Scaling group cool-down timers."

"38. Question A customer's nightly EMR job processes a single 2TB data file stored on Amazon Simple Storage Service (S3). The Amazon Elastic Map Reduce (EMR) job runs on two On-Demand core nodes and three On-Demand task nodes. Which of the following may help reduce the EMR job completion time? Choose 2 answers 1. Use a bootstrap action the present the S3 bucket as a local filesystem. 2. Use three Spot Instances rather than three On-Demand instances for the taks nodes. 3. Change the input split size in the MapReduce job configuration 4. Adjust the number of simultaneous mapper tasks 5. Launch the core nodes and task nodes within an Amazon Virtual Cloud 6. Enable termination protection for the job flow."

"3. Change the input split size in the MapReduce job configuration 4. Adjust the number of simultaneous mapper tasks"

6) Route Tables are what direct the flow of traffic between resources within a VPC.

True

"29. Question The user just started an instance at 3 PM. Between 3 PM to 5 PM, he stopped and started the instance twice. During the same period, he has run the linux reboot command by ssh once and triggered reboot from AWS console once. For how many instance hours will AWS charge this user 1. 4 2. 3 3. 5 4. 2"

"4 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html"

"Which of the below mentioned steps will not be performed while creating the AMI of instance stored-backend? 1. Register the AMI. 2. Define the AMI launch permissions. 3. Bundle the volume. 4. Upload the bundled volume."

"Define the AMI launch permissions. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-instance-store.html"

"27. Question What about is EC2 Role is true ? 1. Setup an IAM user for the instance to restrict access to AWS API and assign it at launch. 2. Launch an instance with an AWS Identity and Aceess Management (IAM) role to restrict AWS API access for the instance. 3. Setup an IAM group with restricted AWS API access and put the instance in the group at launch. 4. Pass access AWS credentials in the User Data field when the instance is launched."

"Launch an instance with an AWS Identity and Aceess Management (IAM) role to restrict AWS API access for the instance. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html"

"21. Question An IAM user is trying to perform an action on an object belonging to some other root account's bucket. Which of the below mentioned options will AWS S3 not verify? 1. Permission provided by the parent of the IAM user on the bucket 2. Permission provided by the bucket owner to the IAM user 3. The object owner has provided access to the IAM user 4. Permission provided by the parent of the IAM user"

"Permission provided by the parent of the IAM user on the bucket If the IAM user is trying to perform some action on the object belonging to another AWS user's bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner. http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html"

"26. Question You have assigned one Elastic IP to your EC2 instance. Now we need to restart the VM without EIP changed. Which of below you should not do? 1. When the instance is in VPC private subnet, stop/start works. 2. Reboot the instance. 3. Reboot and stop/start both works. 4. When the instance is in VPC public subnets, stop/start works."

"Reboot and stop/start both works. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-lifecycle.html#lifecycle-differences"

"25. Question About the charge of Elastic IP Address, which of the following is true? 1. You are charged for each Elastic IP addressed. 2. Elastic IP addresses can always be used with no charge. 3. You can have 5 Elastic IP addresses per region with no charge. 4. You can have one Elastic IP (EIP) address associated with a running instance at no charge."

"You can have one Elastic IP (EIP) address associated with a running instance at no charge. To ensure efficient use of Elastic IP addresses, we impose a small hourly charge if an Elastic IP address is not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface. While your instance is running, you are not charged for one Elastic IP address associated with the instance, but you are charged for any additional Elastic IP addresses associated with the instance. For more information, see Amazon EC2 Pricing. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html"

"24. Question Placement Groups: enables applications to participate in a low-latency, 10 Gbps network. Which of below statements is false. 1. A placement group can span peered VPCs. 2. Not all of the instance types that can be launched into a placement group. 3. A placement group can't span multiple Availability Zones. 4. You can move an existing instance into a placement group by specify parameter of placement group."

"You can move an existing instance into a placement group by specify parameter of placement group. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html"

"35. Question You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr and your Spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance? 1. $0.025 2. $0.05 3. $0.02 4. $0.00 5. $0.06"

$0.00

MySQL installations default to port _____. A. 3306 B. 443 C. 80 D. 1158

A. 3306 http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html

Using Amazon IAM, I can give permissions based on organizational groups? A. True B. False

A. True

What is the charge for the data transfer incurred in replicating data between your primary and standby? A. No charge. It is free. B. Double the standard data transfer charge C. Same as the standard data transfer charge D. Half of the standard data transfer charge

A. No charge. It is free. https://aws.amazon.com/rds/faqs/?nc1=h_ls

Using SAML (Security Assertion Markup Language 2.0) you can give your federated users single sign-on (SSO) access to the AWS Management Console. A. True B. False

A. True

When creating an RDS instance you can select which availability zone in which to deploy your instance. A. True B. False

A. True

When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones. A. True B. False

A. True

"57. Question In "Detailed" monitoring data available for your EBS volumes, Provisioned IOPS volumes automatically send _________ minute metrics to Amazon CloudWatch 1. 1 2. 2 3. 3 4. 5"

1. 1

"22. Question Select the correct set of options. These are the initial settings for the default security group 1. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other. 2. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other. 3. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other. 4. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other."

1. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#DefaultSecurityGroup By default, an outbound rule allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).

"2. Question How can we protect accidental termination of our instances? 1. By using ""Enable termination protection"" option 2. By using security group and disabling remote access to instances. 3. By using ""Change shutdown behavior"" option. 4. We can not prevent accidental termination."

1. By using "Enable termination protection" option

"60. Question Which DNS name can only be resolved within Amazon EC2? 1. Private DNS name 2. Global DNS name 3. External DNS name 4. Internal DNS name"

1. Private DNS name

11) How many secondary indexes are allowed per table?

10 Explanation You can define up to 5 local secondary indexes and 5 global secondary indexes per table.

You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes. A. True B. False

A. True

"52. Question Can you create IAM security credentials for existing users? 1. No, IAM requires that all users who have credentials set up are not existing users 2. Yes, existing users can have security credentials associated with their account 3. No, security credentials are created within GROUPS, and then users are associated to GROUPS at a later time. 4. Yes, but only IAM credentials, not ordinary security credentials."

2. Yes, existing users can have security credentials associated with their account Q: What problems does IAM solve? IAM makes it easy to provide multiple users secure access to your AWS resources. IAM enables you to: Manage IAM users and their access: You can create users in AWS's identity management system, assign users individual security credentials (such as access keys, passwords, multi-factor authentication devices), or request temporary security credentials to provide users access to AWS services and resources. You can specify permissions to control which operations a user can perform. Manage access for federated users: You can request security credentials with configurable expirations for users who you manage in your corporate directory, allowing you to provide your employees and applications secure access to resources in your AWS account without creating an IAM user account for them. You specify the permissions for these security credentials to control which operations a user can perform.

"3. Question Is it possible to create an AMI while an instance is running? 1. No, instance should be stopped and rebooted 2. Yes, if only ""no reboot"" option is checked 3. Yes, AMI can be created without any change 4. Yes, only if it is Linux instance"

2. Yes, if only "no reboot" option is checked

4) Amazon SQS max message size is

256KB Further Reading httgszlllinuxacademy.com/cg/courses/Iesson/course/150/Iesson/1/moduIe/11

5) Amazon 808 max message size is

256KB Further Reading httpszlllinuxacademy.com/cp/courses/lesson/course/l 50/Iesson/1/moduIe/11

Multi-AZ deployment is supported for Microsoft SQL Server DB Instances. A. True B. False

A. True https://aws.amazon.com/about-aws/whats-new/2014/05/19/amazon-rds-for-sqlserver-introduces-multi-az-support/

"59. Question Will my standby RDS instance be in the same AZ as my primary? 1. Only if configured at launch 2. Yes 3. Only for Oracle RDS types 4. No"

4. No

7) How many global secondary indexes are allowed per table?

5 global secondary indexes and 5 local secondary indexes are allowed on a table.

"33. Question You have been tasked with creating a VPC network topology for your company. The VPC network must support both Internet-facing applications and internally-facing applications accessed only over VPN. Both Internet-facing and internally-facing applications must be able to leverage at least three AZs for high availability. At a minimum, how many subnets must you create within your VPC to accommodate these requirements? 1. 2 2. 3 3. 4 4. 6"

6

You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this? A.Remove public read access and use signed URLs with expiry dates. B.Use CloudFront distributions for static content. C.Block the IPs of the offending websites in Security Groups. D. Store photos on an EBS volume of the web server.

A A signed URL includes additional information, for example, an expiration date and time, that gives you more control over access to your content.

When creation of an EBS snapshot is initiated, but not completed, the EBS volume: A.Can be used while the snapshot is in progress. B.Cannot be detached or attached to an EC2 instance until the snapshot completes C.Can be used in read-only mode while the snapshot is in progress. D.Cannot be used until the snapshot completes.

A Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

How can the domain's zone apex, for example, "myzoneapexdomain.com", be pointed towards an Elastic Load Balancer? A.By using an Amazon Route 53 Alias record B.By using an AAAA record C.By using an Amazon Route 53 CNAME record D.By using an A record

A You can create an alias resource record set at the zone apex. You cannot create a CNAME record at the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. Source: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost-effective way. Which of the following will meet your requirements? A.Spot Instances B.Reserved instances C.Dedicated instances D.On-Demand instances

A http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-interruptions.html Looking at 2 key words in the question "most cost-effective way" and "recover gracefully". Anytime you see "most cost-effective way" immediately think SPOT, then to confirm if it should be spot, check if it can recover as spot instances are pulled out anytime. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html

If I write the below command, what does it do? ec2-run ami-e3a5408a -n 20 -g appserver A.Start twenty instances as members of appserver group. B.Creates 20 rules in the security group named appserver C.Terminate twenty instances as members of appserver group. D.Start 20 security groups

A Start twenty instances as members of appserver group. ec2-run-instances ami_id [-n instance_count] [-k keypair] [-g group [-g group ...]] [-d user_data | -f filename] [-instance-type instance_type] [- availability-zone zone] [-placement-group group_name] [-tenancy tenancy] [-kernel kernel_id] [-ramdisk ramdisk_id] [-block-device-mapping mapping] [-monitor] [-subnet subnet_id] [-disable-api-termination] [-instanceinitiated-shutdown-behavior behavior] [-private-ip-address ip_address] [-client-token token] [-secondary-private-ip-address ip_address | — secondary-private-ip-address-count count] [-network-attachment attachment] [-iam-profile arn | name] [-ebs-optimized] [-associate-public-ip-address Boolean]

While performing the volume status checks, if the status is insufficient-data, what does it mean? A.the checks may still be in progress on the volume B.the check has passed C.the check has failed

A Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. If all checks pass, the status of the volume is ok. If a check fails, the status of the volume is impaired. If the status is insufficient-data, the checks may still be in progress on the volume. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html f the status is insufficient-data, the checks may still be in progress on the volume. You can view the results of volume status checks to identify any impaired volumes and take any necessary actions. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html#monitoring-volume-checks

A startup s photo-sharing site is deployed in a VPC. An ELB distributes web traffic across two subnets. ELB session stickiness is configured to use the AWS-generated session cookie, with a session 111 of 5 minutes. The webserver Auto Scaling Group is configured as: min-size=4, max-size=4. The startups preparing for a public launch, by running load-testing software installed on a single EC2 instance running in us-west-Za. After 60 minutes of load-testing, the webserver logs show: Which recommendations can help ensure load-testing HTTP requests are evenly distributed across the four webservers? Choose 2 answers. ------------------------------------------------------------------ WEBSERVER | # of HTTP requests | # of HTTP requets LOGS | from load-tester | from privt bta usr ------------------------------------------------------------------ webserver #1 | 19,210 | 434 subnet in us-wst2a | | webserver #2 | 21,790 | 490 subnet in us-wst2a | | webserver #3 | 0 | 410 subnet in us-wst2b | | webserver #4 | 0 | 428 subnet in us-wst2b | | ------------------------------------------------------------------ A.Re-conflgure the load-testing software to re-resolve DNS for each web request. B.Use a 3rd-party load-testing service which offers globally-distributed test clients. C.Configure ELB and Auto Scaling to distribute across us-west-Za and us-west-Zc. D.Configure ELB seSSion stickiness to use the app-specific session cookie. E.Launch and run the load-tester EC2 instance from us-east-l instead.

A & D

You are using an m1.small EC2 Instance with one 300 GB EBS volume to host a relational database. You determined that write throughput to the database needs to be increased. Which of the following approaches can help achieve this? Choose 2 answers A. Use an array of EBS volumes. B. Enable Multi-AZ mode. C. Place the instance in an Auto Scaling Groups D. Add an EBS volume and place into RAID 5. E. Increase the size of the EC2 Instance. F. Put the database behind an Elastic Load Balancer.

A & E 1. use EBS-optimized instance 2. use RAID-0 (array of volume) http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSPerformance.html http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html A is correct (we can use array of EBS volumes for RAID 0 that improves performance) E is correct (the instance size influence IO operations performance. m1.small that is used is obviously can be increased) C is wrong (You can not scale relational databases simply by creating more instances, you need to perform more advanced DB replication and master/slave configuration as well to scale DB) D is wrong (JM is right, Amazon strongly doesn't recommend RAID 5 and RAID 6)

Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? Choose 2 answers A. Amazon Relational Database Service B. Amazon Elastic Map Reduce C. Amazon ElastiCache D. Amazon DynamoDB E. AWS Elastic Beanstalk

A - No https://aws.amazon.com/rds/faqs/ B - Yes https://docs.aws.amazon.com/ElasticMapReduce/latest/DeveloperGuide/emr-plan-access.html C - No https://aws.amazon.com/elasticache/ D - No https://aws.amazon.com/dynamodb/ E - Yes https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.ec2connect.html

You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement? A.Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source 72.34.51.100/32 B.Security Group Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32 C.Network ACL Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32 D.Network ACL Inbound Rule: Protocol - TCP, Port Range-22, Source 72.34.51.100/0

A - correct B - (UDP isnt correct) C - (UDP isnt correct) D - bad IP mask

***You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a world-wide audience it uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon RDS database Static content resides on Amazon S3, and is distributed through Amazon CloudFront. Your Auto Scaling group is set to trigger a scale up event at 60% CPU utilization, you use an Amazon RDS extra large DB instance with 10.000 Provisioned IOPS its CPU utilization is around 80%. While freeable memory is in the 2 GB range. Web analytics reports show that the average load time of your web pages is around 1 5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds. How would you improve page load times for your users? (Choose 3 answers) A.Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively. B.Add an Amazon ElastiCache caching layer to your application for storing sessions and frequent DB queries C.Configure Amazon CloudFront dynamic content support to enable caching of re-usable content from your site D.Switch Amazon RDS database to the high memory extra large Instance type E.Set up a second installation in another region, and use the Amazon Route 53 latency-based routing feature to select the right region.

A -> MAYBE. Since anyways Autoscale is configured I do not see a chance of performance improvement at 30% vs 60% both mean there is still enough CPU cycles available. B -> YES. This is a no brainer C -> YES. But I am not sure if Cloudfront can really accelerate dynamic content in the way define in this section. D -> MAYBE. Possible that memory increase may decrease querry tine. E -> MAYBE. The new updates every 15 minutes and we are assumming 100% of the data will be read , Cloudfront is already deployed and the reason for hitting the origin is only for dynamic data which cannot be cached. Having another region can gelp serve this dynamic data for global audience. On the flip side replication between the two DB needs to be ensured. Yo cannot have independent DB at both location as these may also store state information.

Which of the following are true regarding AWS CloudTrail? Choose 3 answers A.CloudTrail is enabled globally B.CloudTrail is enabled by default C.CloudTrail is enabled on a per-region basis D.CloudTrail is enabled on a per-service basis. E.Logs can be delivered to a single Amazon S3 bucket for aggregation. F.CloudTrail is enabled for all available services within a region. G.Logs can only be processed and delivered to the region in which they are generated.

A C E http://docs.aws.amazon.com/awscloudtrail/latest/userguide/how-cloudtrail-works.html A:have a trail with the Apply trail to all regions option enabled. C:have multiple single region trails. E: Log files from all the regions can be delivered to a single S3 bucket Global service events are always delivered to trails that have the Apply trail to all regions option enabled. Events are delivered from a single region to the bucket for the trail. This setting cannot be changed. If you have a single region trail, you should enable the Include global services option. If you have multiple single region trails, you should enable the Include global services option in only one of the trails. D Incorrect : once enabled it is applicable for all the supported services, service can't be selected

You are the new IT architect in a company that operates a mobile sleep tracking application When activated at night, the mobile app is sending collected data points of 1 kilobyte every 5 minutes to your backend The backend takes care of authenticating the user and writing the data points into an Amazon DynamoDB table. Every morning, you scan the table to extract and aggregate last night's data on a per user basis, and store the results in Amazon S3. Users are notified via Amazon SMS mobile push notifications that new data is available, which is parsed and visualized by (he mobile app Currently you have around 100k users who are mostly based out of North America. You have been tasked to optimize the architecture of the backend system to lower cost what would you recommend? (Choose 2 answers) A.Create a new Amazon DynamoDB (able each day and drop the one for the previous day after its data is on Amazon S3. B.Have the mobile app access Amazon DynamoDB directly instead of JSON files stored on Amazon S3. C.Introduce an Amazon SQS queue to buffer writes to the Amazon DynamoDB table and reduce provisioned write throughput. D.Introduce Amazon Elasticache lo cache reads from the Amazon DynamoDB table and reduce provisioned read throughput. E.Write data directly into an Amazon Redshift cluster replacing both Amazon DynamoDB and Amazon S3.

A and C are the right answers. A: you store around 1.2GB/hour (100000*1kb*60/5), most customers being in the US it means you would store that kind of data mostly over 10 hours, that's 12GB/day. Storing that kind of data would be expensive so we drop the previous data that was already stored in S3. C: Second most costly factor is your write units, using a SQS queue would split that in half (most customers being in north america). B is wrong because it doesn't help with reducing costs. You will still need to parse files and storing raw files in S3 is cheaper than in DynamoDB.

You are implementing a URL whitelisting system for a company that wants to restrict outbound HTTP'S connections to specific domains from their EC2-hosted applications you deploy a single EC2 instance running proxy software and configure It to accept traffic from all subnets and EC2 instances in the VPC. You configure the proxy to only pass through traffic to domains that you define in its whitelist configuration You have a nightly maintenance window or 10 minutes where ail instances fetch new software updates. Each update Is about 200MB In size and there are 500 instances In the VPC that routinely fetch updates After a few days you notice that some machines are failing to successfully download some, but not all of their updates within the maintenance window The download URLs used for these updates are correctly listed in the proxy's whitelist configuration and you are able to access them manually using a web browser on the instances What might be happening? (Choose 2 answers) A.You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for all instances to download their updates in time. B.You have not allocated enough storage to the EC2 instance running me proxy so the network buffer is filling up. causing some requests to fall C.You are running the proxy in a public subnet but have not allocated enough EIPs lo support the needed network throughput through the Internet Gateway (IGW) D.You are running the proxy on a affilelentiy-sized EC2 instance in a private subnet and its network throughput is being throttled by a NAT running on an undersized EO£ instance E.The route table for the subnets containing the affected EC2 instances is not configured to direct network traffic for the software update locations to the proxy.

A and D are the right answers. I agree with kirrim's explanation. Running out of buffer should not cause some of the updates failing. This rules out B

You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers) A.Route 53 Record Sets B.IM1 Roles C.Elastic IP Addresses (EIP) D.EC2 Key Pairs E.Launch configurations F.Security Groups

A&B. As per the document defined, new IPs should be reserved not the same ones. Elastic IP Addresses are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, however, Elastic IP addresses enable you to mask instance or Availability Zone failures by programmatically remapping your public IP addresses to instances in your account in a particular region. For DR, you can also pre-allocate some IP addresses for the most critical systems so that their IP addresses are already known before disaster strikes. This can simplify the execution of the DR plan http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/resources.html

Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers) A.Create an IAM Role that allows write access to the DynamoDB table. B.Add an IAM Role to a running EC2 instance. C.Create an IAM User that allows write access to the DynamoDB table. D.Add an IAM User to a running EC2 instance. E.Launch an EC2 Instance with the IAM Role included in the launch configuration.

A and E correct. Why E and not B: Can I change the IAM role on a running EC2 instance? No. At this time, you cannot change the IAM role on a running EC2 instance. You can change the permissions on the IAM role associated with a running instance, and the updated permissions take effect almost immediately Source: https://aws.amazon.com/iam/faqs/

You deployed your company website using Elastic Beanstalk and you enabled log file rotation to S3. An Elastic Map Reduce job is periodically analyzing the logs on S3 to build a usage dashboard that you share with your CIO. You recently improved overall performance of the website using Cloud Front for dynamic content delivery and your website as the origin. After this architectural change, the usage dashboard shows that the traffic on your website dropped by an order of magnitude. How do you fix your usage dashboard'? A.Enable Cloud Front to deliver access logs to S3 and use them as input of the Elastic Map Reduce job. B.Turn on Cloud Trail and use trail log tiles on S3 as input of the Elastic Map Reduce job C.Change your log collection process to use Cloud Watch ELB metrics as input of the Elastic Map Reduce job D.Use Elastic Beanstalk "Rebuild Environment" option to update log delivery to the Elastic Map Reduce job. E.Use Elastic Beanstalk 'Restart App server(s)" option to update log delivery to the Elastic Map Reduce job.

A for sure. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3-bucket Re: D and E. The EMR job and CloudFront components would be configured independently from the ElasticBeanstalk environment. Since the necessary changes to add CloudFront logs into the S3 bucket for the EMR job to ingest and work on would be configured in CloudFront (not in the web or app servers, which never see the traffic CloudFront is handling for them), you should not have to touch your ElasticBeanstalk environment.

Your company hosts a social media site supporting users in multiple countries. You have been asked to provide a highly available design tor the application that leverages multiple regions tor the most recently accessed content and latency sensitive portions of the wet) site The most latency sensitive component of the application involves reading user preferences to support web site personalization and ad selection. In addition to running your application in multiple regions, which option will support this application's requirements? A.Serve user content from S3. CloudFront and use Route53 latency-based routing between ELBs in each region Retrieve user preferences from a local DynamoDB table in each region and leverage SQS to capture changes to user preferences with SOS workers for propagating updates to each table. B.Use the S3 Copy API to copy recently accessed content to multiple regions and serve user content from S3. CloudFront with dynamic content and an ELB in each region Retrieve user preferences from an ElasticCache cluster in each region and leverage SNS notifications to propagate user preference changes to a worker node in each region. C.Use the S3 Copy API to copy recently accessed content to multiple regions and serve user content from S3 CloudFront and Route53 latency-based routing Between ELBs In each region Retrieve user preferences from a DynamoDB table and leverage SQS to capture changes to user preferences with SOS workers for propagating DynamoDB updates. D.Serve user content from S3. CloudFront with dynamic content, and an ELB in each region Retrieve user preferences from an ElastiCache cluster in each region and leverage Simple Workflow (SWF) to manage the propagation of user preferences from a centralized OB to each ElastiCache cluster.

A is correct http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_mediasharing_09.pdf http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_adserving_06.pdf B SQS is not cross-region. You can subscribe an SQS queue in one region to an SNS topic in another region. Source: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqssubscribe.html

Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally often on the move and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and it required you may need to pay for a consultant. How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery'? A.Elastic Transcoder to transcode original high-resolution MP4 videos to HLS S3 to host videos with Utecycle Management to archive original flies to Glacier after a few days CloudFront to serve HLS transcoded videos from S3 B.A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number or nodes depending on the length of the queue S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days CloudFront to serve HLS transcoding videos from Glacier C.Elastic Transcoder to transcode original nigh-resolution MP4 videos to HLS EBS volumes to host videos and EBS snapshots to incrementally backup original rues after a fe days.CioudFront to serve HLS transcoded videos from EC2. D.A video transcoding pipeline running on EC2 using SOS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue E8S volumes to host videos and EBS snapshots to incrementally backup original files after a few days CloudFront to serve HLS transcoded videos from EC2

A is more appropriate as b says glacier as origin for cloudfront distribution which is of no use

***Your customer wishes to deploy an enterprise application to AWS which will consist of several web servers, several application servers and a small (50GB) Oracle database information is stored, both in the database and the file systems of the various servers. The backup system must support database recovery whole server and whole disk restores, and individual file restores with a recovery time of no more than two hours. They have chosen to use RDS Oracle as the database Which backup architecture will meet these requirements? A.Backup RDS using automated daily DB backups Backup the EC2 instances using AMIs and supplement with file-level backup to S3 using traditional enterprise backup software to provide file level restore B.Backup RDS using a Multi-AZ Deployment Backup the EC2 instances using Amis, and supplement by copying file system data to S3 to provide file level restore. C.Backup RDS using automated daily DB backups Backup the EC2 instances using EBS snapshots and supplement with file-level backups to Amazon Glacier using traditional enterprise backup software to provide file level restore D.Backup RDS database to S3 using Oracle RMAN Backup the EC2 instances using Amis, and supplement with EBS snapshots for individual volume restore.

A is most plausible answer here is why B: MultiAZ deployement is not a backup mechanism its a HA mechanism C: GLacier kills this option as question ask for restoration time of less than 2 hours D: File level recovery is not possible with AMI and Snapshots A: Does not need AMI backups however it may be added to juust add spcie to the question https://d0.awsstatic.com/whitepapers/Backup_and_Recovery_Approaches_Using_AWS.pdf

Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers) A.Deploy ElasticCache in-memory cache running in each availability zone B.Implement sharding to distribute load to multiple RDS MySQL instances C.Increase the RDS MySQL Instance size and Implement provisioned IOPS D.Add an RDS MySQL read replica in each availability zone

A is right choice. B is not right for MySQL's case C I am not sure if you can increase IOPS for RDS MySql D does help this case. However, this may possibly increase 'write' time, which is a big NO-NO in this scenario. Hence A & C are right

An administrator is using Amazon CloudFormation to deploy a three tier web application that consists of a web tier and application tier that will utilize Amazon DynamoDB for storage when creating the CloudFormation template which of the following would allow the application instance access to the DynamoDB tables without exposing API credentials? A.Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and associate the Role to the application instances by referencing an instance profile. B.Use me Parameter section in the Cloud Formation template to nave the user input Access and Secret Keys from an already created IAM user that has me permissions required to read and write from the required DynamoDB table. C.Create an Identity and Access Management Role that has the required permissions to read and write from the required DynamoDB table and reference the Role in the instance profile property of the application instance. D.Create an identity and Access Management user in the CioudFormation template that has permissions to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and secret keys and pass them to the application instance through user-data.

A is saying that you reference the instance profile name within the role configuration to bind them together. C is saying that you reference the role name within the instance profile configuration to bind them together. Correct answer is C, you configure the role name within the instance profile configuration. http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-instanceprofile.html

How many types of block devices does Amazon EC2 support? A. 2 B. 4 C. 3 D. 1

A. 2 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html Amazon EC2 supports two types of block devices: Instance store volumes (virtual devices whose underlying hardware is physically attached to the host computer for the instance) EBS volumes (remote storage devices)

Your application is using an ELB in front of an Auto Scaling group of web/application servers deployed across two AZs and a Multi-AZ RDS Instance for data persistence. The database CPU is often above 80% usage and 90% of I/O operations on the database are reads. To improve performance you recently added a single-node Memcached ElastiCache Cluster to cache frequent DB query results. In the next weeks the overall workload is expected to grow by 30%. Do you need to change anything in the architecture to maintain the high availability or the application with the anticipated additional load'* Why? A.Yes. you should deploy two Memcached ElastiCache Clusters in different AZs because the ROS Instance will not Be able to handle the load It me cache node fails. B.No. if the cache node fails the automated ElastiCache node recovery feature will prevent any availability impact. C.Yes you should deploy the Memcached ElastiCache Cluster with two nodes in the same AZ as the RDS DB master instance to handle the load if one cache node fails. D.No if the cache node fails you can always get the same data from the DB without having any availability impact.

A is the correct answer. B- No, If the cache node fails the automated ElastiCache node recovery feature will prevent any availability impact. Does not provide high availability, as data is lost if the node is lost. C- Yes you should deploy the Memcached ElastiCache Cluster with two nodes in the same AZ as the RDS DB master instance to handle the load if one cache node fails. Single AZ affects availability as DB is Multi AZ and would be overloaded is the AZ goes down. D- No if the cache node fails you can always get the same data from the DB without having any availability impact. Will overload the database affecting availability.

A large real-estate brokerage is exploring the option o( adding a cost-effective location based alert to their existing mobile application The application backend infrastructure currently runs on AWS Users who opt in to this service will receive alerts on their mobile device regarding real-estate otters in proximity to their location. For the alerts to be relevant delivery time needs to be in the low minute count the existing mobile app has 5 million users across the us Which one of the following architectural suggestions would you make to the customer? A.The mobile application will submit its location to a web service endpoint utilizing Elastic Load Balancing and EC2 instances: DynamoDB will be used to store and retrieve relevant otters EC2 instances will communicate with mobile earners/device providers to push alerts back to mobile application. B.Use AWS DirectConnect or VPN to establish connectivity with mobile carriers EC2 instances will receive the mobile applications ' location through carrier connection: ROS will be used to store and relevant relevant offers EC2 instances will communicate with mobile carriers to push alerts back to the mobile application C.The mobile application will send device location using SQS. EC2 instances will retrieve the relevant others from DynamoDB AWS Mobile Push will be used to send offers to the mobile application D.The mobile application will send device location using AWS Mobile Push EC2 instances will retrieve the relevant offers from DynamoDB EC2 instances will communicate with mobile carriers/device providers to push alerts back to the mobile application.

A is the only relevant answer, although there are better ways to do the same B VPN has nothing to do with this problem C mobile has no access to SQS "The mobile application will send device location using SQS" D Mobile push is a server tool and cannot be accessed from mobile "The mobile application will send device location using AWS Mobile Push" This leaves us with A

A web design company currently runs several FTP servers that their 250 customers use to upload and download large graphic files They wish to move this system to AWS to make it more scalable, but they wish to maintain customer privacy and Keep costs to a minimum. What AWS architecture would you recommend? A.ASK their customers to use an S3 client instead of an FTP client. Create a single S3 bucket Create an IAM user for each customer Put the IAM Users in a Group that has an IAM policy that permits access to subdirectories within the bucket via use of the 'username' Policy variable. B.Create a single S3 bucket with Reduced Redundancy Storage turned on and ask their customers to use an S3 client instead of an FTP client Create a bucket for each customer with a Bucket Policy that permits access only to that one customer. C.Create an auto-scaling group of FTP servers with a scaling policy to automatically scale-in when minimum network traffic on the auto-scaling group is below a given threshold. Load a central list of ftp users from S3 as part of the user Data startup script on each Instance. D.Create a single S3 bucket with Requester Pays turned on and ask their customers to use an S3 client instead of an FTP client Create a bucket tor each customer with a Bucket Policy that permits access only to that one customer.

A is the right answer. Great example to support it is here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/ C doesn't allow to keep costs to a minimum.

An International company has deployed a multi-tier web application that relies on DynamoDB in a single region For regulatory reasons they need disaster recovery capability In a separate region with a Recovery Time Objective of 2 hours and a Recovery Point Objective of 24 hours They should synchronize their data on a regular basis and be able to provision me web application rapidly using CloudFormation. The objective is to minimize changes to the existing web application, control the throughput of DynamoDB used for the synchronization of data and synchronize only the modified elements. Which design would you choose to meet these requirements? A.Use AWS data Pipeline to schedule a DynamoDB cross region copy once a day. create a Lastupdated' attribute in your DynamoDB table that would represent the timestamp of the last update and use it as a filter. B.Use EMR and write a custom script to retrieve data from DynamoDB in the current region using a SCAN operation and push it to QynamoDB in the second region. C.Use AWS data Pipeline to schedule an export of the DynamoDB table to S3 in the current region once a day then schedule another task immediately after it that will import data from S3 to DynamoDB in the other region. D.Send also each Ante into an SQS queue in me second region; use an auto-scaiing group behind the SQS queue to replay the write in the second region.

A is the right answer. See here: https://aws.amazon.com/blogs/aws/copy-dynamodb-data-between-regions-using-the-aws-data-pipeline/ Option C is not the right answer because it is not incremental. DynamoDB cross-region replication is a newer feature which is better approach than option A: https://aws.amazon.com/about-aws/whats-new/2015/07/amazon-dynamodb-available-now-cross-region-replication-triggers-and-streams/

***You have a periodic Image analysis application that gets some files In Input analyzes them and tor each file writes some data in output to a ten file the number of files in input per day is high and concentrated in a few hours of the day. Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results it takes almost 20 hours per day to complete the process What services could be used to reduce the elaboration time and improve the availability of the solution? A.S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the length of the SQS queue B.EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications C.S3 to store I/O files, SNS to distribute evaporation commands to a group of hosts working in parallel. Auto scaling to dynamically size the group of hosts depending on the number of SNS notifications D.EBS with Provisioned IOPS (PIOPS) to store I/O files SOS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group ot hosts depending on the length of the SQS queue.

A is the right answer. C? D? SNS doesn't allow you to distribute tasks between group of hosts. It allows you sending notification but how do you decide which host will handle it? Also PIOPS is good for performance but not for availability which this task is asking about. There is no problem in using S3 as there is no frequently changing data, you process the file and write the result once and don't change it later

3) What is the primary difference between a global secondary index and a local secondary index?

A local secondary index has the same partition key as the primary key and the global secondary index has a different partition and sort key Further Reading httpszlllinuxacademycom/cp/courses/lesson/course/119/lesson/3/moduIe/11

"13. Question How can you change the instance type used in Auto Scaling Group? 1. 3. A new launch configuration with a new instance type should be created and attached to AS group 2. 2. Instances should be stopped and then type can be changed 3. 1. AS Group should be deleted and recreated 4. 4. It is not possible to change the instance type"

A new launch configuration with a new instance type should be created and attached to AS group

"8. Question You are configuring a new VPC for one of your client for a cloud migration project. Only a public VPN will be in place. After you created your VPC, you created a new subnet, a new internet gateway and attached your internet gateway with your VPC. As you created your first instance in to your VPC, you realized that you can not connect the instance even it is configured with elastic IP. What should be done to access the instance? 1. 3. A NAT instance should be created and all traffic should be forwarded to NAT instance 2. 1. A NACL should be created and allow all outbound traffic 3. 2. A route should be created as 0.0.0.0/0 and your internet gateway as target 4. 4. Attach another ENI to instance and connect via new ENI"

A route should be created as 0.0.0.0/0 and your internet gateway as target

3) What best describes Route 53?

A service to register domains and configure DNS records Route 53 is the AWS service for managing domain names and DNS record sets.

"55. Question What does Amazon CloudFormation provide? 1. A template to map network resources for Amazon Web Services 2. The ability to setup Auto Scaling for Amazon EC2 Instances 3. A template resource creation for Amazon Web Services. 4. None of these"

A template resource creation for Amazon Web Services.

Can the string value of 'Key' be prefixed with ":aws:"? A. No B. Only for EC2 not S3 C. Yes D. Only for S3 not EC2

A. No "The tag key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and cannot be prefixed with "aws:" or "rds:"." http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html

What are two primary use cases of SNS? Choose the 2 correct answers: A. To notify the AWS account owner when current monthly billings reach a certain amount B. To alert a system admin of an Eo2 failure C. To keep track of contact lists D. To advertise to potential customers

A, B

In the shared security model, AWS is responsible for which of the following security best practices (check 3 answers) A. Penetration testing B. Threat modeling C. Static code analysis D. Life-cycle management of IAM credentials E. Encryption of EBS (Elastic Block Storage) volumes F. Patch management on the EC2 instances operating system G. Security Group and ACL (Access Control List) settings

A, B, C

Amazon EBS snapshots have which of the following two characteristics? choose 2 answers A. EBS snapshots only save incremental changes from snapshot to snapshot B. EBS snapshots can only be restored to an EBS volume of the same size or smaller C. EBS snapshots can be created in real-time without stopping an EC2 instance D. EBS snapshots can only be restored and mounted to an instance in the same Availability Zone as the original EBS volume

A, C

Company C is currently hosting their corporate site in an Amazon SB bucket with Static Website Hosting enabled. Currently, when visitors go to http://www.companyc.com the index.html page is returned. Company C now would like a new page welcome.html to be returned when a visitor enters http://www.companyc.com in the browser. Which of the following steps will allow Company C to meet this requirement? Choose 2 answers A.Upload an html page named welcomehtml to their S3 bucket B.Create a welcome subfolder in their S3 bucket C.Set the Index Document property to welcomehtml D.Move the index.html page to a welcome subfolder E.Set the Error Document property to welcome.html

A, C

Which of the following are SQL database engines? Choose the 2 correct answers: A. Amazon Aurora B. NoSQL C. MySQL D. DynamoDB

A, C

Which of the following programming languages have an officially supported AWS SDK? Choose 2 answers A.PHP B.Pascal C.Java D.SQL E.Perl

A, C

Which features can be used to restrict access to data in S3? Choose 2 answers A.Set an S3 ACL on the bucket or the object. B.Create a CloudFront distribution for the bucket. C.Set an S3 bucket policy. D.Enable IAM Identity Federation E.Use S3 Virtual Hosting

A, C Q: How secure is my data? Amazon S3 is secure by default. Only the bucket and object owners originally have access to Amazon S3 resources they create. Amazon S3 supports user authentication to control access to data. You can use access control mechanisms such as bucket policies and Access Control Lists (ACLs) to selectively grant permissions to users and groups of users. You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server Side Encryption (SSE) option or the Server Side Encryption with Customer-Provide Keys (SSE-C) option to encrypt data stored-at-rest. Amazon S3 provides the encryption technology for both SSE and SSE-C. Alternatively you can use your own encryption libraries to encrypt data before storing it in Amazon S3. Source: https://aws.amazon.com/s3/faqs/

Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers) A.Implement third party volume encryption tools B.Do nothing as EBS volumes are encrypted by default C.Encrypt data inside your applications before storing it on EBS D.Encrypt data using native data encryption drivers at the file system level E.Implement SSL/TLS for all services running on the server

A, C and D Not E since SSL/TLS is encryption in transfer (https) and not encryption of sensitive data at rest. And B is just not true. Although you nowadays can add encryption when creating a EBS volume but it is NOT turned on by default.

IAM policies can be directly attached to? (Choose all that apply.) Choose the 3 correct answers: A. Groups B. EC2 Instances C. Users D. Roles

A, C, D

What AWS products and features can be deployed by Elastic Beanstalk? Choose 3 answers A.Auto scaling groups B.Route S3 hosted zones C.Elastic Load Balancers D.RDS Instances E.Elastic IP addresses F.SQS Queues

A, C, D

Which of the following are valid arguments for an SNS Publish request? Choose 3 answers A.Subject B.Language C.Message D.Destination E.TopicAm F.Format

A, C, E

***Which of the following are characteristics of a reserved instance? Choose 3 answers A.It can be migrated across Availability Zones B.It is specific to an Amazon Machine Image (AMI) C.It can be applied to instances launched by Auto Scaling D.It is specific to an instance Type E.It can be used to lower Total Cost of Ownership (TCO) of a system

A, D, and E are true as described in these two articles: https://forums.aws.amazon.com/thread.jspa?threadID=56501 https://aws.amazon.com/blogs/aws/new-modify-ec2-reserved-instance-reservations/ And C is true, as described here: https://forums.aws.amazon.com/thread.jspa?threadID=56501 So, A,C,D and E are all (now) correct

Which of the following platforms are supported by Elastic Beanstalk? Choose 2 answers A.Apache Tomcat B.IBM Websphere C.Oracle JBoss D.Jetty E.NET

A, E

Which of the following statements about SWF are true? Choose 3 answers A.SWF uses deciders and workers to complete tasks B.SWF requires at least 1 EC2 instance per domain C.SWF triggers SNS notifications on task assignment D.SWF requires an S3 bucket for workflow storage E.SWF tasks are assigned once and never duplicated F.SWF workflow executions can last up to a year

A, E, F

In AWS, which security aspects are the customer's responsibility? Choose 4 answers A.Security Group and ACL (Access Control List) settings B.Decommissioning storage devices C.Patch management on the EC2 instance's operating system D.Life-cycle management of IAM credentials E.Controlling physical access to compute resources F.Encryption of EBS (Elastic Block Storage) volumes

A,C,D,F. http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf B E are aws reposibility. Under the AWS shared responsibility model, AWS provides a global secure infrastructure and foundation compute, storage, networking and database services, as well as higher level services. https://aws.amazon.com/compliance/shared-responsibility-model/

A Hadoop cluster contains one master instance group that contains one master node, a core instance group containing one or more core node and an optional task node instance group, which can contain any number of task nodes. Which type of node can you remove from a running job flow? A. task node B. core node C. master node D. None of them

A.

A is a logical entity that enables creating a cluster of instances by launching instances as part of a group, In addition it provides low latency, full bisection 10 Gigabit Ethernet bandwidth connectivity between instances in the group. A. Cluster Placement Group B. AWS Direct Connect C. Multi AZ D. AWS Storage Gateway

A.

A secret access key is used in conjunction with the access key ID to cryptographically sign programmatic AWS requests. Signing a request identifies the sender and prevents the request from being altered. What can you generate secret access keys for? A. All of these B. AWS account D. Individual IAM users C. Temporary sessions

A.

Amazon RDS databases do not have a GUI in the AWS console. Choose the correct answer: A. True B. False

A.

What fault-isolating technique is described below: Instead of spreading traffic from all customers across every node, you can group the instances together. For example, if you have eight instances for your service, you might create four groups of two instances each (two instances for some redundancy within each group) and distribute each customer to a specific group. In this way, you are able to reduce the impact on customers in direct proportion to the number of groups you have. A. Shuffle Sharding B. Stack Sharding C. Split Sharding D. Fault Sharding

A.

An application stores payroll information nightly in DynamoDB for a large number of employees across hundreds of offices. Item attributes consist of individual name, office identifier, and cumulative daily hours. Managers run reports for ranges of names working in their office. One query is. "Return aII Items in this office for names starting with A through E". Which table configuration will result in the lowest impact on provisioned throughput for this query? A.Configure the table to have a range index on the name attribute, and a hash index on the office identifier B.Configure a hash index on the name attribute and no range index C.Configure the table to have a hash index on the name attribute, and a range index on the office identifier

A.

By setting proper permissions on the object level, you can allow the public to download the object via a URL. Choose the correct answer: A. True B. False

A.

CIoudWatch alarms are based on thresholds you create for specific CIoudWatch metrics. Choose the correct answer: A. True B. False

A.

Can we access the metrics data for a terminated Amazon EC2 instance or a deleted Elastic Load Balancer? A. Yes, Amazon CloudWatch stores metrics for terminated Amazon EC2 instances or deleted Elastic Load Balancers for 2 weeks B. Yes. Amazon CIoudWatch stores metrics for terminated Amazon EC2 instances or deleted Elastic Load Balancers for a month. C. No. CIoudWatch metrics would be deleted automatically D. Yes. Amazon CIoudWatch stores metrics for terminated Amazon EC2 instances or deleted Elastic Load Balancers for 1 week.

A.

EC2 stands for Elastic Compute Cloud. Choose the correct answer: A. True B. False

A.

IAM is where you manage your AWS users and their access to AWS features and services. Choose the correct answer: A. True B. False

A.

If a message is retrieved from a queue in Amazon SQS, how long is the message inaccessible to other users by default? A.30 seconds B.0 seconds C.1 hour D.1 day E.forever

A.

If a user has access to S3 through a group with an S3 policy attached, what happens if that user is removed from the group? Choose the correct answer: A. The user no longer has access to S3 B. Users can't be granted access to services through IAM groups C. You cannot attach policies to groups D. The user still has access to S3

A.

Multi-Factor Authentication (MFA) is an important part of account security that should be set on your "root" account. Choose the correct answer: A. True B. False

A.

RDS stand for Relational Database Service. Choose the correct answer: A. True B. False

A.

S3 is a bulk storage service where you can store any type of file. Choose the correct answer: A. True B. False

A.

Subscribers consist can consist of HTTP, SMS and email endpoints. Choose the correct answer: A. True B. False

A.

What is the S3 feature that allows to you store and access older iterations of objects? Choose the correct answer: A. Versioning B. Lifecycles C. S3 Backups D. Glacier

A.

Which API would you use to query Availability Zones that are available to you? A. DescribeAvailabilityZones B. GetAIIAvaiIabiItyZones C. ListAIIAvaiIabiItyZones D. QueryAvaiIabiIityZones

A.

Which code snippet below returns the URL of a load balanced web site created in CIoudFormation with an AWS::EIasticLoadBaIancing::LoadBaIancer resource name "EIasticLoad Balancer"? A."Fn::Join" : ["". ["http://", {"Fn::GetAtr" : ["EIasticLoadBaIancer","DNSName"]}]] B."Fn::Join" : [".", ["http://", {"Ref" : "EIasticLoadBaIancerDNSName"}]] C."Fn::Join" : ["". ["http://", {"Ref" : "EIasticLoadBaIancerUrI"}]] D."Fn::Join" : ["". ["http://", {"Fn::GetAtr" : ["EIasticLoadBaIancer","UrI"]}]]

A.

Which method can be used to prevent an IP address block from accessing public objects in an S3 bucket? A. Create a bucket policy and apply it to the bucket B. Create an ACL and apply it to all objects in the bucket C. Create a NACL and attach it to the VPC of the bucket D. Modify the IAM policies of any users that would access the bucket

A.

Which of the following is NOT part of security group? A. List of usernames B. List of protocols C. IP address ranges D. Ports

A.

Which of the following is an example of a good DynamoDB hash key schema for provisioned throughput efficiency? A.User ID, where the application has many different users. B.Status Code where most status codes are the same C.Device ID, where one is by far more popular than all the others. D.Game Type, where there are three possible game types

A.

Which of the following is the correct statement regarding Availability Zones? A. A distinct location within a region that is insulated from failures in other Availability Zones. B. A collection of regions that together make up an Availability Zone. C. The timeframe a particular service is available for use by authorized users D. Another name for an entire region which contains AWS instances.

A.

Which service would you use to control access to content by allowing or blocking web requests based on criteria that you specify, such as header values or the IP addresses that the requests originate from. This service helps to protect against common web exploits that could affect application availability, compromise security, or consume excessive resources. A.AWS WAF B. EC2 C. Cloudfront D. S3

A.

You have an existing website called example.com that points to a specific IP address. You now want to create three subdomains that point to the same IP address. To reduce maintanance which domain record type should you choose? A. CNAME B. A C. MX D. TXT

A.

When you put objects in Amazon S3, what is the indication that an object was successfully stored? A.A HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was successful. B.Amazon S3 is engineered for 99.999999999% durability. Therefore there is no need to confirm that data was inserted. C.A success code is inserted into the S3 object metadata. D.Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket with a timestamp and checksum.

A. To ensure that data is not corrupted traversing the network, use the Content-MD5 form field. When you use this form field, Amazon S3 checks the object against the provided MD5 value. If they do not match, Amazon S3 returns an error. The status code returned to the client upon successful upload if success_action_redirect is not specified. Accepts the values 200, 201, or 204 (default). Source: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html

Which approach would you use if you wanted an EC2 instance that matched a particular configuration but wanted to avoid dependencies to configuration services or third-party repositories? A. Golden Images B. Bootstrapping

A. Certain AWS resource types like Amazon EC2 instances, Amazon RDS DB instances, Amazon Elastic Block Store (Amazon EBS) volumes, etc, can be launched from a golden image: a snapshot of a particular state of that resource. When compared to the bootstrapping approach, a golden image results in faster start times and removes dependencies to configuration services or third-party repositories.

What is one key difference between an Amazon EBS-backed and an instance-store backed instance? A.Amazon EBS-backed instances can be stopped and restarted. B.Instance-store backed instances can be stopped and restarted. C.Auto scaling requires using Amazon EBS-backed instances. D.Virtual Private Cloud requires EBS backed instances.

A. Characteristic Amazon EBS-Backed Amazon Instance Store-Backed Boot time Usually less than 1 minute Usually less than 5 minutes Size limit 16 TiB 10 GiB Root device volume Amazon EBS volume Instance store volume Data persistence By default, the root volume is deleted when the instance terminates.* Data on any other Amazon EBS volumes persists after instance termination by default. Data on any instance store volumes persists only during the life of the instance. Data on any instance store volumes persists only during the life of the instance. Data on any Amazon EBS volumes persists after instance termination by default. Upgrading The instance type, kernel, RAM disk, and user data can be changed while the instance is stopped. Instance attributes are fixed for the life of an instance. Charges You're charged for instance usage, Amazon EBS volume usage, and storing your AMI as an Amazon EBS snapshot. You're charged for instance usage and storing your AMI in Amazon S3. AMI creation/bundling Uses a single command/call Requires installation and use of AMI tools Stopped state Can be placed in stopped state where instance is not running, but the root volume is persisted in Amazon EBS Cannot be in stopped state; instances are running or terminated

What is the maximum number of S3 Buckets available per AWS account? A. 100 per region B. there is no limit C. 100 per account D. 500 per account E. 100 per IAM user

A. 100 per region

After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue? A. Disabling the Source/Destination Check attribute on the NAT instance B. Attaching an Elastic IP address to the instance in the private subnet C. Attaching a second Elastic Network Interface (ENI) to the NAT instance, and placing it in the private subnet D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

A. Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance. You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed dat a. Which AWS Storage Gateway configuration meets the customer requirements? A.Gateway-Cached volumes with snapshots scheduled to Amazon S3 B.Gateway-Stored volumes with snapshots scheduled to Amazon S3 C.Gateway-Virtual Tape Library with snapshots to Amazon S3 D.Gateway-Virtual Tape Library with snapshots to Amazon Glacier

A. I will go with A. Since company need "low latency" access to "frequently" access data that is provided by Cached volumes as per below http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html

***Which of the following cannot be used in Amazon EC2 to control who has access to specific Amazon EC2 instances? A.Security Groups B.IAM System C.SSH keys D.Windows passwords

A. Security Groups is the correct answer, security Groups defined what can be access (services) not Who B. IAM System (where you can create all users and role) so it is about who and what C. SSH keys is is Who D. Windows passwords this is also Who. B. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to the operating system of specific Amazon EC2 instances. There's no method in the IAM system to allow or deny access to the operating system of a specific instance.

You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow all outbound traffic but cannot access the internet. Why is the Internet unreachable from this instance? A.The instance does not have a public IP address. B.The internet gateway security group must allow all outbound traffic. C.The instance security group must allow all inbound traffic. D.The instance "Source/Destination check" property must be enabled.

A. To enable access to or from the Internet for instances in a VPC subnet, you must do the following: Attach an Internet gateway to your VPC. Ensure that your subnet's route table points to the Internet gateway. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address). Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

A user is sending the data to CIoudWatch using the CloudWatch API. The user is sending data 115 minutes in the future. What will CloudWatch do in this case? A. CloudWatch will accept the data B. It is not possible to send data of the future C. The user cannot send data for more than 60 minutes in the future D. It is not possible to send the data manually to CloudWatch

A. With Amazon CIoudWatch. each metric data point must be marked with a time stamp. The time stamp can be up to two weeks in the past and up to two hours into the future. If you do not provide a time stamp. CIoudWatch creates a time stamp for you based on the time the data element was received.

Regarding the attaching of ENI to an instance, what does 'coId attach' refer to? A. when the instance is being launched B. when the instance is being terminated C. when the instance is being pending D. when the instance is being stopped

A. You can attach an elastic network interface to an instance when it's running (hot attach), when it's stopped (warm attach). or when the instance is being launched (cold attach).

You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to $0.06/hr and your Spot Instance is terminated by AWS. What was the total EC2 compute cost of running your Spot Instance? A. $0.00 B. $0.02 C. $0.03 D. $0.05 E. $0.06

A. $0.00

What is the default maximum number of MFA devices in use per AWS account (at the root account level)? A. 1 B. 5 C. 15 D. 10

A. 1 http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html

In the Amazon RDS which uses the SQL Server engine, what is the maximum size for a Microsoft SQL Server DB Instance with SQL Server Express edition? A. 10 GB per DB B. 100 GB per DB C. 2 TB per DB D. 1TB per DB

A. 10 GB per DB the question is deprecated.http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html The maximum storage size for a Microsoft SQL Server DB Instance is 4 TB for all instances except the SQL Server Express edition, which limits storage to a total of 300 GB. The minimum storage size for a Microsoft SQL Server DB Instance is 20 GB for the Microsoft SQL Server Express and Web Editions and 200 GB for the Standard and Enterprise Editions. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html I'd go with A for the "test correct answer."

Using Amazon CloudWatch's Free Tier, what is the frequency of metric updates which you receive? A. 5 minutes B. 500 milliseconds. C. 30 seconds D. 1 minute

A. 5 minutes Basic Monitoring metrics (at five-minute frequency) for Amazon EC2 instances are free of charge, as are all metrics for Amazon EBS volumes, Elastic Load Balancers, and Amazon RDS DB instances. https://aws.amazon.com/cloudwatch/pricing/?nc1=h_ls

What is the default VPC security group limit? A. 500 B. 50 C. 5 D. There is no limit

A. 500

What is the durability of S3 RRS? A. 99.99% B. 99.95% C. 99.995% D. 99.999999999%

A. 99.99% https://aws.amazon.com/s3/reduced-redundancy/ Designed to provide 99.99% durability and 99.99% availability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.01% of objects.

HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named _____. A. Action B. Value C. Reset D. Retrieve

A. Action http://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html

Select the correct set of options. The initial settings for the default security group are: A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other B. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other C. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other D. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other

A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other

Amazon RDS DB snapshots and automated backups are stored in A. Amazon S3 B. Amazon ECS Volume C. Amazon RDS D. Amazon EMR

A. Amazon S3 https://aws.amazon.com/rds/faqs/ Q: Where are my automated backups and DB Snapshots stored and how do I manage their retention? Amazon RDS DB snapshots and automated backups are stored in S3. You can use the AWS Management Console, the ModifyDBInstance API, or the modify-db-instance command to manage the period of time your automated backups are retained by modifying the RetentionPeriod parameter. If you desire to turn off automated backups altogether, you can do so by setting the retention period to 0 (not recommended). You can manage your user-created DB Snapshots via the "Snapshots" section of the Amazon RDS Console. Alternatively, you can see a list of the user-created DB Snapshots for a given DB Instance using the DescribeDBSnapshots API or describe-db-snapshots command and delete snapshots with the DeleteDBSnapshot API or delete-db-snapshot command.

Which of the following is a durable key-value store? A. Amazon Simple Storage Service B. Amazon Simple Workflow Service C. Amazon Simple Queue Service D. Amazon Simple Notification Service

A. Amazon Simple Storage Service

Which Amazon service can I use to define a virtual network that closely resembles a traditional data center? A. Amazon VPC B. Amazon ServiceBus C. Amazon EMR D. Amazon RDS

A. Amazon VPC

What does Amazon Elastic Beanstalk provide? A. An application container on top of Amazon Web Services. B. A scalable storage appliance on top of Amazon Web Services. C. A scalable cluster of EC2 instances. D. A service by this name doesn't exist.

A. An application container on top of Amazon Web Services. https://aws.amazon.com/elasticbeanstalk/faqs/ Q: What is AWS Elastic Beanstalk? AWS Elastic Beanstalk makes it even easier for developers to quickly deploy and manage applications in the AWS Cloud. Developers simply upload their application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring.

EBS Snapshots occur _____ A. Asynchronously B. Synchronously C. Weekly

A. Asynchronously http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume.

Regarding the attaching of ENI to an instance, what does 'warm attach' refer to? A. Attaching an ENI to an instance when it is stopped. B. This question doesn't make sense. C. Attaching an ENI to an instance when it is running D. Attaching an ENI to an instance during the launch process

A. Attaching an ENI to an instance when it is stopped. You can attach an elastic network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach). http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#best-practices-for-configuring-network-interfaces

What is the type of monitoring data (for Amazon EBS volumes) which is available automatically in 5-minute periods at no charge called? A. Basic B. Primary C. Detailed D. Local

A. Basic Monitoring Volumes with CloudWatch CloudWatch metrics are statistical data that you can use to view, analyze, and set alarms on the operational behavior of your volumes. The following table describes the types of monitoring data available for your Amazon EBS volumes. Basic Data is available automatically in 5-minute periods at no charge. This includes data for the root device volumes for EBS-backed instances. Detailed Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html

What are the four levels of AWS Premium Support? A. Basic, Developer, Business, Enterprise B. Basic, Startup, Business, Enterprise C. Free, Bronze, Silver, Gold D. All support is free

A. Basic, Developer, Business, Enterprise Q: How are the enhanced AWS Support tiers different from Basic Support? AWS Basic Support offers all AWS customers access to our Resource Center, Service Health Dashboard, Product FAQs, Discussion Forums, and Support for Health Checks - at no additional charge. Customers who desire a deeper level of support can subscribe to AWS Support at the Developer, Business, or Enterprise level. https://aws.amazon.com/premiumsupport/faqs/

What is the name of licensing model in which I can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS? A. Bring Your Own License B. Role Bases License C. Enterprise License D. License Included

A. Bring Your Own License https://aws.amazon.com/oracle/#Oracle_Licensing_-_Bring_Your_Own_or_Buy_New

How can I change the security group membership for interfaces owned by other AWS, such as Elastic Load Balancing? A. By using the service specific console or API\CLI commands B. None of these C. Using Amazon EC2 API/CLI D. Using all these methods

A. By using the service specific console or API\CLI commands http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html To change security group membership for interfaces owned by other services, such as Elastic Load Balancing, use the console or command line interface for that service.

In order to enable encryption at rest using EC2 and Elastic Block Store you need to A. Configure encryption when creating the EBS volume B. Configure encryption using the appropriate Operating Systems file system C. Configure encryption using X.509 certificates D. Mount the EBS volume in to S3 and then encrypt the bucket using a bucket policy.

A. Configure encryption when creating the EBS volume

You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly? A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI. B. Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy. C. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User. D. Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

A. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

What is an isolated database environment running in the cloud (Amazon RDS) called? A. DB Instance B. DB Unit C. DB Server D. DB Volume

A. DB Instance A DB instance is an isolated database environment running in the cloud. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html

By default, EBS volumes that are created and attached to an instance at launch are deleted when that instance is terminated. You can modify this behavior by changing the value of the flag _____ to false when you launch the instance. A. DeleteOnTermination B. RemoveOnDeletion C. RemoveOnTermination D. TerminateOnDeletion

A. DeleteOnTermination By default, Amazon EBS root device volumes are automatically deleted when the instance terminates. However, by default, any additional EBS volumes that you attach at launch, or any EBS volumes that you attach to an existing instance persist even after the instance terminates. This behavior is controlled by the volume's DeleteOnTermination attribute, which you can modify. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html

A VPC public subnet is one that: A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW). B. Includes a route in its associated routing table via a Network Address Translation (NAT) instance. C. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0. D. Has the Public Subnet option selected in its configuration.

A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).

You work for a cosmetic company which has their production website on AWS. The site itself is in a two-tier configuration with web servers in the front end and database servers at the back end. The site uses using Elastic Load Balancing and Auto Scaling. The databases maintain consistency by replicating changes to each other as and when they occur. This requires the databases to have extremely low latency. Your website needs to be highly redundant and must be designed so that if one availability zone goes offline and Auto Scaling cannot launch new instances in the remaining Availability Zones the site will not go offline. How can the current architecture be enhanced to ensure this? A. Deploy your site in three different AZ's within the same region. Configure the Auto Scaling minimum to handle 50 percent of the peak load per zone. B. Deploy your website in 2 different regions. Configure Route53 with a failover routing policy and set up health checks on the primary site. C. Deploy your site in three different AZ's within the same region. Configure the Auto Scaling minimum to handle 33 percent of the peak load per zone. D. Deploy your website in 2 different regions. Configure Route53 with Weighted Routing. Assign a weight of 25% to region 1 and a weight of 75% to region 2.

A. Deploy your site in three different AZ's within the same region. Configure the Auto Scaling minimum to handle 50 percent of the peak load per zone.

Which route must be added to your routing table in order to allow connections to the Internet from your subnet? A. Destination: 0.0.0.0/0 --> Target: your Internet gateway B. Destination: 192.168.1.257/0 --> Target: your Internet gateway C. Destination: 0.0.0.0/33 --> Target: your virtual private gateway D. Destination: 0.0.0.0/0 --> Target: 0.0.0.0/24 E. Destination: 10.0.0.0/32 --> Target: your virtual private gateway

A. Destination: 0.0.0.0/0 --> Target: your Internet gateway

What does Amazon EBS stand for? A. Elastic Block Storage. B. Elastic Business Server. C. Elastic Blade Server. D. Elastic Block Store.

A. Elastic Block Storage. https://aws.amazon.com/ebs/ Amazon Elastic Block Store (EBS) Amazon Elastic Block Store (Amazon EBS) provides persistent block level storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes - all while paying a low price for only what you provision.

If I want an instance to have a public IP address, which IP address should I use? A. Elastic IP Address B. Class B IP Address C. Class A IP Address D. Dynamic IP Address

A. Elastic IP Address

What combination of the following options will protect S3 objects from both accidental deletion and accidental overwriting? A. Enable S3 versioning on the bucket. B. Access S3 data using only signed URLs. C. Disable S3 delete using an IAM bucket policy. D. Enable S3 Reduced Redundancy Storage. E. Enable multi-factor authentication (MFA) protected access.

A. Enable S3 versioning on the bucket. E. Enable multi-factor authentication (MFA) protected access.

Your company has decided to set up a new AWS account for test and dev purposes. They already use AWS for production, but would like a new account dedicated for test and dev so as to not accidentally break the production environment. You launch an exact replica of your production environment using a CloudFormation template that your company uses in production. However CloudFormation fails. You use the exact same CloudFormation template in production, so the failure is something to do with your new AWS account. The CloudFormation template is trying to launch 60 new EC2 instances in a single AZ. After some research you discover that the problem is; A. For all new AWS accounts there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased. B. For all new AWS accounts there is a soft limit of 20 EC2 instances per availability zone. You should submit the limit increase form and retry the template after your limit has been increased. C. You cannot launch more than 20 instances in your default VPC, instead reconfigure the CloudFormation template to provision the instances in a custom VPC. D. Your CloudFormation template is configured to use the parent account and not the new account. Change the account number in the CloudFormation template and relaunch the template. Submit

A. For all new AWS accounts there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased.

Which of the following is not a valid configuration type for AWS Storage gateway. A. Gateway-accessed volumes B. Gateway-cached volumes C. Gateway-stored volumes D. Gateway-Virtual Tape Library

A. Gateway-accessed volumes

"41. Question A VPC public subnet is one that: 1. A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW). 2. Has the Public Subnet option selected in its configuration. 3. Includes a route in its associated routing table via a Network Address Translation (NAT) instance. 4. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0"

A. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).

When should I choose Provisioned IOPS over Standard RDS storage? A. If you use production online transaction processing (OLTP) workloads. B. If you have batch-oriented workloads C. If you have workloads that are not sensitive to consistent performance

A. If you use production online transaction processing (OLTP) workloads.

You have an EC2 security group with several running EC2 instances. You change the security group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same security group. The new rules apply: A. Immediately to all instances in the security group. B. Immediately to the new instances only. C. Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply. D. To all instances, but it may take several minutes for old instances to see the changes.

A. Immediately to all instances in the security group. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#vpc-security-groups

What does the AWS Storage Gateway provide? A. Integration of on-premises IT environments with Cloud Storage. B. A direct encrypted connection to Amazon S3. C. A backup solution that provides an on-premises Cloud storage. D. It provides an encrypted SSL endpoint for backups in the Cloud.

A. Integration of on-premises IT environments with Cloud Storage. http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure.

By definition a public subnet within a VPC is one that; A. In it's routing table it has at least one route that uses an Internet Gateway (IGW). B. Has at least one route in it's routing table that routes via a Network Address Translation (NAT) instance. C. Where the the Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0. D. Has had the public subnet check box ticked when setting up this subnet in the VPC console.

A. In it's routing table it has at least one route that uses an Internet Gateway (IGW).

You are a student currently learning about the different AWS services. Your employer asks you to tell him a bit about Amazon's glacier service. Which of the following best describes the use cases for Glacier? A. Infrequently accessed data & data archives B. Hosting active databases C. Replicating Files across multiple availability zones and regions D. Frequently Accessed Data

A. Infrequently accessed data & data archives

Amazon RDS automated backups and DB Snapshots are currently supported for only the ______ storage engine A. InnoDB B. MyISAM

A. InnoDB Amazon RDS automated backups and DB snapshots are currently supported for all DB engines. For the MySQL DB engine, only the InnoDB storage engine is supported; use of these features with other MySQL storage engines, including MyISAM, may lead to unreliable behavior while restoring from backups. Specifically, since storage engines like MyISAM do not support reliable crash recovery, your tables can be corrupted in the event of a crash. For this reason, we encourage you to use the InnoDB storage engine. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html

Which DNS name can only be resolved within Amazon EC2? A. Internal DNS name B. External DNS name C. Global DNS name D. Private DNS name

A. Internal DNS name http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-dns.html http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html

What is the Reduced Redundancy option in Amazon S3? A. Less redundancy for a lower cost. B. It doesn't exist in Amazon S3, but in Amazon EBS. C. It allows you to destroy any copy of your files outside a specific jurisdiction. D. It doesn't exist at all

A. Less redundancy for a lower cost. http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingRRS.html In order to reduce storage costs, you can use reduced redundancy storage for noncritical, reproducible data at lower levels of redundancy than Amazon S3 provides with standard storage. Reduced Redundancy Storage (RRS) is an Amazon 53 storage option that enables customers to reduce their costs by storing noncritical. reproducible data at lower levels of redundancy than Amazon 53's standard storage. It provides a cost-effective. highly available solution for distributing or sharing content that is durably stored elsewhere. or for storing thumbnails. transcoded media, or other processed data that can be easily reproduced.

Which of the following requires a custom CloudWatch metric to monitor? A. Memory use (Memory Utilization of an EC2 instance) B. CPU use (CPU Utilization of an EC2 instance) C. Disk read operations (Disk usage activity of an EC2 instance) D. Network in (Data transfer You are tasked with setting up a Linux bastion host for access to Amazon EC2of an EC2 instance) E. Estimated charges

A. Memory use However, there's one big missing feature in CloudWatch: it doesn't monitor your instance memory utilization http://arr.gr/blog/2013/08/monitoring-ec2-instance-memory-usage-with-cloudwatch/

Is the SQL Server Audit feature supported in the Amazon RDS SQL Server engine? A. No B. Yes

A. No http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SQLServer.html#SQLServer.Concepts.General.FeatureSupport.2012 Amazon RDS currently does not support the following SQL Server features: ... - Policy-Based Management - SQL Server Audit - BULK INSERT and OPENROWSET(BULK...) features

Can the string value of 'Key' be prefixed with laws? A. No B. Only for EC2 not S3 C. Yes D. Only for S3 not EC

A. No http://docs.aws.amazon.com/cli/latest/reference/rds/list-tags-for-resource.html C case the question is asking aws the limit is on aws: please note the : at the end Key -> (string) A key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and cannot be prefixed with "aws:" or "rds:". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: "^([\p{L}\p{Z}\p{N}_.:/=+\-]*)$"). Value -> (string) A value is the optional value of the tag. The string value can be from 1 to 256 Unicode characters in length and cannot be prefixed with "aws:" or "rds:". The string can only contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: "^([\p{L}\p{Z}\p{N}_.:/=+\-]*)$"). Reply

Can I move a Reserved Instance from one Region to another? A. No, Each Reserved Instance is associated with a specific Region B1. Yes, But you need to get approval from AWS Support B2. Yes, But you don't need consult AWS. C. Only if they are moving into GovCloud D. Only if they are moving to US East from another region

A. No https://aws.amazon.com/rds/faqs/ Q: Can I move a Reserved Instance from one Region or Availability Zone to another? Each Reserved Instance is associated with a specific Region, which is fixed for the lifetime of the reservation and cannot be changed. Each reservation can, however, be used in any of the available AZs within the associated Region.

Making your snapshot public shares all snapshot data with everyone. Can the snapshots with AWS Marketplace product codes be made public? A. No B. Yes

A. No See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html#d0e80912 To make the snapshot public, choose Public. This is not a valid option for encrypted snapshots or snapshots with AWS Marketplace product codes.

Does Amazon RDS for SQL Server currently support importing data into the msdb database? A. No B. Yes

A. No http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Snapshots.html https://aws.amazon.com/blogs/aws/amazon-rds-for-sql-server-support-for-native-backuprestore-to-amazon-s3/

Can a 'user' be associated with multiple AWS accounts? A. No B. Yes

A. No http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html Each IAM user is associated with one and only one AWS account. Because users are defined within your AWS account, they don't need to have a payment method on file with AWS. Any AWS activity performed by users in your account is billed to your account.

When using consolidated billing there are two account types. What are they? A. Paying account and Linked account B. Parent account and Child account C. Main account and Sub account. D. Main account and Secondary account.

A. Paying account and Linked account You sign up for Consolidated Billing in the AWS Billing and Cost Management console, and designate your account as a payer account. Now your account can pay the charges of the other accounts, which are called linked accounts. The payer account and the accounts linked to it are called a Consolidated Billing account family. Source: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html

How can software determine the public and private IP addresses of the EC2 instance that it is running on? A. Query the local instance metadata. B. Query the local instance userdata. C. Query the appropriate Amazon CloudWatch metric. D. Use an ipconfig or ifconfig command.

A. Query the local instance metadata.

The Amazon EC2 web service can be accessed using the _____ web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document. A. SOAP B. DCOM C. CORBA D. XML-RPC

A. SOAP http://docs.aws.amazon.com/AWSECommerceService/latest/DG/WSDLLocation.html This interface is described by a Web Services Description Language (WSDL) document, which defines the operations and security model for the particular service. The WSDL references an XML Schema document, which strictly defines the data types that might appear in SOAP requests and responses. For more information on WSDL and SOAP

Because of the extensibility limitations of striped storage attached to Windows Server, Amazon RDS does not currently support increasing storage on a _____ DB Instance. A. SQL Server B. MySQL C. Oracle

A. SQL Server https://aws.amazon.com/rds/faqs/ Q: How do I scale the compute resources and/or storage capacity associated with my Amazon RDS Database Instance? Please note that for SQL Server, because of the extensibility limitations of striped storage attached to a Windows Server environment, Amazon RDS does not currently support increasing storage. While we plan to support this functionality in the future, we recommend you to provision storage based on anticipated future storage growth. In the interim, if you need to increase the storage of a SQL Server DB Instance, you will need to export the data, create a new DB Instance with increased storage, and import the data into it. Please refer to the data import guide for SQL Server for more information.

What are the valid methodologies for encrypting data on S3? A. Server Side Encryption (SSE)-S3, SSE-C, SSE-KMS or a client library such as Amazon S3 Encryption Client. B. Server Side Encryption (SSE)-S3, SSE-A, SSE-KMS or a client library such as Amazon S3 Encryption Client. C. Server Side Encryption (SSE)-S3, SSE-C, SSE-SSL or a client library such as Amazon S3 Encryption Client. D. Server Side Encryption (SSE)-S3, SSE-C, SSE-SSL or a server library such as Amazon S3 Encryption Client.

A. Server Side Encryption (SSE)-S3, SSE-C, SSE-KMS or a client library such as Amazon S3 Encryption Client.

_____ embodies the "share-nothing" architecture and essentially involves breaking a large database into several smaller databases. A. Sharding B. Failure recovery C. Federation D. DDL operations

A. Sharding https://forums.aws.amazon.com/thread.jspa?messageID=203052 Sharding Sharding embodies the "share-nothing" architecture and essentially just involves breaking a larger database up into smaller databases. Common ways to split a database are: Splitting tables that are not joined in the same query onto different hosts Duplicating a table across multiple hosts and then splitting where a row goes.

How many relational database engines does RDS currently support? A. Six: Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB B. Just two: MySQL and Oracle. C. Five: MySQL, PostgreSQL, MongoDB, Cassandra and SQLite. D. Just one: MySQL.

A. Six: Amazon Aurora, Oracle, Microsoft SQL Server, PostgreSQL, MySQL and MariaDB https://aws.amazon.com/rds/?nc1=h_ls Outdated question, but A is CLOSE to the correct answer Amazon RDS provides you six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server. Amazon Relational Database Service (Amazon RDS) makes it easy to set up. operate. and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks. freeing you up to focus on your applications and business. Amazon RDS provides you six familiar database engines to choose from. including Amazon Aurora. Oracle. Microsoft SQL Server. PostgreSQL. MySQL and MariaDB.

What does the command 'ec2-run-instances ami-e3a5408a -n 20 -g appserver' do? A. Start twenty instances as members of appserver group. B. Creates 20 rules in the security group named appserver C. Terminate twenty instances as members of appserver group. D. Start 20 security groups

A. Start twenty instances as members of appserver group.

When using IAM to control access to your RDS resources, the key names that can be used are case sensitive. For example, aws:CurrentTime is NOT equivalent to AWS:currenttime. A. TRUE B. FALSE

A. TRUE Explanation: The Question is Specific to RDS. There are two ways to specify conditions in an IAM policy for Amazon RDS: Using Condition Keys Using Custom Tags Note: Condition keys are case sensitive. Link : http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAM.Conditions.html

Automated backups are enabled by default for a new DB Instance. A. TRUE B. FALSE

A. TRUE http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html Automated backup is an Amazon RDS feature that automatically creates a backup of your DB instance. Automated backups are enabled by default for a new DB instance.

The new DB Instance that is created when you promote a Read Replica retains the backup window period. A. TRUE B. FALSE

A. TRUE http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote The new DB instance that is created when you promote a Read Replica retains the backup retention period, backup window period, and parameter group of the former Read Replica source.

Please select the most correct answer regarding the persistence of the Amazon Instance Store: A. The data on an instance store volume persists only during the life of the associated Amazon EC2 instance B. The data on an instance store volume is lost when the security group rule of the associated instance is changed. C. The data on an instance store volume persists even after associated Amazon EC2 instance is deleted

A. The data on an instance store volume persists only during the life of the associated Amazon EC2 instance http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under the following circumstances: The underlying disk drive fails The instance stops The instance terminates

When trying to grant an amazon account access to S3 using access control lists what method of identification should you use to identify that account with? A. The email address of the account or the canonical user ID B. The AWS account number C. The ARN D. An email address with a 2FA token Submit

A. The email address of the account or the canonical user ID

If I have multiple Read Replicas for my master DB Instance and I promote one of them, what happens to the rest of the Read Replicas? A. The remaining Read Replicas will still replicate from the older master DB Instance B. The remaining Read Replicas will be deleted C. The remaining Read Replicas will be combined to one read replica

A. The remaining Read Replicas will still replicate from the older master DB Instance See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote If a source DB instance has several Read Replicas, promoting one of the Read Replicas to a DB instance has no effect on the other replicas.

Amazon S3 buckets in all other regions (other than US Standard) provide read-after-write consistency for PUTS of new objects. A. True B. False

A. True

Disabling automated backups disables the point-in-time recovery feature. A. True B. False

A. True

If I modify a DB Instance or the DB parameter group associated with the instance, I should reboot the instance for the changes to take effect? A. True B. False

A. True

It is possible to transfer a reserved instance from one Availability Zone to another. A. True B. False

A. True

Reserved Instances are available for Multi-AZ Deployments. A. True B. False

A. True

SQL Server stores logins and passwords in the master database. A. True B. False

A. True

You are deploying an application on EC2 that must call AWS APIs. What method of securely passing credentials to the application should you use? A. Use AWS Identity and Access Management roles for EC2 instances. B. Pass API credentials to the instance using instance userdata. C. Embed the API credentials into your JAR files. D. Store API credentials as an object in Amazon Simple Storage Service.

A. Use AWS Identity and Access Management roles for EC2 instances.

A______ is an individual, system, or application that interacts with AWS programmatically. A. User B. AWS Account C. Group D. Role

A. User https://aws.amazon.com/iam/faqs/ A user can be an individual, system, or application requiring access to AWS services. (As per Vladams Post) http://docs.aws.amazon.com/IAM/latest/UserGuide/id.html A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.

Do the Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance? A. No B. Only if instructed to when created C. Yes

C. Yes

What does Amazon EC2 provide? A. Virtual servers in the Cloud. B. A platform to run code (Java, PHP, Python), paying on an hourly basis. C. Computer Clusters in the Cloud. D. Physical servers, remotely managed by the customer.

A. Virtual servers in the Cloud. Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

Can I initiate a "forced failover" for my Oracle Multi-AZ DB Instance deployment? A. Yes B. Only in certain regions C. Only in VPC D. No

A. Yes http://aws.amazon.com/rds/faqs/#46 Amazon RDS will automatically failover without user intervention under a variety of failure conditions. In addition, Amazon RDS provides an option to initiate a failover when rebooting your instance. You can access this feature via the AWS Management Console or when using the RebootDBInstance API call.

A group can contain many users. Can a user belong to multiple groups? A. Yes B. No C. Only if they are using two factor authentication D. Only in VPC

A. Yes http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Does Route 53 support MX Records? A. Yes B. It supports CNAME records, but not MX records. C. No D. Only Primary MX records. Secondary MX records are not supported.

A. Yes http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ResourceRecordTypes.html#MXFormat

Is the encryption of connections between my application and my DB Instance using SSL for the MySQL server engines available? A. Yes B. Only in VPC C. Only in certain regions D. No

A. Yes https://aws.amazon.com/rds/faqs/

Can I attach more than one policy to a particular entity? A. Yes always B. Only if within GovCloud C. No D. Only if within VPC

A. Yes always http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

Are you able to integrate a multi-factor token service with the AWS Platform? A. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform. B. No, you cannot integrate multi-factor token devices with the AWS platform. C. Yes, you can integrate private multi-factor token devices to authenticate users to the AWS platform.

A. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html

Does AWS allow for the use of Multi Factor Authentication tokens? A. Yes, with both hardware or virtual MFA devices B. Yes, but only virtual MFA devices. C. Yes, but only physical (hardware) MFA devices. D. No

A. Yes, with both hardware or virtual MFA devices

You're running an application on-premises due to its dependency on non-x86 hardware and want to use AWS for data backup. Your backup application is only able to write to POSIX-compatible block-based storage. You have 140TB of data and would like to mount it as a single folder on your file server Users must be able to access portions of this data while the backups are taking place. What backup solution would be most appropriate for this use case? A.Use Storage Gateway and configure it to use Gateway Cached volumes. B.Configure your backup software to use S3 as the target for your data backups. C.Configure your backup software to use Glacier as the target for your data backups. D.Use Storage Gateway and configure it to use Gateway Stored volumes.

A. You cannot use cached storage for posix compatible storage. It will corrupt data from cache loss. B. & C. You cannot use S3 as a posix compatible strage. D. It can be used a Posix compatible storage and Each gateway-stored volume can store up to 16 TB of data. Data written to the volume is stored on your on-premises hardware and asynchronously backed up to AWS for point-in-time snapshots. Each gateway-stored gateway can support up to 32 volumes for a maximum of 512 TB of data (32 volumes, each 16 TB in size). Answer is D.

After creating a new AWS account, you use the API to request 40 on-demand EC2 instances in a single AZ. After 20 successful requests, subsequent requests failed. What could be a reason for this issue, and how would you resolve it? A. You encountered a soft limit of 20 instances per region. Submit the limit increase form and retry the failed requests once approved. B. AWS allows you to provision no more than 20 instances per Availability Zone. Select a different Availability Zone and retry the failed request. C. You need to use Amazon Virtual Private Cloud (VPC) in order to provision more than 20 instances in a single Availability Zone. Simply terminate the resources already provisioned and re-launch them all in a VPC. D. You encountered an API throttling situation and should try the failed requests using an exponential decay retry algorithm.

A. You encountered a soft limit of 20 instances per region. Submit the limit increase form and retry the failed requests once approved.

My Read Replica appears "stuck" after a Multi-AZ failover and is unable to obtain or apply updates from the source DB Instance. What do I do? A. You will need to delete the Read Replica and create a new one to replace it. B. You will need to disassociate the DB Engine and re associate it. C. The instance should be deployed to Single AZ and then moved to Multi- AZ once again D. You will need to delete the DB Instance and create a new one to replace it.

A. You will need to delete the Read Replica and create a new one to replace it. "Q: My Amazon RDS for MySQL Read Replica appears "stuck" after a Multi-AZ failover and is unable to obtain or apply updates from the source DB Instance. What do I do? .... To resolve the current issue, you will need to delete the Read Replica and create a new one to replace it. " https://aws.amazon.com/rds/faqs/

The SQL Server _____ feature is an efficient means of copying data from a source database to your DB Instance. It writes the data that you specify to a data file, such as an ASCII file. A. bulk copy B. group copy C. dual copy D. mass copy

A. bulk copy The SQL Server bulk copy feature is an efficient means of copying data from a source database to your DB Instance. Bulk copy writes the data that you specify to a data file, such as an ASCII file. You can then run bulk copy again to write the contents of the file to the destination DB Instance. Source: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.html

While performing volume status checks using volume status checks, if the status is insufficient-data, if the status is 'insufficient-data', what does it mean? A. checks may still be in progress on the volume B. check has passed C. check has failed D. there is no such status

A. checks may still be in progress on the volume

Your company has an on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst In web traffic due to a company announcement Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly improve your infrastructures ability to handle unexpected increases in traffic. The application currently consists of 2 tiers A web tier which consists of a load balancer and several Linux Apache web servers as well as a database tier which hosts a Linux server hosting a MySQL database. Which scenario below will provide full site functionality, while helping to improve the ability of your application in the short timeframe required? A.Offload traffic from on-premises environment Setup a CloudFront distribution and configure CloudFront to cache objects from a custom origin Choose to customize your object cache behavior, and select a TTL that objects should exist in cache. B.Migrate to AWS Use VM import 'Export to quickly convert an on-premises web server to an AMI create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffic Create an RDS read replica and setup replication between the RDS instance and on-premises MySQL server to migrate the database. C.Failover environment: Create an S3 bucket and configure it tor website hosting Migrate your DNS to Route53 using zone (lie import and leverage Route53 DNS failover to failover to the S3 hosted website. D.Hybrid environment Create an AMI which can be used of launch web serfers in EC2 Create an Auto Scaling group which uses the * AMI to scale the web tier based on incoming traffic Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted in AWS.

A. correct... You can have CloudFront sit in front of your on-prem web environment, via a custom origin (the origin doesn't have to be in AWS). This would protect against unexpected bursts in traffic by letting CloudFront handle the traffic that it can out of cache, thus hopefully removing some of the load from your on-prem web servers. B. incorrect for two reasons... First, there is nothing in the question to say that the existing Apache web servers are VMs. They might be physical servers, for all we can tell from the question, so VM import/export may not be usable at all. Second, you wouldn't want just a read replica out in AWS. If your website instances in AWS are taking the brunt of the incoming burst of traffic, they may have to do both reads and writes, and you don't want to force them to talk all the way back to your on-prem DB to do writes. That's just going to add a lot of latency. And even after the writes are made to your on-prem DB, they still have to replicate back out to the read replica in AWS, which is asynchronous, and could lead to inconsistencies. (User has just clicked to add an item to their shopping cart, and master DB is aware, but read replica DB hasn't been informed by the master DB yet, so the user doesn't see it in their cart.) C. incorrect for two reasons... First, because it doesn't provide any ability to absorb unexpected bursts in traffic, it merely provides you a failover refuge if your on-prem environment falls over dead from the load. Second, nothing in the question indicates 100% of the content is static content. If you have any dynamic content at all (which you probably do have, since there's a back-end database there for some reason), S3 wouldn't get it done. D. incorrect because you cannot (currently) use an ELB to share load with an on-prem web server. (You have to specially configure an ELB to even be able to share load across AZs. On-prem is right out.) In theory, you could configure a weighted load-sharing entry in Route53, with a portion of the traffic going to your on-prem load-balancer, and the remainder of the traffic going to your ELB. But that's not what D is stating.

If I want my instance to run on a single-tenant hardware, which value do I have to set the instance's tenancy attribute to? A. dedicated B. isolated C. one D. reserved

A. dedicated http://aws.amazon.com/ec2/dedicated-hosts/

You are hosting a website in Ireland called aloud.guru and you decide to have a static DR site available on S3 in the event that your primary site would go down. Your bucket name is also called "acloudguru". What would be the S3 URL of the static website? A. https://acloudguru.s3-website-eu-west-1.amazonaws.com B. https://s3-eu-east-1.amazonaws.com/acloudguru C. https://acloudguru.s3-website-us-east-1.amazonaws.com D. https://s3-eu-central-1.amazonaws.com/acloudguru

A. https://acloudguru.s3-website-eu-west-1.amazonaws.com

A _____ is a document that provides a formal statement of one or more permissions. A. policy B. permission C. Role D. resource

A. policy http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html

A/An _____ acts as a firewall that controls the traffic allowed to reach one or more instances. A. security group B. ACL C. IAM D. Private IP Addresses

A. security group http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. A security group acts as a virtual firewall that controls the traffic for one or more instances.

In regards to IAM you can edit user properties later, but you cannot use the console to change the _____. A. user name B. password C. default group

A. user name To change a user's name or path, you must use the AWS CLI, Tools for Windows PowerShell, or AWS API. There is no option in the console to rename a user. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_renaming

***Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS. Which service should you use? A.Amazon RDS with provisioned IOPS up to the anticipated peak write throughput. B.Amazon Simple Queue Service (SOS) for capturing the writes and draining the queue to write to the database. C.Amazon ElastiCache to store the writes until the writes are committed to the database. D.Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.

A: While Amazon DynamoDB tackles the core problems of database scalability, management, performance, and reliability, it does not have all the functionality of a relational database. It does not support complex relational queries (e.g. joins) or complex transactions. If your workload requires this functionality, or you are looking for compatibility with an existing relational engine, you may wish to run a relational engine on Amazon RDS or Amazon EC2. While relational database engines provide robust features and functionality, scaling a workload beyond a single relational database instance is highly complex and requires significant time and expertise. As such, if you anticipate scaling requirements for your new application and do not need relational features, Amazon DynamoDB may be the best choice for you. B: SQS is a pull model I do not know of a method how DBMS can pull data from Queue. SQS is generally used for decoupling applications and not for databases C: Elasticache is a MemCached used for Read not for write D: Though this can be one plausible option moreover its a choice of DB engine. Since I donn't wish to lose any data I would still choose a DB with ACID properties.

Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose 2 answers A.Supported on all Amazon EBS volume types B.Snapshots are automatically encrypted C.Available to all instance types D.Existing volumes can be encrypted E.shared volumes can be encrypted

AB https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html

A company is storing data on Amazon Simple Storage Service (S3). The company's security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3 answers A.Use Amazon S3 server-side encryption with AWS Key Management Service managed keys. B.Use Amazon S3 server-side encryption with customer-provided keys. C.Use Amazon S3 server-side encryption with EC2 key pair. D.Use Amazon S3 bucket policies to restrict access to the data at rest. E.Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key. F.Use SSL to encrypt the data while in transit to Amazon S3.

ABE, all these are encryption at rest. C is nonsence D is not encryption, its access security F is encryption in transit A, B - http://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html E: Alternatively you can use your own encryption libraries to encrypt data before storing it in Amazon S3.

Which of the following instance types are available as Amazon EBS-backed only? Choose 2 answers A.General purpose T2 B.General purpose M3 C.Compute-optimized C4 D.Compute-optimized C3 E.Storage-optimized 12

AC http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html

Which of the following notification endpoints or clients are supported by Amazon Simple Notification Service? Choose 2 answers A.Email B.CloudFront distribution C.File Transfer Protocol D.Short Message Service E.Simple Network Management Protocol

AD SNS Supported Endpoints Email Notifications Amazon SNS provides the ability to send Email notifications SMS Notifications Amazon SNS provides the ability to send and receive Short Message Service (SMS) notifications to SMS-enabled mobile phones and smart phones

A company is preparing to give AWS Management Console access to developers Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? (Select 2) Choose 2 answers A.AWS Directory Service AD Connector B.AWS Directory Service Simple AD C.AWS Identity and Access Management groups D.AWS identity and Access Management roles E.AWS identity and Access Management users

AD https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/ Assign users to roles Now that AD Connector is configured and you've created a role, your next job is to assign users or groups to those IAM roles http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html

Which of the following services natively encrypts data at rest within an AWS region? Choose 2 answers A.AWS Storage Gateway B.Amazon DynamoDB C.Amazon CloudFront D.Amazon Glacier E.Amazon Simple Queue Service

AD is correct. Storage Gateway will actually persist the data to EBS, S3 and Glacier - ALL 3 of which support server side encryption of data, while at rest.

8) Amazon S3 can use what type of server side encryption?

AE8256 Further Reading httgs://Iinuxacademy-com/cg/courses/Iesson/course/118/Iesson/7/moduIe/11

"15. Question Which service alias record is not free when using with Route 53? 1. ELB 2. CloudFront 3. AS 4. S3"

AS

You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion? A.Amazon Kinesis B.AWS Data Pipeline C.Amazon AppStream D.Amazon Simple Queue Service

Agree on A: https://aws.amazon.com/streaming-data/

You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance? A.Use multi-part upload. B.Add a random prefix to the key names. C.Amazon S3 will automatically manage performance at this scale. D.Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key names

Agree with B Background: http://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html

***You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS in addition, the storage layer must be able to survive the loss of an individual disk. EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB.Which of the following designs will meet these objectives'? A.Instantiate an 12 8xlarge instance in us-east-1a Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance Provision 3×1 TB EBS volumes attach them to the instance and configure them as a second RAID 0 volume Configure synchronous, block-level replication from the ephemeralbacked volume to the EBS-backed volume. B.Instantiate an 12 8xlarge instance in us-east-1a create a raid 0 volume using the four 800GB SSD ephemeral disks provide with the Instance Configure synchronous block-level replication to an Identically configured Instance in us-east-1b. C.Instantiate a c3 8xlarge Instance In us-east-1 Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100 000 lOPS Attach the volume to the instance. D.Instantiate a c3 8xlarge instance in us-east-i provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volume Ensure that EBS snapshots are performed every 15 minutes. E.Instantiate a c3 8xlarge Instance in us-east-1 Provision 3x1TB EBS volumes attach them to the instance, and configure them as a single RAID 0 volume Ensure that EBS snapshots are performed every 15 minutes.

Agree with B is the answer. As per I read, the question asked : "...survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss..." A: does not provide loss prevention for EC2, although it provide enough storage capacity (4SSD*800GB > 3TB). C: does not provide any means for loss prevention of data or ec2 or AZs D: AWS advice not to use RAID5. And like 'C', D does not provide means for sustaining loss E: using only 1 instance, no means for loss prevention of EC2.

"14. Question Which record type queries are free when using Route 53? 1. 1. AAAA 2. 3. TXT 3. 2. MX 4. 4. Alias"

Alias

An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume? A.Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Remount the Amazon EBS volume. B.Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume. C.Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS volume. D.Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume

Also see Amazon's recommendation here: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html To migrate data between encrypted and unencrypted volumes 1. Create your destination volume (encrypted or unencrypted, depending on your need) by following the procedures in Creating an Amazon EBS Volume. 2. Attach the destination volume to the instance that hosts the data to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance. 3. Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use. For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there. 4. Copy the data from your source directory to the destination volume. It may be most convenient to use a bulk-copy utility for this. B is the right answer.

"45. Question Which of the following is a durable key-value store? 1. Amazon Simple Queue Service 2. Amazon Simple Workflow Service 3. Amazon Simple Storage Service 4. Amazon Simple Notification Service"

Amazon Simple Storage Service

A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company's requirements? A.Virtual Private Network connection. AWS Directory Services, and ClassicLink B.Virtual Private Network connection. AWS Directory Services, and Amazon Workspaces C.AWS Directory Service, Amazon Workspaces, and AWS Identity and Access Management D.Amazon Elastic Compute Cloud, and AWS Identity and Access Management

Ans: B Source: https://aws.amazon.com/directoryservice/faqs/ Q: How do I create an AD Connector to connect to my on-premises directory? You can use the AWS Management Console to create an AD Connector to connect your existing, on-premises Microsoft Active Directory to AWS. You will need to configure an Amazon Virtual Private Cloud (VPC) with a hardware VPN connection to your on-premises environment, or provision a dedicated connection with AWS Direct Connect. Once you've set up this integration, you will need to provide some basic information such as the name of your on-premises Microsoft Active Directory, DNS servers to discover Microsoft Active Directory, and an account name and password that you've pre-created in your Microsoft Active Directory. This is a limited privilege account used by AD Connector to authenticate and connect to one of the domain controllers and proxy various authentication, domain join, and look-up requests.

Which of the following are use cases for Amazon DynamoDB? Choose 3 answers A.Storing BLOB data. B.Managing web sessions. C.Storing JSON documents. D.Storing metadata for Amazon S3 objects. E.Running relational joins and complex updates. F.Storing large amounts of infrequently accessed data.

Answer BCD https://aws.amazon.com/dynamodb/faqs/ Q: When should I use Amazon DynamoDB vs a relational database engine on Amazon RDS or Amazon EC2? Q: Can I use the AWS Management Console to view and edit JSON documents? Yes. The AWS Management Console provides a simple UI for exploring and editing the data stored in your DynamoDB tables, including JSON documents http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForItems.html

You are designing a data leak prevention solution for your VPC environment. You want your VPC Instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are accessible via third party CONs by their URLs. You want to explicitly deny any other outbound connections from your VPC instances to hosts on the internet. Which of the following options would you consider? A.Configure a web proxy server in your VPC and enforce URL-based rules for outbound access Remove default routes. B.Implement security groups and configure outbound rules to only permit traffic to software depots. C.Move all your instances into private VPC subnets remove default routes from all routing tables and add specific routes to the software depots and distributions only. D.Implement network access control lists to all specific destinations, with an Implicit deny as a rule.

Answer is A A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access Remove default routes. Organizations usually implement proxy solutions to provide URL and web content filtering, IDS/IPS, data loss prevention, monitoring, and advanced threat protection. https://d0.awsstatic.com/aws-answers/Controlling_VPC_Egress_Traffic.pdf

You currently operate a web application In the AWS US-East region The application runs on an auto-scaled layer of EC2 instances and an RDS Multi-AZ database Your IT security compliance officer has tasked you to develop a reliable and durable logging solution to track changes made to your EC2.IAM And RDS resources. The solution must ensure the integrity and confidentiality of your log dat a. Which of these solutions would you recommend? A.Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. B.Create a new cloudTrail with one new S3 bucket to store the logs Configure SNS to send log file delivery notifications to your management system Use IAM roles and S3 bucket policies on the S3 bucket mat stores your logs. C.Create a new CloudTrail trail with an existing S3 bucket to store the logs and with the global services option selected Use S3 ACLs and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. D.Create three new CloudTrail trails with three new S3 buckets to store the logs one for the AWS Management console, one for AWS SDKs and one for command line tools Use IAM roles and S3 bucket policies on the S3 buckets that store your logs.

Answer is A A. Create a new CloudTrail trail with one new S3 bucket to store the logs and with the global services option selected Use IAM roles S3 bucket policies and Multi Factor Authentication (MFA) Delete on the S3 bucket that stores your logs. A - Single New bucket with global services option for IAM and MFA delete for confidentiality B,C,D incorrect as: B- Missing Global Services for IAM C- Existing bucket prevents confidentiality D- 3 buckets not needed, Missing Global services options

A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this? A.Create a new peering connection Between Prod and Dev along with appropriate routes. B.Create a new entry to Prod in the Dev route table using the peering connection as the target. C.Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target. D.The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

Answer is A One VPC Peered with Multiple VPCs http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-full-access.html#one-to-many-vpcs-full-access VPC A is peered with all other VPCs, but the other VPCs are not peered to each other. The VPCs are in the same AWS account and do not have overlapping CIDR blocks. Note None of the other VPCs can send traffic directly to each other through VPC A. VPC peering does not support transitive peering relationships, nor edge to edge routing. You must create a VPC peering connection between the other VPCs in order to route traffic between them

You are responsible for a legacy web application whose server environment is approaching end of life You would like to migrate this application to AWS as quickly as possible, since the application environment currently has the following limitations: The VM's single 10GB VMDK is almost full Me virtual network interface still uses the 10Mbps driver, which leaves your 100Mbps WAN connection completely underutilized It is currently running on a highly customized. Windows VM within a VMware environment: You do not have me installation media This is a mission critical application with an RTO (Recovery Time Objective) of 8 hours. RPO (Recovery Point Objective) of 1 hour. How could you best migrate this application to AWS while meeting your business continuity requirements? A.Use the EC2 VM Import Connector for vCenter to import the VM into EC2. B.Use Import/Export to import the VM as an ESS snapshot and attach to EC2. C.Use S3 to create a backup of the VM and restore the data into EC2. D.Use me ec2-bundle-instance API to Import an Image of the VM into EC2

Answer is A https://aws.amazon.com/blogs/aws/ec2-vm-import-connector/

Your department creates regular analytics reports from your company's log files All log data is collected in Amazon S3 and processed by daily Amazon Elastic MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse. Your CFO requests that you optimize the cost structure for this system. Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data? A.Use reduced redundancy storage (RRS) for PDF and csv data in Amazon S3. Add Spot instances to Amazon EMR jobs Use Reserved Instances for Amazon Redshift. B.Use reduced redundancy storage (RRS) for all data in S3. Use a combination of Spot instances and Reserved Instances for Amazon EMR jobs use Reserved instances for Amazon Redshift. C.Use reduced redundancy storage (RRS) for all data in Amazon S3 Add Spot Instances to Amazon EMR jobs Use Reserved Instances for Amazon Redshitf. D.Use reduced redundancy storage (RRS) for PDF and csv data in S3 Add Spot Instances to EMR jobs Use Spot Instances for Amazon Redshift.

Answer is A - Agree with Sandeep A. Use reduced redundancy storage (RRS) for PDF and csv data in Amazon S3. Add Spot instances to Amazon EMR jobs Use Reserved Instances for Amazon Redshift. C- not possible as it is for temporary purpose core nodes should be reserved for the capacity that is required until your cluster completes(temporary) EMR uses spot instances, only AWS GovCloud (US) region does not support spot instances. B,c- in any case not recommended RRS all Data D-It is not possible as Redshift recommends reserved instances. Reserved Instances (a.k.a. Reserved Nodes) are appropriate for steady-state production workloads, and offer significant discounts over On-Demand pricing. https://aws.amazon.com/redshift Last but not the least its A because : Q: What are some EMR best practices? If you are running EMR in production you should specify an AMI version, Hive version, Pig version, etc. to make sure the version does not change unexpectedly (e.g. when EMR later adds support for a newer version). If your cluster is mission critical, only use Spot instances for task nodes because if the Spot price increases you may lose the instances. In development, use logging and enable debugging to spot and correct errors faster. If you are using GZIP, keep your file size to 1-2 GB because GZIP files cannot be split. Click here to download the white paper on Amazon EMR best practices. https://aws.amazon.com/elasticmapreduce/faqs/

A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements? A.Enable AWS CloudTrail for the load balancer. B.Enable access logs on the load balancer. C.Install the Amazon CloudWatch Logs agent on the load balancer. D.Enable Amazon CloudWatch metrics on the load balancer.

Answer is B I know this has already been said many times in this post, just putting it together http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/access-log-collection.html Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and to troubleshoot issues.

Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers A.An Alias record can map one DNS name to another Amazon Route 53 DNS name. B.A CNAME record can be created for your zone apex. C.An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere. D.TTL can be set for an Alias record in Amazon Route 53. E.An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.

Answer is A&C https://aws.amazon.com/route53/faqs/ Amazon Route 53 offers 'Alias' records (an Amazon Route 53-specific virtual record). Alias records are used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3 buckets that are configured as websites. Alias records work like a CNAME record in that you can map one DNS name (example.com) to another 'target' DNS name (elb1234.elb.amazonaws.com). http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html A CNAME record can point to any DNS record hosted anywhere, including to the resource record set that Amazon Route 53 automatically creates when you create a policy record.

A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier? A. Elastic Load Balancing, Amazon EC2, and Auto Scaling B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3 C. Amazon RDS with Multi-AZ and Auto Scaling D. Amazon EC2, Amazon DynamoDB, and Amazon S3

Answer is A. This is about scaling the web tier and no other tier. What services should you leverage to enable an elastic and scalable web tier? Exam taking tip, when you see answers that are both correct. There is something in the question that points to one. The Answer is in the question.

Your company is in the process of developing a next generation pet collar that collects biometric information to assist families with promoting healthy lifestyles for their pets Each collar will push 30kb of biometric data In JSON format every 2 seconds to a collection platform that will process and analyze the data providing health trending information back to the pet owners and veterinarians via a web portal Management has tasked you to architect the collection platform ensuring the following requirements are met. Provide the ability for real-time analytics of the inbound biometric data Ensure processing of the biometric data is highly durable. Elastic and parallel The results of the analytic processing should be persisted for data mining Which architecture outlined below win meet the initial requirements for the collection platform? A.Utilize S3 to collect the inbound sensor data analyze the data from S3 with a daily scheduled Data Pipeline and save the results to a Redshift Cluster. B.Utilize Amazon Kinesis to collect the inbound sensor data, analyze the data with Kinesis clients and save the results to a Redshift cluster using EMR. C.Utilize SQS to collect the inbound sensor data analyze the data from SQS with Amazon Kinesis and save the results to a Microsoft SQL Server RDS instance. D.Utilize EMR to collect the inbound sensor data, analyze the data from EUR with Amazon Kinesis and save me results to DynamoDB.

Answer is B https://aws.amazon.com/about-aws/whats-new/2014/02/20/analyze-streaming-data-from-amazon-kinesis-with-amazon-elastic-mapreduce/

If an application is storing hourly log files from thousands of instances from a high traffic web site, which naming scheme would give optimal performance on 53? A.Sequenfial B. HH-DD-MM-YYYY-Iog_instanceID C.YYYY-MM-DD-HH-Iog_instanceID D.instanceID_Iog-HH-DD-MM-YYYY E.instanceID_Iog-YYYY-MM-DD-HH

Answer is B C?

You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the internet. What should you do to enable Internet access? A.Deploy a NAT instance into the public subnet. B.Assign an Elastic IP address to the fourth instance. C.Configure a publically routable IP Address in the host OS of the fourth instance. D.Modify the routing table for the public subnet.

Answer is B. A. Public subnet does not use NAT to access internet: wrong C. when you assign a public IP / EIP, you don't configure it in the host OS but you configure it in AWS console (or using API) D. Routing table is not the root cause of the issue becouse "You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others"

What is a placement group? A.A collection of Auto Scaling groups in the same region B.A feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections C.A collection of authorized CloudFront edge locations for a distribution D.A collection of Elastic Load Balancers in the same Region or Availability Zone

Answer is B: " A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low-latency, 10 Gigabits per second (Gbps) network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both." http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

Which of the following features ensures even distribution of traffic to Amazon EC2 instances in multiple Availability Zones registered with a load balancer? A. Elastic Load Balancing request routing B. An Amazon Route 53 weighted routing policy C. Elastic Load Balancing cross-zone load balancing D. An Amazon Route 53 latency routing policy

Answer is C Cross-zone load balancing is always enabled for an Application Load Balancer and is disabled by default for a Classic Load Balancer. If cross-zone load balancing is enabled, the load balancer distributes traffic evenly across all registered instances in all enabled Availability Zones. If cross-zone load balancing is disabled, the load balancer distributes traffic evenly across all enabled Availability Zones. For example, suppose that you have 10 instances in Availability Zone us-west-2a and 2 instances in us-west-2b. If cross-zone load balancing is disabled, the requests are distributed evenly between us-west-2a and us-west-2b. As a result, the 2 instances in us-west-2b serve the same amount of traffic as the 10 instances in us-west-2a. However, if cross-zone load balancing is enabled, the load balancer distributes incoming requests evenly across all 12 instances. http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html

If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should: A.Launch the instance from a private Amazon Machine Image (AMI). B.Assign a group of sequential Elastic IP address to the instances. C.Launch the instances in the Amazon Virtual Private Cloud (VPC). D.Launch the instances in a Placement Group. E.Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.

Answer is C http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html When you launch an instance into a VPC, a primary private IP address from the IPv4 address range of the subnet is assigned to the default network interface (eth0) of the instance.

You are implementing AWS Direct Connect. You intend to use AWS public service end points such as Amazon S3, across the AWS Direct Connect link. You want other Internet traffic to use your existing link to an Internet Service Provider. What is the correct way to configure AWS Direct connect for access to services such as Amazon S3? A.Configure a public Interface on your AWS Direct Connect link Configure a static route via your AWS Direct Connect link that points to Amazon S3 Advertise a default route to AWS using BGP. B.Create a private interface on your AWS Direct Connect link. Configure a static route via your AWS Direct connect link that points to Amazon S3 Configure specific routes to your network in your VPC. C.Create a public interface on your AWS Direct Connect link Redistribute BGP routes into your existing routing infrastructure advertise specific routes for your network to AWS. D.Create a private interface on your AWS Direct connect link. Redistribute BGP routes into your existing routing infrastructure and advertise a default route to AWS.

Answer is C : To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. After you have created a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US. To begin using your virtual interface, you need to advertise at least one prefix using BGP, up to a maximum of 100 prefixes. Reference : http://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html http://jayendrapatil.com/aws-direct-connect-dx/ https://aws.amazon.com/directconnect/faqs/

You are configuring your company's application to use Auto Scaling and need to move user state information. Which of the following AWS services provides a shared data store with durability and low latency? A.AWS ElastiCache Memcached B.Amazon Simple Storage Service C.Amazon EC2 instance storage D.Amazon DynamoDB

Answer is D. A: Elasticache Memcached is shared and low latency, but not very durable. B: S3 is both shared and amazingly durable, but it has trouble in the latency C: Instance storage ok for low latency, but it is neither shared nor durable. D: DynamoDB is perfect for this: it is a "shared data store with durability and low latency", and it offers strongly consistent reads. http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third party software to only the Amazon S3 bucket named "companybackup"? A.A custom bucket policy limited to the Amazon S3 API in thee Amazon Glacier archive "company-backup" B.A custom bucket policy limited to the Amazon S3 API in "company-backup" C.A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive "company-backup". D.A custom IAM user policy limited to the Amazon S3 API in "company-backup".

Answer is D. http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html

You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier? A.Amazon Glacier multipart upload B.AWS Storage Gateway C.VM Import/Export D.AWS Import/Export

Answer is D. read carefully the question: "the fastest method". If you use multipart upload your upload speed is always 1Mbps. Amazon Import/Export is the fastest way. http://docs.aws.amazon.com/amazonglacier/latest/dev/uploading-archive-mpu.html

***You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use? A.Amazon DynamoDB B.Amazon Redshift C.Amazon Kinesis D.Amazon Simple Queue Service

Answer is DynamoDB "This example looks at using AWS Lambda and Amazon API Gateway to build a dynamic voting application, which receives votes via SMS, aggregates the totals into Amazon DynamoDB, and uses Amazon Simple Storage Service (Amazon S3)to display the results in real time." Source: http://www.allthingsdistributed.com/2016/06/aws-lambda-serverless-reference-architectures.html The main function of DynamoDB is to store data. Where as the main function of "Kinesis" is to analyze data in real-time. The requirement in the question is to find an AWS service which provides highly available "datastore". Also, Kinesis keeps data for 7 days maximum which does not fit the use case: https://aws.amazon.com/kinesis/streams/faqs/ In my opinion C is the right answer.

How can you secure data at rest on an EBS volume? A.Attach the volume to an instance using EC2's SSL interface. B.Write the data randomly instead of sequentially. C.Encrypt the volume using the S3 server-side encryption service. D.Create an IAM policy that restricts read and write access to the volume. E.Use an encrypted file system on top of the EBS volume.

Answer is E: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: Data at rest inside the volume All data moving between the volume and the instance All snapshots created from the volume

Disabling automated backups ______ disable the point-in-time recovery. A.if configured to can B.will never C.will

Answer is c: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html Disabling Automated Backups You may want to temporarily disable automated backups in certain situations; for example, while loading large amounts of data. Important We highly discourage disabling automated backups because it disables point-in-time recovery. If you disable and then re-enable automated backups, you are only able to restore starting from the time you re-enabled automated backups. In these examples, you disable automated backups for a DB instance by setting the backup retention parameter to 0. AWS Management Console To disable automated backups immediately Sign in to the AWS Management Console and open the Amazon RDS console at https://console.aws.amazon.com/rds/. In the navigation pane, click DB Instances, and then select the check box next to the DB instance you want to modify. Click the Modify button. The Modify DB Instance window appears. Select 0 in the Backup Retention Period drop-down list box. Check the Apply Immediately check box. Click the OK button.

"10. You are using an Amazon EBS volume as a root partition and you need your Amazon EBS volume to persist outside the life of the instance. If you want this to happen you need to set the Delete On Terminate flag to what value? A. ""N"" B. ""Y"" C. ""MAX"" D. ""ON""

Answer: A

"15. You are about to close a deal for a company to build a large scale AWS network but they are concerned about the security of ""the cloud"", and rightly so. Which of the following is not a Built-in Security Feature of AWS? A. Everything listed here is an AWS Built-in Security Feature B. Dedicated connection option C. Isolated GovCloud D. Private Subnets"

Answer: A

"17. Your company has been storing a lot of data in Amazon Glacier and has asked for an inventory of what is in there exactly. So you have decided that you need to download a vault inventory. Which of the following statements is incorrect in relation to Vault Operations in Amazon Glacier? A. You can use Amazon Simple Queue Service (Amazon SQS) notifications to notify you when the job completes. B. You can use Amazon Simple Notification Service (Amazon SNS) notifications to notify you when the job completes. C. Downloading a vault inventory is an asynchronous operation. D. A vault inventory refers to the list of archives in a vault."

Answer: A

"20. You are checking the workload on some of your General Purpose (SSD) and Provisioned IOPS (SSD) volumes and it seems that the I/O latency is higher than you require. You should probably check the _____________ to make sure that your application is not trying to drive more IOPS than you have provisioned. A. Average queue length B. Cache C. Volume sizes D. Acknowledgement from the storage subsystem"

Answer: A

"27. You have been asked to build AWS infrastructure for disaster recovery for your local applications and within that you should use an AWS Storage Gateway as part of the solution. Which of the following best describes the function of an AWS Storage Gateway? A. Connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and AWS's storage infrastructure. B. Is a storage service optimized for infrequently used data, or ""cold data."" C. Accelerates transferring large amounts of data between the AWS cloud and portable storage devices . D. To store and retrieve any amount of data at any time, from anywhere on the web."

Answer: A

"31. One of the criteria for a new deployment is that the customer wants to use AWS Storage Gateway. However you are not sure whether you should use gateway-cached volumes or gateway-stored volumes or even what the differences are. Which statement below best describes those differences? A. Gateway-stored lets you store your data locally in storage volumes whilst gateway-cached lets you create storage volumes and mount them iSCSI devices. B. Gateway-cached is up to 10 times faster than gateway-stored. C. Gateway-cached lets you store your data locally in storage volumes whilst gateway-stored lets you create storage volumes and mount them iSCSI devices. D. Gateway-cached is free whilst gateway-stored is not."

Answer: A

You can modify the backup retention period; valid values are 0 (for no backup retention) to a maximum of ___________ days. A. 45 B. 35 C. 15 D. 5

B. 35 Example for RDS: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html

"32. You have been storing massive amounts of data on Amazon Glacier for the past 2 years and now start to wonder if there are any limitations on this. What is the correct answer to your question? A. The total volume of data and number of archives you can store are unlimited. B. The total volume of data is limited but the number of archives you can store are unlimited. C. The total volume of data is limited and the number of archives you can store are limited. D. The total volume of data is unlimited but the number of archives you can store are limited."

Answer: A

"36. You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS? A. Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. B. Amazon SQS is a non-distributed queuing system. C. Amazon SQS is for single-threaded sending or receiving speeds. D. Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds."

Answer: A

"41. You need to migrate a large amount of data into the cloud that you have stored on a hard disk and you decide that the best way to accomplish this is with AWS Import/Export and you mail the hard disk to AWS. Which of the following statements is incorrect in regards to AWS Import/Export? A. It can export from Amazon Glacier. B. It can import to Amazon S3 C. It can export from Amazon S3 D. It can Import to Amazon Glacier"

Answer: A

"45. After setting up a Virtual Private Cloud(VPC) network a more experienced cloud engineer suggests that to achieve low network latency and high network throughput you should look into setting up a placement group. You know nothing about this but begin to do some research about it and are especially curious about it's limitations. Which of the below statements is wrong in describing the limitations of a placement group? A. A placement group can span multiple Availability Zones. B. The name you specify for a placement group a name must be unique within your AWS account. C. You can't merge placement groups. D. Although launching multiple instance types into a placement group is possible, this reduces the likelihood that the required capacity will be available for your launch to succeed."

Answer: A

"49. You want to use Route53 to direct your www sub-domain to an elastic load balancer fronting your web servers. What kind of record set should you create? A. CNAME B. NS C. AAAA D. A"

Answer: A

"54. An organization has three separate AWS accounts, one each for development, testing and production. The organization wants the testing team to have access to certain AWS resources of the production account. How can the organization achieve this? A. Create the IAM roles with cross account access. B. Create the IAM users with cross account access. C. Create the IAM user in a test account and allow it access to the production environment with the IAM policy. D. It is not possible to access resources of one account by another account."

Answer: A

"40. Having come up with the solution of ""read replicas"" to solve the issue of a lot reporting queries running all the time on one of your databases you think you may have to create more than 1 replica. At this point in time, how many read replicas for a given DB Instance does Amazon RDS allow you to create? A. 3 B. 1 per Availability Zone C. 5 D. 2"

Answer: C

"55. An EC2 instance is connected to an ENI (Elastic Network Interface) in one subnet. What happens when you attach an ENI of a different subnet to this EC2 instance? A. The EC2 instance follows the rules of both the subnets B. The EC2 instance follows the rules of the older subnet C. Not possible, cannot be connected to 2 ENIs D. The EC2 instance follows the rules of the newer subnet"

Answer: A

"9. Upon completing some major infrastructure for a website you now need to start thinking about the best storage options for the content. the site will have frequently accessed static content that may benefit from edge delivery—like popular website images, videos, media files or software downloads. What do you think would be the best option for this type of content? A. Amazon CloudFront B. Amazon Glacier C. Amazon S3 D. AWS Import/Export"

Answer: A

3. You are very concerned about security on your network in regards to all the programmers testing APIs and SDKs and you have no idea about what is happening. You think CloudTrail may help but are not sure what it does.Which of the following statements best describes the AWS service CloudTrail? A. With AWS CloudTrail you can get a history of AWS API calls and related events for your account. B. With AWS CloudTrail you can get a history of CloudFormation JSON scripts used for your account. C. With AWS CloudTrail you can get a history of IAM users for your account. D. With AWS CloudTrail you can get a history of alarms for your account.

Answer: A

5. You have been given a scope to deploy some AWS infrastructure for a large organisation. The requirements are that you will have a lot of EC2 instances but may need to add more when the average utilization of your Amazon EC2 fleet is high and conversely remove them when CPU utilization is low. Which AWS services would be best to use to accomplish this? A. Auto Scaling, Amazon CloudWatch and Elastic Load Balancing. B. Auto Scaling, Amazon CloudWatch and AWS Elastic Beanstalk C. AWS Elastic Beanstalk , Amazon CloudWatch and Elastic Load Balancing. D. AWS Elastic Beanstalk , Amazon CloudWatch and Elastic Load Balancing.

Answer: A

6. You are about to sit for the "AWS Solutions Architect - Associate" exam but the night before have realised the only thing you don't understand is Auto Scaling but remember that any Auto Scaling group that you create requires a launch configuration. So you decide to sign in to AWS and see if you can set one up now. However you are not sure where you can create a launch configuration manually. Which of the following options can be used to create a launch configuration manually for an Auto Scaling group A. AWS Management Console, AWS CLI ,Auto Scaling CLI or CreateLaunchConfig API. B. AWS CLI ,Auto Scaling CLI or CreateLaunchConfig API. C. AWS CLI only. D. AWS Management Console, Auto Scaling CLI or CreateLaunchConfig API.

Answer: A

8. You have just set up your first Elastic Load Balancer(ELB) but it does not seem to be configured properly. You discover that before you start using ELB, you have to configure the listeners for your load balancer. Which protocols does ELB use to support the load balancing of applications? A. HTTP, HTTPS , TCP, and SSL B. HTTP and HTTPS C. HTTP, TCP, and SSL D. HTTP, HTTPS , TCP, SSL and SSH

Answer: A

When a Simple Queue Service message triggers a task that takes 5 minutes to complete, which process below will result in successful processing of the message and remove it from the queue while minimizing the chances of duplicate processing? A. Retrieve the message with an increased visibility timeout, process the message, delete the message from the queue B. Retrieve the message with an increased visibility timeout, delete the message from the queue, process the message C. Retrieve the message with increased Delay Seconds, process the message, delete the message from the queue D. Retrieve the message with increased Delay Seconds, delete the message from the queue, process the message

Answer: A

Which of the following are valid SNS delivery transports? Choose 2 answers A. HTTP B. UDP C. SMS D. DynamoDB E. Named Pipes

Answer: A,C

In AWS, which secun'ty aspects are the customer's responsibility? Choose 4 answers A. Life-cycle management of IAM credentials B. Decommissioning storage devices C. Security Group and AOL (Access Control List) settings D. Encryption of EBS (Elastic Block Storage) volumes E. Controlling physical access to compute resources F. Patch management on the EC2 instance's operating system

Answer: A.B,C.F

"11. You have been launching all your EC2 instances without a VPC for some time now. You have just finished building yourself a VPC network and are now thinking that next time you launch an instance you should launch it into your VPC. Which of the following is not a benefit of launching your instances into a VPC instead of EC2-Classic? A. You can change security group membership for your instances while they're running B. All things listed here are beneficial. C. You can control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering) D. You can define network interfaces, and attach one or more network interfaces to your instances"

Answer: B

"12. You need to set up a complex Network Infrastructure for your organisation that will be reasonably easy to deploy, replicate, control and track changes on. Which AWS service would be best to use to help you accomplish this? A. Amazon Route 53 B. AWS CloudFormation C. AWS CloudTrail D. Elastic Load Balancing"

Answer: B

"14. After setting up some EC2 instances you now need to set up a monitoring solution to keep track of these instances and to send you an email when the CPU hits a certain threshold. Which statement below best describes what thresholds you can set to trigger a CloudWatch Alarm? A. Set a target value and choose whether the alarm will trigger when the value hits this threshold B. Set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value. C. Thresholds need to be set in IAM not CloudWatch D. Only default thresholds can be set you can't choose your own thresholds."

Answer: B

"22. Amazon S3 allows you to set per-file permissions to grant read and/or write access. However you have decided that you want an entire bucket with 100 files already in it to be accessible to the public. You don't want to go through 100 files individually and set permissions. What would be the best way to do this? A. Move the files to a new bucket. B. Add a bucket policy to the bucket. C. Move the bucket to a new region D. Use Amazon EBS instead of S3"

Answer: B

"35. You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure? A. Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure. B. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure. C. Your database will not resume operation without manual administrative intervention. D. Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure."

Answer: B

"37. You realise that the latest AWS infrastructure that you are deploying needs some extra storage space to accomodate the huge volume of data that is expected. You decide to use the AWS management console to create a new bucket in S3 to store this data. Which of the following is an invalid bucket name when you are creating a new bucket on AWS in S3? A. my.data.bucket B. .mydatabucket C. mydatabucket D. mydatabucket.2"

Answer: B

"39. You have been requested to design a database solution for a large production database and you decide that the best solution might be Amazon RDS Multi-AZ deployment. When you provision a Multi-AZ DB Instance, Amazon RDS automatically creates a ______________________________________________. A. Primary and Standby DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ) B. Primary DB Instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ) C. Primary DB Instance and synchronously replicates the data to a standby instance in the same Availability Zone (AZ) D. Primary DB Instance and asynchronously replicates the data to a standby instance in a different Availability Zone (AZ)"

Answer: B

"46. Which one of the followings can't be used as an origin server with Amazon CloudFront? A. A web server running in your infrastructure B. Amazon Glacier C. Amazon S3 D. A web server running on Amazon EC2 instances"

Answer: B

"47. Which one of the below is not a AWS Storage Service? A. Amazon S3 B. Amazon CloudFront C. Amazon EBS D. Amazon Glacier"

Answer: B

"50. You have created a Route 53 latency record set from your domain to a machine in Northern Virginia and a similar record to a machine in Sydney. When a user located in U S visits your domain he will be routed to: A. Both, Northern Virginia and Sydney B. Northern Virginia C. Depends on the Weighted Resource Record Sets D. Sydney"

Answer: B

"52. In Amazon VPC, you have created a subnet with CIDR 10.0.2.0/24. How many usable IP addresses are available to you? A. 256 B. 251 C. 250 D. 255"

Answer: B

"58. A user wants to increase the durability and availability of the EBS volume. Which of the below mentioned actions should he perform? A. Access EBS regularly. B. Take regular snapshots. C. Create EBS with higher capacity. D. Create an AMI."

Answer: B

"61. An organization has created an application which is hosted on the AWS EC2 instance. The application stores images to S3 when the end user uploads to it. The organization does not want to store the AWS secure credentials required to access the S3 inside the instance. Which of the below mentioned options is a possible solution to avoid any security threat? A. Since the application is hosted on EC2, it does not need credentials to access S3. B. Use the IAM role and assign it to the instance. C. Use the IAM based single sign between the AWS resources and the organization application. D. Use the X.509 certificates instead of the access and the secret access keys."

Answer: B

2. You have been told to tighten up the security of your VPC infrastructure by the senior security engineer and he suggests using AWS Multi-Factor Authentication (AWS MFA). You are not exactly sure what this means. Which of the following is not correct in regards to MFA? A. It is an additional layer of security for accessing AWS services. B. It prevents simultaneous multi-user logins C. It is called multi-factor authentication because more than one authentication factor is checked before access is granted D. You get this single-use code from an authentication device that you keep in your physical possession.

Answer: B

An Amazon S3 bucket, "myawsbucket" is configured with website hosting in Tokyo region, what is the region-specific website endpoint? A. www.myawsbucket.ap-northeast-1.amazonaws.com B. myawsbucket.s3-website-ap-northeast-1.amazonawscom C. myawsbucket.amazonaws.com D. myawsbucket.tokyoamazonaws.com

Answer: B

Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability The SOS consumers poll the imaging queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can Company B reduce the number of empty responses? A. Set the imaging queue visibility Timeout attribute to 20 seconds B. Set the Imaging queue ReceiveMessageWaitTimeSeconds attribute to 20 seconds C. Set the imaging queue MessageRetentionPeriod attribute to 20 seconds D. Set the DelaySeconds parameter of a message to 20 seconds

Answer: B

What happens, by default, when one of the resources in a Cloud Formation stack cannot be created? A.Previously-created resources are kept but the stack creation terminates. B.Previously-created resources are deleted and the stack creation terminates. C.The stack creation continues, and the final results indicate which steps failed. D.Cloud Formation templates are parsed in advance so stack creation is guaranteed to succeed.

Answer: B

What type of block cipher does Amazon S3 offer for server side encryption? A. Triple DES B. Advanced Encryption Standard C. Blowfish D. RC5

Answer: B

Which statements about DynamoDB are true? Choose 2 answers A. DynamoDB uses a pessimistic locking model B. DynamoDB uses optimistic concurrency control C. DynamoDB uses conditional writes for consistency D. DynamoDB restricts item access during reads E. DynamoDB restricts item access during writes

Answer: B,C

"16. You need to create a load balancer in a VPC network that you are building. You can make your load balancer internal (private) or Internet-facing (public). When you make your load balancer internal, a DNS name will be created, and it will contain the private IP address of the load balancer. Internal load balancer is not exposed to the internet. When you make your load balancer Internet-facing, a DNS name will be created with the public IP address. If you want the Internet-facing load balancer to be connected to the Internet where must this load balancer reside? A. The load balancer must be completely outside of your VPC B. The load balancer must reside in a subnet that is not connected to the Internet. C. The load balancer must reside in a subnet that is connected to the Internet using the Internet gateway. D. The load balancer must not reside in a subnet that is connected to the Internet."

Answer: C

"19. An existing client comes to you and says that he has heard that launching instances into a VPC (virtual private cloud) is a better strategy than launching instances into a EC2 -classic which he knows is what you currently do. You suspect that he is correct and he has asked you to do some research about this and get back to him. Which of the following statements is true in regards to what ability launching your instances into a VPC instead of EC2-Classic gives you? A. Assign multiple IP addresses to your instances B. Add an additional layer of access control to your instances in the form of network access control lists (ACL) C. All of the things listed here. D. Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)"

Answer: C

"26. You have been given a scope to set up a AWS Media Sharing Framework for a new start up phot sharing company similar to flickr. The first thing that comes to mind about this is that it will obviously need a huge amount of persistant data storage for this framework. Which of the following storage options would be appropriate for persistent storage? A. AWS Import/Export or AWS Storage Gateway B. AWS Import/Export or Amazon CloudFront C. Amazon EBS volumes or Amazon S3 D. Amazon Glacier or AWS Import/Export"

Answer: C

"28. You have set up a default VPC(Virtual Private Cloud) Network and you now need to associate a public IP address to that network so as to enable access to it from the outside world and a private IP for internal use. Which of the following statements is true in relation to these IP addresses? A. A public IP address is assigned by default, I need to manually assign a private IP address. B. I need to manually assign a private IP address and a public IP address as it is bad security practice to assign them automatically. C. A private IP address and a public IP address is already assigned by default. D. A private IP address is assigned by default, I need to manually assign a public IP address."

Answer: C

"34. You have just set up a VPC(Virtual Private Cloud) for a client and you now need to think about making this network as secure as possible with Security groups and Network ACLs(access control lists). Which of the following statements is incorrect in regards to Security groups and ACLs for your VPC? A. Network ACLs are stateless: Return traffic must be explicitly allowed by rules. B. Security groups supports allow rules only whilst ACLs supports allow rules and deny rules. C. ACLs operate at the instance level (first layer of defense). D. Security groups evaluate all rules before deciding whether to allow traffic."

Answer: C

"51. A user is setting up a VPC with a Single Public Subnet using the VPC wizard, which of the following answers is correct? A. A VPC with CIDR /16 and a subnet with CIDR /24 are created, and routing is set-up to flow the traffic between the subnet and the Internet gateway B. A VPC with CIDR /16 and a subnet with CIDR /24 are created, and a Internet gateway is attached to the VPC C. A VPC with CIDR /16 and a subnet with CIDR /24 are created, an Internet gateway is attached to the VPC and routing is set-up to flow the traffic between the subnet and the Internet gateway D. A VPC with CIDR /16 and a subnet with CIDR /24 are created"

Answer: C

"57. A user is sending bulk emails using AWS SES. The mails are not reaching to some of the targeted audience as it is not authorized by some of the ISPs. How can the user ensure that the mails are delivered to all? A. Authorized the ISP by sending mails from the development account. B. Send an email using SMTP with SES. C. Send an email using DKIM with SES. D. Raise a ticket with AWS support to get it authorized with ISP."

Answer: C

"59. A company wants to review the security requirements of Glacier. Which of the below mentioned statements is true with respect to the AWS Glacier data security? A. The data stored on Glacier is not encrypted by default. B. All data stored on Glacier is protected with AES-128 serverside encryption. C. All data stored on Glacier is protected with AES-256 serverside encryption. D. The user can set the serverside encryption flag to encrypt the data stored on Glacier."

Answer: C

"60. A user is planning a big website hosting after 6 months which will require instances with very high configurations. Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during a demo? A. Launch all the instances as part of the cluster group to ensure resource availability. B. Pre-warm all the instances one month prior to ensure resource availability. C. Procure all the instance as reserved instances beforehand D. Request AWS right now to procure the dedicated instance after 6 months."

Answer: C

7. You log in to IAM on your AWS console and notice the following message. "Delete your root access keys." Why do you think IAM is requesting this? A. Because the root access keys are the same for all users. B. Because the root access keys expire after 1 week. C. Because they provide unrestricted access to your AWS resources. D. Because the root access keys will expire as soon as you log out.

Answer: C

A company is running a batch analysis every hour on their main transactional DB. running on an RDS MySQL instance to populate their central Data Warehouse running on Redshift During the execution of the batch their transactional applications are very slow When the batch completes they need to update the top management dashboard with the new data The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required The on-premises system cannot be modified because is managed by another team. How would you optimize this scenario to solve performance issues and automate the process as much as possible? A.Replace RDS with Redshift for the batch analysis and SNS to notify the on-premises system to update the dashboard B.Replace ROS with Redsnift for the oaten analysis and SQS to send a message to the on-premises system to update the dashboard C.Create an RDS Read Replica for the batch analysis and SNS to notify me on-premises system to update the dashboard D.Create an RDS Read Replica for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.

Answer: C I don't think redshift can be used for OLTP. Q: When would I use Amazon Redshift vs. Amazon RDS? Both Amazon Redshift and Amazon RDS enable you to run traditional relational databases in the cloud while offloading database administration. Customers use Amazon RDS databases both for online-transaction processing (OLTP) and for reporting and analysis. Amazon Redshift harnesses the scale and resources of multiple nodes and uses a variety of optimizations to provide order of magnitude improvements over traditional databases for analytic and reporting workloads against very large data sets. Amazon Redshift provides an excellent scale-out option as your data and query complexity grows or if you want to prevent your reporting and analytic processing from interfering with the performance of your OLTP workload.

When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions? Choose 2 answers A. Amazon DynamoDB B. Amazon Elastic Compute Cloud (EC2) C. Amazon Elastic Load Balancing D. Amazon Simple Notification Service (SNS) E. Amazon Simple Storage Service (S3)

B, C because other services are HA by default

When using a large Scan operation in DynamoDB, what technique can be used to minimize the impact of a scan on a table's provisioned throughput? A. Set a smal - ogae size for the scan B. Use parallel scans C. Define a range index on the D. Prewarm the table by updating all items

Answer: C Consider option A

Which Dynamo DB limits can be raised by contacting AWS support? Choose 2 answers A.The number of hash keys per account B.The maximum storage used per account C.The number of tables per account D.The number of local secondary indexes per account E.The number of provisioned throughput units per account

Answer: C, E

Which of the following services are included at no additional cost with the use of the AWS platform? Choose 2 answers A. Simple Storage Service B. Elastic Compute Cloud C. Auto Scaling D. Elastic Load Balancing E. Cloud Formation F. Simple Workflow Service

Answer: C, E

"13. You are setting up a very complex financial services grid and so far it has 5 Elastic IP (EIP) addresses. You go to assign another EIP address however you can't as by default, all accounts are limited to 5 Elastic IP addresses per region. What is the reason for this? A. Hardware restrictions B. There are only 5 network interfaces per instance C. For security reasons D. Public (IPV4) internet addresses are a scarce resource"

Answer: D

"18. You need to set up a security certificate for a client's e-commerce website as it will use the HTTPS protocol. Which AWS service do you need to access to manage your SSL server certificate? A. Amazon Route 53 B. AWS Elastic Beanstalk C. AWS Directory Service D. AWS Identity & Access Management"

Answer: D

"21. You are setting up a VPC and you need to set up a public subnet within that VPC. What following requirement must be met for this subnet to be considered a public subnet? A. Subnet's traffic is not routed to an Internet gateway B. Subnet's traffic is not routed to an Internet gateway but has its traffic routed to a virtual private gateway. C. Subnet's traffic is routed to an Internet gateway but has its traffic routed to a virtual private gateway. D. Subnet's traffic is routed to an Internet gateway"

Answer: D

"23. Your manager has requested for you to set up a public subnet with instances that can ireceive and send Internet traffic, and a private subnet that. can't receive traffic directly from the Internet. However, it can initiate traffic to the Internet (and receive responses) through a NAT instance in the publ c subnet. Hence, the following 3 rules need to be allowed 1. Inbound SSH traffic. 2. Web servers in the public subnet to read and write to MS SQL servers in the private subnet 3. Inbound RDP traffic from the Microsoft Terminal Services gateway in the public private subnet What are the respective ports that need to be opened for this? A. Ports 22,1433, 3398 B. Ports 22,1343, 3839 C. Ports 22,1343, 3306 D. Ports 22,1433,3389"

Answer: D

Security Groups allow you to set both allow AND deny rules. Choose the correct answer: A. True B. False

B.

"24.rCloudFront isran AWS web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, and image files, to end users. CloudFront delivers your content through a wo ldwide netwo k of data centers called edge locations. If an object (your content) in an edge location isn't frequently requested, CloudFront might evict the object—remove the object before its expiration date—to make room for objects that are more popular. By default, each object automatically expires after ___ hours. A. 2 B. 16 C. 48 D. 24"

Answer: D

"25. You are setting up your first Amazon Virtual Private Cloud (Amazon VPC) network so you decide you should probably use the AWS Management Console and the VPC Wizard. Which of the following is not an option for network architectures after launching the ""Start VPC Wizard"" in Amazon VPC page on the AWS Management Console? A. VPC with Public and Private Subnets and Hardware VPN Access B. VPC with a Single Public Subnet Only C. VPC with a Private Subnet Only and Hardware VPN Access D. VPC with a Public Subnet Only and Hardware VPN Access"

Answer: D

"29. You have some very sensitive data stored on AWS S3 and want to try every possible alternative to keeping it secure in regards to access control. What are the mechanisms available for access control on AWS S3? A. (IAM) policies, Access Control Lists (ACLs) and bucket policies. B. (IAM) policies, Access Control Lists (ACLs), bucket policies, and encryption. C. (IAM) policies, bucket policies, and query string authentication. D. (IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication."

Answer: D

"30. You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message ""Certificate: <certificate-id> is being used by CloudFront."" Which of the following statements is probably the reason why you are getting this error? A. You can't delete SSL certificates . You need to request it from AWS. B. Before you can delete an SSL certificate you need to set up https on your server. C. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM D. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate."

Answer: D

"33. You have been setting up an Amazon Virtual Private Cloud (Amazon VPC) for your company which includes of course setting up subnets. Security is also a concern and you are not sure which is the best security practice for securing subnets in your VPC. Which statement below is correct in describing the protection of AWS resources in each subnet? A. You can only use access control lists (ACL) B. You don't need any security in subnets. C. You can use multiple layers of security, including security groups,network access control lists (ACL) and CloudHSM D. You can use multiple layers of security, including security groups and network access control lists (ACL)."

Answer: D

"38. You have set up an Elastic Load Balancer(ELB) with the usual default settings which routes each request independently to the application instance with the smallest load. However someone has requested for you to bind a user's session to a specific application instance so as to ensure that all requests coming from the user during the session will be sent to the same application instance. AWS has a feature to do this. What is it called? A. Tagging B. Connection Draining C. Proxy Protocol D. Sticky session"

Answer: D

"42. You are building a system to distribute confidential documents to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly? A. Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy. B. Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User. C. Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN). D. Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI."

Answer: D

"43. You are setting up a large size infrastructure for an organisation who has large amounts of media that needs to be transcoded into different formats for play back on mobile devices, tablets, web browsers, and connected televisions. You think that Amazon Elastic Transcoder will do this job so you start to set it up and discover that the Elastic Transcoder has a number components. What are those components? A. Jobs,Pipelines,Presets , Notifications and AppStreams B. Jobs,Pipelines and Notifications. C. Jobs and Presets. D. Jobs,Pipelines,Presets and Notifications."

Answer: D

"44. You cannot get access to your AWS console so you revert to using the CLI which you are not so familiar with. Which of the following commands is not a valid CLI command for EC2 instances A. ec2-accept-vpc-peering-connection B. ec2-allocate-address C. ec2-associate-address D. ec2-attach-network-interfaces"

Answer: D

"48. An edge location refers to which Amazon Web Service? A. An edge location is a Zone within an AWS Region B. An edge location is an AWS Region C. An edge location is refered to the network configured within a Zone or Region D. An edge location is the location of the data center used for Amazon CloudFront."

Answer: D

"53. Using Amazon Simple Storage Service(S3), you are hosting your static website, so you have created a bucket called ""examplebucket"" in the US East region and configured it as a website. What is the URL to request the photo.jpg object, which is stored at the root level in the bucket? A. http://examplebucket.s3-website-us-east-1.aws.com/photo.jpg B. http://examplebucket.com/photo.jpg C. http://examplebucket.s3-website-us-east-1.static.amazonaws.com/photo.jpg D. http://examplebucket.s3-website-us-east-1.amazonaws.com/photo.jpg"

Answer: D

"56. A user is planning to host a mobile game on EC2 which sends notifications to active users on either high score or the addition of new features. The user should get this notification, when he is online on the mobile. Which of the below mentioned AWS services can help achieve this functionality? A. AWS Simple Queue Service. B. AWS Simple Email Service. C. AWS Mobile Communication Service. D. AWS Simple Notification Service."

Answer: D

1. You receive the following request from a client to quickly deploy a static website for them, specifically on AWS. The requirements are low-cost, reliable, online storage and a reliable and cost-effective way to route customers to the website and a way to deliver content with low latency and high data transfer speeds so that visitors to his website don't experience unnecessary delays. What do you think would be the minimum AWS services that could fulfil the client's request? A. Amazon S3 and Amazon Route 53. B. Amazon S3, Amazon Route 53, Amazon CloudFront and Amazon VPC. C. Amazon Route 53, Amazon CloudFront and Amazon VPC. D. Amazon S3, Amazon Route 53 and Amazon CloudFront

Answer: D

4. You are setting up some CloudWatch alarms for instances that run batch payroll processing which will only run for a period of time and then complete their work. Hence you want Cloudwatch to automatically stop or terminate these instances when you no longer need them to be running to save money. Which of the following would be the best action to take in regards to this? A. Cloudwatch cannot interfere with running instances. B. TERMINATE the instance C. Either STOP or TERMINATE the instance D. STOP the instance

Answer: D

Company C has recently launched an online commerce site for bicycles on AWS. They have a "Product" DynamoDB table that stores details for each bicycle, such as, manufacturer, color, price, quantity and size to display in the online store. Due to customer demand, they want to include an image for each bicycle along with the existing details. Which approach below provides the least impact to provisioned throughput on the Product" table? A. Serialize the image and store it in multiple DynamoDB tables B. Create an "Images" DynamoDB table to store the Image with a foreign key constraint to the "Product" table C. Add an image data type to the "Product" table to store the images in binary format D. Store the images in Amazon S3 and add an 83 URL pointer to the "Product" table item for each image

Answer: D

How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on? A.Query the appropriate Amazon Cloud Watch metric. B.Use ip config or ip config command. C.Query the local instance user data. D.Query the local instance metadata.

Answer: D

Which of the following statements about SQS is true? A. Messages will be delivered exactly once and messages will be delivered in First in, First out order B. Messages will be delivered exactly once and message delivery order is indeterminate C. Messages will be delivered one or morle times and messages will be delivered in First in, First out order D. Messages will be delivered one or more times and message delivery order is indeterminate

Answer: D

You have written an application that uses the Elastic Load Balancing service to spread traffic to several web servers. Your users complain that they are sometimes forced to login again in the middle of using your application, after they have already logged in. This is not behavior you have designed. What is a possible solution to prevent this happening? A. Use instance memory to save session state. B. Use instance storage to save session state. C. Use EBS to save session state D. Use EIastiCache to save session state. E. Use Glacier to save session slate.

Answer: D

What are the three main components of SNS? Choose the correct answer: A. Senders, receivers and endpoints B. Topics, subscriber and publishers C. Topics, endpoints and publishers D. Subscribers, publishers and lists

B.

You are migrating a legacy client-server application to AWS The application responds to a specific DNS domain (e g www example com) and has a 2-tier architecture, with multiple application servers and a database server Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket A Multi-AZ RDS MySQL instance will be used for the database. During the migration you can change the application code but you have to file a change request. How would you implement the architecture on AWS In order to maximize scalability and high ability? A.File a change request to implement Proxy Protocol support In the application Use an EL8 with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs. B.File a change request to Implement Cross-Zone support in the application Use an EL8 with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs. C.File a change request to implement Latency Based Routing support in the application Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different AZs. D.File a change request to implement Alias Resource support in the application Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.

Answer:A https://aws.amazon.com/blogs/aws/elastic-load-balancing-adds-support-for-proxy-protocol/

A read only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically. What AWS services should be used meet these requirements? A.Stateless instances for the web and application tier synchronized using Elasticache Memcached in an autoscaimg group monitored with CloudWatch. And RDSwith read replicas B.Stateful instances for me web and application tier in an autoscaling group monitored with CloudWatch and RDS with read replicas C.Stateful instances for the web and application tier in an autoscaling group monitored with CloudWatch. And multi-AZ RDS D.Stateless instances for the web and application tier synchronized using ElastiCache Memcached in an autoscaling group monitored with CloudWatch and multi-AZ RDS

Any kind of browsing where your actions on a webserver are read-only can be stateless. Multi AZ provides redundancy, not scale. A. Stateless instances for the web and application tier synchronized using Elasticache Memcached in an autoscaimg group monitored with CloudWatch. And RDSwith read replicas

8) When can you add a secondary index to a table?

Anytime if it is a global index

"44. Question What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection between an on-premises data center and an Amazon VPC virtual private gateway? 1. Use a dedicated network address translation instance in the public subnet 2. Establish a dedicated networking connection using AWS Direct Connect. 3. Assign a static Internet-routable IP address to an Amazon VPC customer gateway. 4. Modify the main route table to allow traffic to a network address translation instance."

Assign a static Internet-routable IP address to an Amazon VPC customer gateway.

"36. Question You have an Amazon Virtual Private Cloud (VPC) with a public subnet. Three Amazon Elastic Compute Cloud (EC2) instances currently running inside the subnet can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same Amazon Machine Image (AMI) and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable Internet access? 1. Assign an elastic IP address to the fourth instance 2. Modify the routing table for the public subnet 3. Deploy a NAT instance into the public subnet 4. Configure a publically routable IP address in the host OS of the fourth instance."

Assign an elastic IP address to the fourth instance

1) What best describes how you are charged for using Auto Scaling?

Auto Scaling is free to use, but you are responsible to pay for any AWS resources that Auto Scaling provisions

Which set of Amazon S3 features helps to prevent and recover from accidental data loss? A.Object lifecycle and service access logging B.Object versioning and Multi-factor authentication C.Access controls and server-side encryption D.Website hosting and Amazon S3 policies

B Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite In addition to that, they have made it a requirement that delete operations on versioned data can only be done using MFA (Multi factor authentication).

A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure mat AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised? A.Enable Multi-Factor Authentication for your AWS root account. B.Assign an IAM role to the Amazon EC2 instance. C.Store the AWS Access Key ID/Secret Access Key combination in software comments. D.Assign an IAM user to the Amazon EC2 Instance.

B Use roles for applications that run on Amazon EC2 instances Applications that run on an Amazon EC2 instance need credentials in order to access other AWS services. To provide credentials to the application in a secure way, use IAM roles. A role is an entity that has its own set of permissions, but that isn't a user or group. Roles also don't have their own permanent set of credentials the way IAM users do. In the case of Amazon EC2, IAM dynamically provides temporary credentials to the EC2 instance, and these credentials are automatically rotated for you. Source:http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-roles-with-ec2

You need a persistent and durable storage to trace call activity of an IVR (Interactive Voice Response) system. Call duration is mostly in the 2-3 minutes timeframe. Each traced call can be either active or terminated. An external application needs to know each minute the list of currently active calls, which are usually a few calls/second. Put once per month there is a periodic peak up to 1000 calls/second for a few hours The system is open 24/7 and any downtime should be avoided. Historical data is periodically archived to files. Cost saving is a priority for this project. What database implementation would better fit this scenario, keeping costs as low as possible? A.Use RDS Multi-AZ with two tables, one for -Active calls" and one for -Terminated calls". In this way the "Active calls_ table is always small and effective to access. B.Use DynamoDB with a "Calls" table and a Global Secondary Index on a "IsActive'" attribute that is present for active calls only In this way the Global Secondary index is sparse and more effective. C.Use DynamoDB with a 'Calls" table and a Global secondary index on a 'State" attribute that can equal to "active" or "terminated" in this way the Global Secondary index can be used for all Items in the table. D.Use RDS Multi-AZ with a "CALLS" table and an Indexed "STATE* field that can be equal to 'ACTIVE" or - TERMINATED" In this way the SOL query Is optimized by the use of the Index.

B http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForGSI.html#GuidelinesForGSI.SparseIndexes The idea behind sparse indexes is that only items with isActive = "y" will be in the index, so require less storage and processing than your main table

***A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer requirement? A.Enable AWS CloudTrail to audit all Amazon S3 bucket access. B.Enable server access logging for all required Amazon S3 buckets. C.Enable the Requester Pays option to track access via AWS Billing D.Enable Amazon S3 event notifications for Put and Post.

B if its just for internal audit, then Server access logging, I assume is sufficient: http://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html For external audits I would go for CloudTrail: http://docs.aws.amazon.com/AmazonS3/latest/dev/cloudtrail-logging.html

What is Oracle SQL Developer? A.An AWS developer who is an expert in Amazon RDS using both the Oracle and SQL Server DB engines B.A graphical Java tool distributed without cost by Oracle. C.It is a variant of the SQL Server Management Studio designed by Microsoft to support Oracle DBMS functionalities D.A different DBMS released by Microsoft free of cost

B Oracle SQL Developer is the Oracle Database IDE. A free graphical user interface, Oracle SQL Developer allows database users and administrators to do their database tasks in fewer clicks and keystrokes. A productivity tool, SQL Developer's main objective is to help the end user save time and maximize the return on investment in the Oracle Database technology stack. http://www.oracle.com/technetwork/developer-tools/sql-developer/what-is-sqldev-093866.html

What happens to the data on an instance if the instance reboots (intentionally or unintentionally)? A.Data will be lost B.Data persists C.Data may persist however cannot be sure

B http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html The data in an instance store persists only during the lifetime of its associated instance. If an instance reboots (intentionally or unintentionally), data in the instance store persists. However, data in the instance store is lost under the following circumstances: The underlying disk drive fails The instance stops The instance terminates

In the Amazon cloudwatch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A.FreeStorage B.FreeStorageSpace C.FreeStorageVolume D.FreeDBStorageSpace

B http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/rds-metricscollected.html FreeStorageSpace The amount of available storage space.

What does the following command do with respect to the Amazon EC2 security groups? ec2-create-group CreateSecurityGroup A.Groups the user created security groups in to a new group for easy access. B.Creates a new security group for use with your account. C.Creates a new group inside the security group. D.Creates a new rule inside the security group.

B http://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html A security group is for use with instances either in the EC2-Classic platform or in a specific VPC http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-CreateSecurityGroup.html

A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company's requirements? A.MySQL Installed on two Amazon EC2 Instances in a single Availability Zone B.Amazon RDS for MySQL with Multi-AZ C.Amazon ElastiCache D.Amazon DynamoDB

B not D because: While Amazon DynamoDB tackles the core problems of database scalability, management, performance, and reliability, it does not have all the functionality of a relational database. It does not support complex relational queries (e.g. joins) or complex transactions. If your workload requires this functionality, or you are looking for compatibility with an existing relational engine, you may wish to run a relational engine on Amazon RDS or Amazon EC2. Source: https://aws.amazon.com/dynamodb/faqs/

Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers A.Each subnet spans at least 2 Availability Zones to provide a high-availability environment. B.Each subnet maps to a single Availability Zone. C.CIDR block mask of/25 is the smallest range supported. D.By default, all subnets can route between each other, whether they are private or public. E.Instances in a private subnet can communicate with the Internet only if they have an Elastic IP

B & D -> Though E is possible but the main subject used is the EC2 instance not the subnet. Even though we know the right Answers it is sometimes good to know why the other Answers are wrong. A. Is wrong because a subnet maps to a single AZ. C. Is wrong because /28 is the smallest subnet, amazon takes first four and last addresses per subnet. E. Is wrong because a private subnet needs a NAT appliance.

A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers A.Use AWS Consolidated Billing and disable AWS root account access for the child accounts. B.Enable IAM cross-account access for all corporate IT administrators in each child account. C.Create separate VPCs for each division within the corporate IT AWS account. D.Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account. E.Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 'Log' bucket.

B & D are correct when used in combination with each other. B: http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html D: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html C is theoretically correct by itself, but does not work well with the other choices since it involves only a single AWS account, and the other possibly correct choices (B & D) both involve separate AWS accounts. The question specifically states "Which of the following options, when used together". So C is out. A is incorrect because you don't want to disable root access to the child accounts (well, except for their access keys for API calls, deleting those is OK). E is incorrect because it's the exact opposite of a best practice to centralize logs/security audit info across multiple corporate AWS accounts: https://aws.amazon.com/answers/account-management/aws-multi-account-security-strategy/

You have deployed a web application targeting a global audience across multiple AWS Regions under the domain name.example.com. You decide to use Route53 Latency-Based Routing to serve web requests to users from the region closest to the user. To provide business continuity in the event of server downtime you configure weighted record sets associated with two web servers in separate Availability Zones per region. Dunning a DR test you notice that when you disable all web servers in one of the regions Route53 does not automatically direct all users to the other region. What could be happening? (Choose 2 answers) A.Latency resource record sets cannot be used in combination with weighted resource record sets. B.You did not setup an http health check tor one or more of the weighted resource record sets associated with me disabled web servers. C.The value of the weight associated with the latency alias resource record set in the region with the disabled servers is higher than the weight for the other region. D.One of the two working web servers in the other region did not pass its HTTP health check. E.You did not set "Evaluate Target Health" to "Yes" on the latency alias resource record set associated with example com in the region where you disabled the servers.

B & E is correct. A is wrong because: ..you might use latency alias resource record sets to select a region close to a user and use weighted resource record sets for two or more resources within each region to protect against the failure of a single endpoint or an Availability Zone... From this link: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-complex-configs.html#dns-failover-complex-configs-eth-no E is right because: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover-complex-configs.html#dns-failover-complex-configs-eth-no

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an iPsec VPN. The application must authenticate against the on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space (S3) keyspace specific to that user. Which two approaches can satisfy these objectives? (Choose 2 answers) A.Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket. B.The application authenticates against LOAP and retrieves the name of an IAM role associated with the user. The application then cails the IAM Security Token Service to assume that IAM role The application can use the temporary credentials to access the appropriate S3 bucket. C.Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credentials The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket. D.The application authenticates against LDAP the application then calls the AWS identity and Access Management (IAM) Security service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket. E.The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket.

B and C are the right answers. See http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html And http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer's end, however the customer is unable to connect from EC2 instances inside its VPC to servers residing in its datacenter. Which of the following options provide a viable solution to remedy this situation? (Choose 2 answers) A.Add a route to the route table with an iPsec VPN connection as the target. B.Enable route propagation to the virtual pinnate gateway (VGW). C.Enable route propagation to the customer gateway (CGW). D.Modify the route table of all Instances using the 'route' command. E.Modify the Instances VPC subnet route table by adding a route back to the customer's on-premises environment.

B and E. Customer Gateways are for VPN connections only where as Virtual Private Gateways are also a requirement for Direct Connect. See: https://aws.amazon.com/directconnect/faqs/ Using AWS Direct Connect with Amazon Virtual Private Cloud Q. What are the technical requirements for virtual interfaces to VPCs?

You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2 answers A.Set permissions on the object to public read during upload. B.Configure the bucket ACL to set all objects to public read. C.Configure the bucket policy to set all objects to public read. D.Use AWS Identity and Access Management roles to set the bucket to public read. E.Amazon S3 objects default to public read, so no action is needed.

B is Wrong: AC are correct. https://aws.amazon.com/articles/5050 You can use ACLs to grant permissions to individual AWS accounts; however, it is strongly recommended that you do not grant public access to your bucket using an ACL. So the recommended approach is create bucket policy, but not ACL. Following link give you an example about how to make the bucket content public. http://docs.aws.amazon.com/AmazonS3/latest/dev/HostingWebsiteOnS3Setup.html#step2-add-bucket-policy-make-content-public

What are the three states of a CIoudWatch alarm? Choose the correct answer: A. Like, dislike, ok B. Alarm, insufficient data, ok C. ok, alarm, not enough data D. Failure, ok, insufficeint data

B.

Out of the stripping options available for the EBS volumes, which one has the following disadvantage : 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe.' ? A.Raid 0 B.RAID 1+0 (RAID 10) C.Raid 1 D.Raid

B is correct A - Cannot be A b/c it says compared to RAID 0, this is RAID 0 C - Cannot be C b/c question asks *Out of the striping options*, RAID 1 is not striped, see https://en.wikipedia.org/wiki/Standard_RAID_levels or excerpt below RAID 1 consists of an exact copy (or mirror) of a set of data on two or more disks; a classic RAID 1 mirrored pair contains two disks. This configuration offers no parity, striping, or spanning of disk space across multiple disks, since the data is mirrored on all disks belonging to the array, and the array can only be as big as the smallest member disk. Not sure what D is here, but if it's RAID 5/6 not 'RAID' then those are not recommended on AWS and they also would not double IO b/c they use parity disks with their striped disks.

A web company is looking to implement an external payment service into their highly available application deployed in a VPC Their application EC2 instances are behind a public lacing ELB Auto scaling is used to add additional instances as traffic increases under normal load the application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API. How should they architect their solution? A.Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the MAT instances. B.Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway. C.Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB. D.Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instances public IP address to the payment validation whitelist API.

B is incorrect as you do not have insight into the public ip associated with a VPC Internet Gateways. C is incorrect as ELB receives a public DNS name. D would exceed the maximum of 4 whitelisting IP addresses. Which leaves A as the correct answer.

You are building an automated transcription service in which Amazon EC2 worker instances process an uploaded audio file and generate a text file. You must store both of these files in the same durable storage until the text file is retrieved. You do not know what the storage capacity requirements are. Which storage option is both cost-efficient and scalable? A.Multiple Amazon EBS volume with snapshots B.A single Amazon Glacier vault C.A single Amazon S3 bucket D.Multiple instance stores

B is not the right answer because of its long retrieval time and there is nothing in the question that says retrieval time of several hours is suitable. https://aws.amazon.com/glacier/ "Amazon Glacier is optimized for infrequently accessed data where a retrieval time of several hours is suitable." C is the right answer.

Your application provides data transformation services. Files containing data to be transformed are first uploaded to Amazon S3 and then transformed by a fleet of spot EC2 instances. Files submitted by your premium customers must be transformed with the highest priority. How should you implement such a system? A. Use a DynamoDB table with an attribute defining the priority level. Transformation instances will scan the table for tasks, sorting the results by priority level. B. Use Route 53 latency based-routing to send high priority tasks to the closest transformation instances. C. Use two SQS queues, one for high priority messages, the other for default priority. Transformation instances first poll the high priority queue; if there is no message, they poll the default priority queue. D. Use a single SQS queue. Each message contains the priority level. Transformation instances poll high-priority messages first.

B is not the right answer because transformation instances are not running all the time since they are spot instances. C is a good option, however you need to take SQS message retention into account: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/MessageLifecycle.html "SQS automatically deletes messages that have been in a queue for more than maximum message retention period. The default message retention period is 4 days. However, you can set the message retention period to a value from 60 seconds to 1209600 seconds (14 days) with SetQueueAttributes."

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance? A.The outbound security group needs to be modified to allow outbound traffic. B.The outbound network ACL needs to be modified to allow outbound traffic. C.Nothing, it can be accessed from any IP address using SSH. D.Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

B is right: at ACL: Need to open TCP Port 1024-65535 at Outbound Rules "Allows outbound responses to the remote computer. Network ACLs are stateless, therefore this rule is required to allow response traffic for inbound requests." http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

You have an application running on an Amazon Elastic Compute Cloud instance, that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application? A.Enable enhanced networking B.Use Amazon S3 multipart upload C.Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency. D.Use Amazon Elastic Block Store Provisioned IOPs and use an Amazon EBS-optimized instance

B is the answer because of the following (pay attention to the word parallel ): Using multipart upload provides the following advantages: - Improved throughput—You can upload parts in parallel to improve throughput. - Quick recovery from any network issues—Smaller part size minimizes the impact of restarting a failed upload due to a network error. - Pause and resume object uploads—You can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or abort the multipart upload. - Begin an upload before you know the final object size—You can upload an object as you are creating it. http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html

What best describes IOPS? (choose two) Choose the 2 correct answers: A. Read/write performance of the Instance Type B. Input/output operations per second C. Read/write performance of storage volumes D. Input/output operations per sector

B, C

You require the ability to analyze a customer's clickstream data on a website so they can do behavioral analysis. Your customer needs to know what sequence of pages and ads their customer clicked on. This data will be used in real time to modify the page layouts as customers click through the site to increase stickiness and advertising click-through. Which option meets the requirements for captioning and analyzing this data? A.Log clicks in weblogs by URL store to Amazon S3, and then analyze with Elastic MapReduce B.Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers C.Write click events directly to Amazon Redshift and then analyze with SQL D.Publish web clicks by session to an Amazon SQS queue men periodically drain these events to Amazon RDS and analyze with sol

B is the right answer. Use Amazon Kinesis Streams to collect and process large streams of data records in real time. http://docs.aws.amazon.com/streams/latest/dev/introduction.html

After an Amazon VPC instance is launched, can I change the VPC security groups it belongs to? A. Only if the tag "VPC_Change_Group" is true B. Yes. You can. C. No. You cannot. D. Only if the tag "VPC Change Group" is true

B is the right answer. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

You are developing a new mobile application and are considering storing user preferences in AWS.2w This would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size Additionally 5 million customers are expected to use the application on a regular basis. The solution needs to be cost-effective, highly available, scalable and secure, how would you design a solution to meet the above requirements? A.Setup an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials B.Setup a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS. Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access. C.Setup an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data .The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials. D.Store the user preference data in S3 Setup a DynamoDB table with an item for each user and an item attribute pointing to the user' S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly utilize STS, Web identity Federation, and S3 ACLs to authenticate and authorize access.

B is the right answer. Source: https://aws.amazon.com/blogs/aws/fine-grained-access-control-for-amazon-dynamodb/ D is not the right answer because S3 doesn't bring significant value while making it more complex. If the data size of each item is over 400K than it would be the right answer. See http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html#limits-items The maximum item size in DynamoDB is 400 KB, which includes both attribute name binary length (UTF-8 length) and attribute value lengths (again binary length). The attribute name counts towards the size limit.

A customer has a 10 GB AWS Direct Connect connection to an AWS region where they have a web application hosted on Amazon Elastic Computer Cloud (EC2). The application has dependencies on an on-premises mainframe database that uses a BASE (Basic Available. Sort stale Eventual consistency) rather than an ACID (Atomicity. Consistency isolation. Durability) consistency model. The application is exhibiting undesirable behavior because the database is not able to handle the volume of writes. How can you reduce the load on your on-premises database resources in the most cost-effective way? A.Use an Amazon Elastic Map Reduce (EMR) S3DistCp as a synchronization mechanism between the onpremises database and a Hadoop cluster on AWS. B.Modify the application to write to an Amazon SQS queue and develop a worker process to flush the queue to the on-premises database. C.Modify the application to use DynamoDB to feed an EMR cluster which uses a map function to write to the on-premises database. D.Provision an RDS read-replica database on AWS to handle the writes and synchronize the two databases using Data Pipeline.

B should be the answer. A & C utilize AWS elastic map reduce's technologies which I could not find any relationship to the question's requirement. D utilizes "synchronize the two databases using Data Pipeline" but this way, customer need to store database at both side: on-premise DB, and AWS' RDS DB, hence violate it's prior requirement of "...mainframe database that uses a BASE..." https://aws.amazon.com/sqs/faqs/

You are designing the network infrastructure for an application server in Amazon VPC Users will access all the application instances from the Internet as well as from an on-premises network The on-premises network is connected to your VPC over an AWS Direct Connect link. How would you design routing to meet the above requirements? A.Configure a single routing Table with a default route via the Internet gateway Propagate a default route via BGP on the AWS Direct Connect customer router Associate the routing table with all VPC subnets. B.Configure a single routing table with a default route via the internet gateway Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router Associate the routing table with all VPC subnets. C.Configure a single routing table with two default routes: one to the internet via an Internet gateway the other to the on-premises network via the VPN gateway use this routing table across all subnets in your VPC. D.Configure two routing tables one that has a default route via the Internet gateway and another that has a default route via the VPN gateway Associate both routing tables with each VPC subnet.

B) is the right answer because def. route must be set to Inet GW to reach ANY Inet destinations and specific routes propagatin via BGP to learn on-premises router which AWS subnets are available via AWS DC link.

A user has setup Auto Scaling with ELB on the EC2 instances. The user wants to configure that whenever the CPU utilization is below 10%. Auto Scaling should remove one instance. How can the user configure this? A. Use CIoudWatch to monitor the data and Auto Scaling to remove the instances using scheduled actions B. Configure CloudWatch to send a notification to the Auto Scaling group when the CPU Utilization is less than 10% and configure the Auto Scaling policy to remove the instance C. The user can get an email using SNS when the CPU utilization is less than 10%. The user can use the desired capacity of Auto Scaling to remove the instance D. Configure CIoudWatch to send a notification to Auto Scaling Launch configuration when the CPU utilization is less than 10% and configure the Auto Scaling policy to remove the instance

B.

Amazon Aurora offers free tier usage. Choose the correct answer: A. True B. False

B.

Amazon CIoudFront currently supports GET, HEAD, POST, PUT, PATCH, DELETE and OPTIONS requests- Which of the following requests could be cached? A. PUT B. OPTIONS C. DELETE D. POST

B.

Amazon CIoudFront is a content-delivery web service that speeds up the distribution of your website's dynamic, static, and streaming content by making it available from a global network of edge locations. Which protocols does it support? A. HTTP B. FTP C. TCP D. RTMP

B.

Amazon Elastic Block Store (Amazon EBS) volumes provide durable block-level storage for use with Amazon EC2 instances (virtual machines). Amazon EBS volumes are off-instance storage that persists independently from the running life of a single Amazon EC2 instance. Which type would you choose for l/O-intensive workloads, relational databases,and NoSQL databases? A. Amazon EBS Magnetic B. Amazon EBS Provisioned IOPS C. Amazon EBS ZX1 D. Amazon EBS General Purpose

B.

Amazon Glacier is an extremely low-cost storage service that provides highly secure, durable, and flexible storage for data archiving and online backup. Which of the following will you NOT be charged for when using Glacier? A. Storage (per GB per month) B. Data transfer in (per GB per month) C. Requests (per thousand UPLOAD and RETRIEVAL requests per month) D. Data transfer out (per GB per month)

B.

An S3 bucket name can have any name and format you like. Choose the correct answer: A. True B. False

B.

Company A has an S3 bucket containing premier content that th I intend to make available to only paid subscribers of their website. The S3 bucket curre Iy as default permissions of all objects being private to prevent inadvertent exposure of the p emier content to non-paying website visitors. How can Company A provide only pa subscribers the ability to download a premier content file in the S3 bucket? A.Apply a bucket policy that grants anonymous users to download the content from the S3 bucket B.Generate a pre-signed object URL for the premier content file when a paid subscriber requests a download C.Add a bucket policy that requires Multi-Factor Authentication for requests to access the S3 bucket objects D.Enable server side encryption on the S3 bucket for data protection against the non-paying website visitors

B.

DDoS attacks at their core create an availability problem, as the goal of attackers is to render resources unusable for legitimate end users. Consequently, you can leverage failover capabilities within AWS to reduce your vulnerability to availability problems caused by DDoS attacks. Which of the following is a protocol exhausting attack? A. HTTP GET/POST flood B. SYN flood C. None of these D. UDP flood

B.

EBS Volumes are your instances processing power (CPU). Choose the correct answer: A. True B. False

B.

For web distributions, you can specify whether you want CIoudFront to include query straight forwards requests to your origin. How many objects would CIoudFront cache if you had the following URL's? http://123.cloudfront.netIimg/cat.jpg?parameter1=a http://123.cloudfront.net/img/cat.jpg?parameter1=b A.1 B.2 C.0 D.4

B.

If l want an instance to have a public IP address, which IP address should I use? A. Domain IP Address B. Elastic IP Address C. Host IP Address D. Dynamic IP Address

B.

If you were to remove the route to the IGW from a route table, what would happen to traffic inside the VPC? Choose the correct answer: A. Traffic would still be able to reach the Internet since the IGW is still attached to the VPC B. Traffic could be sent between Eo2 instances inside the VPC but would not reach the Internet C. EC2 instances inside the VPC would not be able to communicate with each other D. None of the above

B.

In dynamo db, The DeleteTable operation deletes a table and all of its items. After a DeleteTable request, the specified table is in the DELETING state until DynamoDB completes the deletion. If the table is in the ACTIVE state, you can delete it. If a table is in CREATING or UPDATING states, then DynamoDB returns a______ A. ResouceProhibitedException B. ResourceInUseException C. LimitExceededException D. ResourceNotFoundException

B.

In some cases, Multi-AZ deployments utilize synchronous physical replication to keep data on the standby up-to-date with the primary. In other cases a synchronous logical replication is used to achieve the same result, Which technology below uses logical replication? A. MySQL B. SQL Server C. PostgreSQL D. Oracle

B.

One way you can save money with AWS is by taking advantage of the platform's elasticity. Plan to implement Auto Scaling for as many Amazon EC2 workloads as possible, so that you horizontally scale up when needed and scale down and automatically reduce your spend when you don't need all that capacity anymore. Which of the following DOES require capacity decisions? A. ELB B. Amazon EC2 C. AWS Lambda D. CloudFront

B.

Public IP addresses are assigned to every EC2 instance by default, and Private IP addresses are optional and must be manually configured. Choose the correct answer: A. True B. False

B.

What best describes the definition of SNS? Choose the correct answer: A. SNS's main components are senders, receivers and topics. B. SNS allows you to automate the sending of email and text messages, based on events that happen in your AWS account. C. SNS is how you monitor AWS resources. D. SNS simplifies the communication between two AWS resources.

B.

What best describes the difference between RDS and DynamoDB? Choose the correct answer: A. DynamoDB offers several different database engines, while RDS offers just one. B. RDS databases store data in tables using columns and rows, while DynamoDB stores data in JSON-Iike, name-value documents. C. RDS offers NoSQL databases and DynamoDB offers SQL databases. D. There is no difference.

B.

What happens if the application component fails before deleting the message in SQS? If your system doesn't call DeleteMessage for that message before the visibility timeout expires? A. the message will be moved to dead letter queue and no longer will be available for component access B. the message again becomes visible to the ReceiveMessage calls placed by the components in your system and it will be received again C. the message again becomes visible in the queue, however it wont be available for ReceiveMessage calls D. the message will be deleted automatically by AWS system APIs

B.

What happens to my Amazon running EC2 instances if I delete my Auto Scaling Group? A. you have to terminate instance manually before delete auto scaling group B. the instances will be terminated and the Auto Scaling group will be deleted C. the instances will be terminated and the Auto Scaling group will not be deleted. D. the instances won't get affected and the Auto Scaling group will be deleted.

B.

What item operation allows the retrieval of multiple items from a DynamoDB table in a single API call? A.GetItem B.BatchGetItem C.GetMuItipIeItems D.GetItem Range

B.

Which API call would you use to put or delete multiple items in one or more tables with Amazon DynamoDB? A. GetAIIItem B. BatchWriteItem C. Batch Deleteltem D. BatchGetltem

B.

Which DB deployment type has a synchronous standby replica in another Availability Zone? A. Single-AZ B. MuIti-AZ

B.

Which ECZ API call would you use to requests a reboot of one or more instances? A. RestartInstances B. RebootInstances C. RebootAIIlnstances D. Stoplnstances

B.

Which of the following redundancy types uses failover as it's recovery process? A. active redundancy B. standby redundancy

B.

Which version of Amazon Kinesis would you use if you wanted multi-stage processing using specialized algorithms, for example in building a recommendations engine? A. Amazon Kinesis Firehose B. Amazon Kinesis Streams C. None of these options would suffice D. Amazon Kinesis Analytics

B.

You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instances are not being terminated What do you need to do to ensure trial instances marked unhealthy by the ELB will be terminated and replaced? A. Increase the value for the Health check interval set on the Elastic Load Balancer B. Add an Elastic Load Balancing health check to your Auto Scaling group C. Change the health check set on the Elastic Load Balancer to use TCP rather than HTTP checks D. Change the thresholds set on the Auto Scaling group health check

B.

You receive a frantic call from a new DBA who accidentally dropped a table containing all your customers.Which Amazon RDS feature will allow you to reliably restore your database to within 5 minutes of when the mistake was made? A. Multi-AZ RDS B. RDS automated backup C. RDS read replicas D. RDS snapshots

B.

Your application is trying to upload a 6 GB file to Simple Storage Service and receive a "Your proposed upload exceeds the maximum allowed object size." error message. What is a possible solution for this? A.None. Simple Storage Service objects are limited to 5 GB B.Use the multi-part upload API for this object C.Use the large object upload API for this object D.Contact support to increase your object size limit E.Upload to a different region

B.

Your company wants to reduce expenditure by optimizaing the spend on Amazon EC2 instances. Which one would reduce the cost the MOST? A. On-Demand instance B. Reserved Instances

B.

Are Reserved Instances available for Multi-AZ Deployments? A.Only for Cluster Compute instances B.Yes for all instance types C.Only for M3 instance types D.No

B. https://aws.amazon.com/rds/faqs/?nc1=h_ls#reserved-instances Q: Are Reserved Instances available for Multi-AZ Deployments? Yes. When you call the DescribeReservedDBInstancesOfferings API, simply look for the Multi-AZ options listed among the DB Instance configurations available for purchase. If you want to purchase a reservation for a DB Instance with synchronous replication across multiple Availability Zones, specify one of these offerings in your PurchaseReservedDBInstancesOffering cal

Which technique can be used to integrate AWS IAM (Identity and Access Management) with an on-premise LDAP (Lightweight Directory Access Protocol) directory service? A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials. B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP. C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials. D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated. E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.

B. A SAML assertion should be generated by an identity provider and then pass it to AWS Security Token Service by the client. As I see it, B answer: "Use SAML to enable SSO" is very imprecise. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html

If your DB instance runs out of storage space or file system resources, its status will change to_____ and your DB Instance will no longer be available A. storage-overflow B. storage-full C. storage-exceed D. storage-overage

B. https://aws.amazon.com/ko/premiumsupport/knowledge-center/rds-out-of-storage/ If your database instance runs out of storage, its status will change to storage-full. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html

You must assign each server to at least _____ security group? A. 4 B. 3 C. 1 D. 2

C. 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

Your customer is willing to consolidate their log streams (access logs application logs security logs etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours? What is the best approach to meet your customer's requirements? A.Send all the log events to Amazon SQS. Setup an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics. B.Send all the log events to Amazon Kinesis develop a client process to apply heuristics on the logs Configure Amazon Cloud Trail to receive custom logs, use EMR to apply heuristics the logs C.Setup an Auto Scaling group of EC2 syslogd servers, store the logs on S3 use EMR to apply heuristics on the logs

B. Amazon Kinesis Streams allows for real-time data processing. With Amazon Kinesis Streams, you can continuously collect data as it is generated and promptly react to critical information about your business and operations. https://aws.amazon.com/kinesis/streams/ Definitely B, due to the trigger phrase "real-time", which I ran through Google Translate, and it translated to "Kinesis" using language "AWS cert exam". Kinesis would also accomplish the requirement to retain logs for 12 hours for further analysis, since the default retention period for Kinesis is 24 hours. (Which is also the minimum, you can increase it up to 168 hours)

By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates? A. Remain as is B. Terminate C. Hibernate D. Pause

B. By default, elastic network interfaces that are automatically created and attached to instances using the console are set to terminate when the instance terminates. However, network interfaces created using the command line interface aren't set to terminate when the instance terminates. Source:http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#change_term_behavior

IAM's Policy Evaluation Logic always starts with a default ____________ for every request, except for those that use the AWS account's root security credentials b A.Permit B.Deny C.Cancel

B. The evaluation logic follows these rules: By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.) An explicit allow overrides this default. An explicit deny overrides any allows. http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html

Regarding Amazon EBS is the following statement TRUE or FALSE? You are able to attach multiple EBS volumes to a single Eo2 instance and also attach multiple Eo2 instances to one EBS volume. A. TRUE B. FALSE

B. While you are able to attach multiple volumes to a single instance, attaching multiple instances to one volume is not supported at this time.

REST or Query requests are HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and a parameter named Action or Operation that specifies the API you are calling. A. FALSE B. TRUE

B. http://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html Query requests are HTTP or HTTPS requests that use the HTTP verb GET or POST and a Query parameter named Action.

You have a video transcoding application running on Amazon EC2. Each instance polls a queue to find out which video should be transcoded, and then runs a transcoding process. If this process is interrupted, the video will be transcoded by another instance based on the queuing system. You have a large backlog of videos which need to be transcoded and would like to reduce this backlog by adding more instances. You will need these instances only until the backlog is reduced. Which type of Amazon EC2 instances should you use to reduce the backlog in the most cost efficient way? A. Reserved instances B. Spot instances C. Dedicated instances D. On-demand instances

B. https://aws.amazon.com/ec2/faqs/ Spot instances provide the ability for customers to purchase compute capacity with no upfront commitment, at hourly rates usually lower than the On-Demand rate. Spot instances allow you to specify the maximum hourly price that you are willing to pay to run a particular instance type. Amazon EC2 sets a Spot Price for each instance type in each availability zone, which is the hourly price all customers will pay to run a Spot instance for that given period. The Spot Price fluctuates based on supply and demand for instances, but customers will never pay more than the maximum price they have specified. If the Spot Price moves higher than a customer's maximum price, the customer's instance will be shut down by Amazon EC2. Other than those differences, Spot instances perform exactly the same as On-Demand or Reserved Instances. See here for more details on Spot instances.

In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send _____ minute metrics to Amazon CloudWatch. A. 3 B. 1 C. 5 D. 2

B. 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html Detailed Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch. http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ebs-metricscollected.html Amazon Elastic Block Store (Amazon EBS) sends data points to CloudWatch for several metrics. Amazon EBS General Purpose SSD (gp2), Throughput Optimized HDD (st1) , Cold HDD (sc1), and Magnetic (standard) volumes automatically send five-minute metrics to CloudWatch. Provisioned IOPS SSD (io1) volumes automatically send one-minute metrics to CloudWatch

What is the maximum response time for a Business level Premium Support case? A. 120 seconds B. 1 hour C. 10 minutes D. 12 hours

B. 1 hour https://aws.amazon.com/premiumsupport/compare-plans/ As if you go for maximum than it's 24 hours though its not an option here. Case Severity and Response Times Urgent: < 1 hour High: < 4 hours Normal: < 12 hours Low: < 24 hours

You can modify the backup retention period for AWS RDS. Valid values are 0 (for no backup retention) to a maximum of _____ days. A. 45 B. 35 C. 15 D. 5

B. 35

Which service enables AWS customers to manage users and permissions in AWS? A. AWS Access Control Service (ACS) B. AWS Identity and Access Management (IAM) C. AWS Identity Manager (AIM) D. AWS Security Groups

B. AWS Identity and Access Management (IAM) http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).

Which of the following will occur when an EC2 instance in a VPC with an associated Elastic IP is stopped and started? (Choose 2 answers) A. The Elastic IP will be dissociated from the instance B. All data on instance-store devices will be lost C. All data on EBS (Elastic Block Store) devices will be lost D. The ENI (Elastic Network Interface) is detached E. The underlying host for the instance is changed

B. All data on instance-store devices will be lost E. The underlying host for the instance is changed

If I want to run a database in an Amazon instance, which is the most recommended Amazon storage option? A. Amazon Instance Storage B. Amazon EBS C. You can't run a database inside an Amazon instance. D. Amazon S3

B. Amazon EBS Amazon EBS is the recommended storage option when you run a database on an instance. You can use Amazon S3 to store backup copies of your data and applications. Amazon EC2 uses Amazon S3 to store EBS snapshots and instance store-backed AMIs. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html

_____ is a durable, block-level storage volume that you can attach to a single, running Amazon EC2 instance. A. Amazon S3 B. Amazon EBS C. Amazon EFS D. All of these

B. Amazon EBS http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance.

You are developing a highly available web application using stateless web servers. Which services are suitable for storing session state data? Choose 3 answers A. Amazon CloudWatch B. Amazon Relational Database Service (RDS) C. Elastic Load Balancing D. Amazon ElastiCache E. AWS Storage Gateway F. Amazon DynamoDB

B. Amazon Relational Database Service (RDS) D. Amazon ElastiCache F. Amazon DynamoDB

What happens when you create a topic on Amazon SNS? A. The topic is created, and it has the name you specified for it. B. An ARN (Amazon Resource Name) is created. C. You can create a topic on Amazon SQS, not on Amazon SNS. D. This question doesn't make sense.

B. An ARN (Amazon Resource Name) is created. http://docs.aws.amazon.com/sns/latest/dg/CreateTopic.html

What does Amazon Elastic Beanstalk provide? A. A scalable storage appliance on top of Amazon Web Services. B. An application container on top of Amazon Web Services. C. A service by this name doesn't exist. D. A scalable cluster of EC2 instances.

B. An application container on top of Amazon Web Services. https://aws.amazon.com/elasticbeanstalk/faqs/ Q: What is AWS Elastic Beanstalk? AWS Elastic Beanstalk makes it even easier for developers to quickly deploy and manage applications in the AWS Cloud. Developers simply upload their application, and Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, auto-scaling, and application health monitoring.

You have developed a new web application in us-west-2 that requires six Amazon Elastic Compute Cloud (EC2) instances running at all times. You have three availability zones available in that region (us-west-2a, us-west-2b, and us-west-2c). You need 100 percent fault tolerance if any single Availability Zone in us-west-2 becomes unavailable. How would you do this, each answer has 2 answers, select the answer with BOTH correct answers. A. Answer 1 - Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances. Answer 2 - Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances B. Answer 1 - Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Answer 2 - Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. C. Answer 1 - Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances. Answer 2 - Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. D. Answer 1 - Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. Answer 2 - Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances.

B. Answer 1 - Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Answer 2 - Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.

You work for a famous bakery who are deploying a hybrid cloud approach. Their legacy IBM AS400 servers will remain on premise within their own datacenter however they will need to be able to communicate to the AWS environment over a site to site VPN connection. What do you need to do to establish the VPN connection? A. Connect to the environment using AWS Direct Connect. B. Assign a public IP address to your Amazon VPC Gateway. C. Create a dedicated NAT and deploy this to the public subnet. D. Update your route table to add a route for the NAT to 0.0.0.0/0.

B. Assign a public IP address to your Amazon VPC Gateway.

You work for a construction company that has their production environment in AWS. The production environment consists of 3 identical web servers that are launched from a standard Amazon linux AMI using Auto Scaling. The web servers are launched in to the same public subnet and belong to the same security group. They also sit behind the same ELB. You decide to do some test and dev and you launch a 4th EC2 instance in to the same subnet and same security group. Annoyingly your 4th instance does not appear to have internet connectivity. What could be the cause of this? A. You need to update your routing table so as to provide a route out for this instance. B. Assign an elastic IP address to the fourth instance. C. You have not configured a NAT in the public subnet. D. You have not configured a routable IP address in the host OS of the fourth instance.

B. Assign an elastic IP address to the fourth instance.

What are the two types of licensing options available for using Amazon RDS for Oracle? A. BYOL and Enterprise License B. BYOL and License Included C. Enterprise License and License Included D. Role based License and License Included

B. BYOL and License Included https://aws.amazon.com/rds/oracle/ You can run Amazon RDS for Oracle under two different licensing models - "License Included" and "Bring-Your-Own-License (BYOL)".

How can I change the security group membership for interfaces owned by other AWS services, such as Elastic Load Balancing? A. using all these methods B. By using the service specific console or API\CLI commands C. None of these

B. By using the service specific console or API\CLI commands

If you have chosen Multi-AZ deployment, in the event of an outage of your primary DB Instance, Amazon RDS automatically switches to the standby replica. The automatic failover mechanism simply changes the ______ record of the main DB Instance to point to the standby DB Instance. A. DNAME B. CNAME C. TXT D. MX

B. CNAME "When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB Instance to point at the standby, which is in turn promoted to become the new primary" https://aws.amazon.com/rds/faqs/

A customer's nightly EMR job processes a single 2-TB data file stored on Amazon Simple Storage Service (S3). The EMR job runs on two On-Demand core nodes and three On-Demand task nodes. Which of the following may help reduce the EMR job completion time? Choose 2 answers A. Use three Spot Instances rather than three On-Demand instances for the task nodes. B. Change the input split size in the MapReduce job configuration. C. Use a bootstrap action to present the S3 bucket as a local filesystem. D. Launch the core nodes and task nodes within an Amazon Virtual Cloud. E. Adjust the number of simultaneous mapper tasks. F. Enable termination protection for the job flow.

B. Change the input split size in the MapReduce job configuration. E. Adjust the number of simultaneous mapper tasks.

What is the maximum groups an IAM user be a member of? A. 20 B. 5 C. 10 D. 15

C. 10

What are the Amazon EC2 API tools? A. They don't exist. The Amazon EC2 AMI tools, instead, are used to manage permissions. B. Command-line tools to the Amazon EC2 web service. C. They are a set of graphical tools to manage EC2 instances. D. They don't exist. The Amazon API tools are a client interface to Amazon Web Services.

B. Command-line tools to the Amazon EC2 web service. Amazon EC2 API Tools AWS Command Line https://aws.amazon.com/tools/ https://aws.amazon.com/developertools/351

You run a website which hosts videos and you have two types of members, premium fee paying members and free members. All videos uploaded by both your premium members and free members are processed by a fleet of EC2 instances which will poll SQS as videos are uploaded. However you need to ensure that your premium fee paying members videos have a higher priority than your free members. How do you design SQS? A. SQS allows you to set priorities on individual items within the queue, so simply set the fee paying members at a higher priority than your free members. B. Create two SQS queues, one for premium members and one for free members. Program your EC2 fleet to poll the premium queue first and if empty, to then poll your free members SQS queue. C. SQS would not be suitable for this scenario. It would be much better to use SNS to encode the videos. Submit

B. Create two SQS queues, one for premium members and one for free members. Program your EC2 fleet to poll the premium queue first and if empty, to then poll your free members SQS queue.

What does ec2-create-group do with respect to the Amazon EC2 security groups? A. Creates a new rule inside the security group. B. Creates a new security group for use with your account. C. Creates a new group inside the security group. D. Groups the user created security groups in to a new group for easy access.

B. Creates a new security group for use with your account.

What does the ec2-create-group command do with respect to the Amazon EC2 security groups? A. Groups the user created security groups in to a new group for easy access. B. Creates a new security group for use with your account. C. Creates a new group inside the security group. D. Creates a new rule inside the security group.

B. Creates a new security group for use with your account.

Which is an operational process performed by AWS for data security? A. AES-256 encryption of data stored on any shared storage device B. Decommissioning of storage devices using industry-standard practices C. Background virus scans of EBS volumes and EBS snapshots D. Replication of data across multiple AWS Regions E. Secure wiping of EBS data when an EBS volume is unmounted

B. Decommissioning of storage devices using industry-standard practices

You working in the media industry and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security. A. Save the API credentials to your php files. B. Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it. C. Save your API credentials in a public Github repository. D. Pass API credentials to the instance using instance userdata.

B. Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.

Which of the following services allows you root access (i.e. you can login using SSH)? A. Elastic Load Balancer B. Elastic Map Reduce C. Elasticache D. RDS

B. Elastic Map Reduce

Which of the following cannot be used in EC2 to control who has access to specific EC2 instances? A. Security Groups B. IAM System C. SSH keys D. Windows passwords

B. IAM System

You are a solutions architect working for a biotech company who is pioneering research in immunotherapy. They have developed a new cancer treatment that may be able to cure up to 94% of cancers. They store their research data on S3, however recently an intern accidentally deleted some critical files. You've been asked to prevent this from happening in the future. What options below can prevent this? A. Make sure the interns can only access data on S3 using signed URLs. B. Enable S3 versioning on the bucket & enable Enable Multifactor Authentication (MFA) on the bucket. C. Use S3 Infrequently Accessed storage to store the data on. D. Create an IAM bucket policy that disables deletes. Submit

B. Enable S3 versioning on the bucket & enable Enable Multifactor Authentication (MFA) on the bucket.

Amazon Web Services offer 3 different levels of support, which of the below are valid support levels. A. Corporate, Business, Developer B. Enterprise, Business, Developer C. Enterprise, Business, Free Tier D. Enterprise, Company, Free Tier

B. Enterprise, Business, Developer

Typically, you want your application to check whether a request generated an error before you spend any time processing results. The easiest way to find out if an error occurred is to look for an ______ node in the response from the Amazon RDS API. A. Incorrect B. Error C. FALSE

B. Error Typically, you want your application to check whether a request generated an error before you spend any time processing results. The easiest way to find out if an error occurred is to look for an Error node in the response from the Amazon RDS API. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/APITroubleshooting.html

Can I detach the primary (eth0) network interface when the instance is running or stopped? A. Yes B. No C. Depends on the state of the interface at the time

B. No "You cannot detach a primary network interface from an instance. " http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

True or False: Manually created DB Snapshots are deleted after the DB Instance is deleted. A. TRUE B. FALSE

B. FALSE If you choose not to create a final DB snapshot, you will not be able to later restore the DB instance to its final state. When you delete a DB instance, all automated backups are deleted and cannot be recovered. Manual DB snapshots of the instance are not deleted. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html

Amazon EC2 has no Amazon Resource Names (ARNs) because you can't specify a particular Amazon EC2 resource in an IAM policy. A. TRUE B. FALSE

B. FALSE http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policy-structure.html#EC2_ARN_Format http://blogs.aws.amazon.com/security/post/Tx29HCT3ABL7LP3/Resource-level-Permissions-for-EC2-Controlling-Management-Access-on-Specific-Ins

True or False: Common points of failures like generators and cooling equipment are shared across Availability Zones. A. TRUE B. FALSE

B. FALSE. The idea of AZ is to increase the availability. If you share generator or cooling system for different A-Z, once the generator/cooling system is down, all A-Zs are down. It contradicts the original purpose.

Amazon S3 buckets in all other regions (other than US Standard) do not provide eventual consistency for overwrite PUTS and DELETES. A. True B. False

B. False

Amazon S3 buckets in the US Standard region do not provide eventual consistency. A. True B. False

B. False

New database versions will automatically be applied to AWS RDS instances as they become available. A. True B. False

B. False

Placement Groups can be created across 2 or more Availability Zones. A. True B. False

B. False

You can have 1 subnet stretched across multiple availability zones. A. True B. False

B. False

You can select a specific Availability Zone in which to place your DynamoDB Table A. True B. False

B. False

In Amazon CloudWatch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A. FreeStorage B. FreeStorageSpace C. FreeStorageVolume D. FreeDBStorageSpace

B. FreeStorageSpace

When should I choose Provisioned IOPS over Standard RDS storage? A. If you have batch-oriented workloads B. If you use production online transaction processing (OLTP) workloads. C. If you have workloads that are not sensitive to consistent performance D. If you infrequently read or write to the drive.

B. If you use production online transaction processing (OLTP) workloads. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html Amazon RDS provisions that IOPS rate and storage for the lifetime of the DB instance or until you change it. Provisioned IOPS storage is optimized for I/O intensive, online transaction processing (OLTP) workloads that have consistent performance requirements. Provisioned IOPS helps performance tuning

You are a security architect working for a large antivirus company. The production environment has recently been moved to AWS and is in a public subnet. You are able to view the production environment over HTTP however when your customers try to update their virus definition files over a custom port, that port is blocked. You log in to the console and you allow traffic in over the custom port. How long will this take to take effect? A. Straight away but to the new instances only. B. Immediately. C. After a few minutes this should take effect. D. Straight away to the new instances, but old instances must be stopped and restarted before the new rules apply.

B. Immediately.

How are the EBS snapshots saved on Amazon S3? A. Exponentially B. Incrementally C. EBS snapshots are not stored in the Amazon S3 D. Decrementally

B. Incrementally http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html You can back up the data on your EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs. When you delete a snapshot, only the data unique to that snapshot is removed. Active snapshots contain all of the information needed to restore your data (from the time the snapshot was taken) to a new EBS volume.

Amazon RDS automated backups and DB Snapshots are currently supported for only the ______ storage engine. A. MyISAM B. InnoDB

B. InnoDB

Can an EBS volume be attached to more than one EC2 instance at the same time? A. No B. Yes. C. Only EC2-optimized EBS volumes. D. Only in read mode.

B. Yes

You are a systems administrator and you need to monitor the health of your production environment. You decide to do this using Cloud Watch, however you notice that you cannot see the health of every important metric in the default dash board. Which of the following metrics do you need to design a custom cloud watch metric for, when monitoring the health of your EC2 instances? A. CPU Usage B. Memory usage C. Disk read operations D. Network in E. Estimated charges

B. Memory usage

Does Amazon RDS allow direct host access via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection? A. Yes B. No C. Depends on if it is in VPC or not

B. No Amazon RDS supports access to databases using any standard SQL client application. Amazon RDS does not allow direct host access. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.html

Is Federated Storage Engine currently supported by Amazon RDS for MySQL? A. Only for Oracle RDS instances B. No C. Yes D. Only in VPC

B. No The Federated Storage Engine is currently not supported by Amazon RDS for MySQL. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html

Can we attach an EBS volume to more than one EC2 instance at the same time? A. Yes B. No C. Only EC2-optimized EBS volumes. D. Only in read mode.

B. No http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance.

If an Amazon EBS volume is the root device of an instance, can I detach it without stopping the instance? A. Yes but only if Windows instance B. No C. Yes D. Yes but only if a Linux instance

B. No "If an EBS volume is the root device of an instance, you must stop the instance before you can detach the volume." http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html

What is the minimum charge for the data transferred between Amazon RDS and Amazon EC2 Instances in the same Availability Zone? A. USD 0.10 per GB B. No charge. It is free. C. USD 0.02 per GB D. USD 0.01 per GB

B. No charge. It is free. https://aws.amazon.com/rds/pricing/ Data transferred between Amazon RDS and Amazon EC2 Instances in the same Availability Zone is priced as follows Using a private IP address is free. Using a public or Elastic IP address is $0.01 per GB

What are the different types of virtualization available on EC2? A. Pseudo-Virtual (PV) & Hardware Virtual Module (HSM) B. Para-Virtual (PV) & Hardware Virtual Machine (HVM) C. Pseudo-Virtual (PV) & Hardware Virtual Machine (HVM) D. Para-Virtual (PV) & Hardware Virtual Module (HSM) Submit

B. Para-Virtual (PV) & Hardware Virtual Machine (HVM)

What does Amazon RDS stand for? A. Regional Data Server. B. Relational Database Service. C. Nothing. D. Regional Database Service.

B. Relational Database Service.

Select the most correct answer: The device name /dev/sda1 (within Amazon EC2 ) is _____ A. Possible for EBS volumes B. Reserved for the root device C. Recommended for EBS volumes D. Recommended for instance store volumes

B. Reserved for the root device The following table lists the available device names for Linux instances. The number of volumes that you can attach to your instance is determined by the operating system. For more information http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html The root device is typically /dev/sda1 (Linux) or xvda (Windows).

You have an EC2 instance which needs to find out both its private IP address and its public IP address. To do this you need to; A. Run IPCONFIG (Windows) or IFCONFIG (Linux) B. Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/ C. Retrieve the instance Userdata from http://169.254.169.254/latest/meta-data/ D. Use the following command; AWS EC2 displayIP

B. Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/

You work for a major news network in Europe. They have just released a new app which allows users to report on events as and when they happen using their mobile phone. Users are able to upload pictures from the app and then other users will be able to view these pics. Your organization expects this app to grow very quickly, essentially doubling it's user base every month. The app uses S3 to store the media and you are expecting sudden and large increases in traffic to S3 when a major news event takes place (as people will be uploading content in huge numbers). You need to keep your storage costs to a minimum however and it does not matter if some objects are lost. Which storage media should you use to keep costs as low as possible? A. S3 - Infrequently Accessed Storage. B. S3 - Reduced Redundancy Storage (RRS). C. Glacier. D. S3 - Provisioned IOPS.

B. S3 - Reduced Redundancy Storage (RRS).

Which of the following is NOT a valid SNS subscribers? A. Lambda B. SWF C. SQS D. Email E. HTTPS F. SMS

B. SWF

Select the correct set of steps for exposing the snapshot only to specific AWS accounts: A. Select public for all the accounts and check mark those accounts with whom you want to expose the snapshots and click save. B. SelectPrivate, enter the IDs of those AWS accounts, and clickSave. C. SelectPublic, enter the IDs of those AWS accounts, and clickSave. D. SelectPublic, mark the IDs of those AWS accounts as private, and clickSave.

B. SelectPrivate, enter the IDs of those AWS accounts, and clickSave."To expose the snapshot to only specific AWS accounts, choose Private, enter the ID of the AWS account (without hyphens) in the AWS Account Number field, and choose Add Permission. Repeat until you've added all the required AWS accounts" http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html "To expose the snapshot to only specific AWS accounts, choose Private, enter the ID of the AWS account (without hyphens) in the AWS Account Number field, and choose Add Permission. Repeat until you've added all the required AWS accounts" http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html

What does Amazon SES stand for? A. Simple Elastic Server. B. Simple Email Service. C. Software Email Solution. D. Software Enabled Server.

B. Simple Email Service.

What does Amazon SWF stand for? A. Simple Web Flow B. Simple Work Flow C. Simple Wireless Forms D. Simple Web Form

B. Simple Work Flow Q: What is Amazon SWF? Amazon Simple Workflow Service (SWF) is a web service that makes it easy to coordinate work across distributed application components https://aws.amazon.com/swf/faqs/

You are a solutions architect working for a company that specializes in ingesting large data feeds (using Kinesis) and then analyzing these feeds using Elastic Map Reduce (EMR). The results are then stored on a custom MySQL database which is hosted on an EC2 instance which has 3 volumes, the root/boot volume, and then 2 additional volumes which are striped in to a RAID 1. Your company recently had an outage and lost some key data and have since decided that they will need to run nightly back ups. Your application is only used during office hours, so you can afford to have some down time in the middle of the night if required. You decide to take a snapshot of all three volumes every 24 hours. In what manner should you do this? A. Take a snapshot of each volume independently, while the EC2 instance is running. B. Stop the EC2 instance and take a snapshot of each EC2 instance independently. Once the snapshots are complete, start the EC2 instance and ensure that all relevant volumes are remounted. C. Add two additional volumes to the existing RAID 0 volume and mirror these volumes creating a RAID 10. Take a snap of only the two new volumes. D. Create a read replica of the existing EC2 instance and then take your snapshots from the read replica and not the live EC2 instance.

B. Stop the EC2 instance and take a snapshot of each EC2 instance independently. Once the snapshots are complete, start the EC2 instance and ensure that all relevant volumes are remounted.

Before I delete an EBS volume, what can I do if I want to recreate the volume later? A. Create a copy of the EBS volume (not a snapshot) B. Store a snapshot of the volume C. Download the content to an EC2 instance D. Back up the data in to a physical disk

B. Store a snapshot of the volume After you no longer need an Amazon EBS volume, you can delete it. After deletion, its data is gone and the volume can't be attached to any instance. However, before deletion, you can store a snapshot of the volume, which you can use to re-create the volume later. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html

You are designing a site for a new start up which generates cartoon images for people automatically. Customers will log on to the site, upload an image which is stored in S3. The application then passes a job to AWS SQS and a fleet of EC2 instances poll the queue to receive new processing jobs. These EC2 instances will then turn the picture in to a cartoon and will then need to store the processed job somewhere. Users will typically download the image once (immediately), and then never download the image again. What is the most commercially feasible method to store the processed images? A. Rather than use S3, store the images inside a BLOB on RDS with Multi-AZ configured for redundancy. B. Store the images on S3 RRS, and create a lifecycle policy to delete the image after 24 hours. C. Store the images on glacier instead of S3. D. Use elastic block storage volumes to store the images.

B. Store the images on S3 RRS, and create a lifecycle policy to delete the image after 24 hours.

When you perform a restore operation to a point in time or from a DB Snapshot, a new DB Instance is created with a new endpoint. A. FALSE B. TRUE

B. TRUE

When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user. A. FALSE B. TRUE C. This is configurable

B. TRUE When you use the AWS Management Console to delete an IAM user, IAM automatically deletes the following information for you: The user Any group memberships—that is, the user is removed from any IAM groups that the user was a member of Any password associated with the user Any access keys belonging to the user All inline policies embedded in the user (policies that are applied to a user via group permissions are not affected) Note Any managed policies attached to the user are detached from the user when the user is deleted. Managed policies are not deleted when you delete a user. Any associated MFA device Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_manage.html#id_users_deleting_console

Without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use. A. FALSE B. TRUE

B. TRUE http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-setup.html AWS Identity and Access Management (IAM) helps you securely control access to Amazon Web Services (AWS) and your account resources. IAM can also keep your account credentials private. With IAM, you can create multiple IAM users under the umbrella of your AWS account or enable temporary access through identity federation with your corporate directory. In some cases, you can also enable access to resources across AWS accounts. Without IAM, however, you must either create multiple AWS accounts—each with its own billing and subscriptions to AWS products—or your employees must share the security credentials of a single AWS account. In addition, without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use.

You are charged for the IOPS and storage whether or not you use them in a given month? A. FALSE B. TRUE

B. TRUE https://aws.amazon.com/ebs/pricing/ http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html Provisioned IOPS Storage Costs Because Provisioned IOPS storage reserves resources for your use, you are charged for the resources whether or not you use them in a given month. When you use Provisioned IOPS storage, you are not charged the monthly Amazon RDS I/O charge. If you prefer to pay only for I/O that you consume, a DB instance that uses magnetic storage may be a better choice. For Amazon RDS pricing information, see the Amazon RDS product page.

True or False: When you perform a restore operation to a point in time or from a DB Snapshot, a new DB Instance is created with a new endpoint. A. FALSE B. TRUE

B. TRUE https://aws.amazon.com/rds/faqs/ Please note: When you perform a restore operation to a point in time or from a DB Snapshot, a new DB Instance is created with a new endpoint (the old DB Instance can be deleted if so desired). This is done to enable you to create multiple DB Instances from a specific DB Snapshot or point in time.

If you add a tag that has the same key as an existing tag on a DB Instance, the new value overwrites the old value. A. FALSE B. TRUE

B. TRUE If you add a tag that has the same key as an existing tag on that resource, the new value overwrites the old value. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

When you add a rule to a DB security group, you do not need to specify port number or protocol. A. Depends on the RDMS used B. TRUE C. FALSE

B. TRUE http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html DB Security Groups Each DB security group rule enables a specific source to access a DB instance that is associated with that DB security group. The source can be a range of addresses (e.g., 203.0.113.0/24), or an EC2 security group. When you specify an EC2 security group as the source, you allow incoming traffic from all EC2 instances that use that EC2 security group. Note that DB security group rules apply to inbound traffic only; outbound traffic is not currently permitted for DB instances. You do not need to specify a destination port number when you create DB security group rules; the port number defined for the DB instance is used as the destination port number for all rules defined for the DB security group. DB security groups can be created using the Amazon RDS APIs or the Amazon RDS page of the AWS Management Console. For more information about working with DB security groups, see Working with DB Security Groups.

By default, what happens to ENIs that are automatically created and attached to EC2 instances when the attached instance terminates? A. Remain as is B. Terminate C. Hibernate D. Pause

B. Terminate

Amazon S3 provides; A. Unlimited File Size for Objects B. Unlimited Storage C. A great place to run a No SQL database from D. The ability to act as a web server for dynamic content (i.e. can query a database)

B. Unlimited Storage

After an Amazon EC2-VPC instance is launched, can I change the VPC security groups it belongs to? A. No B. Yes C. Only if you are the root user D. Only if the tag "VPC_Change_Group" is true

B. Yes

After an EC2-VPC instance is launched, can I change the VPC security groups it belongs to? A. Only if the tag "VPC_Change_Group" is true B. Yes C. No D. Only if the tag "VPC Change Group" is true

B. Yes

Do the Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance? A. Only if instructed to when created B. Yes C. No

B. Yes Data persistence An EBS volume is off-instance storage that can persist independently from the life of an instance. You continue to pay for the volume usage as long as the data persists. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html#EBSFeatures

Can I encrypt connections between my application and my DB Instance using SSL? A. No B. Yes C. Only in VPC D. Only in certain regions

B. Yes Q: Can I encrypt connections between my application and my DB Instance using SSL? Yes, this option is currently supported for the MySQL, MariaDB, SQL Server, PostgreSQL, and Oracle engines. https://aws.amazon.com/rds/faqs/

If I modify a DB Instance or the DB parameter group associated with the instance, should I reboot the instance for the changes to take effect? A. No B. Yes

B. Yes http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html Most modifications to a DB instance can be applied immediately or applied during the next maintenance window. Some modifications, such as parameter group changes, require that you manually reboot your DB instance for the change to take effect. Some modifications result in an outage because Amazon RDS must reboot your DB instance for the change to take effect.

Will my standby RDS instance be in the same Region as my primary? A. Only for Oracle RDS types B. Yes C. Only if configured at launch D. No

B. Yes https://aws.amazon.com/rds/faqs/?nc1=h_ls Q: Will my standby be in the same Region as my primary? Yes. Your standby is automatically provisioned in a different Availability Zone of the same Region as your DB Instance primary.

Will I be charged if the DB instance is idle? A. No B. Yes C. Only is running in GovCloud D. Only if running in VPC

B. Yes https://aws.amazon.com/ec2/faqs/ Q: What defines billable EC2 instance-hours? Instance-hours are billed for any time your instances are in a "running" state. If you no longer wish to be charged for your instance, you must "stop" or "terminate" the instance to avoid being billed for additional instance-hours. Billing starts when an instance transitions into the running state.

A startup company hired you to help them build a mobile application, that will ultimately store billions of images and videos in S3. The company is lean on funding, and wants to minimize operational costs, however, they have an aggressive marketing plan, and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases in traffic to and from S3, and need to ensure that it can handle the performance needs of their application. What other information must you gather from this customer in order to determine whether S3 is the right option? A. You must know how many customers the company has today, because this is critical in understanding what their customer base will be in two years. B. You must find out the total number of requests per second at peak usage. C. You must know the size of the individual objects being written to S3, in order to properly design the key namespace. D. In order to build the key namespace correctly, you must understand the total amount of storage needs for each S3 bucket.

B. You must find out the total number of requests per second at peak usage.

You work in the genomics industry and you process large amounts of genomic data using a nightly Elastic Map Reduce (EMR) job. This job processes a single 3 Tb file which is stored on S3. The EMR job runs on 3 on-demand core nodes and four on-demand task nodes. The EMR job is now taking longer than anticipated and you have been asked to advise how to reduced the completion time? A. Use four Spot Instances for the task nodes rather than four On-Demand instances. B. You should reduce the input split size in the MapReduce job configuration and then adjust the number of simultaneous mapper tasks so that more tasks can be processed at once. C. Store the file on Elastic File Service instead of S3 and then mount EFS as an independent volume for your core nodes. D. Configure an independent VPC in which to run the EMR jobs and then mount EFS as an independent volume for your core nodes. E. Enable termination protection for the job flow.

B. You should reduce the input split size in the MapReduce job configuration and then adjust the number of simultaneous mapper tasks so that more tasks can be processed at once.

Location of Instances are _____ A. Regional B. based on Availability Zone C. Global

B. based on Availability Zone http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-regions-availability-zones

Security Groups can't _____. A. be nested more than 3 levels B. be nested at all C. be nested more than 4 levels D. be nested more than 2 levels

B. be nested at all http://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html Groups can't be nested; they can contain only users, not other groups.

Amazon S3 doesn't automatically give a user who creates a _____ permission to perform other actions on that bucket or object. Therefore, in your IAM policies, you must explicitly give users permission to use the Amazon S3 resources they create. A. file B. bucket or object C. bucket or file D. object or file

B. bucket or object Amazon S3 doesn't automatically give a user who creates a bucket or object permission to perform other actions on that bucket or object. Therefore, in your IAM policies, you must explicitly give users permission to use the Amazon S3 resources they create. http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html

Amazon Glacier is designed for: (Choose 2 answers) A. active database storage. B. infrequently accessed data. C. data archives. D. frequently accessed data. E. cached session data.

B. infrequently accessed data. C. data archives.

What is the command line instruction for running the remote desktop client in Windows? A. desk.cpl B. mstsc

B. mstsc

Every user you create in the IAM system starts with ______. A. full permissions B. no permissions C. partial permissions

B. no permissions http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html#NoDefaultPermissions

If I scale the storage capacity provisioned to my DB Instance by mid of a billing month, how will I be charged? A. you will be charged for the highest storage capacity you have used B. on a proration basis C. you will be charged for the lowest storage capacity you have used

B. on a proration basis See https://aws.amazon.com/rds/faqs/#15 If you scale your provisioned storage capacity within the month, your bill will be pro-rated.

Fill in the blanks: "To ensure failover capabilities, consider using a _____ for incoming traffic on a network interface". A. primary public IP B. secondary private IP C. secondary public IP D. add on secondary IP

B. secondary private IP See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#creating-a-management-network To ensure failover capabilities, consider using a secondary private IPv4 for incoming traffic on a network interface. In the event of an instance failure, you can move the interface and/or secondary private IPv4 address to a standby instance.

What is the default per account limit of Elastic IPs? A. 1 B. 3 C. 5 D. 0

C. 5

Is it possible to access your EBS snapshots? A. Yes, through the Amazon S3 APIs. B. Yes, through the Amazon EC2 APIs. C. No, EBS snapshots cannot be accessed; they can only be used to create a new EBS volume. D. EBS doesn't provide snapshots.

B. snapshots are only available through the Amazon EC2 API. https://aws.amazon.com/ebs/faqs/?nc1=h_ls

If your DB instance runs out of storage space or file system resources, its status will change to _____ and your DB Instance will no longer be available. A. storage-overflow B. storage-full C. storage-exceed D. storage-overage

B. storage-full

Which is the default region in AWS? A. eu-west-1 B. us-east-1 C. us-east-2 D. ap-southeast-1

B. us-east-1 All the main AWS services (except Route 53 & CloudFront) allow you to select which region you would like to use. The US East (N. Virginia) is the default region. You can change the region by using the dropdown menu in the top right of the management console.

A 3-tier e-commerce web application is current deployed on-premises and will be migrated to AWS for greater scalability and elasticity The web server currently shares read-only data using a network distributed file system The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast The database tier uses shared-storage clustering to provide database fall over capability, and uses several read slaves for scaling Data on all servers and the distributed file system directory is backed up weekly to off-site tapes Which AWS storage and database architecture meets the requirements of the application? A.Web servers, store read-only data in S3, and copy from S3 to root volume at boot time App servers snare state using a combination or DynamoDB and IP unicast Database use RDS with multi-AZ deployment and one or more Read Replicas Backup web and app servers backed up weekly via Mils database backed up via DB snapshots. B.Web servers store -read-only data in S3, and copy from S3 to root volume at boot time App servers share state using a combination of DynamoDB and IP unicast Database, use RDS with multi-AZ deployment and one or more read replicas Backup web servers app servers, and database backed up weekly to Glacier using snapshots. C.Web servers store read-only data In S3 and copy from S3 to root volume at boot time App servers share state using a combination of DynamoDB and IP unicast Database use RDS with multi-AZ deployment Backup web and app servers backed up weekly via AM is. database backed up via DB snapshots D.Web servers, store read-only data in an EC2 NFS server, mount to each web server at boot time App servers share state using a combination of DynamoDB and IP multicast Database use RDS with multl-AZ deployment and one or more Read Replicas Backup web and app servers backed up weekly via Mils database backed up via DB snapshots

B: can't directly backup EBS snapshots to Glacier. C: misses DB read replicas D: AWS does not support IP Multicast. Thus, A is the right answer. https://d0.awsstatic.com/whitepapers/Storage/AWS%20Storage%20Services%20Whitepaper-v9.pdf

You nave multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers A. Amazon EC2 placement groups B. Enhanced networking C. Amazon PV AMI D. Amazon HVM AMI E. Amazon Linux F. Amazon VPC

BDF A - Not supported for multi-AZ B - Enhanced Networking is a given. C or D? - I ruled out C because of this: Paravirtual guests traditionally performed better with storage and network operations than HVM guests because they could leverage special drivers for I/O that avoided the overhead of emulating network and disk hardware, whereas HVM guests had to translate these instructions to emulated hardware. Now these PV drivers are available for HVM guests, so operating systems that cannot be ported to run in a paravirtualized environment (such as Windows) can still see performance advantages in storage and network I/O by using them. With these PV on HVM drivers, HVM guests can get the same, or better, performance than paravirtual guests. E - Enhanced networking is supported on both Windows and Linux.... F - The instance needs to be in a VPC to enable enhanced networking.

Does Dynamic DB support in-place atomic updates? A. It is not defined B. No C. Yes D. It does support in-place non-atomic updates

C is correct. Q: Does DynamoDB support in-place atomic updates? Amazon DynamoDB supports fast in-place updates. You can increment or decrement a numeric attribute in a row using a single API call. Similarly, you can atomically add or remove to sets, lists, or maps. Source: https://aws.amazon.com/dynamodb/faqs/

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increases the fault tolerance of the connection to VPC-1? Choose 2 answers A.Establish a hardware VPN over the internet between VPC-2 ana the on-premises network. B.Establish a hardware VPN over the internet between VPC-1 and the on-premises network. C.Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2. D.Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1. E.Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

BE is the right answer. http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html

10) While working with the AWS API you receive the following error message: 409 Conflict. What might be the cause of this error?

Bucket already exists S3 error messages utilize HTTP error codes Further Reading httsz/linuxacademy.com/cp/courses/lesson/course/118/Iesson/6/module/11

9) How can you increase your DynamoDB table limit in a region?

By contacting AWS and requesting a limit increase

"10. Question How can an instance be copied to another region? 1. 2. There is no way to copy an instance to another region 2. 1. By creating an AMI and copy it to another region 3. 4. First instance's root volume is detached. Then a new instance is created in another region. Finally detached volume can be attached to new instance as root device 4. 3. By stopping instance and using copy option"

By creating an AMI and copy it to another region

Games-R-Us is launching a new game app for mobile devices. Users will log into the game using their existing Facebook account and the game will record player data and scoring information directly to a DynamoDB table. What is the most secure approach for signing requests to the DynamoDB API? A.Create an IAM user with access credentials that are distributed with the mobile app to sign the requests B.Distribute the AWS root account access credentials with the mobile app to sign the requests C.Request temporary security credentials using web identity federation to sign the requests D.Establish cross account access between the mobile app and the DynamoDB table to sign the requests

C

The Trusted Advisor service provides insight regarding which four categories of an AWS account? A.Security, fault tolerance, high availability, and connectivity B.Security, access control, high availability, and performance C.Performance, cost optimization, security, and fault tolerance D.Performance, cost optimization, access control, and connectivity

C Based of: https://aws.amazon.com/premiumsupport/trustedadvisor/

When will you incur costs with an Elastic IP address (EIP)? A.When an EIP is allocated. B.When it is allocated and associated with a running instance. C.When it is allocated and associated with a stopped instance. D.Costs are incurred regardless of whether the EIP is associated with a running instance.

C If you no longer need an Elastic IP address, we recommend that you release it (the address must not be associated with an instance). You incur charges for any Elastic IP address that's allocated for use with EC2-Classic but not associated with an instance. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

What is the minimum time Interval for the data that Amazon CloudWatch receives and aggregates? A.One second B.Five seconds C.One minute D.Three minutes E.Five minutes

C Q: What is the minimum granularity for the data that Amazon CloudWatch receives and aggregates? The minimum granularity supported by CloudWatch is 1 minute data points. Many metrics are received and aggregated at 1-minute intervals. Some are received at 3-minute or 5-minute intervals. https://aws.amazon.com/cloudwatch/faqs/

While creating the snapshots using the command line tools, which command should I be using? A.ec2-deploy-snapshot B.ec2-fresh-snapshot C.ec2-create-snapshot D.ec2-new-snapshot

C http://docs.aws.amazon.com/cli/latest/reference/ec2/create-snapshot.html

What does the following command do with respect to the Amazon EC2 security groups? ec2-revoke RevokeSecurityGroupIngress A.Removes one or more security groups from a rule. B.Removes one or more security groups from an Amazon EC2 instance. C.Removes one or more rules from a security group. D.Removes a security group from our account.

C Removes one or more ingress rules from a security group. The values that you specify in the revoke request (for example, ports) must match the existing rule's values for the rule to be removed. http://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html

SQL Server __________ store logins and passwords in the master database. A.can be configured to but by default does not B.doesn't C.does

C http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Procedural.Importing.Snapshots.html SQL Server stores logins and passwords in the master database. Because Amazon RDS doesn't grant access to the master database, you cannot directly import logins and passwords into your destination DB instance. There are two authentications Windows authetication The credentials for which are not stored in SQl Server database and managed by windows/AD. There would be entry for windows autheticated logins in master database with respective SID but password would be with Active directory. SQL Server authetication. For 2nd we have password stored in hash format you can see it from sys.sql_logins. The information about SQl server logins are stored in master database and each login has SID repective to it. Only SA login has same SID no matter what server it is. That is why when you move database by backup restore mechanism users are moved not logins and you finally have to create logins(if already not there) and map it to users. This is generally called as troubleshooting orpahned users

What is the maximum write throughput I can provision for a single Dynamic DB table? A.1,000 write capacity units B.100,000 write capacity units C.Dynamic DB is designed to scale without limits, but if you go beyond 10,000 you have to contact AWS first. D.10,000 write capacity units

C https://aws.amazon.com/dynamodb/faqs/ Q: What is the maximum throughput I can provision for a single DynamoDB table? DynamoDB is designed to scale without limits However, if you wish to exceed throughput rates of 10,000 write capacity units or 10,000 read capacity units for an individual table, you must first contact Amazon through this online form. If you wish to provision more than 20,000 write capacity units or 20,000 read capacity units from a single subscriber account you must first contact us using the form described above. Q: Is there a limit to how much throughput I can get out of a single table? No, you can increase the throughput you have provisioned for your table using UpdateTable API or in the AWS Management Console. DynamoDB is able to operate at massive scale and there is no theoretical limit on the maximum throughput you can achieve. DynamoDB automatically divides your table across multiple partitions, where each partition is an independent parallel computation unit. DynamoDB can achieve increasingly high throughput rates by adding more partitions. If you wish to exceed throughput rates of 10,000 writes/second or 10,000 reads/second, you must first contact Amazon through this online form.

A US-based company is expanding their web presence into Europe. The company wants to extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1) region. Which of the following options would enable an equivalent experience for users on both continents? A.Use a public-facing load balancer per region to load-balance web traffic, and enable HTTP health checks. B.Use a public-facing load balancer per region to load-balance web traffic, and enable sticky sessions. C.Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both regions. D.Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions.

C http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-weighted

An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, AutoScaling will: Choose 2 answers A.Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the instance. B.Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected. C.Send an SNS notification, if configured to do so. D.Terminate an instance in the AZ which currently has 2 running EC2 instances. E.Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

C & D http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AutoScalingBehavior.InstanceTermination.html http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html C: For example, if you configure your Auto Scaling group to use the autoscaling: EC2_INSTANCE_TERMINATE notification type, and your Auto Scaling group terminates an instance, it sends an email notification. This email contains the details of the terminated instance, such as the instance ID and the reason that the instance was terminated. D:Auto Scaling determines whether there are instances in multiple Availability Zones. If so, it selects the Availability Zone with the most instances and at least one instance that is not protected from scale in. If there is more than one Availability Zone with this number of instances, Auto Scaling selects the Availability Zone with the instances that use the oldest launch configuration.

You are designing an SSUTLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient. Which of the following options would you consider for configuring the web server infrastructure? (Choose 2 answers) A.Configure ELB with TCP listeners on TCP/4d3. And place the Web servers behind it. B.Configure your Web servers with EIPS Place the Web servers in a Route53 Record Set and configure health checks against all Web servers. C.Configure ELB with HTTPS listeners, and place the Web servers behind it. D.Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.

C & D. Explanation: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-listener-config.html HTTPS/SSL Listeners You can create an HTTPS load balancer with the following security features. SSL Server Certificates If you use HTTPS or SSL for your front-end listener, you must deploy an X.509 certificate (SSL server certificate) on your load balancer. The load balancer decrypts requests from clients before sending them to the back-end instances (known as SSL termination). For more information, see SSL/TLS Certificates for Classic Load Balancers. https://aws.amazon.com/cloudfront/custom-ssl-domains/ Custom SSL Options for Amazon CloudFront Custom SSL certificate support lets you deliver content over HTTPS using your own domain name and your own SSL certificate. This gives visitors to your website the security benefits of CloudFront over an SSL connection that uses your own domain name in addition to lower latency and higher reliability.

Which of the following are correct statements with policy evaluation logic in AWS Identity and Access Management? Choose 2 answers A.An explicit deny does not override an explicit allow B.By default, all request are allowed C.An explicit allow overrides default deny. D.An explicit allow overrides an explicit deny E.By default, all requests are denied

C & E

Which of the following are valid statements about Amazon S3? Choose 2 answers A.S3 provides read-after-write consistency for any type of PUT or DELETE. B.Consistency is not guaranteed for any type of PUT or DELETE. C.A successful response to a PUT request only occurs when a complete object is saved. D.Partially saved objects are immediately readable with a GET after an overwrite PUT. E.S3 provides eventual consistency for overwrite PUTS and DELETES.

C and E are reasonable Q: What data consistency model does Amazon S3 employ? Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES. Source: https://aws.amazon.com/s3/faqs/ more details: http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html#ConsistencyModel Amazon S3 never adds partial objects; if you receive a success response, Amazon S3 added the entire object to the bucket. Source: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html

Your fortune 500 company has under taken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware The outcome was that ail employees would be granted access to use Amazon S3 for storage of their personal documents. Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose 3 Answers) A.Setting up a federation proxy or identity provider B.Using AWS Security Token Service to generate temporary tokens C.Tagging each folder in the bucket D.Configuring IAM role E.Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket

C defnitiely does not solve any problem. Not sure why it is selected. E. "Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket". Does not make sense for several users. Not a scalable solution. This leaves us with A, B, D

You've been hired to enhance the overall security posture for a very large e-commerce site They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3 They are using a combination of RDS and DynamoOB for their dynamic data and then archiving nightly into S3 for further processing with EMR They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack? A.Recommend mat they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to tneirvPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. B.Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. C.Add a WAF tier by creating a new ELB and an AutoScalmg group of EC2 Instances running a host-based WAF They would redirect Route 53 to resolve to the new WAF tier ELB The WAF tier would thier pass the traffic to the current web tier The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group D.Remove all but TLS 1 2 from the web tier ELB and enable Advanced Protocol Filtering This will enable the ELB itself to perform WAF functionality

C is correct A: too expensive and complex B: would not protect against new sources D: there is no such thing as Advanced Protocol Filtering on ELB.

You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. Which alternatives should you consider? (Choose 2 answers) A.Configure a NAT instance in your VPC Create a default route via the NAT instance and associate it with all subnets Configure a DNS A record that points to the NAT instance public IP address. B.Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers Configure a Route53 CNAME record to your CloudFront distribution. C.Place all your web servers behind EL8 Configure a Route53 CNMIE to point to the ELB DNS name. D.Assign BPs to all web servers. Configure a Route53 record set with all EIPs. With health checks and DNS failover. E.Configure ELB with an EIP Place all your Web servers behind ELB Configure a Route53 A record that points to the EIP.

C is possible if the domain is not an apex domain and hence C is feasible assuming website will start with subdomain http://WWW.domainname.com D is feasible Option A: NAT instance doesn't make a sense here Option E: ELB with an EIP (we assign EIP's to instances) So A&E are ruled out. Choosing between B,C & D Option B is wrong as it says "origin to point to the private IP addresses of your Web servers" (Private IP Address pointing) So Answer -> C&D

An AWS customer is deploying an application mat is composed of an AutoScaling group of EC2 Instances. The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific instanceid. In addition an x 509 certificates must Designed by the customer's Key management service in order to be trusted for authentication. Which of the following configurations will support these requirements? A.Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure me Auto Scaling group to launch instances with this role Have the instances bootstrap get the certificate from Amazon S3 upon first boot. B.Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group Have the launched instances generate a certificate signature request with the instance's assigned instance-id to the Key management service for signature. C.Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance. D.Configure the launched instances to generate a new certificate upon first boot Have the Key management service poll the AutoScaling group for associated instances and send new instances a certificate signature (hat contains the specific instance-id.

C is the right answer and here's why: The certificate must be signed by the customers key management service and this is the only option. Using S3 wont have it unique, embedding in AMI wont make it unique, Generating a new certificate by itself would defeat the requirement of getting it signed by customers key management service. A - Accessing from S3 was fine but how can the file be unique when every time autoscaling generates different instances and instance-id.. Thats not predictable B - Embedding a certificate in AMI cannot make the certificate unique. D - As the EC2 instances must generate unique X.509 certificate and this must be specific to the instance id. The EC2 instance can generate the certificate itself BUT it is clearly mentioned that the certificate must be signed by the customers key management service and not self signed.

Is there a method in the IAM system to allow or deny access to a specific instance? A. Only for VPC based instances B. Yes C. No

C is the right answer. B is wrong because IAM doesn't control access to login to instances. See https://aws.amazon.com/blogs/security/demystifying-ec2-resource-level-permissions/

Your company previously configured a heavily used, dynamically routed VPN connection between your onpremises data center and AWS. You recently provisioned a DirectConnect connection and would like to start using the new connection. After configuring DirectConnect settings in the AWS Console, which of the following options win provide the most seamless transition for your users? A.Delete your existing VPN connection to avoid routing loops configure your DirectConnect router with the appropriate settings and verity network traffic is leveraging DirectConnect. B.Configure your DireclConnect router with a higher 8GP priority man your VPN router, verify network traffic is leveraging Directconnect and then delete your existing VPN connection. C.Update your VPC route tables to point to the DirectConnect connection configure your DirectConnect router with the appropriate settings verify network traffic is leveraging DirectConnect and then delete the VPN connection. D.Configure your DireclConnect router, update your VPC route tables to point to the DirectConnect connection, configure your VPN connection with a higher BGP pointy. And verify network traffic is leveraging the DirectConnect connection.

C is the right answer. Q. Can I use AWS Direct Connect and a VPN Connection to the same VPC simultaneously? Yes. However, only in fail-over scenarios. The Direct Connect path will always be preferred, when established, regardless of AS path prepending. https://aws.amazon.com/directconnect/faqs/

You are designing a photo sharing mobile app the application will store all pictures in a single Amazon S3 bucket. Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3. You want to configure security to handle potentially millions of users in the most secure manner possible. What should your server-side application do when a new user registers on the photo-sharing mobile application? A.Create a set of long-term credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app and use them to access Amazon S3. B.Record the user's Information in Amazon RDS and create a role in IAM with appropriate permissions. When the user uses their mobile app create temporary credentials using the AWS Security Token Service 'AssumeRole' function Store these credentials in the mobile app's memory and use them to access Amazon S3 Generate new credentials the next time the user runs the mobile app. C.Record the user's Information In Amazon DynamoDB. When the user uses their mobile app create temporary credentials using AWS Security Token Service with appropriate permissions Store these credentials in the mobile app's memory and use them to access Amazon S3 Generate new credentials the next time the user runs the mobile app. D.Create IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3. E.Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user Generate an access Key and secret Key for the IAM user, store them In the mobile app and use these credentials to access Amazon S3.

C is the right answer. Kirrim did the perfect analysis. See documentation here: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html The following are the default maximums for IAM entities: Groups in an AWS account: 100 Users in an AWS account: 5000 If you need to add a large number of users, consider using temporary security credentials. For more information about temporary security credentials, go to Temporary Security Credentials. Roles in an AWS account: 250

Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances. Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to: - launch, start stop, and terminate development resources. - launch and start production instances. A.Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection. B.Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources. C.Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances D.Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.

C is wrong because it does not disable user from terminating instances. D is wrong because it does not differentiate between production and development instances. B is the right answer, see here: https://aws.amazon.com/blogs/security/resource-level-permissions-for-ec2-controlling-management-access-on-specific-instances/

EC2 instances are launched from Amazon Machine images (AMIS). A given public AMI can: A.be used to launch EC2 Instances in any AWS region. B.only be used to launch EC2 instances in the same country as the AMI is stored. C.only be used to launch EC2 instances in the same AWS region as the AMI is stored. D.only be used to launch EC2 instances in the same AWS availability zone as the AMI is stored

C.

Please select the Amazon EC2 resource which cannot be tagged(Select 2 answers) A. Network ACL B. Internet Gateway C. Key Pair D. Elastic IP E. Route Table

C, D

You need to configure an Amazon 53 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2 answers A. Amazon 53 objects default to public read, so no action is needed B. Use AWS Identity and Access Management roles to set the bucket to public read C. Configure the bucket policy to set all objects to public read D. Configure the bucket ACL to set all objects to public read E. Set permissions on the object to public read during upload

C, D You can use ACLs to grant permissions to individual AWS accounts; however. it is strongly recommended that you do not grant public access to your bucket using an ACL. So the recommended approach is create bucket policy. but not ACL. You must grant read permission on the specific objects to make them publicly accessible so that your users can view them on your website. You make objects publicly readable by using either the object ACL or by writing a bucket policy

How is provisioned throughput affected by the chosen consistency model when readingdata from a DynamoDB table? A.Strongly consistent reads use the same amount of throughput as eventually consistent reads B.Strongly consistent reads use variable through put depending on read activity C.Strongly consistent reads use more throughput than eventually consistent reads. D.Strongly consistent reads use less throughput than eventually consistent reads

C.

Which DynamoDB limits can be raised by contacting AWS support? Choose 2 answers A.The number of hash keys per account B.The maximum storage used per account C.The number of tables per account D.The number of local secondary indexes per account E.The number of provisioned throughput units per account

C, E

When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes? A.Data is automatically saved in an EBS volume. B.Data is unavailable until the instance is restarted. C.Data will be deleted and will no longer be accessible. D.Data is automatically saved as an EBS snapshot.

C, read question carefully! Non-relevant part of question: "When en EC2 EBS-backed (EBS root) ..." Relevant, as Lee pointed out: "data on any ephemeral store volumes" Question is about "ephemeral store volumes", not about "EBS-backed (EBS root)". http://docs.aws.amazon.com/ElasticMapReduce/latest/DeveloperGuide/emr-storage-instancestore.html "An instance store provides the default ephemeral block-level storage for your instance." "Instance store devices persist for the lifetime of either your cluster or your instance" Data on ephemeral store volumes is lost after stop

A user has setup an EBS backed instance and attached 2 EBS volumes to it. The user has setup a CIoudWatch alarm on each volume for the disk data. The user has stopped the EC2 instance and detached the E85 volumes. What will be the status of the alarms on the EBS volume? A. OK B. Alarm C. Insufficient Data D. The EBS cannot be detached until all the alarms are removed

C.

A user has stored data on an encrypted EBS volume. The user wants to share the data with his customer's AWS account. How can user achieve this? A. Copy the data to an unencrypted volume and then share B. If both the accounts are using the same encryption key then the user can share the volume directly C. Take a snapshot and share the snapshot with a customer D. Create an AMI from the volume and share the AMI

C.

Availability Zones allow for this type of cloud architecture: Choose the correct answer: A. Elastic architecture B. Streamlined architecture C. Highly available and fault tolerant architecture D. None of the above

C.

Company D is running their corporate website on Amazon S3 accessed from http//www.companyd.com. Their marketing team has published new web fonts to a separate S3 bucket accessed by the $3 endpoint https://53-us-west1.amazonaws.com/cdfonts. While testing the new web fonts, Company D recognized the web fonts are being blocked by the browser. What should Company D do to prevent the web fonts from being blocked by the browser? A.Create a policy on the cdfonts bucket to enable access to everyone B.Add the Content-Mo5 header to the request for webfonts in the cdfonts bucket from the website C.Configure the cdfonts bucket to allow cross-origin requests by creating a CORS configurafion D.Enable versioning on the cdfonts bucket for each web font

C.

If you have an object that is easily reproducible and must be quickly accessible, what would be the best storage class to use for it? Choose the correct answer: A. Infrequent Access B. Glacier C. Reduced Redundancy D. Standard

C.

If you want to grant S3 access to an EC2 instance, what should you do? Choose the correct answer: A. Call your system admin for assistance B. Attach an S3 full access policy to the EC2 instance C. Create an EC2 Role and attach an S3 access policy to it D. Create a user for the EC2 instance with an S3 policy attached to it

C.

What feature MUST be used to change an object's storage class to Glacier? Choose the correct answer: A. Versioning B. Multi-part upload C. Lifecycles D. You can manually set Glacier as a storage class

C.

Which API would you use to get information(status, primary key schema, indexes) about the table with Amazon DynamoDB? A. DetaiIsTabIe B. DescTable C. DescribeTable D. GetTabIeMetaData

C.

Which of the following best describes an AMI? Choose the correct answer: A. An image of an EBS volume B. A firewall C. A prepreconflgured package that provides the information required to launch an EC2 instance D .The EC2 instance's hardware configuration

C.

Which of the following is NOT a component of EC2? Choose the correct answer: A. Amazon Machine Images B. Block storage C. Screen resolution D. Instance type

C.

Which of the following is chosen as the default region when making an API call with an AWS SDK? A.ap-northeast-l B.us-west-Z C.us-east-l D.eu-west-l E.us-centraI-l

C.

You are configuring your company application to use Auto Scaling, and need to move user state information. Which of the following AWS services provides a shared data store with durability and low latency? A. Amazon EC2 instance storage B. AWS ElastiCache Memcached C. Amazon Simple Storage Service D. Amazon DynamoDB

C.

You are providing AWS consulting services for a company developing a new mobile application that will be leveraging Amazon SNS Mobile Push for push notifications. In order to send direct notification messages to individual devices each device registration identifier or token needs to be registered with SNS; however the developers are not sure of the best way to do this. You advise them to: A.Call the CreatePIatformEndPoint API function to register multiple device tokens. B.Bulk upload the device tokens contained in a CSV file via the AWS Management Console. C.Let the push notification service (e.g. Amazon Device Messaging) handle the registration. D.Implement a token vending service to handle the registration.

C.

Using Amazon IAM, can I give permission based on organizational groups? A.Yes but only in certain cases B.No C.Yes always

C. IAM Groups An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users. http://docs.aws.amazon.com/IAM/latest/UserGuide/id.html

You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make? A.Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer. B.Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer. C.Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer. D.Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

C. A load balancer accepts incoming traffic from clients and routes requests to its registered EC2 instances in one or more Availability Zones. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/how-elb-works.html Updated Security Whitepaper link: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

A meteorological system monitors 600 temperature gauges, obtaining temperature samples every minute and saving each sample to a DynamoDB table. Each sample involves writing 1K of data and the writes are evenly distributed over time. How much write throughput is required for the target table? A.3600 write capacity units B.1 write capacity unit C. 10 write capacity units D.60 write capacity units E.600 write capacity units

C. 500 gauges per minute therefore 600/60 = 10 gauges per second conditional rights = 10 x lKB = 10 writes

Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties? A.Instance user data B.Resource tags C.Instance metadata D.Amazon Machine Image

C. Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-retrieval

In the Amazon cloud watch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A. FreeStorage B. FreeStorageVolume C. FreeStorageSpace D. FreeDBStorageSpace

C. Amazon Relational Database Service sends metrics to CIoudWatch for each active database instance every minute. Detailed monitoring is enabled by default. FreeStorageSpace: The amount of available random access memory. Units: Bytes

A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection? A.The security group is not configured properly B.The instance CPU is heavily loaded C.The user has provided the wrong user name for the OS login D. The access key to connect to the instance is wrong

C. Host key not found. Permission denied (public key). or Authentication failed. permission denied If you connect to your instance using SSH and get any of the following errors. Host key not found in [directory]. Permission denied (public key). or Authentication failed. permission denied. verify that you are connecting with the appropriate user name for your AMI and that you have specified the proper private key (.pem) file for your instance.

On the Amazon S3, the object you request does not exist and you did not have the s3:ListBucket permission also. S3 will return? A. HTTP status code 402 ("permission denied") B. HTTP status code 404 ("no such key") error C. HTTP status code 403 ("access denied") D. HTTP status code 401 ("access denied")

C. If the object you request does not exist. the error Amazon S3 returns depends on whether you also have the s3:ListBucket permission. If you have the s3:ListBucket permission on the bucket. Amazon S3 will return an HTTP status code 404 ("no such key") error. If you don't have the s3:ListBucket permission. Amazon S3 will return an HTTP status code 403 ("access denied") error.

A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content for a web-based property. The customer is storing objects using the Standard Storage class. Where are the customers objects replicated? A.A single facility in eu-west-1 and a single facility in eu-central-1 B.A single facility in eu-west-1 and a single facility in us-east-1 C.Multiple facilities in eu-west-1 D.A single facility in eu-west-1

C. Objects stored in a region never leave the region unless you explicitly transfer them to another region. For example, objects stored in the EU (Ireland) region never leave it. Source: http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html#Regions

A t2.medium EC2 instance type must be launched with what type of Amazon Machine Image (AMI)? A.An Instance store Hardware Virtual Machine AMI B.An Instance store Paravirtual AMI C.An Amazon EBS-backed Hardware Virtual Machine AMI D.An Amazon EBS-backed Paravirtual AMI

C. Some Closing Thoughts My personal experiments have led me to believe that the T2's are going to be a really nice fit for a very wide variety of use cases. I'm looking forward to hearing your feedback! Although the comparison is necessarily inexact, it is reasonable to map previous generations of EC2 instances to the T2 instances like this: t1.micro to t2.micro m1.small to t2.small m1.medium to t2.medium Replacing your previous generation instances with the equivalent T2 instances will give you significantly better performance at under half the cost. If you are planning to do this (I certainly am), don't forget that the T2 instances do not include any local (instance) storage and that you'll need to use one or more EBS volumes instead. The T2 instances use Hardware Virtualization (HVM) in order to get the best possible performance from the underlying CPU and you will need to use an HVM AMI. https://aws.amazon.com/blogs/aws/low-cost-burstable-ec2-instances/ Answer c

What happens if a user tries to access a service that has not yet been integrated with IAM? A. The service returns an "IAM not integrated" error B. AWS allows to access the service with full permission C. The service returns an "Access denied" error D. AWS allows to access the service with limited permission

C. What happens if a user tries to access a service that has not yet been integrated with IAM? The service returns an "Access denied" error.

The one-time payment for Reserved Instances is __________ refundable if the reservation is cancelled. A. always B. in some circumstances C. never

C. the one-time fee is non-refundable. https://aws.amazon.com/ec2/purchasing-options/reserved-instances/buyer/

In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send _____ minute metrics to Amazon CloudWatch. A. 5 B. 2 C. 1 D. 3

C. 1

A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario? A. It will delete the subnet as well as terminate the instances B. It will delete teh subnet and make the EC2 instance as a part of the default subnet C. It will not allow the user to delete the subnet until the instances are terminated D. The subnet can never be deleted independently, but the user has to delete the VPC first

C. Deleting Your VPC You can delete your VPC at any time (for example. if you decide it's too small). However. you must terminate all instances in the VPC first. When you delete a VPC using the Amazon VPC console. we delete all its components. such as subnets. security groups. network ACLs. route tables. Internet gateways. VPC peering connections. and DHCP options.

How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another? A. Detach the volume and attach it to another EC2 instance in the other AZ. B. Simply create a new volume in the other AZ and specify the original volume as the source. C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ. D. Detach the volume, then use the ec2-migrate-voiume command to move it to another AZ.

C. See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html: These snapshots can be used to create multiple new EBS volumes, expand the size of a volume, or move volumes across Availability Zones.

You are building a solution for a customer to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement? A. Amazon VPC peering B. Elastic IP Addresses C. AWS Direct Connect D. Amazon VPC virtual private gateway

C. https://aws.amazon.com/directconnect/faqs/ Q. What connection speeds are supported by AWS Direct Connect? 1Gbps and 10Gbps ports are available.Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect. Q. How does AWS Direct Connect differ from an IPSec VPN Connection? A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

What are characteristics of Amazon S3? Choose 2 answers A.S3 allows you to store objects of virtually unlimited size. B.S3 offers Provisioned IOPS. C.S3 allows you to store unlimited amounts of data. D.S3 should be used to host a relational database. E.Objects are directly accessible via a URL.

C. & E. C: https://aws.amazon.com/s3/faqs/ Q: How much data can I store? The total volume of data and number of objects you can store are unlimited. Individual Amazon S3 objects can range in size from a minimum of 0 bytes to a maximum of 5 terabytes. The largest object that can be uploaded in a single PUT is 5 gigabytes. For objects larger than 100 megabytes, customers should consider using the Multipart Upload capability. E: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingBucket.html Amazon S3 supports both virtual-hosted-style and path-style URLs to access a bucket.

What does a "Domain" refer to in Amazon SWF? A. A security group in which only tasks inside can communicate with each other B. A special type of worker C. A collection of related Workflows D. The DNS record for the Amazon SWF service

C. A collection of related Workflows Domains provide a way of scoping Amazon SWF resources within your AWS account. All the components of a workflow, such as the workflow type and activity types, must be specified to be in a domain. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with each other. http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domain.html

What is Amazon Glacier? A. It's a security tool that allows to "freeze" an EC2 instance and perform computer forensics on it. B. A security tool that allows to "freeze" an EBS volume and perform computer forensics on it. C. A low-cost storage service that provides secure and durable storage for data archiving and backup. D. You mean Amazon "Iceberg": it's a low-cost storage service.

C. A low-cost storage service that provides secure and durable storage for data archiving and backup.

What is Amazon Glacier? A. There is no such thing B. A security tool that allows "freezing" an EBS volume to perform computer forensics on it. C. A low-cost storage service that provides secure and durable storage for data archiving and backup. D. A security tool that allows "freezing" an EC2 instance to perform computer forensics on it.

C. A low-cost storage service that provides secure and durable storage for data archiving and backup. https://aws.amazon.com/glacier/ Amazon Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup.

What does Amazon ElastiCache provide? A. A service by this name doesn't exist. Perhaps you mean Amazon CloudCache. B. A virtual server with a huge amount of memory. C. A managed In-memory cache service. D. An Amazon EC2 instance with the Memcached software already pre-installed.

C. A managed In-memory cache service.

What does Amazon Route53 provide? A. A global Content Delivery Network. B. None of these. C. A scalable Domain Name System. D. An SSH endpoint for Amazon EC2.

C. A scalable Domain Name System. https://aws.amazon.com/route53/

What does Amazon CloudFormation provide? A. The ability to setup Autoscaling for Amazon EC2 instances. B. None of these. C. A template resource creation for Amazon Web Services. D. A template to map network resources for Amazon Web Services.

C. A template resource creation for Amazon Web Services. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you.

The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. A. Amazon RDS B. AWS Integrity Management C. AWS Identity and Access Management D. Amazon EMR

C. AWS Identity and Access Management https://aws.amazon.com/documentation/iam/?nc1=h_ls

What can I access by visiting the URL: http://status.aws.amazon.com/ ? A. Amazon Cloud Watch B. Status of the Amazon RDS DB C. AWS Service Health Dashboard D. AWS Cloud Monitor

C. AWS Service Health Dashboard

You are creating your own relational database on an EC2 instance and you need to maximize IOPS performance. What can you do to achieve this goal? A. Add a single additional volume to the EC2 instance with provisioned IOPS. B. Create the database on an S3 bucket. C. Add multiple additional volumes with provisioned IOPS and then create a RAID 0 stripe across those volumes. D. Attach the single volume to multiple EC2 instances so as to maximize performance.

C. Add multiple additional volumes with provisioned IOPS and then create a RAID 0 stripe across those volumes.

What are the initial settings of an user created security group? A. Allow all inbound traffic and Allow no outbound traffic B. Allow no inbound traffic and Allow no outbound traffic C. Allow no inbound traffic and Allow all outbound traffic D. Allow all inbound traffic and Allow all outbound traffic

C. Allow no inbound traffic and Allow all outbound traffic See http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#creating-your-own-security-groups The following are the default rules for a security group that you create: • Allows no inbound traffic • Allows all outbound traffic

Which Amazon Storage behaves like raw, unformatted, external block devices that you can attach to your instances? A. None of these. B. Amazon Instance Storage C. Amazon EBS D. All of these

C. Amazon EBS An EBS volume behaves like a raw, unformatted, external block device that you can attach to a single instance. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Storage.html http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

Fill in the blanks: Resources that are created in AWS are identified by a unique identifier called an _____. A. Amazon Resource Number B. Amazon Resource Name tag C. Amazon Resource Name D. Amazon Reesource Namespace

C. Amazon Resource Name http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) uniquely identify AWS resources. We require an ARN when you need to specify a resource unambiguously across all of AWS, such as in IAM policies, Amazon Relational Database Service (Amazon RDS) tags, and API calls.

What action is required to establish a VPC VPN connection between an on-premises data center and an Amazon VPC virtual private gateway? A. Modify the main route table to allow traffic to a network address translation instance. B. Use a dedicated network address translation instance in the public subnet. C. Assign a static Internet-routable IP address to an Amazon VPC customer gateway. D. Establish a dedicated networking connection using AWS Direct Connect.

C. Assign a static Internet-routable IP address to an Amazon VPC customer gateway.

You have an VPC with a public subnet. Three EC2 instances currently running inside the subnet can successfully communicate with other hosts on the internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable Internet access? A. Deploy a NAT instance into the public subnet. B. Modify the routing table for the public subnet. C. Assign an elastic IP address to the fourth instance. D. Configure a publicly routable IP address in the host OS of the fourth instance.

C. Assign an elastic IP address to the fourth instance.

You are appointed as your company's Chief Security Officer and you want to be able to track all changes made to your AWS environment, by all users and at all times, in all regions. What AWS service should you use to achieve this? A. CloudAudit B. CloudWatch C. CloudTrail D. CloudDetective

C. CloudTrail

You have a high performance compute application and you need to minimize network latency between EC2 instances as much as possible. What can you do to achieve this? A. Use Elastic Load Balancing to load balance traffic between availability zones B. Create a CloudFront distribution and to cache objects from an S3 bucket at Edge Locations. C. Create a placement group within an Availability Zone and place the EC2 instances within that placement group. D. Deploy your EC2 instances within the same region, but in different subnets and different availability zones so as to maximize redundancy.

C. Create a placement group within an Availability Zone and place the EC2 instances within that placement group.

Will my standby RDS instance be in the same Availability Zone as my primary? A. Only for Oracle RDS types B. Only if configured at launch C. Yes D. No

D. No

Amazon Glacier is designed for: Choose 2 answers A. Frequently accessed data B. Active database storage C. Data archives D. Infrequently accessed data E. Cached session data

C. Data archives D. Infrequently accessed data

You are inserting 1000 new items every second in a DynamoDB table. Once an hour these items are analyzed and then are no longer needed. You need to minimize provisioned throughput, storage, and API calls. Given these requirements, what is the most efficient way to manage these Items after the analysis? A. Retain the items in a single table B. Delete items individually over a 24 hour period C. Delete the table and create a new table per hour D. Create a new table per hour

C. Delete the table and create a new table per hour

You have a business-critical two-tier web app currently deployed in two AZs in a single region, using Elastic Load Balancing and Auto Scaling. The app depends on synchronous replication (very low latency connectivity) at the database layer. The application needs to remain fully available even if one application AZ goes off-line, and Auto Scaling cannot launch new instances in the remaining Availability Zones. How can the current architecture be enhanced to ensure this? A. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 50 percent peak load per Region. B. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 100 percent peak load per region. C. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone. D. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 33 percent peak load per zone.

C. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone.

When automatic failover occurs, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use the _____ to return information about events related to your DB Instance. A. FetchFailure B. DescribeFailure C. DescribeEvents D. FetchEvents

C. DescribeEvents Q: Will I be alerted when automatic failover occurs? Yes, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use the DescribeEvents to return information about events related to your DB Instance, or click the "DB Events" section of the AWS Management Console Source: https://aws.amazon.com/rds/faqs/

What is the maximum write throughput I can provision per table for a single DynamoDB table? A. 5,000 us east, 1,000 all other regions B. 100,000 us east, 10, 000 all other regions C. Designed to scale without limits, but if you go beyond 40,000 us east/10,000 all other regions you have to contact AWS first. D. There is no limit

C. Designed to scale without limits, but if you go beyond 40,000 us east/10,000 all other regions you have to contact AWS first.

Which of the services below do you get root access to? A. Elasticache & Elastic MapReduce B. RDS & DynamoDB C. EC2 & Elastic MapReduce D. Elasticache & DynamoDB

C. EC2 & Elastic MapReduce

Which AWS instance address has the following characteristics? :"If you stop an instance, its Elastic IP address is unmapped, and you must remap it when you restart the instance." A. None of these B. EC2-VPC Addresses C. EC2-Classic Addresses

C. EC2-Classic Addresses http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html Stopping an instance EC2-Classic If you stop an instance, its Elastic IP address is disassociated, and you must reassociate the Elastic IP address when you restart the instance. EC2-VPC If you stop an instance, its Elastic IP address remains associated. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#VPC_EIP_EC2_Differences

By default, when an EBS volume is attached to a Windows instance, it may show up as any drive letter on the instance. You can change the settings of the _____ Service to set the drive letters of the EBS volumes per your specifications. A. EBSConfig Service B. AMIConfig Service C. Ec2Config Service D. Ec2-AMIConfig Service

C. Ec2Config Service http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/UsingConfig_WinAMI.html Mount all Amazon EBS volumes and instance store volumes, and map volume names to drive letters. http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/device_naming.html By default, when an EBS volume is attached to a Windows instance, it can show up as any drive letter on the instance. You can change the settings of the Ec2Config service to set the drive letters of the EBS volumes per your specifications.

Please select the Amazon EC2 resource which cannot be tagged. A. Images (AMIs, kernels, RAM disks) B. Amazon EBS volumes C. Elastic IP addresses D. VPCs

C. Elastic IP addresses http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions

In Amazon CloudWatch, which metric should I be checking to ensure that your DB Instance has enough free storage space? A. FreeStorage B. FreeStorageVolume C. FreeStorageSpace D. FreeStorageAllocation

C. FreeStorageSpace

What is the charge for the data transfer incurred in replicating data between your primary and standby? A. Same as the standard data transfer charge B. Double the standard data transfer charge C. No charge. It is free D. Half of the standard data transfer charge

C. No charge. It is free

You are a solutions architect working for a large digital media company. Your company is migrating their production estate to AWS and you are in the process of setting up access to the AWS console using Identity Access Management (IAM). You have created 5 users for your system administrators. What further steps do you need to take to enable your system administrators to get access to the AWS console? A. Generate an Access Key ID & Secret Access Key, and give these to your system administrators. B. Enable multi-factor authentication on their accounts and define a password policy. C. Generate a password for each user created and give these passwords to your system administrators. D. Give the system administrators the secret access key and access key id, and tell them to use these credentials to log in to the AWS console.

C. Generate a password for each user created and give these passwords to your system administrators.

You have uploaded a file to S3. What HTTP code would indicate that the upload was successful? A. HTTP 404 B. HTTP 501 C. HTTP 200 D. HTTP 307

C. HTTP 200

Select the incorrect statement. A. In Amazon EC2, private IP address is only returned to Amazon EC2 when the instance is stopped or terminated B. In Amazon VPC, an instance retains its private IP address when the instance is stopped. C. In Amazon VPC, an instance does NOT retain its private IP address when the instance is stopped. D. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime

C. In Amazon VPC, an instance does NOT retain its private IP address when the instance is stopped. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-private-addresses For instances launched in EC2-Classic, we release the private IPv4 address when the instance is stopped or terminated. If you restart your stopped instance, it receives a new private IPv4 address. For instances launched in a VPC, a private IPv4 address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated.

Read Replicas require a transactional storage engine and are only supported for the _____ storage engine. A. OracleISAM B. MSSQLDB C. InnoDB D. MyISAM

C. InnoDB http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html Read replicas require a transactional storage engine. Replication is only supported for the InnoDB storage engine on MySQL and the XtraDB storage engine on MariaDB.

What does the "Server Side Encryption" option on Amazon S3 provide? A. It provides an encrypted virtual disk in the Cloud. B. It doesn't exist for Amazon S3, but only for Amazon EC2. C. It encrypts the files that you send to Amazon S3, on the server side. D. It allows to upload files using an SSL endpoint, for a secure transfer.

C. It encrypts the files that you send to Amazon S3, on the server side. https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html Server-side encryption is about protecting data at rest. Server-side encryption with Amazon S3-managed encryption keys (SSE-S3) employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

In the Launch Db Instance Wizard, where can I select the backup and maintenance options? A. DB Instance Details B. Review C. Management Options D. Engine Selection

C. Management Options page 9 http://awsdocs.s3.amazonaws.com/RDS/latest/rds-gsg.pdf On the Management Options page, you can specify backup and maintenance options for your DB Instance. For this example, accept the default values, and then click Continue. Note that setting the Backup Retention Period to zero disables automatic backups.

In reviewing the Auto Scaling events for your application you notice that your application is scaling up and down multiple times in the same hour. What design choice could you make to optimize for cost while preserving elasticity? Choose 2 answers A. Modify the Auto Scaling policy to use scheduled scaling actions B. Modify the Auto Scaling group termination policy to terminate the oldest instance first. C. Modify the Auto Scaling group cool-down timers. D. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. E. Modify the Auto Scaling group termination policy to terminate the newest instance first.

C. Modify the Auto Scaling group cool-down timers. D. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.

Security groups act like a firewall at the instance level, whereas _____ are an additional layer of security that act at the subnet level. A. DB Security Groups B. VPC Security Groups C. Network ACLs

C. Network ACLs NACLs are subnet level with stateless rules

What function of an AWS VPC is stateless? A. Security Groups B. Elastic Load Balancers C. Network Access Control Lists D. EC2

C. Network Access Control Lists

Is there a method or command in the IAM system to allow or deny access to a specific instance? A. Only for VPC based instances B. Yes C. No

C. No

Is decreasing the storage size of a DB Instance permitted? A. Depends on the RDMS used B. Yes C. No

C. No "note that you cannot reduce storage size once it has been allocated" Source: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#CHAP_Storage.FactsAbout

You are a solutions architect working for a large oil and gas company. Your company runs their production environment on AWS and has a custom VPC. The VPC contains 3 subnets, 1 of which is public and the other 2 are private. Inside the public subnet is a fleet of EC2 instances which are the result of an autoscaling group. All EC2 instances are in the same security group. Your company has created a new custom application which connects to mobile devices using a custom port. This application has been rolled out to production and you need to open this port globally to the internet. What steps should you take to do this, and how quickly will the change occur? A. Open the port on the existing network Access Control List. Your EC2 instances will be able to communicate on this port after a reboot. B. Open the port on the existing network Access Control List. Your EC2 instances will be able to communicate over this port immediately. C. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port immediately. D. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port as soon as the relevant Time To Live (TTL) expires.

C. Open the port on the existing security group. Your EC2 instances will be able to communicate over this port immediately.

With which AWS orchestration service can you implement Chef recipes? A. CloudFormation B. Elastic Beanstalk C. Opsworks D. Lambda

C. Opsworks

In the Amazon RDS Oracle DB engine, the Database Diagnostic Pack and the Database Tuning Pack are only available with _____. A. Oracle Standard Edition B. Oracle Express Edition C. Oracle Enterprise Edition D. None of these

C. Oracle Enterprise Edition https://aws.amazon.com/rds/oracle/faqs/ Q: Which Enterprise Edition Options are supported on Amazon RDS? Following Enterprise Edition Options are currently supported under the BYOL model: Advanced Security (Transparent Data Encryption, Native Network Encryption) Partitioning Management Packs (Diagnostic, Tuning) Advanced Compression Total Recall

All Amazon EC2 instances are assigned two IP addresses at launch. Which one can only be reached from within the Amazon EC2 network? A. Multiple IP address B. Public IP address C. Private IP address D. Elastic IP Address

C. Private IP address The question state 'within' the EC2 network. This would not include the public Internet.

You work for a market analysis firm who are designing a new environment. They will ingest large amounts of market data via Kinesis and then analyze this data using Elastic Map Reduce. The data is then imported in to a high performance NoSQL Cassandra database which will run on EC2 and then be accessed by traders from around the world. The database volume itself will sit on 2 EBS volumes that will be grouped into a RAID 0 volume. They are expecting very high demand during peak times, with an IOPS performance level of approximately 15,000. Which EBS volume should you recommend? A. Magnetic B. General Purpose SSD C. Provisioned IOPS (PIOPS) D. Turbo IOPS (TIOPS)

C. Provisioned IOPS (PIOPS)

Out of the striping options available for the EBS volumes, which one has the following disadvantage : 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe.' ? A. Raid 5 B. Raid 6 C. Raid 1 D. Raid 2

C. Raid 1

Amazon S3 buckets in all Regions provide which of the following? A. Read-after-write consistency for PUTS of new objects AND Strongly consistent for POST & DELETES B. Read-after-write consistency for POST of new objects AND Eventually consistent for overwrite PUTS & DELETES C. Read-after-write consistency for PUTS of new objects AND Eventually consistent for overwrite PUTS & DELETES D. Read-after-write consistency for POST of new objects AND Strongly consistent for POST & DELETES

C. Read-after-write consistency for PUTS of new objects AND Eventually consistent for overwrite PUTS & DELETES

What does the ec2-revoke command do with respect to the Amazon EC2 security groups? A. Removes one or more security groups from a rule. B. Removes one or more security groups from an Amazon EC2 instance. C. Removes one or more rules from a security group. D. Removes a security group from an account.

C. Removes one or more rules from a security group.

It is advised that you watch the Amazon CloudWatch _____ metric carefully and recreate the Read Replica should it fall behind due to replication errors. A. WriteLag B. ReadReplica C. ReplicaLag D. SingleReplica

C. ReplicaLag The amount of time a Read Replica DB instance lags behind the source DB instance. Applies to MySQL, MariaDB, and PostgreSQL Read Replicas. http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/rds-metricscollected.html

Can Amazon S3 uploads resume on failure or do they need to restart? A. Restart from beginning B. You can resume them, if you flag the "resume on failure" option before uploading. C. Resume on failure D. Depends on the file size

C. Resume on failure When an error occurs during the multipart upload process, a MultipartUploadException is thrown. This exception provides access to the UploadState object, which contains information about the multipart upload's progress. The UploadState can be used to resume an upload that failed to complete. https://docs.aws.amazon.com/aws-sdk-php/v3/guide/service/s3-multipart-upload.html

In a management network scenario, which interface on the instance handles public-facing traffic? A. Primary network interface B. Subnet interface C. Secondary network interface

C. Secondary network interface

You have been asked to identify a service on AWS that is a durable key value store. Which of the services below meets this definition? A. Mobile Hub B. Kinesis C. Simple Storage Service (S3) D. Elastic File Service (EFS)

C. Simple Storage Service (S3)

What does Amazon SWF stand for? A. Simple Wireless Forms B. Simple Web Form C. Simple Work Flow D. Simple Web Flow

C. Simple Work Flow

Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true? A. The instance is replaced automatically by the ELB. B. The instance gets terminated automatically by the ELB. C. The ELB stops sending traffic to the instance that failed its health check. D. The instance gets quarantined by the ELB for root cause analysis.

C. The ELB stops sending traffic to the instance that failed its health check.

Does DynamoDB support in-place atomic updates? A. It is not defined B. No C. Yes D. It does support in-place non-atomic updates

C. Yes

You require the ability to analyze a large amount of data, which is stored on Amazon S3 using Amazon Elastic Map Reduce. You are using the cc2 8x large Instance type, whose CPUs are mostly idle during processing. Which of the below would be the most cost efficient way to reduce the runtime of the job? A.Create more smaller flies on Amazon S3. B.Add additional cc2 8x large instances by introducing a task group. C.Use smaller instances that have higher aggregate I/O performance. D.Create fewer, larger files on Amazon S3.

C. Use smaller instances that have higher aggregate I/O performance. https://aws.amazon.com/elasticmapreduce/faqs/ A,D- Irrelevant B- Adding more , C'mon the situation is idle, reducing would be the option! This is the only line relevant to understanding to support C, it talks about if you need more but here the situation is for idle so think accordingly: As a general guideline, we recommend that you limit 60% of your disk space to storing the data you will be processing, leaving the rest for intermediate output. Hence, given 3x replication on HDFS, if you were looking to process 5 TB on m1.xlarge instances, which have 1,690 GB of disk space, we recommend your cluster contains at least (5 TB * 3) / (1,690 GB * .6) = 15 m1.xlarge core nodes. You may want to increase this number if your job generates a high amount of intermediate data or has significant I/O requirements.

You run an automobile reselling company that has a popular online store on AWS. The application sits behind an Auto Scaling group and requires new instances of the Auto Scaling group to identify their public and private IP addresses. How can you achieve this? A. By using Ipconfig for windows or Ifconfig for Linux. B. By using a cloud watch metric. C. Using a Curl or Get Command to get the latest meta-data from http://169.254.169.254/latest/meta-data/ D. Using a Curl or Get Command to get the latest user-data from http://169.254.169.254/latest/user-data/

C. Using a Curl or Get Command to get the latest meta-data from http://169.254.169.254/latest/meta-data/

Can I control if and when MySQL based RDS Instance is upgraded to new supported versions? A. No B. Only in VPC C. Yes

C. Yes https://aws.amazon.com/blogs/aws/amazon-rds-mysql-upgrade-and-version-management/ With DB Engine Version Management, Amazon RDS gives you additional (yet optional) control over the version of relational database software (i.e. MySQL) powering your DB Instance. The goal of this functionality is to provide you the flexibility to maintain compatibility with specific MySQL versions, test new versions with your application before deploying in production, and perform version upgrades on your own terms and timelines. Automatic Upgrade Schedule

Can I initiate a "forced failover" for my MySQL Multi-AZ DB Instance deployment? A. Only in certain regions B. Only in VPC C. Yes D. No

C. Yes http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RebootInstance.html

Does AWS Direct Connect allow you access to all Availabilities Zones within a Region? A. Depends on the type of connection B. No C. Yes D. Only when there's just one availability zone in a region. If there are more than one, only one availability zone can be accessed directly.

C. Yes https://aws.amazon.com/directconnect/faqs/ Q. What AWS region(s) can I connect to via this connection? Each AWS Direct Connect location enables connectivity to the geographically nearest AWS region. You can access all AWS services available in that region. Direct Connect locations in the US can also access the public endpoints of the other AWS regions using a public virtual interface. Q. What Availability Zone(s) can I connect to via this connection? Each AWS Direct Connect location enables connectivity to all Availability Zones within the geographically nearest AWS region.

Will I be alerted when automatic failover occurs? A. Only if SNS configured B. No C. Yes D. Only if Cloudwatch configured

C. Yes https://aws.amazon.com/rds/faqs/ Q: Will I be alerted when automatic failover occurs? Yes, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can click the "Events" section of the Amazon RDS Console or use the DescribeEvents API to return information about events related to your DB Instance. You can also use Amazon RDS Event Notifications to be notified when specific DB events occur. From the article we can see that using SNS is an optional choice however you can see the event in the "Events" section

Is there a limit to how many groups a user can be in? A. Yes for all users except root B. Yes unless special permission granted C. Yes for all users D. No

C. Yes for all users A user can be a member of maximum 10 groups http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html

Are you able to integrate a multi-factor token service with the AWS Platform? A. No, you cannot integrate multi-factor token devices with the AWS platform. B. Yes, you can integrate private multi-factor token devices to authenticate users to the AWS platform. C. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform.

C. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform.

Select the correct statement: A. You don't need not specify the resource identifier while stopping a resource B. You can terminate, stop, or delete a resource based solely on its tags C. You can't terminate, stop, or delete a resource based solely on its tags D. You don't need to specify the resource identifier while terminating a resource

C. You can't terminate, stop, or delete a resource based solely on its tags http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions

You are writing to a DynamoDB table and receive the following exception:" ProvisionedThroughputExceededException". though according to your Cloudwatch metrics for the table, you are not exceeding your provisioned throughput. What could be an explanation for this? A. You haven't provisioned enough DynamoDB storage instances B. You're exceeding your capacity on a particular Range Key C. You're exceeding your capacity on a particular Hash Key D. You're exceeding your capacity on a particular Sort Key E. You haven't configured DynamoDB Auto Scaling triggers

C. You're exceeding your capacity on a particular Hash Key

While creating the snapshots using the the command line tools, which command should I be using? A. ec2-deploy-snapshot B. ec2-fresh-snapshot C. ec2-create-snapshot D. ec2-new-snapshot

C. ec2-create-snapshot

Changes to the backup window take effect ______. A. from the next billing cycle B. after 30 minutes C. immediately D. after 24 hours

C. immediately Changes to the backup window take effect immediately. The backup window cannot overlap with the weekly maintenance window for the DB instance. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html

Every user you create in the IAM system starts with ______. A. partial permissions B. full permissions C. no permissions

C. no permissions Permissions let you specify who has access to AWS resources, and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. To give a user permission to do something, you can add the permission to the user (that is, attach a policy to the user) or add the user to a group that has the desired permission. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html

Amazon RDS creates an SSL certificate and installs the certificate on the DB Instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The _____ is stored at https://rds.amazonaws.com/doc/rds-ssl-ca-cert.pem. A. private key B. foreign key C. public key D. protected key

C. public key Amazon RDS creates an SSL certificate and installs the certificate on the DB instance when Amazon RDS provisions the instance. These certificates are signed by a certificate authority. The SSL certificate includes the DB instance endpoint as the Common Name (CN) for the SSL certificate to guard against spoofing attacks. The public key is stored at https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem.

Fill in the blanks : _____ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment. A. wildcards B. pointers C. tags D. special filters

C. tags Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

To help you manage your Amazon EC2 instances, images, and other Amazon EC2 resources, you can assign your own metadata to each resource in the form of_____. A. special filters B. functions C. tags D. wildcards

C. tags http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html To help you manage your instances, images, and other Amazon EC2 resources, you can optionally assign your own metadata to each resource in the form of tags.

You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers) A.Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth. B.Use dedicated instances to ensure that each instance has the maximum performance possible. C.Use an Amazon CloudFront distribution for both static and dynamic content. D.Use an Elastic Load Balancer with auto scaling groups at the web. App and Amazon Relational Database Service (RDS) tiers E.Add alert Amazon CloudWatch to look for high Network in and CPU utilization. F.Create processes and capabilities to quickly add and remove rules to the instance OS firewall.

CDE. C - CloudFront can absorb attack to some extent, and you may add WAF to ward off such attacks D - you can use both external and internal facing ELBs E - is obvious A. incorrect... While it is definitely an AWS published suggestion to consider enhanced networking or even 10Gbps interfaces on an instance to assist in mitigating against high traffic floods, two ENIs cannot be used together to help balance network load. ELB always sends traffic to the primary address on the primary ENI of the instance. B. Not an AWS recommended approach for dealing with DDoS mitigation. C. Absolutely correct... Cloudfront is probably the single, best DDoS mitigation you can implement if you had to pick only one. D. This one is close, and would absolutely work as a recommended best practice for the web and app tiers. This answer might even be workable on the DB tier for DB read requests (writes would be problematic), by load-balancing across a number of read replicas using a non-ELB load-balancing mechanism, such as DNS load balancing, HAproxy, F5 instance, etc. But D states you are using ELBs to perform the load-balancing, and it is not currently possible to attach an RDS instance to an ELB, only EC2 instances. Also, D states that you are using auto scaling groups for all three tiers, and it is not currently possible to use RDS instances in an auto scaling group. E. Absolutely correct, and very helpful for auto scaling. F. Seems unlikely. Question is asking about DDoS attacks, which could come from millions of source IP addresses. Even if you could identify incoming requests as malicious (you would not always be able to separate legitimate from malicious), there could be so many malicious source IP addresses in a DDoS that this would not scale very well.

1) You decide to configure a bucket for static website hosting. As per the AWS documentation, you create a bucket named 'mybucketcom' and then you enable website hosting with an index document of 'index.html' and you leave the error document as blank. You then upload a file named 'index.html' to the bucket. After clicking on the endpoint of mybucket.com.s3-website-us-east-1.amazonaws.com you receive 403 Forbidden error. You then change the CORS configuration on the bucket so that everyone has access, however you still receive the 403 Forbidden error. What additional step do you need to do so that the endpoint is accessible to everyone?

Change the permissions on the index.html file also, so that everyone has access.

"9. Question If any change is made to a security group rule, when are these changes effective? 1. 2. Changes are automatically applied after a short period 2. 3. Changes will be effective after rebooting the instances in that security group 3. 1. Changes will be effective after 5 minutes 4. 4. Security group rules can not be changed. You have to create a new security group and assign it to instances"

Changes are automatically applied after a short period

14) Company B has many users updating the same table. At times it is not uncommon for multiple users to update the same item and attribute of an item at the same time. If user A calls an item in a table to update an attribute at the same time as user B and user B updates the table first, what can we deploy in DynamoDB to ensure User A is not updating an item that was updated since User A's table read?

Conditional Writes Explanation With a conditional write, an operation succeeds only if the item attributes meet one or more expected conditions; otherwise it returns an error

2) You have reached your account limit for the number of CIoudFormation stacks in a region. How do you increase your limit?

Contact AWS Explanation The limit for CIoudFormation stacks in a single region is 200- However, this limit can be increased by contacting AWS.

3) Auto Scaling is the process of scaling up and scaling down the number of EC2 instances based on traffic demands.

Correct

You've been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3- tier VPC. The configuration is as follows: VPC vpc-2f8t>C447 IGVV ig-2d8bc445 NACL acl-2080c448 Subnets and Route Tables: Web server's subnet-258Dc44d Application server's suDnet-248bc44c Database server's subnet-9189c6f9 Route Tables: rrb-218DC449 rtb-238bc44b Associations: subnet-258bc44d: rtb-2i8bc449 Subnet-248DC44C rtb-238tX44b subnet-9189c6f9 rtb-238Dc 44b You are now ready to begin deploying EC2 instances into the VPC Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet? A.Create a bastion and NAT Instance in subnet-248bc44c and add a route from rtb-238bc44b to subnet- 258bc44d. B.Add a route from rtD-238bc44D to igw-2d8bc445 and add a bastion and NAT instance within suonet- 248bc44c. C.Create a bastion and MAT Instance In subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. D.Create a bastion and mat instance in suDnet-258Dc44d and add a route from rtD-238Dc44D to the mat instance.

Correct answer is D, Option C will create a direct connection from App subnet to Internet gateway, which is not a best security practice .

13) Explain what the following resource in a CIoudFormation template does. Choose the best possible answer. "SNSTopic" : { "Type" : "AWS::SNS::Topic", Properties" : { "Subscription" : [{ "Protocol" : "sqs". "Endpoint" : { "Fn::GetAtt" SQSQueue", "Arn"

Creates an SNS topic and adds a subscription ARN endpoint for the SOS resource created under the logical name SQSQueue

Can I use Provisioned IOPS with VPC? A.Only Oracle based RDS B.No C.Only with MSSQL based RDS D.Yes for all RDS instances

D Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second).

You are designing a multi-platform web application for AWS The application will run on EC2 instances and will be accessed from PCs. tablets and smart phones Supported accessing platforms are Windows. MACOS. IOS and Android Separate sticky session and SSL certificate setups are required for different platform types which of the following describes the most cost effective and performance efficient architecture setup? A.Setup a hybrid architecture to handle session state and SSL certificates on-prem and separate EC2 Instance groups running web applications for different platform types running in a VPC. B.Set up one ELB for all platforms to distribute load among multiple instance under it Each EC2 instance implements ail functionality for a particular platform. C.Set up two ELBs The first ELB handles SSL certificates for all platforms and the second ELB handles session stickiness for all platforms for each ELB run separate EC2 instance groups to handle the web application for each platform. D.Assign multiple ELBS to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type Session stickiness and SSL termination are done at the ELBs.

D One ELB cannot handle different SSL certificates but since we are using sticky sessions it must be handled at the ELB level. SSL could be handled on the EC2 instances only with TCP configured ELB, ELB supports sticky sessions only in HTTP/HTTPS configurations. The way the Elastic Load Balancer does session stickiness is on a HTTP/HTTPS listener is by utilizing an HTTP cookie. If SSL traffic is not terminated on the Elastic Load Balancer and is terminated on the back-end instance, the Elastic Load Balancer has no visibility into the HTTP headers and therefore can not set or read any of the HTTP headers being passed back and forth. http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html It could be C as well, because there is only one application. And we have "the most cost effective".

In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following feature should you use? A.Multiple Availability Zones B.AWS Direct Connect C.EC2 Dedicated Instances D.Placement Groups E.VPC private subnets

D A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low-latency, 10 Gigabits per second (Gbps) network. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

While creating the snapshots using the API, which Action should I be using? A.MakeSnapShot B.FreshSnapshot C.DeploySnapshot D.CreateSnapshot

D http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for backups, to make copies of EBS volumes, and to save data before shutting down an instance.

When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume? A.Data is automatically saved as an EBS snapshot. B.Data is automatically saved as an EBS volume. C.Data is unavailable until the instance is restarted. D.Data is automatically deleted.

D http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html

You are working with a customer who is using Chef configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS? A.Amazon Simple Workflow Service B.AWS Elastic Beanstalk C.AWS CloudFormation D.AWS OpsWorks

D https://aws.amazon.com/opsworks/ AWS OpsWorks is a configuration management service that uses Chef, an automation platform that treats server configurations as code. OpsWorks uses Chef to automate how servers are configured, deployed, and managed across your Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises compute environments.

Per the AWS Acceptable Use Policy, penetration testing of EC2 instances: A.May be performed by AWS, and will be performed by AWS upon customer request. B.May be performed by AWS, and is periodically performed by AWS. C.Are expressly prohibited under all circumstances. D.May be performed by the customer on their own instances with prior authorization from AWS. E.May be performed by the customer on their own instances, only if performed from EC2 instances

D https://aws.amazon.com/security/penetration-testing/ Our Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment. Permission is required for all penetration tests. To request permission. you must be logged into the AWS portal using the root credentials associated with the instances you wish to test. more info:https:/Iaws.amazon.com/security/penetration-testing/

You have deployed a three-tier web application in a VPC with a CIOR block of 10 0 0 0/28 You initially deploy two web servers, two application servers, two database servers and one NAT instance tor a total of seven EC2 instances The web. Application and database servers are deployed across two availability zones (AZs). You also deploy an ELB in front of the two web servers, and use Route53 for DNS Web (raffle gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load unfortunately some of these new instances fail to launch. Which of the following could De the root caused? (Choose 2 answers) A.The Internet Gateway (IGW) of your VPC has scaled-up adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches. B.AWS reserves one IP address In each subnet's CIDR block for Route53 so you do not have enough addresses left to launch all of the new EC2 instances. C.AWS reserves the first and the last private IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances. D.The ELB has scaled-up. Adding more instances to handle the traffic reducing the number of available private IP addresses for new instance launches. E.AWS reserves the first tour and the last IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.

D and E D however is a little vague as ELB cant scale up, there should have been an autoscaling grp mentioned behind ELB in question for D to make sense. But D is the best of rest. E is 100% correct

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations? A.SAML-based Identity Federation B.Cross-Account Access C.AWS Identity and Access Management roles D.Web Identity Federation

D is correct. http://docs.aws.amazon.com/IAM/latest/UserGuide/idrolesproviders_oidc.html http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction "Common Scenarios for Temporary Credentials" - AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OICD)-compatible identity provider. Question:".. allows application sign-in using an OpenID Connect-compatible identity provider". If you read the question carefully, it can be rephrased as "how does a federated-ID authenticated user access S3 objects?

***Which procedure for backing up a relational database on EC2 that is using a set of RAlDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup? A. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes B. 1. Stop the EC2 Instance. 2. Snapshot the EBS volumes C. 1. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O D. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Resume disk I/O E. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O

D is right. From https://acloud.guru, http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html A. Plausible not fast, but not the slowest B. The slowest but highest confidence factor C. Fast , but 'Create Image' has special meaning and may not be what you are looking for. D. _Fast , and 'start EBS snapshot' sounds right _ E. Starts Fast, but waiting for the Snapshot to finish could be hours, so not correct in my opinion. Answer is B Keywords are 'consistent backup' and 'relational database' Making a consistent backup of a relational database (MSSQL, Oracle, MySQL), -> with the database engine still running <- can only be done using a "managed process" such as a backup agent, database tools or (SQL) statements executed by the database engine. A, C, D and E make a backup of the database file (system) with a running database engine. Even if you can suspend disk I/O, this does not force the database engine to flush it's (mostly HUGE) caches Even if you can suspend(/halt) disk I/O, the database engine will complain (probably crash) Even if you can suspend disk I/O and database engine accepts this, the databases (files) themselves will still be marked "open", which will result in (automatic or not) database repairs when mounted/attached from backup. Stopping the database instance will flush (respective) caches and properly close database files. As no database tooling is mentioned, the only answer which stops the database engine, is B, which stops the EC2 instance, thereby the database engine. B is the only answer which results in a consistent backup of a relational database (or at least for MSSQL, Oracle, MySQL)

Which service provides an automated security assessment that helps improve the security and compliance of applications deployed on AWS. The service automatically assesses applications for vulnerabilities or deviations from best practices. A. Amazon Redshift B. EC2 C. Elastic Beanstalk D. Amazon Inspector

D.

Your company runs a customer facing event registration site This site is built with a 3-tier architecture with web and application tier servers and a MySQL database The application requires 6 web tier servers and 6 application tier servers for normal operation, but can run on a minimum of 65% server capacity and a single MySQL database. When deploying this application in a region with three availability zones (AZs) which architecture provides high availability? A.A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer), and an application tier deployed across 2 AZs with 3 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB. and one RDS (Relational Database Service) instance deployed with read replicas in the other AZ. B.A web tier deployed across 3 AZs with 2 EC2 (Elastic Compute Cloud) instances in each A2 inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 3 AZs with 2 EC2 instances in each AZ inside an Auto Scaling Group behind an ELB and one RDS (Relational Database Service) Instance deployed with read replicas in the two other AZs. C.d A web tier deployed across 2 AZs with 3 EC2 (Elastic Compute Cloud) instances in each AZ inside an Auto Scaling Group behind an ELB (elastic load balancer) and an application tier deployed across 2 AZs with 3 EC2 instances m each AZ inside an Auto Scaling Group behind an ELS and a Multi-AZ RDS (Relational Database Service) deployment. D.A web tier deployed across 3 AZs with 2 EC2 (Elastic Compute Cloud) instances in each AZ Inside an Auto Scaling Group behind an ELB (elastic load balancer). And an application tier deployed across 3 AZs with 2 EC2 instances In each AZ inside an Auto Scaling Group behind an ELB. And a Multi-AZ RDS (Relational Database services) deployment.

D is the answer But, be noted that, Multi-AZ RDS does not provide "read ability" to standby DB. Multi-AZ RDS is better than Read-replica in the way it better for scalability, and failover support. Refer to: https://aws.amazon.com/rds/faqs/ [quote] ...it precludes the standby from being accessed directly or used for read operations...

You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are property configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances? A.Enable Source/Destination Check on the private Instances. B.Enable Source/Destination Check on the NAT instance. C.Disable Source/Destination Check on the private instances. D.Disable Source/Destination Check on the NAT instance.

D is the correct answer. By default the NAT will perform Source Checks before it forwards the packet it received from EC2 instance out to the Internet and hence Source Checks need to be disabled on the NAT instance. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck https://www.quora.com/Why-do-we-disable-source-destination-checks-on-the-NAT-instance

A company has a workflow that sends video files from their on-premise system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario? A.SQS guarantees the order of the messages. B.SQS synchronously provides transcoding output. C.SQS checks the health of the worker instances. D.SQS helps to facilitate horizontal scaling of encoding tasks.

D is the only possible answer A. SQS guarantees the order of the messages. Not true, SQS does not guarantee the order of the messages at all. If your app requires messages be processed in a certain order, make sure your messages in the SQS queue have a sequence number on them. B. SQS synchronously provides transcoding output. Transcoding output would mean a piece of media (eg audio/video) that needs to be stored somewhere. Since media files are usually large binary data, this would probably be into S3 (and possibly metadata about the media file into DynamoDB, such as the S3 location, user/job that generated it, date/time it was transcoded, etc.) While S3 messages can accept binary data as a data type, you probably wouldn't want to store a output media file as an SQS message because the maximum message size is 256KB, which would severely limit how large your transcoding output file could be. Also, the maximum retention time in an SQS queue is 14 days. In the unlikely case that you were willing to accept those limitations, you'd still be limited to a maximum of 120,000 messages in the queue, which would severely limit the amount of transcoding outputs you could store across those 14 days. This scenario just isn't a good fit for an SQS queue. Drop your transcoding output files into S3, instead. C. SQS checks the health of the worker instances. SQS does not check the health of anything. If you've got a fleet of worker instances you want to monitor the health of, probably you'd want to have them in an auto-scaling group with a health check on the ASG to replace failed worker instances. D. SQS helps to facilitate horizontal scaling of encoding tasks. Yes, this is a great scenario for SQS. "Horizontal scaling" means you have multiple instances involved in the workload (encoding tasks in this case). You can drop messages indicating an encoding job needs to be performed into an SQS queue, immediately making the job notification message accessible to any number of encoding worker instances.

Your company currently has a 2-tier web application running in an on-premises data center. You have experienced several infrastructure failures in the past two months resulting in significant financial losses. Your CIO is strongly agreeing to move the application to AWS. While working on achieving buy-in from the other company executives, he asks you to develop a disaster recovery plan to help improve Business continuity in the short term. He specifies a target Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour or less. He also asks you to implement the solution within 2 weeks. Your database is 200GB in size and you have a 20Mbps Internet connection. How would you do this while minimizing costs? A.Create an EBS backed private AMI which includes a fresh install or your application. Setup a script in your data center to backup the local database every 1 hour and to encrypt and copy the resulting file to an S3 bucket using multi-part upload. B.Install your application on a compute-optimized EC2 instance capable of supporting the application's average load synchronously replicate transactions from your on-premises database to a database instance in AWS across a secure Direct Connect connection. C.Deploy your application on EC2 instances within an Auto Scaling group across multiple availability zones asynchronously replicate transactions from your on-premises database to a database instance in AWS across a secure VPN connection. D.Create an EBS backed private AMI that includes a fresh install of your application. Develop a Cloud Formation template which includes your Mil and the required EC2. Auto-Scaling and ELB resources to support deploying the application across Multiple-Ability Zones. Asynchronously replicate transactions from your onpremises database to a database instance in AWS across a secure VPN connection.

D is the right answer. A is wrong because backing up local DB of 200GB on a 20Mbps connection every hour is not reliable and consumes a lot of bandwidth (expensive). B and C are wrong as you don't need EC2 instances to be up and running because it is expensive. You rather need to be able to quickly launch them within RTO of 4 hours.

A company is building a voting system for a popular TV show, viewers win watch the performances then visit the show's website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first login to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that can handle the rapid influx of traffic while maintaining good performance but also wants to keep costs to a minimum. Which of the design patterns below should they use? A.Use CloudFront and an Elastic Load balancer in front of an auto-scaled set of web servers, the web servers will first can the Login With Amazon service to authenticate the user then process the users vote and store the result into a multi-AZ Relational Database Service instance. B.Use CloudFront and the static website hosting feature of S3 with the Javascript SDK to call the Login With Amazon service to authenticate the user, use IAM Roles to gain permissions to a DynamoDB table to store the users vote. C.Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login with Amazon service to authenticate the user, the web servers will process the users vote and store the result into a DynamoDB table using IAM Roles for EC2 instances to gain permissions to the DynamoDB table. D.Use CloudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login. With Amazon service to authenticate the user, the web servers win process the users vote and store the result into an SQS queue using IAM Roles for EC2 Instances to gain permissions to the SQS queue. A set of application servers will then retrieve the items from the queue and store the result into a DynamoDB table.

D is the right answer. Problem with B and C is that with millions of visitors it is possible to exceed your provisioned throughput rate of writes to DynamoDB. Also remember that there is soft limit of 10,000 writes/second. See https://aws.amazon.com/dynamodb/faqs/#Scalability,_Availability_&_Durability Q: Is there a limit to how much throughput I can get out of a single table? If you wish to exceed throughput rates of 10,000 writes/second or 10,000 reads/second, you must first contact Amazon through this online form.

A customer has configured Elastic Load Balancer with four instances. The customer wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the customer to achieve this for ELB? A. Redshift B. Auto Scaling C. Cloud Formation D. Route 53

D.

A user has scheduled the maintenance window of an RDS DB on a particular day. Which of the below mentioned events may force to take the DB instance offline during the maintenance window? A. Enabling Read Replica B. Making the DB Multi AZ C. DB password change D. Security patching

D.

Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of which of the following: A. Loss of availability in primary Availability Zone B. Compute unit failure on primary C. Loss of network connectivity to primary D. All of these

D.

Company XYZ is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company XYZ would like to directly save player data and scoring information from the mobile app to a DynamoDS table named Score Data When a user saves their game the progress data will be stored to the Game state SB bucket. what is the best approach for storing data to DynamoDB and S3? A. Use an IAM user with access credentials assigned a role providing access to the Score Data DynamoDB table and the Game State 53 bucket for distribution with the mobile app. B. Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the Score Data DynamoDB table and the Game State S3 bucket. C. Use an EC2 Instance that is launched with an EC2 role providing access to the Score Data DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services. D. Use temporary security credentials that assume a role providing access to the Score Data DynamoDB table and the Game State S3 bucket using web identity federation

D.

In DynamoDB, what type of HTTP response codes indicate that a problem was found with the client request sent to the service? A.5xx HTTP response code B.200 HTTP response code C.306 HTTP response code D.4xx HTTP response code

D.

Once the files are verified they may not be required in the future unless there is some compliance issue. If the organization wants to save them in a cost effective way, which is the best possible solution? A.Amazon RRS B. Amazon S3 C. Amazon RDS D. Amazon Glacier

D.

This question relates to S3: If the object named photos/1.jpg is stored in the johnsmith bucket, then authorized users could access the object with which URL? A. http://s3.amazonaws.com/johnsmith/photos/1.jpg B. http://s3.johnsmith.amazonawscom/photos/1.jpg C. http://johnsmith.amazonaws-com/s3/photos/1.jpg D. http://johnsmith.s3.amazonaws.com/photos/1.jpg

D.

What is the format of structured notification messages sent by Amazon SNS? A.An XML object containing MessageId, UnsubscribeURL, Subject, Message and other values B.An JSON object containing MessageId, DuplicateFIag, Message and other values C.An XML object containing MessageId, DuplicateFIag, Message and other values D.An JSON object containing MessageId, unsubscribeURL, Subject, Message and other values

D.

When uploading an object, what request header can be explicitly specified in a request to Amazon S3 to encrypt object data when saved on the server side? A.x-amz-storage-class B.Content-Mo5 C.x-amz-security-token D.x-amz-server-side-encrvption

D.

When you create an encrypted EBS volume and attach it to a supported instance type, which types of data are encrypted: A. Data at rest inside the volume B. All disk l/O C. All snapshots created from the volume D. All of these

D.

Which of the following is NOT a storage class? Choose the correct answer: A. Glacier B. Infrequent Access C. Standard D. Quick Access

D.

Which product is ideal for transferring anywhere from terabytes to many petabytes of data in and out of the AWS cloud securely, especially in cases where you don't want to make expensive upgrades to your network infrastructure, frequently experience large backlogs of data, are in a physically isolated environment, or are in an area where high-speed Internet connections are not available or cost- prohibitive. In general, if loading your data over the Internet would take a week or more, you should consider what? A. Amazon S3 B. Amazon EBS Magnetic C. Amazon CloudFront D. AWS Snowball

D.

While import a disk into an EBS using the API, which Action should I be using? A. CopySnapshot B. DescribeSnapshot C. CreateSnapshot D. ImportSnapshot

D.

You attempt to store an object in the US-STANDARD region in Amazon 53, and receive a confirmation that it has been successfully stored. You then immediately make another API call and attempt to read this object. 53 tells you that the object does not exist What could explain this behavior? A.US-STANDARD imposes a 1 second delay before new objects are readable. B.You exceeded the bucket object limit, and once this limit is raised the object will be visible. C.Objects in Amazon 53 do not become visible until they are replicated to a second region. D.US-STANDARD uses eventual consistency and it can take time for an object to be readable in a bucket

D.

You have decided to store some data in the cloud via AWS. Which service would you choose to store archive data, with low cost and immediate access? A. Amazon Glacier B. Amazon CIoudFront C. Amazon EC2 Instance Storage D. Amazon S3

D.

You're configuring a new Security Group for your EC2 instance and want to follow security best practice. Under the Inbound rules tab which Rule Type would you commonly use with a Custom IP range? A. HTTP B. FTP C. HTTPS D. RDP

D.

Is there a limit to the number of groups you can have? A. Yes for all users except root B. No C. Yes unless special permission granted D. Yes for all users

D. http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html

Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications.What is the monthly charge for using the public data sets? A. A 1 time charge of 10$ for all the datasets. B. 1$ per dataset per month C. 10$ per month for all the datasets D. There is no charge for using the public data sets

D. https://aws.amazon.com/public-data-sets/ " Public Datasets on AWS provides a centralized repository of public datasets that can be seamlessly integrated into AWS cloud-based applications. AWS is hosting the public datasets at no charge for the community, and like all AWS services, users pay only for the compute and storage they use for their own applications. Learn more about Public Datasets on AWS "

A user is planning to use AWS services for his web application. If the user is trying to set up his own billing management system for AWS, how can he configure it? A. It is not possible for the user to create his own billing management service with AWS B. Enable the AWS CIoudWatch alarm which will provide APIs to download the alarm data C. Use AWS billing APIs to download the usage report of each service from the AWS billing console D. Set up programmatic billing access. Download and parse the bill as per the requirement

D. AWS provides an option to have programmatic access to billing. Programmatic Billing Access leverages the existing Amazon Simple Storage Service.

Choose the correct AWS database service for the following requirements: Large volumes of structured data to persist and query using standard SQL and existing business intelligence tools High performance at scale as data and query complexity grows A. Amazon DynamoDB B. Amazon RDS C. Amazon EIastiCache D. Amazon Redshift

D. Amazon Redshift is a fast managed petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.

If you're unable to connect via SSH to your EC2 instance, which of the following should you check and possibly correct to restore connectivity? A. Adjust Security Group to permit egress traffic over TCP port 443 from your IP. B. Configure the IAM role to permit changes to security group settings. C. Modify the instance security group to allow ingress of ICMP packets from your IP. D. Adjust the instance's Security Group to permit ingress traffic over port 22 from your IP. E. Apply the most recently released Operating System security patches.

D. In a VPC everything is allowed out by default

After creating a new IAM user which of the following must be done before they can successfully make API calls? A.Add a password to the user. B.Enable Multi-Factor Authentication for the user. C.Assign a Password Policy to the user. D.Create a set of Access Keys for the user.

D. Programmatic access: If the user needs to make API calls or use the AWS CLI or the Tools for Windows PowerShell, create an access key (an access key ID and a secret access key) for that user. http://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html

You have been asked to propose a multi-region deployment of a web-facing application where a controlled portion of your traffic is being processed by an alternate region. Which configuration would achieve that goal? A. Elastic Load Balancing with health checks enabled B. Auto Scaling with scheduled scaling actions set C. Route53 record sets with latency based routing policy D. Route53 record sets with weighted routing policy

D. Use the weighted routing policy when you have multiple resources that perform the same function (for example. web servers that serve the same website) and you want Amazon Route 53 to route traffic to those resources in proportions that you specify (for example. one quarter to one server and three quarters to the other). For more information about weighted resource record sets

In the context of MySQL, version numbers are organized as MySQL version = X.Y.Z. What does X denote here? A. release level B. minor version C. version number D. major version

D. MySQL version = X.Y.Z X = Major version, Y = Release level, Z = Version number within release series. From the Amazon RDS standpoint, a version change would be considered major if either major version or release level is being changed. Example: going from 5.6.X -> 5.7.X. A version change would be considered minor if the version number within the release is being changed. Example: going from 5.6.27 -> 5.6.29.

You have developed a new web application that offers users the chance to buy music at a discounted rate through partnerships with local recording companies. You want to host this app in AWS but you don't want the overhead of managing the infrastructure. Which option should you choose? A. EC2 B. Cloudfront C. Amazon Redshift D. AWS Elastic Beanstalk

D. Elastic Beanstalk is a web service for deploying and managing applications in the AWS cloud without worrying about the infrastructure that runs those applications.

You must assign each server to at least _____ security group A. 3 B. 2 C. 4 D. 1

D. 1 http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group Your AWS account automatically has a default security group per VPC and per region for EC2-Classic. If you don't specify a security group when you launch an instance, the instance is automatically associated with the default security group.

What is the maximum response time for a Business level Premium Support case? A. 30 minutes B. You always get instant responses (within a few seconds). C. 10 minutes D. 1 hour

D. 1 hour

If you are using Amazon RDS Provisioned IOPS storage with MySQL and Oracle database engines, you can scale the throughput of your database Instance by specifying the IOPS rate from _____ . A. 1,000 to 1,00,000 B. 100 to 1,000 C. 10,000 to 1,00,000 D. 1,000 to 10,000

D. 1,000 to 10,000 https://aws.amazon.com/rds/mysql/ https://aws.amazon.com/ebs/details/

You must increase storage size in increments of at least _____ % A. 40 B. 20 C. 50 D. 10

D. 10 http://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html AllocatedStorage The new storage capacity of the RDS instance. Changing this setting does not result in an outage and the change is applied during the next maintenance window unless ApplyImmediately is set to true for this request. Constraints: Value supplied must be at least 10% greater than the current value. Values that are not at least 10% greater than the existing value are rounded up so that they are 10% greater than the current value.

What is the maximum key length of a tag? A. 512 Unicode characters B. 64 Unicode characters C. 256 Unicode characters D. 128 Unicode characters

D. 128 Unicode characters http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html Maximum key length: 128 Unicode characters

A Provisioned IOPS SSD volume must be at least _____ GB in size. A. 1 B. 6 C. 20 D. 4

D. 4

You have been asked to create VPC for your company. The VPC must support both Internet-facing web applications (ie they need to be publicly accessible) and internal private applications (i.e. they are not publicly accessible and can be accessed only over VPN). The internal private applications must be inside a private subnet. Both the internet-facing and private applications must be able to leverage at least three Availability Zones for high availability. At a minimum, how many subnets must you create within your VPC to achieve this? A. 5 B. 3 C. 4 D. 6

D. 6

You have been tasked with creating a VPC network topology for your company. The VPC network must support both Internet-facing applications and internally-facing applications accessed only over VPN. Both Internet-facing and internally-facing applications must be able to leverage at least three AZs for high availability. At a minimum, how many subnets must you create within your VPC to accommodate these requirements? A. 2 B. 3 C. 4 D. 6

D. 6

Within the IAM service a GROUP is regarded as a: A. A collection of AWS accounts B. It's the group of EC2 machines that gain the permissions specified in the GROUP. C. There's no GROUP in IAM, but only USERS and RESOURCES. D. A collection of users.

D. A collection of users. Use groups to assign permissions to IAM users Instead of defining permissions for individual IAM users, it's usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.), define the relevant permissions for each group, and then assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to the group. That way, you can make changes for everyone in a group in just one place. As people move around in your company, you can simply change what IAM group their IAM user belongs to. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions

You have started a new role as a solutions architect for an architectural firm that designs large sky scrapers in the Middle East. Your company hosts large volumes of data and has about 250Tb of data on internal servers. They have decided to store this data on S3 due to the redundancy offered by it. The company currently has a telecoms line of 2Mbps connecting their head office to the internet. What method should they use to import this data on to S3 in the fastest manner possible. A. Upload it directly to S3 B. Purchase and AWS Direct connect and transfer the data over that once it is installed. C. AWS Data pipeline D. AWS Import/Export

D. AWS Import/Export

In Identity and Access Management, when you first create a new user, certain security credentials are automatically generated. Which of the below are valid security credentials? A. Access Key ID, Authorized Key B. Private Key, Secret Access Key C. Private Key, Authorized Key D. Access Key ID, Secret Access Key

D. Access Key ID, Secret Access Key

While launching an RDS DB instance, on which page I can select the Availability Zone? A. Review B. DB Instance Details C. Management Options D. Additional Configuration

D. Additional Configuration In the document 2013,user can select AZ in additinal configuration page http://awsdocs.s3.amazonaws.com/RDS/latest/rds-gsg.pdf

IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information. A. Read Only Access B. Power User Access C. AWS CloudFormation Read Only Access D. Administrator Access

D. Administrator Access To clarify the confusion: AWS account information is about account's contact information, payment currency etc. You don't need your AWS administrator to access that. But you need them to have all other access, including IAM - ability to create users etc.

Through which of the following interfaces is AWS Identity and Access Management available? A. AWS Management Console B. Command line interface (CLI) C. IAM Query API D. All of the above

D. All of the above Accessing IAM: 1 - AWS Management Console 2 - AWS Command Line Tools 3 - AWS SDKs (i.e. Existing libraries) 4 - IAM HTTPS API http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html#intro-accessing You can work with AWS Identity and Access Management in any of the following ways. AWS Management Console AWS Command Line Tools AWS SDKs (AWS provides SDKs (software development kits) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, etc.). IAM HTTPS API

Which Amazon storage do you think is the best for my database-style applications that frequently encounter many random reads and writes across the dataset. A. None of these B. Amazon Instance Storage C. Any of these D. Amazon EBS

D. Amazon EBS "Amazon EBS is particularly helpful for database-style applications that frequently encounter many random reads and writes across the data set." http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html

Without _____, you must either create multiple AWS accounts, each with its own billing and subscriptions, or your employees must share the security credentials of a single AWS account. A. Amazon RDS B. Amazon Glacier C. Amazon EMR D. Amazon IAM

D. Amazon IAM

Without _____, you must either create multiple AWS accounts-each with its own billing and subscriptions to AWS products-or your employees must share the security credentials of a single AWS account. A. Amazon RDS B. Amazon Glacier C. Amazon EMR D. Amazon IAM

D. Amazon IAM http://docs.aws.amazon.com/IAM/latest/UserGuide/getting-setup.html Without IAM, however, you must either create multiple AWS accounts—each with its own billing and subscriptions to AWS products—or your employees must share the security credentials of a single AWS account. In addition, without IAM, you cannot control the tasks a particular user or system can do and what AWS resources they might use.

Amazon RDS supports SOAP only through _____. A. HTTP or HTTPS B. TCP/IP C. HTTP D. HTTPS

D. HTTPS Amazon RDS supports SOAP only through HTTPS http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/using-soap-api.html

When you resize the Amazon RDS DB instance, Amazon RDS will perform the upgrade during the next maintenance window. If you would rather perform the change now, specify the _____ option. A. ApplyNow B. ApplySoon C. ApplyThis D. ApplyImmediately

D. ApplyImmediately http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Modifying.html Modifying an Amazon RDS DB Instance and Using the Apply Immediately Parameter Most modifications to a DB instance can be applied immediately or applied during the next maintenance window. Some modifications, such as parameter group changes, require that you manually reboot your DB instance for the change to take effect. Some modifications result in an outage because Amazon RDS must reboot your DB instance for the change to take effect. Note When you modify some DB instance settings, an outage occurs because the DB instance is rebooted. Review the impact to your database and applications before modifying your DB instance settings. When you modify a DB instance, you have the option of applying the changes immediately by selecting the Apply Immediately option in the AWS Management Console, using the -apply-immediately parameter when using the AWS CLI, or setting the ApplyImmediately parameter to true when using the Amazon RDS API.

What happens to the I/O operations while you take a database snapshot? A. I/O operations to the database are suspended for an hour while the backup is in progress. B. I/O operations to the database are sent to a Replica (if available) for a few minutes while the backup is in progress. C. I/O operations will be functioning normally D. I/O operations to the database are suspended for a few minutes while the backup is in progress.

D. I/O operations to the database are suspended for a few minutes while the backup is in progress.

Amazon SWF is designed to help users do what? A. Design graphical user interface interactions B. Manage user identification and authorization C. Store Web content D. Coordinate synchronous and asynchronous tasks which are distributed and fault tolerant.

D. Coordinate synchronous and asynchronous tasks which are distributed and fault tolerant. https://aws.amazon.com/swf/faqs/ Q: What is Amazon SWF? Amazon Simple Workflow Service (SWF) is a web service that makes it easy to coordinate work across distributed application components. Amazon SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. Tasks represent invocations of various processing steps in an application which can be performed by executable code, web service calls, human actions, and scripts. The coordination of tasks involves managing execution dependencies, scheduling, and concurrency in accordance with the logical flow of the application. With Amazon SWF, developers get full control over implementing processing steps and coordinating the tasks that drive them, without worrying about underlying complexities such as tracking their progress and keeping their state. Amazon SWF also provides the AWS Flow Framework to help developers use asynchronous programming in the development of their applications. By using Amazon SWF, developers benefit from ease of programming and have the ability to improve their applications' resource usage, latencies, and throughputs.

While creating an EC2 snapshot using the API, which Action should I be using? A. MakeSnapShot B. FreshSnapshot C. DeploySnapshot D. CreateSnapshot

D. CreateSnapshot

Is creating a Read Replica of another Read Replica supported? A. Only in VPC B. Yes C. Only in certain regions D. No

D. No

Please select the Amazon EC2 resource which can be tagged. A. Key pairs B. Elastic IP addresses C. Placement groups D. EBS snapshots

D. EBS snapshots http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

What's an ECU? A. Extended Cluster User. B. None of these. C. Elastic Computer Usage. D. Elastic Compute Unit

D. Elastic Compute Unit

What does Amazon ELB stand for? A. Elastic Linux Box B. Encrypted Linux Box C. Encrypted Load Balancing D. Elastic Load Balancer

D. Elastic Load Balancer

While signing in REST/ Query requests, for additional security, you should transmit your requests using Secure Sockets Layer (SSL) by using _____. A. HTTP B. Internet Protocol Security(IPsec) C. TLS (Transport Layer Security) D. HTTPS

D. HTTPS http://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/using-query-api.html For additional security, you should transmit your requests using Secure Sockets Layer (SSL) by using HTTPS.

What is a Security Group? A. None of these. B. A list of users that can access Amazon EC2 instances. C. An Access Control List (ACL) for AWS resources. D. It acts as a virtual firewall that controls the traffic for one or more instances.

D. It acts as a virtual firewall that controls the traffic for one or more instances.

You work for a toy company that has a busy online store. As you are approaching christmas you find that your store is getting more and more traffic. You ensure that the web tier of your store is behind an Auto Scaling group, however you notice that the web tier is frequently scaling, sometimes multiple times in an hour, only to scale back after peak usage. You need to prevent this so that Auto Scaling does not scale as rapidly, just to scale back again. What option would help you to achieve this? A. Configure Auto Scaling to terminate your oldest instances first, then adjust your CloudWatch alarm. B. Configure Auto Scaling to terminate your newest instances first, then adjust your CloudWatch alarm. C. Change your Auto Scaling so that it only scales at scheduled times. D. Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.

D. Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.

Is creating a Read Replica of another Read Replica supported? A. Only in certain regions B. Only with MSSQL based RDS C. Only for Oracle RDS types D. No

D. No https://aws.amazon.com/rds/faqs/ Q: Can I create a Read Replica of another Read Replica? Amazon RDS for MySQL and MariaDB: You can create a second-tier Read Replica from an existing first-tier Read Replica. By creating a second-tier Read Replica, you may be able to move some of the replication load from the master database instance to a first-tier Read Replica. Please note that a second-tier Read Replica may lag further behind the master because of additional replication latency introduced as transactions are replicated from the master to the first tier replica and then to the second-tier replica. Amazon RDS for PostgreSQL: Read Replicas of Read Replicas are not currently supported.

When running my DB Instance as a Multi-AZ deployment, can I use the standby for read or write operations? A. Yes B. Only with MSSQL based RDS C. Only for Oracle RDS instances D. No

D. No https://aws.amazon.com/rds/faqs/?nc1=h_ls Q: When running my DB Instance as a Multi-AZ deployment, can I use the standby for read or write operations? No, the standby replica cannot serve read requests. Multi-AZ deployments are designed to provide enhanced database availability and durability, rather than read scaling benefits. As such, the feature uses synchronous replication between primary and standby. Our implementation makes sure the primary and the standby are constantly in sync, but precludes using the standby for read or write operations. If you are interested in a read scaling solution, please see the FAQs on Read Replicas.

What does specifying the mapping /dev/sdc=none do when launching an EC2 instance? A. Prevents /dev/sdc from creating the instance. B. Prevents /dev/sdc from deleting the instance. C. Set the value of /dev/sdc to 'zero'. D. Prevents /dev/sdc from attaching to the instance.

D. Prevents /dev/sdc from attaching to the instance. http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ApiReference-cmd-RegisterImage.html

You are a solutions architect who has been asked to do some consulting for a US company that produces re-useable rocket parts. They have a new web application that needs to be built and this application must be stateless. Which three services could you use to achieve this? A. AWS Storage Gateway, Elasticache & ELB B. ELB, Elasticache & RDS C. Cloudwatch, RDS & DynamoDb D. RDS, DynamoDB & Elasticache.

D. RDS, DynamoDB & Elasticache.

What does RRS stand for when talking about S3? A. Redundancy Removal System B. Relational Rights Storage C. Regional Rights Standard D. Reduced Redundancy Storage

D. Reduced Redundancy Storage https://aws.amazon.com/s3/reduced-redundancy/?nc1=h_ls

While creating an Amazon RDS DB, your first task is to set up a DB ______ that controls what IP addresses or EC2 instances have access to your DB Instance. A. Security Pool B. Secure Zone C. Security Token Pool D. Security Group

D. Security Group http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_SettingUp.html#CHAP_SettingUp.SecurityGroup Your DB instance will most likely be created in a VPC. Security groups provide access to the DB instance in the VPC. They act as a firewall for the associated DB instance, controlling both inbound and outbound traffic at the instance level. DB instances are created by default with a firewall and a default security group that prevents access to the DB instance. You must therefore add rules to a security group that enable you to connect to your DB instance. Use the network and configuration information you determined in the previous step to create rules to allow access to your DB instance.

What does Amazon S3 stand for? A. Simple Storage Solution. B. Storage Storage Storage (triple redundancy Storage). C. Storage Server Solution. D. Simple Storage Service.

D. Simple Storage Service.

Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud- based applications. What is the monthly charge for using the public data sets? A. A 1 time charge of 10$ for all the datasets. B. 1$ per dataset per month C. 10$ per month for all the datasets D. There is no charge for using the public data sets

D. There is no charge for using the public data sets

You have an application running in us-west-2 that requires six EC2 instances running at all times. With three AZs available in that region (us-west-2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent fault tolerance if any single AZ in us-west-2 becomes unavailable? Choose 2 answers A. Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances B. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with no EC2 instances C. Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c with two EC2 instances D. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances E. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances

D. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances E. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances

What are the two permission types used by AWS? A. Resource-based and Product-based B. Product-based and Service-based C. Service-based D. User-based and Resource-based

D. User-based and Resource-based http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html Permissions can be assigned in two ways: as identity-based or as resource-based. Identity-based, or IAM permissions are attached to an IAM user, group, or role and let you specify what that user, group, or role can do. For example, you can assign permissions to the IAM user named Bob, stating that he has permission to use the Amazon Elastic Compute Cloud (Amazon EC2) RunInstances action and that he has permission to get items from an Amazon DynamoDB table named MyCompany. The user Bob might also be granted access to manage his own IAM security credentials. Identity-based permissions can be managed or inline.

To view information about an Amazon EBS volume, open the Amazon EC2 console, go to EC2, click _____ in the Navigation pane. A. EBS B. Describe C. Details D. Volumes

D. Volumes http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-describing-volumes.html To view information about an EBS volume using the console Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. In the navigation pane, choose Volumes. To view more information about a volume, select it.

Which of the following is not a service of the security category of the AWS trusted advisor service? A. Security Groups - Specific Ports Unrestricted B. MFA on Root Account C. IAM Use D. Vulnerability scans on existing VPCs.

D. Vulnerability scans on existing VPCs.

Does Amazon Route 53 support NS Records? A. Yes, it supports Name Service records. B. No C. It supports only MX records. D. Yes, it supports Name Server records.

D. Yes, it supports Name Server records. https://aws.amazon.com/route53/faqs/ Q. Which DNS record types does Amazon Route 53 support? Amazon Route 53 currently supports the following DNS record types: A (address record) AAAA (IPv6 address record) CNAME (canonical name record) MX (mail exchange record) NAPTR (name authority pointer record) NS (name server record) PTR (pointer record) SOA (start of authority record) SPF (sender policy framework) SRV (service locator) TXT (text record)

What will be the status of the snapshot until the snapshot is complete. A. running B. working C. progressing D. pending

D. pending Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

Is there any way to own a direct connection to Amazon Web Services? A. You can create an encrypted tunnel to VPC, but you don't own the connection. B. Yes, it's called Amazon Dedicated Connection. C. No, AWS only allows access from the public Internet. D. Yes, it's called Direct Connect

D. Yes, it's called Direct Connect https://aws.amazon.com/directconnect/ AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.

A _____ is a storage device that moves data in sequences of bytes or bits (blocks). Hint: These devices support random access and generally use buffered I/O. A. block map B. storage block C. mapping device D. block device

D. block device http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html A block device is a storage device that moves data in sequences of bytes or bits (blocks). These devices support random access and generally use buffered I/O. Examples include hard disks, CD-ROM drives, and flash drives.

To retrieve instance metadata or userdata you will need to use the following IP Address; A. http://127.0.0.1 B. http://192.168.0.254 C. http://10.0.0.1 D. http://169.254.169.254

D. http://169.254.169.254

Fill in the blanks: The base URI for all requests for instance metadata is _____ A. http://254.169.169.254/latest/ B. http://169.169.254.254/latest/ C. http://127.0.0.1/latest/ D. http://169.254.169.254/latest/

D. http://169.254.169.254/latest/ http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/

In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics: A. web server visible metrics such as number failed transaction requests B. operating system visible metrics such as memory utilization C. database visible metrics such as number of connections D. hypervisor visible metrics such as CPU utilization

D. hypervisor visible metrics such as CPU utilization, disk I/O, network I/O

Which EC2 API call would you use to retrieve a list of Amazon Machine Images (AMIs)? A.DescnbeInstances B.You cannot retrieve a list of AMIs as there are over 10,000 AMIs C.GetAMIs D.DescribeImages E.DescribeAMIs

D. or B?

A _____ is the concept of allowing (or disallowing) an entity such as a user, group, or role some type of access to one or more resources. A. user B. AWS Account C. resource D. permission

D. permission http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.

When you run a DB Instance as a Multi-AZ deployment, the _____ serves database writes and reads A. secondary B. backup C. stand by D. primary

D. primary https://aws.amazon.com/rds/faqs/ Q: What do "primary" and "standby" mean in the context of a Multi-AZ deployment? When you run a DB Instance as a Multi-AZ deployment, the "primary" serves database writes and reads. In addition, Amazon RDS provisions and maintains a "standby" behind the scenes, which is an up-to-date replica of the primary. The standby is "promoted" in failover scenarios. After failover, the standby becomes the primary and accepts your database operations. You do not interact directly with the standby (e.g. for read operations) at any point prior to promotion. If you are interested in scaling read traffic beyond the capacity constraints of a single DB Instance, please see the FAQs on Read Replicas.

You can use _____ and _____ to help secure the instances in your VPC. A. security groups and multi-factor authentication B. security groups and 2-Factor authentication C. security groups and biometric authentication D. security groups and network ACLs

D. security groups and network ACLs

A customer implemented AWS Storage Gateway with a gateway-cached volume at their main office. An event takes the link between the main and branch office offline. Which methods will enable the branch office to access their data? Choose 3 answers A.Use a HTTPS GET to the Amazon S3 bucket where the files are located. B.Restore by implementing a lifecycle policy on the Amazon S3 bucket. C.Make an Amazon Glacier Restore API call to load the files into another Amazon S3 bucket within four to six hours. D.Launch a new AWS Storage Gateway instance AMI in Amazon EC2, and restore from a gateway snapshot. E.Create an Amazon EBS volume from a gateway snapshot, and mount it to an Amazon EC2 instance. F.Launch an AWS Storage Gateway virtual iSCSI device at the branch office, and restore from a gateway snapshot.

DEF seems the right answer. A is certainly not right, because files persisted by Storage Gateway to S3 are not visible, let alone be accessible. https://forums.aws.amazon.com/thread.jspa?threadID=109748 B is invalid option because you cannot apply Lifecycle Policies because AWS Storage Gateway does not give you that option. Cached Volumes are never stored to Glacier and hence "C" is not a valid.

"18. Question What happens to data on ephemeral volume of an EBS-backed instance if instance is stopped and started? 1. Volume snapshot is saved in S3 2. Data persists 3. Data is deleted 4. Data is automatically copied to another volume"

Data is deleted

"49. Question You have a business-critical two-tier web app currently deployed in two AZ in a single region, using Elastic Load Balancing and Auto Scaling. The app depends on synchronous replication (very low latency connectivity) at the database layer. The application needs to remain fully available even if one application AZs goes off-line, and Auto Scaling cannot launch new instances in the remaining AZs. How can the current architecture be enhanced to ensure this? 1. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 50 percent peak load per Region. 2. Deploy in two regions using Weighted Round Robin (WRR), with Auto Scaling minimums set for 100 percent peak load per region 3. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 33 percent peak load per zone. 4. Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone."

Deploy in three Availability Zones, with Auto Scaling minimum set to handle 50 percent peak load per zone.

"48. Question Which route must be added to your routing table in order to allow connections to the Internet from your subnet? 1. Destination: 192.168.1.257/0 --> Target: your Internet gateway 2. Destination: 0.0.0.0/0 --> Target: your Internet gateway 3. Destination: 0.0.0.0/0 --> Target: 0.0.0.0/32 4. Destination: 10.0.0.0/32 --> Target: your virtual private gateway 5. Destination: 0.0.0.0/32 --> Target: your virtual private gateway"

Destination: 0.0.0.0/0 --> Target: your Internet gateway

From what services I can block incoming/outgoing IPs? A. VPC Subnet B. Security Groups C. IGW D. ELB E. NACL

E.

Amazon's Redshift uses which block size for its columnar storage? A. 2KB B. 8KB C. 16KB D. 32KB E. 1024KB / 1MB

E. 1024KB / 1MB

You need to add a route to your routing table in order to allow connections to the internet from your subnet. What route should you add? A. Destination: 192.168.1.258/0 --> Target: your Internet gateway B. Destination: 0.0.0.0/33 --> Target: your virtual private gateway C. Destination: 0.0.0.0/0 --> Target: 0.0.0.0/24 D. Destination: 10.0.0.0/32 --> Target: your virtual private gateway E. Destination: 0.0.0.0/0 --> Target: your Internet gateway

E. Destination: 0.0.0.0/0 --> Target: your Internet gateway

Which of the following is not supported by AWS Import/Export? A. Import to Amazon S3 B. Export from Amazon S3 C. Import to Amazon EBS D. Import to Amazon Glacier E. Export to Amazon Glacier

E. Export to Amazon Glacier

3) What AWS service will Lambda eventually replace?

EC2

8) Server-side encryption is about data encryption at rest. That is, Amazon S3 encrypts your data at the object level as it writes it to disk in its data centers and decrypts it for you when you go to access it. There are a few different options depending on how you choose to manage the encryption keys. One of the options is called 'Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)'. Which of the following best describes how this encryption method works?

Each object is encrypted with a unique key employing strong encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates- Explanation With this encryption option, Amazon S3 handles all of the encryption/decryption of objects, including the rotation of keys. Other options allow you to manage your own keys if you want, but not the method mentioned in the question.

2) What are the two primary ways you are charged for using Lambda?

Execution requests and execution duration

2) A VPC is a shared resource between you and many other AWS users.

False A VPC is your private, logically isolated section of AWS.

11) The following code snippet is the resources section of a CIoudFormation template that you have written. "Resources" : { "ECZInstance" : { "Type" AWS::EC2::Instance", "Properties" : { "InstanceType" : { "Ref' : "InstanceType" SecurityGroups" : [{"Ref" : "InstanceSecurityGroup" } ], "KeyName" : { "Ref" KeyName" }, "Imageld" : { "Fn::FindInMap" : ["AWSRegionArch2AMI", { "Ref" AWS::Region" }, { "Fn::FindInMap" : ["AWSlnstanceType2Arch", { "Ref" InstanceType" }, "Arch" ] } ] } } }, You have used the reference function to define your instance type as follows. "InstanceType" : { "Ref' : "InstanceType" }, The referencing function is referencing the instance type. Where is this value most likely coming from?

From the parameters section of your CIoudFormation template. Explanation The lnstanceType is most likely a parameter, which means whoever uses the template can decide what instance type to use at template creation time. Here is an example of what that might look like: "Parameters" : {"InstanceType" : { "Description" : "WebServer EC2 instance type", "Type" : "String", "Default" : "t2.small", "AIIowedVaIues" : ["t1.micro", "t2.nano", t2-micro", "t2-small"], "ConstraintDescription" : "must be a valid EC2 instance type."

***You have recently joined a startup company building sensors to measure street noise and air quality in urban areas. The company has been running a pilot deployment of around 100 sensors for 3 months Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS. During the pilot, you measured a peak or 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database The current deployment consists of a load-balanced auto scaled Ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage. The pilot is considered a success and your CEO has managed to get the attention or some potential investors The business plan requires a deployment of at least 1O0K sensors which needs to be supported by the backend You also need to store sensor data for at least two years to be able to compare year over year Improvements. To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling Which setup win meet the requirements? A.Add an SOS queue to the ingestion layer to buffer writes to the RDS instance B.Ingest data into a DynamoDB table and move old data to a Redshift cluster C.Replace the RDS instance with a 6 node Redshift cluster with 96TB of storage D.Keep the current architecture but upgrade RDS storage to 3TB and 10K provisioned IOPS

Going with option B. it's will be more costlier than option C. by using both DynamoDB and Redshift Cluster. Though DynamoDB is faster and on SSD drives but here we IOPS are very low and we don't need high speed Database so just using Redshift would be enough!. I would go with option C. Redshift single node can support up to 16TB of Storage and we need 96TB for 24 months of data to be saved and with 6 node Redshift Cluster it makes 96TB of storage by using Eight Extra Large (8XL) has 24 HDDs with a total of 16TB of magnetic storage. So the option C. should be the right one. C. Replace the RDS instance with a 6 node Redshift cluster with 96TB of storage

2) If you are using an ELB to serve web traffic to EC2 instances, what traffic MUST be allowed on the ELB's security group, while also maintaining AWS security best practices?

HTTP/Port 80

You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this? A.User data B.EC2Config service C.IAM roles D.AWS Config

I agree with A. passing scripts at launch to ec2 instances are with user data. Linux has shell scripting and cloud-init directives. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-shell-scripts In addition to user-data for windows instances there is ec2 config and ssm. https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-instance-metadata.html https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-configuration-manage.html

A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement? A.Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC. B.Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere. C.Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses. D.Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

I agree with D since it is least wrong. For D to be correct we would need Elastic IP assigned to have static public IP. With auto assign public IP will change each time instance is rebooted. So DNS name will be the only way how to connect to bastion host...

For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers A.Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors B.Managing a multi-step and multi-decision checkout process of an e-commerce website C.Orchestrating the execution of distributed and auditable business processes D.Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs E.Using as a distributed session store for your web application

I definitely like B and C the best... A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors This is far more applicable scenario for a Kinesis stream. Have the sensors send data into the stream, then process out of the stream (e.g. with a Lambda function to upload to DynamoDb for further analysis, or into CloudWatch if you just wanted to plot the data from the sensors as a time series). B. Managing a multi-step and multi-decision checkout process of an e-commerce website Ideal scenario for SWF. Track the progress of the checkout process as it proceeds through the multiple steps. C. Orchestrating the execution of distributed and auditable business processes Also good for SWF. The key words in the question are "process" and "distributed". If you've got multiple components involved the process, and you need to keep them all appraised of what the current state/stage in the process is, SWF can help. D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs This is a potential scenario for Lambda, which can take an SNS notification as a triggering event. Lambda kicks off the transcoding job (or drops the piece of work into an SQS queue that workers pull from to kick off the transcoding job) E. Using as a distributed session store for your web application Not applicable for SWF at all. As for how you might want to do this, key word here is "distributed". If you wanted to store session state data for a web session on a single web server, just throw it into scratch space on the instance (e.g. ephmeral/instance-store drive mounted to the instance). But this is "distributed", meaning multiple web instances are in play. If one instance fails, you want session state to still be maintained when the user's traffic traverses a different web server. (It wouldn't be acceptable for them to have two items in their shopping cart, be ready to check out, have the instance they were on fail, their traffic go to another web instance, and their shopping cart suddenly shows up as empty.) So you save their session state off to an external session store. If the session state only needs to be maintained for, say, 24 hours, ElastiCache is a good solution. If the session state needs to be maintained for a long period of time, store it in DynamoDb.

***A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC. How should they architect their solution to achieve these goals? A.Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see an traffic across the VPC. B.Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides. C.Configure servers running in the VPC using the host-based 'route' commands to send all traffic through the platform to a scalable virtualized IDS/IPS. D.Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.

I go for D. Support Document Reference https://awsmedia.s3.amazonaws.com/SEC402.pdf B. correct two VPC is not problem. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html Transitive Peering has more than 3 VPCs http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#transitive-peering. There are only two VPCs in the text.

6) Which API call is used to list all resources that belong to a CloudFormation Stack?

ListStackResources

A web-startup runs its very successful social news application on Amazon EC2 with an Elastic Load Balancer, an Auto-Scaling group of Java/Tomcat application-servers, and DynamoDB as data store. The main webapplication best runs on m2 x large instances since it is highly memory- bound Each new deployment requires semi-automated creation and testing of a new AMI for the application servers which takes quite a while ana is therefore only done once per week. Recently, a new chat feature has been implemented in nodejs and wails to be integrated in the architecture. First tests show that the new component is CPU bound Because the company has some experience with using Chef, they decided to streamline the deployment process and use AWS Ops Works as an application life cycle tool to simplify management of the application and reduce the deployment cycles. What configuration in AWS Ops Works is necessary to integrate the new chat module in the most cost-efficient and flexible way? A.Create one AWS Ops Works stack, create one AWS Ops Works layer, create one custom recipe B.Create one AWS Ops Works stack create two AWS Ops Works layers create one custom recipe C.Create two AWS Ops Works stacks create two AWS Ops Works layers create one custom recipe D.Create two AWS Ops Works stacks create two AWS Ops Works layers create two custom recipe

I like B on this one. You only need one stack to contain two layers: - one layer for the Java/Tomcat instances - one layer for DynamoDB You'd only need one custom recipe because the only OpsWorks Lifecycle Event that would be involved in rolling out the new chat feature would be "Deploy". (Or you could implement it in "Setup" if you choose to make including the chat app a new baseline standard for your instances in that layer. But even then, you'd only have one custom recipe because there would be no need to customize the "Deploy" event to install the chat app if you already installed out the chat app in "Setup".) So you'd need a custom recipe for that one lifecycle event. And it would only be used for the "Deploy" lifecycle event on the app layer, not on the DB layer.

Your company has recently extended its datacenter into a VPC on AVVS to add burst computing capacity as needed Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary You don't want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console Which option below will meet the needs for your NOC members? A.Use OAuth 2 0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AVVS Management Console. B.Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS Management Console. C.Use your on-premises SAML 2 O-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint. D.Use your on-premises SAML2.0-compliam identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

I take it back, it is actually C http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html

You are tasked with moving a legacy application from a virtual machine running Inside your datacenter to an Amazon VPC Unfortunately this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there's no documentation for it. What will allow the application running inside the VPC to reach back and access its internal dependencies without being reconfigured? (Choose 3 answers) A.An AWS Direct Connect link between the VPC and the network housing the internal services. B.An Internet Gateway to allow a VPN connection. C.An Elastic IP address on the VPC instance D.An IP address space that does not conflict with the one on-premises E.Entries in Amazon Route 53 that allow the Instance to resolve its dependencies' IP addresses F.A VM Import of the current virtual machine

I think it should be ADE. -correct- A- This will facilitate the connection to on-prem. D- The IPs can't overlap. E- This one is left, since 3 wrong answers has been found. Not enough detail if this is correct or not. If this application used IPs, this wouldn't be needed. -wrong- B- It doesn't need an IGW for a VPN connection. C- it doesn't need a public IP. F- The question is about communicating from VPC to on-prem. Not about moving it to VPC.

A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture? A.A standalone Amazon EC2 instance B.Amazon RDS in a Multi-AZ configuration C.Amazon EC2 instances in a replication configuration utilizing a single Availability Zone D.Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

I think its D http://docs.aws.amazon.com/dms/latest/userguide/CHAP_Introduction.ReplicationInstance.html AWS does not provide root privileges for managed services like RDS. DynamoDB, S3, Glacier etc. For RDS. if you need Admin privileges or want to use features not enabled by RDS. you can go with the Database on EC2 approach

You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal. A.Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account. B.Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts. C.Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access. D.Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts

I vote C: A. This one is incorrect because you cannot "inherit permissions" from one AWS account to another. You could get the other account holder to send you the policy document on their side and cut and paste it into your policy document if you wanted to do so, but you cannot automatically "inherit" that policy. B. Incorrect because the role for cross-account access is not created in the "Master" account. It would be created in the "Dev" and "Test" accounts that are trusting the "Master" account. (It would be a very bad scenario if the account wishing to have access to another account could create the role and everything all in their own account, without the truster account having to do anything to allow it. Any one account could take over any other account at any time. Clearly wrong.) C. This is correct. You would have users log into IAM in the "Master" account, and have the role created by the admins in the "Dev" and "Test" accounts. Those IAM users in the "Master" account would switch role either using the pre-populated URL containing the AccountID and Role Name that the Dev and Test admins sent them, or would have to know those values and input them manually. Permissions would be needed in both accounts in order for this to work: - The Master account IAM users would need to be either full Administrator or Power User access, or if not, would need to explicitly have access granted via policy to perform "Action": "sts:AssumeRole" with the resource for that action being the ARN of the other accounts' roles (which the other accounts administrators would have to send to the Master account admin) - The "Test" and "Dev" account admins would need to grant the role in their accounts access to do pretty much anything, because the scenario is asking for the Master account to have full access. Note: Srinivasu's comment is very observant. He notes that option A mentions that the Master account IAM users will have full Administrator access, thus allowing them to perform action "sts:AssumeRole", which they might not necessarily have unless they are Adminstrators or Power Users. And option C does not explicitly mention this, somewhat implying that option C may be missing this piece in the Master account. If you want to be that detailed/picky, then he is right, none of these answers are correct. But C is closest, and A is definitely wrong due to not being able to "inherit" permissions between accounts. So I'm voting C. D. This is incorrect because linking accounts for consolidated billing purposes does not give the payer account access to do anything in the linked accounts. The payer account can only see billing info for those linked accounts.

You are running a successful multitier web application on AWS and your marketing department has asked you to add a reporting tier to the application. The reporting tier will aggregate and publish status reports every 30 minutes from user-generated information that is being stored in your web application s database. You are currently running a Multi-AZ RDS MySQL instance for the database tier. You also have implemented Elasticache as a database caching layer between the application tier and database tier. Please select the answer that will allow you to successfully implement the reporting tier with as little impact as possible to your database. A.Continually send transaction logs from your master database to an S3 bucket and generate the reports off the S3 bucket using S3 byte range requests. B.Generate the reports by querying the synchronously replicated standby RDS MySQL instance maintained through Multi-AZ. C.Launch a RDS Read Replica connected to your Multi AZ master database and generate reports by querying the Read Replica. D.Generate the reports by querying the ElasliCache database caching tier.

I would choose C: A. This choice is incorrect because, while RDS may be storing SQL transaction logs on the back end for its use in point-in-time recovery, you do not have access to do anything with them. It's just one of those parts of the RDS service that AWS manages for you. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html (In that doc, search for: "Viewing, downloading, or watching transaction logs is not supported.") B. Incorrect because Multi-AZ standby DBs are not query-able for read purposes. Use a read replica for that. C. Correct, this is the easiest way to get an "out of band" copy of the database for your analysis tools to play with, while only very minimally impacting the performance on the front end. (The master DB instance would have to perform asynchronous replication operations to the read replica, which has a very small performance impact. Unless you're replicating to many read replicas in which the performance hit could become noticeable. If you need many read replicas, use Aurora, which has workarounds for this performance hit and can do up to 15 read replicas. Or if your app is married to MySQL, do read replicas of read replicas if you need more than the limit of 5 and can deal with the asynchronous replication delay.) D. This one is plausible at first glance, but in practice could impact performance more than the read replica option due to potentially very large queries that the reporting tier could be running. Also, if your cache is only maintaining the most recently-used records, you could miss pieces of the data you would want to have for reporting. Reporting would probably need access to everything across the board in your DB.

Company B is launching a new game app for mobile devices. Users will log into the game using their existing social media account to streamline data capture. Company B would like to directly save player data and scoring information from the mobile app to a DynamoDS table named Score Data When a user saves their game the progress data will be stored to the Game state S3 bucket. what is the best approach for storing data to DynamoDB and S3? A.Use an EC2 Instance that is launched with an EC2 role providing access to the Score Data DynamoDB table and the GameState S3 bucket that communicates with the mobile app via web services. B.Use temporary security credentials that assume a role providing access to the Score Data DynamoDB table and the Game State S3 bucket using web identity federation. C.Use Login with Amazon allowing users to sign in with an Amazon account providing the mobile app with access to the Score Data DynamoDB table and the Game State S3 bucket. D.Use an IAM user with access credentials assigned a role providing access to the Score Data DynamoDB table and the Game State S3 bucket for distribution with the mobile app.

I would go for answer B, since the user is logged into the game using their existing social media account. Answer A is a possible bottle neck and a possible single-point of failure; the AC2 instance. So that would not be the best approach.

"46. Question Which of the following requires a custom CloudWatch metric to monitor? 1. Network in 2. CPU use 3. Memory use 4. Disk read operations 5. Estimated charges"

Memory use

You have an application running on an EC2 Instance which will allow users to download flies from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely? A.Use the AWS account access Keys the application retrieves the credentials from the source code of the application. B.Create a IAM user for the application with permissions that allow list access to the S3 bucket launch the instance as the IAM user and retrieve the IAM user's credentials from the EC2 instance user data. C.Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role's credentials from the EC2 Instance metadata D.Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

I would go for answer C See also: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html

6) In regards to their data consistency model, AWS states that "Amazon S3 buckets in all Regions provide read-after-write consistency for PUTS of new objects and eventual consistency for overwrite PUTS and DELETES." What does AWS actually mean when they say Read-after-write consistency for PUTS of new objects?

If you write a new key to S3, you will be able to retrieve any object immediately aftewvards- Also, any newly created object or file will be visible immediately, without any delay-

"32. Question You have an Amazon Elastic Cloud Compute (EC2) security group with several running EC2 instances. You change the security group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same security group. The new rules apply: 1. Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply. 2. Immediately to the new instances only. 3. Immediately to all instances in the security group 4. To all instances, but it may take several minutes for old instances to see the changes."

Immediately to all instances in the security group

"6. Question A new instance is launched in public VPC subnet. There is an internet gateway and a route entry as 0.0.0.0/0 but instance can not reach internet. Other instances in this subnet have no issue. How can this problem be solved? 1. 2. Instance should have either public IP or elastic IP 2. 1. NACL should be configured for outbound rule allowing for any protocol and ports 3. 3. A new security group should be created and allow outbound for any. Then instance should be attached to this security group 4. 4. instance should be terminated and relaunched again"

Instance should have either public IP or elastic IP

Your team has a tomcat-based Java application you need to deploy into development, test and production environments. After some research, you opt to use Elastic Beanstalk due to its tight integration with your developer tools and RDS due to its ease of management. Your QA team lead points out that you need to roll a sanitized set of production data into your environment on a nightly basis. Similarly, other software teams in your org want access to that same restored data via their EC2 instances in your VPC .The optimal setup for persistence and security that meets the above requirements would be the following. A.Create your RDS instance as part of your Elastic Beanstalk definition and alter its security group to allow access to it from hosts in your application subnets. B.Create your RDS instance separately and add its IP address to your application's DB connection strings in your code Alter its security group to allow access to it from hosts within your VPC's IP address block. C.Create your RDS instance separately and pass its DNS name to your app's DB connection string as an environment variable. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself. D.Create your RDS instance separately and pass its DNS name to your's DB connection string as an environment variable Alter its security group to allow access to It from hosts In your application subnets.

It can't be A as explained here: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html Elastic Beanstalk provides support for running Amazon RDS instances in your Elastic Beanstalk environment. This works great for development and testing environments, but is not ideal for a production environment because it ties the lifecycle of the database instance to the lifecycle of your application's environment. It can't be D because RDS is opened to all "hosts in your application subnets" where C only opens RDS to specific client machines in a specific security group. C is the correct answer.

***What happens to the I/O operations while you take a database snapshot in a single AZ database? A. I/O operations to the database are suspended for a few minutes while the backup is in progress. B. I/O operations to the database are sent to a Replica (if available) for a few minutes while the backup is in progress. C. I/O operations will be functioning normally D. I/O operations to the database are suspended for an hour while the backup is in progress

It could be A or C A. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CreateSnapshot.html Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. Creating this DB snapshot on a Single-AZ DB instance results in a brief I/O suspension that typically lasting no more than a few minutes. Multi-AZ DB instances are not affected by this I/O suspension since the backup is taken on the standby. C. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonRDSInstances.html During the automatic backup window, storage I/O might be briefly suspended while the backup process initializes (typically under a few seconds) and you might experience a brief period of elevated latency. No I/O suspension occurs for Multi-AZ DB deployments, because the backup is taken from the standby.

1) Which of the following is not a benefit of a query over a scan?

It does not do consistent reads Explanation A query result is an eventually consistent read but you can request it to be a strongly consistent read.

"54. Question What does the "Server Side Encryption" option an Amazon S3 provide? 1. It allows to upload files using an SSL endpoint, for a secure transfer. 2. It provides an encrypted virtual disk in the cloud 3. It doesn't exist for Amazon S3, but only for Amazon EC2 4. It encrypts the files that you send to Amazon S3, on the server side."

It encrypts the files that you send to Amazon S3, on the server side.

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which activity would be useful in defending against this attack? A.Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (internet Gateway) B.Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP C.Create 15 Security Group rules to block the attacking IP addresses over port 80 D.Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

It is D. A doesnt make sense B NAT is for outbound traffic and not inbound (in fact the reason it's is for it allow outbound traffic for private instances at the same time blocking any inbound traffic) http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html C is wrong, there is no deny rule (only allow) in Security Groups.

A Provisioned IOPS volume must be at least __________ GB in size A. 1 B. 50 C. 20 D. 10

Min: 4 GiB, Max: 16384 GiB This question is deprecated. the new limits are as follows: https://aws.amazon.com/ebs/details/ But the answer is D.

3) What is the security layer that allows/denies data from entering or exiting a subnet?

Network Access Control List (NACL)

10) The following code snippet is the parameters section of a CloudFormation template that you have written. "Parameters" : { "KeyName": { "Description" answer to the question", "Type": "AWS::ECZ::KeyPair::KeyName", } } Which of the the following is the best description of what this section will do once you run your CloudFormation template?

It will ask you to provide the name of an existing EC2 KeyPair to use Explanation Before launching the creation of our CloudFormation template, CloudFormation will ask us to choose an existing keypair name to associate with our ec2 instance(s). This Parameters section allows us to do that.

http://cdn.aiotestking.com/wp-content/uploads/aws-saa/1.jpg Refer to the architecture diagram above of a batch processing solution using Simple Queue Service (SOS) to set up a message queue between EC2 instances which are used as batch processors Cloud Watch monitors the number of Job requests (queued messages) and an Auto Scaling group adds or deletes batch servers automatically based on parameters set in Cloud Watch alarms. You can use this architecture to implement which of the following features in a cost effective and efficient manner? A.Reduce the overall lime for executing jobs through parallel processing by allowing a busy EC2 instance that receives a message to pass it to the next instance in a daisy-chain setup. B.Implement fault tolerance against EC2 instance failure since messages would remain in SQS and worn can continue with recovery of EC2 instances implement fault tolerance against SQS failure by backing up messages to S3. C.Implement message passing between EC2 instances within a batch by exchanging messages through SOS. D.Coordinate number of EC2 instances with number of job requests automatically thus Improving cost effectiveness. E.Handle high priority jobs before lower priority jobs by assigning a priority metadata field to SQS messages.

It's D. The number of jobs in the queue will determine how many EC2 instances are required. Thus being 'cost effective' and 'efficient'... https://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-using-sqs-queue.html

2) What are the main two components of Auto Scaling?

Launch configuration and Auto Scaling group

"50. Question What is the Reduced Redundancy option in Amazon S3? 1. It allows you to destroy any copy of your files outside 2. It doesn't exist in Amazon S3, but in Amazon EBS 3. Less redundancy for a lower cost 4. It doesn't exist at all"

Less redundancy for a lower cost

"53. Question Can we attach an EBS volume to more than one EC2 instance at the same time? 1. Yes 2. Only in read mode 3. No 4. Only EC2-optimized EBS volumes."

No

1) What are the current languages that Lambda supports?

Node.js, Java, C#, and Python Lambda currently supports Node.js, Java, C# and Python!

***You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: "Network error: Connection timed out" or "Error connecting to [instance], reason: -> Connection timed out: connect," You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2 answers A.Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch. B.Verify that your IAM user policy has permission to launch Amazon EC2 instances. C.Verify that you are connecting with the appropriate user name for your AMI. D.Verify that the Amazon EC2 Instance was launched with the proper IAM role. E.Verify that your federation trust to AWS has been established.

None of the available answers is correct for the scenario. You can find this exact scenario in the AWS user guide and none of the answers listed are among the recommended troubleshooting steps: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout However, the available responses do match the troubleshooting steps for a completely different scenario further down in that same document: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectingMindTerm I think that whoever created this question got mixed up halfway through and combined the description of the "Connection timed out" scenario with the troubleshooting steps from the "Host key not found" scenario. just done the exam, scored 100% on this part. it is and A and C, although it does not make sense. The only reason it does make sense (according to amazons logic) is: - the text says the EC2 instance was created (thus no permission/iam/role problems) - security/acl checked (thus no problems with the network) only options left are those above, although the "connection timed out' makes no sense at all. So for you exam, just learn it as this: AC

Can I delete a snapshot of the root device of an EBS volume used by a registered AMI? A. Only via API B. Only via Console C. Yes D. No

Note that you can't delete a snapshot of the root device of an EBS volume used by a registered AMI. You must first deregister the AMI before you can delete the snapshot. Source: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html

For each DB Instance class, what is the maximum size of associated storage capacity? A.5GB B.1TB C.2TB D.500GB

Now it is 6TB. "You can now create MySQL, PostgreSQL, and Oracle RDS database instances with up to 6TB of storage and SQL Server RDS database instances with up to 4TB of storage when using the Provisioned IOPS and General Purpose (SSD) storage types. Existing MySQL, PostgreSQL, and Oracle RDS database instances can be scaled to these new database storage limits without any downtime." http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html#RDS_Limits.FileSize

Can I test my DB Instance against a new version before upgrading? A.No B.Yes C.Only in VPC

Obviously. http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html

"5. Question An instance running a webserver is launched in a VPC subnet. A security group and a NACL are configured to allow inbound port 80. What should be done to make web server accessible by everyone? 1. Outbound Ports 49152-65535 should be enabled on NACL 2. Outbound Port 80 rule should be enabled on both security group and NACL 3. Outbound Port 80 rule should be enabled on security group 4. All ports both inbound and outbound should be enabled on security group and NACL"

Outbound Ports 49152-65535 should be enabled on NACL

"12. Question You want to implement a HPC ( High performance computing ) system with low-latency network performance. In order to establish this, which AWS feature can be used? 1. 3. EC2 and DynamoDB 2. 2. Placement groups 3. 1. ELB and Auto scaling 4. 4. ElasticMapReduce"

Placement groups

"51. Question When you run a DB Instance as a Multi-AZ deployment, the "______" serves database writes and reads 1. Primary 2. Secondary 3. Backup 4. Stand by"

Primary

15) You are writing an AWS CIoudFormation Template to create a static 33 website configuration. The resources section of this template will be used for access control of the bucket and is defined in the 5th line of the below code snippet. What should the value of "AccessControl" be so that the owner of the bucket gets full control and all users get READ access only. "Resources" : { "S3Bucket" : { "Type" AWS::S3::Bucket", "Properties" : { "AccessControl" : "ANSWER TO THE QUESTION", "BucketName": { "Ref" : "BucketName" }, "WebsiteConflguration" lndexDocument" : "index.html", "ErrorDocument" : "error.html"

PublicRead

12) For best performance when retrieving data from a table. what "type" of API call should you perform?

Query Explanation The query API call queries the primary key field only- The scan API call will scan all fields and rows in the database for a result set. With larger tables the scan API call will have a severe reduction in performance.

"34. Question How can software determine the public and private IP addresses of the Amazon Elastic Cloud Compute instance that it is running on? 1. Query the local instance metadata. 2. Query the appropriate Amazon CloudWatch metric. 3. Use an ipconfig or ifconfig command 4. Query the local instance userdata."

Query the local instance metadata.

5) What is the proper structure of AWS Global Infrastructure?

Regions -> Availability Zones -> Data Centers -> AWS Services

7) Of the 6 available sections on a CloudFormation template (Template Description Declaration, Template Format Version Declaration, Parameters, Resources, Mappings, Outputs), which is the only one required for a CloudFormation template to be accepted?

Resources

16) fnzGetAtt is used on a CloudForrnation template to:

Return the value of an attribute from a resource on the template Explanation fnzGetAtt is an intrinsic function. Intrinsic functions pass are used to grab data that is only available at stack runtime.

A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer? A.Create an A record pointing to the IP address of the load balancer B.Create a CNAME record pointing to the load balancer DNS name. C.Create a CNAME record aliased to the load balancer DNS name. D.Create an A record aliased to the load balancer DNS name

Route 53 FAQ Q. Can I point my zone apex (example.com versus http://www.example.com) at my Elastic Load Balancer? Yes. Amazon Route 53 offers a special type of record called an 'Alias' record that lets you map your zone apex (example.com) DNS name to your ELB DNS name (i.e. elb1234.elb.amazonaws.com). IP addresses associated with Amazon Elastic Load Balancers can change at any time due to scaling up, scaling down, or software updates. Route 53 responds to each request for an Alias record with one or more IP addresses for the load balancer. Queries to Alias records that are mapped to ELB load balancers are free. These queries are listed as "Intra-AWS-DNS-Queries" on the Amazon Route 53 usage report. So the correct answer is D:

A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower Overall CPU resources for the web tier? A.Amazon EBS volume B.Amazon S3 C.Amazon EC2 instance store D.Amazon RDS instance

S3 FAQ Q: What storage classes does Amazon S3 offer? Amazon S3 offers a range of storage classes designed for different use cases. There are three highly durable storage classes including Amazon S3 Standard for general-purpose storage of frequently accessed data, Amazon S3 Standard - Infrequent Access for long-lived, but less frequently accessed data, and Amazon Glacier for long-term archive. You can learn more about those three storage classes on the Amazon S3 Storage Classes page. so Correct answer is B:

"56. Question You can use _______ and ________ to help secure the instances in your VPC. 1. Security groups and 2-factor authentication 2. Security groups and biometric authentication 3. Security groups and multi-factor authentication 4. Security groups and network ACLs"

Security groups and network ACLs

Which of the following approaches provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data? A.Maintain two snapshots: the original snapshot and the latest incremental snapshot. B.Maintain a volume snapshot; subsequent snapshots will overwrite one another C.Maintain a single snapshot the latest snapshot is both Incremental and complete. D.Maintain the most current snapshot, archive the original and incremental to Amazon Glacier.

Seems Ans is C, latest snapshot will contain both incremental and complete. Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the volume. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebsdeleting- snapshot.html http://www.nimbo.com/blog/observations-ebs-snapshot-restorebehavior- aws/

5) Which is NOT a benefit of auto scaling?

Sending messages Auto scaling provides automation that contributes to highly available and fault tolerant architecture. Auto scaling is not used to send messages (you are thinking of SNS).

A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 answers A.Amazon Simple Email Service B.Amazon CloudWatch C.Amazon Simple Queue Service D.Amazon Route 53 E.Amazon Simple Notification Service

So it is B&E D: can be right only if B was not exist : DNS has health check capabilities, but this is integrated with cloudWatch . Amazon Route 53 health checks integrate with CloudWatch metrics so that you can do the following: Verify that a health check is properly configured. Review the status of a health check over a specified period of time. Configure CloudWatch to send an Amazon Simple Notification Service (Amazon SNS) alert when the status of a health check is unhealthy. Note that several minutes might elapse between the time that a health check fails and the time that you receive the associated Amazon SNS notification. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-monitor-view-status.html?console_help=true#monitoring-health-checks

"7. Question An instance is launched in private VPC subnet. All security, NACL and routing definition configured as expected. A custom NAT instance is launched. Which of the following answer is right for configuring custom NAT instance? 1. 1. Source/Destination check should be disabled 2. 2. NAT instance should have public ip address configured 3. 4. NAT instance should be launched in public subnet 4. 3. NAT instance should have elastic ip address configured"

Source/Destination check should be disabled

"20. Question Which type of volume is suited for use as boot volume? 1. None of them 2. Provisioned IOPS volume 3. Standard volume 4. Ephemeral instance store volume"

Standard volume

3) Company B is using Amazon SQS to decouple their systems for scaleability. However, they need to send messages up to 456Kb in size. What might Company B do in order to send more than 256KB of data?

Store the data in S3 or DynamoDB and attach message instructions to the message for the worker to retrieve the data

"30. Question You are setting up a VPC and you need to set up a public subnet within that VPC. What following requirement must be met for this subnet to be considered a public subnet? 1. Subnet's traffic is not routed to an Internet gateway 2. Subnet's traffic is routed to an Internet gateway 3. None of these answers can be considered a public subnet 4. Subnet's traffic is not routed to an Internet gateway but has its traffic routed to a virtual private gateway."

Subnet's traffic is routed to an Internet gateway

***You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance? A.Create a load balancer, and register the Amazon EC2 instance with it B.Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin C.Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action D.Create a launch configuration from the instance using the CreateLaunchConfiguration action

The answer is C http://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_CreateAutoScalingGroup.html http://docs.aws.amazon.com/ko_kr/elasticbeanstalk/latest/dg/events.common.cpu.html A is wrong, with ELB we don't solve the problem becouse we need more instance B is wrong, it's for content delivery, the key is "Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin" Delivery is one of the job of a content distribution system. There can be other N number of jobs for a content management system - for example search the content, fetching the content, catalog the content, saving the content - many of which is not related to network issues. B could be correct if Cloudfront caches the content and then sends it to source (reverse CDN) C is correct if processing needs to be reduced D is wrong, LauchConfiguration is just a template. Creating a template does not help in this situation.

An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access to issue several API commands to discover Amazon EC2 resources running within the enterprise's account The enterprise has internal security policies that require any outside access to their environment must conform to the principles of least privilege and there must be controls in place to ensure that the credentials used by the SaaS vendor cannot be used by any other third party. Which of the following would meet all of these conditions? A.From the AWS Management Console, navigate to the Security Credentials page and retrieve the access and secret key for your account. B.Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only the actions required by the SaaS application create a new access and secret key for the user and provide these credentials to the SaaS provider. C.Create an IAM role for cross-account access allows the SaaS provider's account to assume the role and assign it a policy that allows only the actions required by the SaaS application. D.Create an IAM role for EC2 instances, assign it a policy mat allows only the actions required tor the Saas application to work, provide the role ARM to the SaaS provider to use when launching their application instances.

The answer is C, A, is out of home 🙂 B, We should not pass the credentials to any one even this SaaS vendor D, If you are intended to share the IAM role ARN to this vendor , there is a chance to get access to other third party vendor. So the right ans is C 100% sure. Since it is restricted to single account and none can access the resources in enterprise account other than this vendor even if other tries to access !! http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

4) An atomic counter allows all write requests to be applied in the order they are received by incrementing or decrementing the attribute value.

True

A newspaper organization has a on-premises application which allows the public to search its back catalogue and retrieve individual newspaper pages via a website written in Java They have scanned the old newspapers into JPEGs (approx 17TB) and used Optical Character Recognition (OCR) to populate a commercial search product. The hosting platform and software are now end of life and the organization wants to migrate Its archive to AWS and produce a cost efficient architecture and still be designed for availability and durability Which is the most appropriate? A.Use S3 with reduced redundancy lo store and serve the scanned files, install the commercial search application on EC2 Instances and configure with auto-scaling and an Elastic Load Balancer. B.Model the environment using CloudFormation use an EC2 instance running Apache webserver and an open source search application, stripe multiple standard EBS volumes together to store the JPEGs and search index. C.Use S3 with standard redundancy to store and serve the scanned files, use CloudSearch for query processing, and use Elastic Beanstalk to host the website across multiple availability zones. D.Use a single-AZ RDS MySQL instance lo store the search index 33d the JPEG images use an EC2 instance to serve the website and translate user queries into SQL. E.Use a CloudFront download distribution to serve the JPEGs to the end users and Install the current commercial search product, along with a Java Container Tor the website on EC2 instances and use Route53 with DNS round-robin.

The answer is C. Cloud search is the perfect option for the search related content.

5) When you type a domain name (Iinuxacademy.com) into a web browser, what best describes the process that occurs to deliver the website content back to the browser?

The browser sends a request to a DNS sever asking for the IP address associated with the domain name. For a web browsers to request data from a web server, it must know the IP address of the web server. If given a domain name (instead of an IP address), the browser "asks" a DNS server to translate the web domain into it's IP address.

4) If you're executing code against AWS on an EC2 instance that is assigned an IAM role, which of the following is a true statement?

The code will assume the same permissions as the EC2 role

1) DNS sewers are used to translate common language web domains into IP addresses.

True

14) In addition to CloudFormation Syntax and Functions, you need to be familiar with the available CLI commands (they start with cfn-) and API calls.

True

Your firm has uploaded a large amount of aerial image data to S3 In the past, in your on-premises environment, you used a dedicated group of servers to oaten process this data and used Rabbit MQ - An open source messaging system to get job information to the servers. Once processed the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct? A.Use SQS for passing job messages use Cloud Watch alarms to terminate EC2 worker instances when they become idle. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage. B.Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SOS Once data is processed, C.Change the storage class of the S3 objects to Reduced Redundancy Storage. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS Once data is processed, change the storage class of the S3 objects to Glacier. D.Use SNS to pass job messages use Cloud Watch alarms to terminate spot worker instances when they become idle. Once data is processed, change the storage class of the S3 object to Glacier.

The question key part to focus on is "and leverage AWS archival storage and messaging services to minimize cost." For that the storage that is the lowest cost in the answers is Glacier, in addition, the messaging cost is less for SQS then for SNS if they both exceed 1 million transactions which is free. The only answer that satisfies the above two criteria is answer C. Also, there does not seem to be an urgency in speed of messaging therefore SQS satisfies that need. SNS being more real time delivery mechanism.

2) Which of the following is true if long polling is enabled?

The reader will listen to the queue until a message is available or until timeout

13) You decide to create a bucket on AWS S3 called 'bestbucketever' and then perform the following actions in the order that they are listed here. - You upload a file to the bucket called 'file1'- You enable versioning on the bucket - You upload a file called 'file2' - You upload a file called 'file3' - You upload another file called 'fiIe2' Which of the following is true for your bucket 'bestbucketever'?

The version ID for file1 will be null, there will be 2 version IDs for file2 and 1 version ID for flle3 Explanation You can enable versioning on a bucket, even if that bucket already has objects in it. The already existing objects, though, will show their versions as null. All new objects will have version IDs.

"16. Question To protect accidental overwrites or deletions of your objects in your S3 bucket you configured versioning. Because of changes in your environment, you don't want to use versioning anymore and want to enable lifecycle rules. How can versioning be disabled? 1. After manually disabling versioning , lifecycle rules can be enabled 2. Once enabled, Versioning cannot be disabled. You can also add Lifecycle Rules for this bucket 3. When Lifecycle rules are enabled, versioning is automatically disabled 4. There is no need to disable versioning. Both lifecycle rules and versioning can work simultaneously"

There is no need to disable versioning. Both lifecycle rules and versioning can work simultaneously

2) If you are connecting to AWS from a computer, not an Eo2 instance, you need to create an AWS user, attach permissions, and use the API access key and secret access key in your Python code.

True

A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC? A. 1 B. 2 C. 3 D. 4

This is a tricky question and I would go with B for the following reasons: 1. It is implementation. 2. One site on multiple instances (2 minimal) 3. From the above two pre-requirements, there would be ELB for this approach. However, no words saying about it. 4. With ELB you do not need to have two public subnets. 5. DB may use two private subnets. http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-manage-subnets.html http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.Scenarios.html http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition? A.Auto Scaling policy B.Auto Scaling group C.Auto Scaling tags D.Auto Scaling launch configuration

This is a tricky question. You specify instance type in a launch configuration, however you can't change a launch configuration after it is created. You can however create a new launch configuration and edit Auto Scaling group to use it instead of the old launch configuration. However "When you change the launch configuration for your Auto Scaling group, any new instances are launched using the new configuration parameters, but existing instances are not affected." - see here: http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html Still D is the best answer.

An AWS customer runs a public blogging website. The site users upload two million blog entries a month The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication, this drops to no updates after 6 months. The customer wants to use CloudFront to improve his user's load times. Which of the following recommendations would you make to the customer? A.Duplicate entries into two different buckets and create two separate CloudFront distributions where S3 access is restricted only to Cloud Front identity B.Create a CloudFront distribution with "US'Europe price class for US/Europe users and a different CloudFront distribution with All Edge Locations' for the remaining users. C.Create a CloudFront distribution with S3 access restricted only to the CloudFront identity and partition the blog entry's location in S3 according to the month it was uploaded to be used with CloudFront behaviors. D.Create a CloudFronl distribution with Restrict Viewer Access Forward Query string set to true and minimum TTL of 0.

This question was on my SysOps exam. I think C is correct.

2) In a highly available and fault tolerant architecture with multiple EC2 instances hosting a website, what is the purpose of Route 53?

To populate external DNS servers with domain/IP address information AND to route incoming traffic to the ELB. Route 53 automatically sends your DNS record information to DNS servers AND it is also where you decide where traffic request for that domain/IP address are routed.

"17. Question Which protocol is not supported when using with Route 53 health check? 1. HTTP 2. HTTPS 3. UDP 4. TCP"

UDP

2) You successfully upload an item to the US-STANDARD region. You then immediately make another API call and attempt to read the object. What will happen?

US-STANDARD has read-after-write consistency, so you will be able to retrieve the object immediately All regions now have read-after-write consistency for PUT operations of new objects. Read- after-write consistency allows you to retrieve objects immediately after creation in Amazon 83. Other actions still follow the eventual consistency model.

"40. Question You are deploying an application an Amazon Elastic Cloud Compute (EC2) that must call AWS APIs. What method of securely passing credentials to the application should you use? 1. Pass API credentials to the instance using instance userdata. 2. Use AWS Identity and Access Management roles for EC2 instances 3. Store API credentials as an object in Amazon Simple Storage Service 4. Embed the API credentials into your JAR files."

Use AWS Identity and Access Management roles for EC2 instances

"19. Question We run a database on a m1.small instance and customers have performance issues. After investigation, database administrators asks you to improve iops performance. Which options can be used to improve iops? 1. Using Provisioned IOPS 2. Configuring Elastic load balancing and adding additional database servers 3. Using a compute optimized instance 4. Using a GPU instance"

Using Provisioned IOPS

"11. Question What is the most secure option to connect to instances without Internet connectivity in private subnet VPC? 1. 2. Using a bastion host server to connect to the instances 2. 1. Enable internet connectivity and configure security group to connect to the instances 3. 3. Enable internet connectivity and configure NACL and security group to connect to the instances 4. 4. Configure IAM policy to restrict access to the instances"

Using a bastion host server to connect to the instances

7) VPC is an abbreviation for:

Virtual Private Cloud

"31. Question How can we attach our instance store volume to another instance? 1. • 3. We can use ""detach volume"" and then attach to another instance. 2. • 2. We can use ""force detach"" and then attach to another instance 3. • 1. We can not detach or attach instance store volume 4. • 4. We can stop the instance. Detach the volume. And attach to other instance"

We can not detach or attach instance store volume

You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? Choose 2 answers A.The load balancer was not configured to use a public subnet with an Internet gateway configured B.The Amazon EC2 instances do not have a dynamically allocated private IP address C.The security groups or network ACLs are not property configured for web traffic. D.The load balancer is not configured in a private subnet with a NAT instance. E.The VPC does not have a VGW configured.

When you create an ELB/ALB you must specify the subnets it will be in. So for web facing ELB's you'd assign them to one or more public subnets (per AZ) and of course a subnet is public if i's default route is to an IGW http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-manage-subnets.html So A and C

Your company produces customer commissioned one-of-a-kind skiing helmets combining nigh fashion with custom technical enhancements Customers can show oft their Individuality on the ski slopes and have access to head-up-displays. GPS rear-view cams and any other technical innovation they wish to embed in the helmet. The current manufacturing process is data rich and complex including assessments to ensure that the custom electronics and materials used to assemble the helmets are to the highest standards Assessments are a mixture of human and automated assessments you need to add a new set of assessment to model the failure modes of the custom electronics using GPUs with CUD A. across a cluster of servers with low latency networking. What architecture would allow you to automate the existing process using a hybrid approach and ensure that the architecture can support the evolution of processes over time? Use AWS Data Pipeline to manage movement of data & meta-data and assessments Use an auto-scaling group of G2 instances in a placement group. A.across a cluster of servers with low latency networking. What architecture would allow you to automate the existing process using a hybrid approach and ensure that the architecture can support the evolution of processes over time? Use AWS Data Pipeline to manage movement of data & meta-data and assessments Use an auto-scaling group of G2 instances in a placement group. B.Use Amazon Simple Workflow (SWF) 10 manages assessments, movement of data & meta-data Use an autoscaling group of G2 instances in a placement group. C.Use Amazon Simple Workflow (SWF) lo manages assessments movement of data & meta-data Use an autoscaling group of C3 instances with SR-IOV (Single Root I/O Virtualization). D.Use AWS data Pipeline to manage movement of data & meta-data and assessments use auto-scaling group of C3 with SR-IOV (Single Root I/O virtualization).

Yes . Answer is B . Key is 'mixture of human and automated assessment's + 'low latency' . B fits both the requirements.

You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet. Which of the following options would you consider? (Choose 2 answers) A.Implement IDS/IPS agents on each Instance running In VPC B.Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic. C.Implement Elastic Load Balancing with SSL listeners In front of the web applications D.Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Yes A & D. EC2 does not allow promiscuous mode, and you cannot put something in between the ELB and the web server (like a listener or IDP)

1) You are writing an AWS CIoudFormation template and you want to assign values to properties that will not be available until runtime. You know that you can use intrinsic functions to do this but are unsure as to which part of the template they can be used in. Which of the following is correct in describing how you can currently use intrinsic functions in an AWS CIoudFormation template?

You can only use intrinsic functions in specific parts of a template. You can use intrinsic functions in resource properties, metadata attributes, and update policy attributes.

"3. Change the input split size in the MapReduce job configuration 4. Adjust the number of simultaneous mapper tasks"

You encountered a soft limit of 20 instances per region. Submit the limit increase form and retry the failed requests once approved

"37. Question A startup company hired you to help them build a mobile application, that will ultimately store billions of images and videos in Amazon Simple Storage Service (S3). The company is lean on funding, and wants to minimize operational costs, however, they have an aggressive marketing plan, and expect to double their current installation base every six months. Due to the nature of their business, they are expecting sudden and large increases in the traffic to and from S3, and need to ensure that it can handle the performance needs of their application. What other information must you gather from this customer in order to determine whether S3 is the right option? 1. You must know how many customers the company has today, because this is critical in understanding what their customer base will be in two years. 2. You must know the size of individual objects being written to S3, in order to properly design the key namespace. 3. You must find out the total number of requests per second at peak usage. 4. In order to build the key namespace correctly, you must understand the total amount of storage needs for each S3 bucket ."

You must find out the total number of requests per second at peak usage.

To serve Web traffic for a popular product your chief financial officer and IT director have purchased 10 ml large heavy utilization Reserved Instances (RIs) evenly spread across two availability zones: Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product grows even more popular and you need additional capacity As a result, your company purchases two C3.2xlarge medium utilization Ris You register the two c3 2xlarge instances with your ELB and quickly find that the ml large instances are at 100% of capacity and the c3 2xlarge instances have significant capacity that's unused Which option is the most cost effective and uses EC2 capacity most effectively? A.Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round robin B.Configure Autoscaning group and Launch Configuration with ELB to add up to 10 more on-demand mi large instances when triggered by Cloudwatch shut off c3 2xiarge instances C.Route traffic to EC2 ml large and c3 2xlarge instances directly using Route 53 latency based routing and health checks shut off ELB D.Configure ELB with two c3 2xiarge Instances and use on-demand Autoscailng group for up to two additional c3.2xlarge instances Shut on mi .large instances.

answer : A because the weighted routing policy is used when you have multiple resources that perform the same function (for example, web servers that serve the same website) and you want Amazon Route 53 to route traffic to those resources in proportions that you specify (for example, one quarter to one server and three quarters to the other). refer : http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html B. again adds more instances. We already have 2 unused instances, adding more is not the solution C. We are not sure where the traffic is from. Latency based routing may cause more problems or may not. Its a iffy choice D. is definitely not correct. We already have c3 2xlarge instances that are not used. Configuring it to a Autoscale group for up to two additional c3.2xlarge instances, does not make much sense.

A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this? A.Create a new IAM role and associated policies within the new region B.Assign the existing IAM role to the Amazon EC2 instances in the new region C.Copy the IAM role and associated policies to the new region and attach it to the instances D.Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

answer is B, because IAM roles are global

***An ERP application is deployed across multiple AZs in a single region. In the event of failure, the Recovery Time Objective (RTO) must be less than 3 hours, and the Recovery Point Objective (RPO) must be 15 minutes the customer realizes that data corruption occurred roughly 1.5 hours ago. What DR strategy could be used to achieve this RTO and RPO in the event of this kind of failure? A.Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes. B.Use synchronous database master-slave replication between two availability zones. C.Take hourly DB backups to EC2 Instance store volumes with transaction logs stored In S3 every 5 minutes. D.Take 15 minute DB backups stored In Glacier with transaction logs stored in S3 every 5 minutes.

answer is a Glacier takes too long to restore Replication won't let you go back in time Instance store is ephermal C is the correct answer as the EC2 Instance storage volumes are transferred faster than S3 check : http://www.rightscale.com/blog/cloud-industry-insights/network-performance-within-amazon-ec2-and-amazon-s3 It should be B. Because RPO must be 15minutes so we can't take hourly backup for that requirement

Your startup wants to implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce with some orders taking up to 6 months you expect 10 orders per day on your first day. 1000 orders per day after 6 months and 10,000 orders after 12 months. Orders coming in are checked for consistency men dispatched to your manufacturing plant for production quality control packaging shipment and payment processing If the product does not meet the quality standards at any stage of the process employees may force the process to repeat a step Customers are notified via email about order status and any critical issues with their orders such as payment failure. Your case architecture includes AWS Elastic Beanstalk for your website with an RDS MySQL instance for customer data and orders. How can you implement the order fulfillment process while making sure that the emails are delivered reliably? A.Add a business process management application to your Elastic Beanstalk app servers and re-use the ROS database for tracking order status use one of the Elastic Beanstalk instances to send emails to customers. B.Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1 Use the decider instance to send emails to customers. C.Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1 use SES to send emails to customers. D.Use an SQS queue to manage all process tasks Use an Auto Scaling group of EC2 Instances that poll the tasks and execute them. Use SES to send emails to customers.

answer is c http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_ecommerce_checkout_13.pdf

3) Which command line commands list all current stacks in your CloudFormation service?

cfn-describe-stacks, cfn-Iist-stacks Explanation The cfn-describe-stacks command line command will list all current stacks in CIoudFormation. Taking the same naming convention you'd find that the "core" query API call to list all stacks would be DescribeStacks. The cfn-list-stacks will also return a list of our stacks, with the option to filter through different stacks statuses. Please note: 'cfn-' has been deprecated. The new naming convention would be 'describe-stacks' and 'Iist-stacks' instead. We are leaving this here because you are still likely to see the deprecated naming convention on the exam.

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC Your server's on-premises will De communicating with your VPC instances You will De establishing IPSec tunnels over the internet You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? (Choose 4 answers) A.End-to-end protection of data in transit B.End-to-end Identity authentication C.Data encryption across the Internet D.Protection of data in transit over the Internet E.Peer identity authentication between VPN gateway and customer gateway F.Data integrity protection across the Internet

http://www.firewall.cx/networking-topics/protocols/870-ipsec-modes.html IPSec VPN tunnel mode. CDEF

You have launched an EC2 instance with four (4) 500 GB EBS Provisioned IOPS volumes attached The EC2 Instance Is EBS-Optimized and supports 500 Mbps throughput between EC2 and EBS The two EBS volumes are configured as a single RAID o device, and each Provisioned IOPS volume is provisioned with 4.000 IOPS (4 000 16KB reads or writes) for a total of 16.000 random IOPS on the instance The EC2 Instance initially delivers the expected 16 000 IOPS random read and write performance Sometime later in order to increase the total random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID Each volume Is provisioned to 4.000 lOPs like the original four for a total of 24.000 IOPS on the EC2 instance Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%. but the total random IOPS measured at the instance level does not increase at all. What is the problem and a valid solution? A.Larger storage volumes support higher Provisioned IOPS rates: increase the provisioned volume storage of each of the 6 EBS volumes to 1TB. B.The EBS-Optimized throughput limits the total IOPS that can be utilized use an EBS-Optimized instance that provides larger throughput. C.Small block sizes cause performance degradation, limiting the I'O throughput, configure the instance device driver and file system to use 64KB blocks to increase throughput. D.RAID 0 only scales linearly to about 4 devices, use RAID 0 with 4 EBS Provisioned IOPS volumes but increase each Provisioned IOPS EBS volume to 6.000 IOPS. E.The standard EBS instance root volume limits the total IOPS rate, change the instant root volume to also be a 500GB 4.000 Provisioned IOPS volume.

i think B http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-ec2-config.html Instance types with 10 Gigabit network connectivity support up to 800 MB/s of throughput and 48,000 16K IOPS for unencrypted Amazon EBS volumes and up to 25,000 16K IOPS for encrypted Amazon EBS volumes. Because the maximum io1 value for EBS volumes is 20,000 for io1 volumes and 10,000 for gp2 volumes, you can use several EBS volumes simultaneously to reach the level of I/O performance available to these instance types. So increase the EC2 network connectivity higher than 500MB/s would help

Your company has HQ in Tokyo and branch offices all over the world and is using a logistics software with a multi-regional deployment on AWS in Japan, Europe and US A. The logistic software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence. Each region has deployed its own database In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices this batch process must be completed as fast as possible to quickly optimize logistics how do you build the database architecture in order to meet the requirements'? For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region A.The logistic software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence. Each region has deployed its own database In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices this batch process must be completed as fast as possible to quickly optimize logistics how do you build the database architecture in order to meet the requirements'? For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region B.For each regional deployment, use MySQL on EC2 with a master in the region and send hourly EBS snapshots to the HQ region C.For each regional deployment, use RDS MySQL with a master in the region and send hourly RDS snapshots to the HQ region D.For each regional deployment, use MySQL on EC2 with a master in the region and use S3 to copy data files hourly to the HQ region E.Use Direct Connect to connect all regional MySQL deployments to the HQ region and reduce network latency for the batch process

the answer is A For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region.

You launch an Amazon EC2 instance without an assigned AVVS identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it? A. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping. B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance. C. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned. D. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned.

the answer is D https://forums.aws.amazon.com/message.jspa?messageID=720963 As of Feb 2017 , 'B' is also valid answer. https://aws.amazon.com/blogs/security/easily-replace-or-attach-an-iam-role-to-an-existing-ec2-instance-by-using-the-ec2-console/

When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes. A. Depends on the instance type B. FALSE C. Depends on whether you use API call D. TRUE

D. TRUE http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html#bdm-instance-metadata When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes. You can use instance metadata to query the complete block device mapping. The base URI for all requests for instance metadata is http://169.254.169.254/latest/.


संबंधित स्टडी सेट्स

Foundations of Business- Chapter 4; Mathis (TCU)

View Set

Unit 3 - Section 5: Intellectual Property

View Set

Physiology Unit 2: Endocrine and Skeletal Muscle

View Set

Chapter 17: The Digestive System

View Set