AWS Cloud Practitioner Exam
Which of the following is a suggestion made by an AWS Trusted Advisor? (Select two.) A. Cost optimization B. Auditing C. Serverless architecture D. Performance E. Scalability
AD
A company wants to identify the optimal AWS resource configuration for its workloads so that the company can reduce costs and increase workload performance. Which of the following services can be used to meet this requirement?
AWS Compute Optimizer - Compute Optimizer recommends optimal AWS resources for your workloads, reducing cost and improving performance, by using machine learning to analyze historical utilization metrics. Over-provisioning wastes money on idle capacity; under-provisioning hurts application performance. At launch it covered three resource types, Amazon EC2 instances, Amazon EBS volumes and AWS Lambda functions, and it has since been extended to EC2 Auto Scaling groups, Amazon ECS services on AWS Fargate and Amazon RDS databases. It only recommends; nothing changes until you act on a recommendation.
Who is the main point of contact for billing or account questions if a user has an AWS account with an Enterprise-level AWS Support plan? A. Solutions architect B. AWS Concierge Support team C. An AWS Marketplace seller D. AWS Partner Network (APN) partner
AWS Concierge Support team
AWS Shield Advanced provides expanded DDoS attack protection for web applications running on which of the following resources? (Select two) AWS CloudFormation Amazon API Gateway AWS Global Accelerator AWS Elastic Beanstalk Amazon Route 53
Amazon Route 53, AWS Global Accelerator. AWS Shield Standard is enabled for every AWS customer by default at no extra charge and absorbs the common network-layer (layer 3) and transport-layer (layer 4) floods. For a higher level of protection you subscribe to AWS Shield Advanced, which protects resources of these types: Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator and Amazon Route 53. AWS CloudFormation and AWS Elastic Beanstalk are not themselves protectable resource types. Shield Advanced adds near-real-time attack metrics and reports for visibility into attacks on your resources, DDoS cost protection against scaling charges incurred during an attack, and access to the Shield Response Team (SRT, formerly the DDoS Response Team, DRT). Its detection and mitigation cover not only layer 3 and layer 4 attacks but also application-layer (layer 7) attacks, using AWS WAF rules that the SRT can help you write.
Which AWS service supports the creation of visual reports from AWS Cost and Usage Report data? A. Amazon Athena B. Amazon QuickSight C. Amazon CloudWatch D. AWS Organizations
B
Which AWS service uses machine learning to help discover, monitor, and protect sensitive data that is stored in Amazon S3 buckets? A. AWS Shield B. Amazon Macie C. AWS Network Firewall D. Amazon Cognito
B
Which documentation does AWS Artifact provide? A. Amazon EC2 terms and conditions B. AWS ISO certifications C. A history of a company's AWS spending D. A list of previous-generation Amazon EC2 instance types
B
Which of the following is the customer responsible for updating and patching, according to the AWS shared responsibility model? A. Amazon FSx for Windows File Server B. Amazon WorkSpaces virtual Windows desktop C. AWS Directory Service for Microsoft Active Directory D. Amazon RDS for Microsoft SQL Server
B
Which of the following is an example of security in the AWS Cloud under the AWS shared responsibility model? A. Managing edge locations B. Physical security C. Firewall configuration D. Global infrastructure
C
EBS volume can be attached to a single instance in the same Availability Zone whereas EFS file system can be mounted on instances across multiple Availability Zones.
True. An EBS volume lives in one Availability Zone and is attached to a single instance at a time (the exception, io1/io2 Multi-Attach, still keeps every attached instance inside that same AZ). An EFS file system is Regional and can be mounted concurrently by instances in multiple AZs through per-AZ mount targets.
Which AWS service or feature can a company use to determine which business unit is using specific AWS resources? A. Cost allocation tags B. Key pairs C. Amazon Inspector D. AWS Trusted Advisor
A
A company wants to limit its employees' AWS access to a portfolio of predefined AWS resources.Which AWS solution should the company use to meet this requirement?
C. The option list was not recorded on this card; the intended answer is AWS Service Catalog, which lets administrators publish portfolios of approved products (CloudFormation-based templates) that employees can launch without being granted broader AWS permissions.
Which of the following AWS services support reservations to optimize costs? (Select three) S3 RDS Lambda DynamoDB DocumentDB EC2 Instances
RDS, DynamoDB, EC2 Instances. In addition to Amazon EC2, reservation models are available for Amazon RDS, Amazon ElastiCache, Amazon OpenSearch Service, Amazon Redshift and Amazon DynamoDB. Lambda has no reservation model; its usage can be covered by a Compute Savings Plan, which is a spend commitment rather than a reservation.
Which of the following AWS services support VPC Endpoint Gateway for a private connection from a VPC? (Select two) Amazon SQS S3 Amazon EC2 DynamoDB Amazon SNS
S3, DynamoDB. A VPC endpoint lets you privately connect your VPC to supported AWS services and to VPC endpoint services powered by AWS PrivateLink, without an internet gateway, NAT device, VPN connection or AWS Direct Connect connection. Instances in the VPC do not need public IP addresses to reach the service, and traffic between the VPC and the service never leaves the Amazon network. There are two types of VPC endpoint. An interface endpoint is an elastic network interface with a private IP address from your subnet's range that serves as the entry point for traffic destined to the service; interface endpoints are powered by AWS PrivateLink. A gateway endpoint is a target that you add to a route table for traffic destined to the service; gateway endpoints exist only for Amazon S3 and DynamoDB and carry no hourly or data-processing charge. Both types accept an endpoint policy, so you can, for example, restrict an S3 gateway endpoint to specific buckets. Exam Alert: remember that only S3 and DynamoDB support gateway endpoints (S3 additionally offers an interface endpoint); every other service that supports VPC endpoints uses an interface endpoint.
A company needs to install an application in a Docker container.Which AWS service eliminates the need to provision and manage the container hosts? A. AWS Fargate B. Amazon FSx for Windows File Server C. Amazon Elastic Container Service (Amazon ECS) D. Amazon EC2
A
Which AWS service or tool can be used to capture information about inbound and outbound traffic in an Amazon VPC? A. VPC Flow Logs B. Amazon Inspector C. VPC endpoint services D. NAT gateway
A
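As an added example (not part of the original notes), a small Go program that parses VPC Flow Log records in the default version-2 format and flags two things a security operator looks for: rejected inbound connections from outside the VPC (probing and scanning) and accepted inbound TCP traffic to administrative ports (22/3389) from outside it, which usually means a security group is wider than intended. The log lines are constructed, the VPC CIDR 10.0.0.0/16 and the interface ID are assumptions, and the public addresses come from RFC 5737 documentation ranges.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// sampleLogs is a constructed sample (not captured from a real account) in the default
// version-2 flow log format: version account-id interface-id srcaddr dstaddr srcport
// dstport protocol packets bytes start end action log-status. 123456789012 is the
// placeholder account ID from the AWS docs; public addresses are RFC 5737 test ranges.
const sampleLogs = `2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.25 48213 22 6 6 360 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 10.0.2.40 44012 5432 6 120 81000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51001 3389 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 198.51.100.200 39876 443 6 30 6000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.45 10.0.1.25 48300 22 6 20 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA`

// Record is one flow log entry with the fields the detection below uses.
type Record struct {
	SrcAddr, DstAddr string
	SrcPort, DstPort int
	Protocol         int // IANA protocol number; 6 is TCP
	Action           string
}

// parseRecord splits a line into its 14 fields and drops rows that carry no flow
// (log-status NODATA or SKIPDATA, where the address and port fields are "-").
func parseRecord(line string) (Record, bool) {
	f := strings.Fields(line)
	if len(f) != 14 || f[13] != "OK" {
		return Record{}, false
	}
	sp, err1 := strconv.Atoi(f[5])
	dp, err2 := strconv.Atoi(f[6])
	proto, err3 := strconv.Atoi(f[7])
	if err1 != nil || err2 != nil || err3 != nil {
		return Record{}, false
	}
	return Record{SrcAddr: f[3], DstAddr: f[4], SrcPort: sp, DstPort: dp, Protocol: proto, Action: f[12]}, true
}

// Finding is a record flagged by one of the detection rules.
type Finding struct {
	Rule string
	Rec  Record
}

// detect applies two rules to traffic whose source lies outside the VPC CIDR:
// "rejected-external-inbound" for REJECTed connections (probing / scanning), and
// "external-admin-port-accepted" for ACCEPTed TCP connections to SSH or RDP.
func detect(logs string, vpcCIDR netip.Prefix) []Finding {
	adminPorts := map[int]bool{22: true, 3389: true}
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		r, ok := parseRecord(sc.Text())
		if !ok {
			continue
		}
		src, err := netip.ParseAddr(r.SrcAddr)
		if err != nil || vpcCIDR.Contains(src) {
			continue // intra-VPC flows and flows the VPC itself originated are out of scope here
		}
		switch {
		case r.Action == "REJECT":
			out = append(out, Finding{Rule: "rejected-external-inbound", Rec: r})
		case r.Action == "ACCEPT" && r.Protocol == 6 && adminPorts[r.DstPort]:
			out = append(out, Finding{Rule: "external-admin-port-accepted", Rec: r})
		}
	}
	return out
}

func main() {
	vpc := netip.MustParsePrefix("10.0.0.0/16") // assumed VPC CIDR
	for _, f := range detect(sampleLogs, vpc) {
		fmt.Printf("%-30s %s:%d -> %s:%d (%s)\n", f.Rule, f.Rec.SrcAddr, f.Rec.SrcPort, f.Rec.DstAddr, f.Rec.DstPort, f.Rec.Action)
	}
}
```

On the sample above the program reports the two REJECTs (ports 22 and 3389) and the ACCEPTed SSH session from 203.0.113.45; the internal PostgreSQL flow, the outbound HTTPS flow and the NODATA row are ignored. Real deployments would read the same format from CloudWatch Logs or S3, or run the equivalent logic in Amazon GuardDuty, which consumes flow logs directly.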
Which task does AWS perform automatically? A. Encrypt data that is stored in Amazon DynamoDB. B. Patch Amazon EC2 instances. C. Encrypt user network traffic. D. Create TLS certificates for users' websites.
A
Which of the following are included in AWS Enterprise Support? (Choose two.) A. AWS technical account manager (TAM) B. AWS partner-led support C. AWS Professional Services D. Support of third-party software integration to AWS E. 5-minute response time for critical issues
AD
A medical research startup wants to understand the compliance of AWS services concerning HIPAA guidelines. Which AWS service can be used to review the HIPAA compliance and governance-related documents on AWS?
AWS Artifact. AWS Artifact is the central resource for compliance-related information that matters to your organization. It provides on-demand access to AWS security and compliance reports and to select online agreements. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Different agreements are available under AWS Artifact Agreements for customers subject to specific regulations; for example, the Business Associate Addendum (BAA) is available for customers that must comply with the Health Insurance Portability and Accountability Act (HIPAA). Artifact is not infrastructure you deploy; it is a no-cost, self-service portal for on-demand access to AWS compliance reports.
Which AWS service will help you receive alerts when the reservation utilization falls below the defined threshold?
AWS Budgets. AWS Budgets lets you set custom budgets that alert you when your costs or usage exceed (or are forecast to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when utilization drops below the threshold you define. Reservation alerts are supported for Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache and Amazon OpenSearch Service (formerly Amazon Elasticsearch Service) reservations.
AWS Glue
AWS Glue - AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load data for analytics. A Glue job is meant for batch ETL data processing. It cannot be used to discover and protect sensitive data in AWS (a distractor for the Amazon Macie question below).
AWS Secrets Manager
AWS Secrets Manager helps you protect the secrets needed to access your applications, services, and IT resources. It lets you rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to the Secrets Manager API, eliminating the need to hardcode sensitive information in plain text. It cannot be used to discover and protect sensitive data in AWS (a distractor for the Amazon Macie question below).
AWS Web Application Firewall (WAF) offers protection from common web exploits at which layer?
Layer 7, the application layer. AWS WAF is a web application firewall that lets you monitor and filter the HTTP and HTTPS requests forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, an Application Load Balancer, an AWS AppSync GraphQL API or an Amazon Cognito user pool. Because it inspects HTTP(S) requests, it addresses application-layer attacks such as SQL injection, cross-site scripting and unwanted bots; it does not address layer 3/4 volumetric floods, which are AWS Shield's domain.
A silicon valley based healthcare startup stores anonymized patient health data on Amazon S3. The CTO further wants to ensure that any sensitive data on S3 is discovered and identified to prevent any sensitive data leaks. As a Cloud Practitioner, which AWS service would you recommend addressing this use-case? Amazon Polly Amazon Macie AWS Glue AWS Secrets Manager
Amazon Macie - Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).
A company recently deployed an Amazon RDS instance in its VPC. The company needs to implement a stateful firewall to limit traffic to the private corporate network.Which AWS service or feature should the company use to limit network traffic directly to its RDS instance? A. Network ACLs B. Security groups C. AWS WAF D. Amazon GuardDuty
B
A retail company has recently migrated its website to AWS. The company wants to ensure that it is protected from SQL injection attacks. The website uses anApplication Load Balancer to distribute traffic to multiple Amazon EC2 instances.Which AWS service or feature can be used to create a custom rule that blocks SQL injection attacks? A. Security groups B. AWS WAF C. Network ACLs D. AWS Shield
B
Which AWS service or feature checks access policies and offers actionable recommendations to help users set secure and functional policies? A. AWS Systems Manager B. AWS IAM Access Analyzer C. AWS Trusted Advisor D. Amazon GuardDuty
B
Which AWS service or tool should a company use to centrally request and track service limit increases? A. AWS Config B. Service Quotas C. AWS Service Catalog D. AWS Budgets
B
Which pillar of the AWS Well-Architected Framework is designed on the idea of frequent, minor, reversible changes? A. Reliability B. Operational excellence C. Performance efficiency D. Cost optimization
B
A user is storing objects in Amazon S3. The user needs to restrict access to the objects to meet compliance obligations.What should the user do to meet this requirement? A. Use AWS Secrets Manager. B. Tag the objects in the S3 bucket. C. Use security groups. D. Use network ACLs.
B. Secrets Manager is for secrets (passwords). Network ACL is a stateless firewall working on IPs, not users. Security Groups are a stateful firewall, not for user permissions. In this case I'd say tags: https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html "Object tags enable fine-grained access control of permissions. For example, you could grant an IAM user permissions to read-only objects with specific tags."
In which situations should a company create an IAM user instead of an IAM role? (Choose two.) A. When an application that runs on Amazon EC2 instances requires access to other AWS services B. When the company creates AWS access credentials for individuals C. When the company creates an application that runs on a mobile phone that makes requests to AWS D. When the company needs to add users to IAM groups E. When users are authenticated in the corporate network and want to be able to use AWS without having to sign in a second time
BD
Which of the following are components of an AWS Site-to-Site VPN connection? (Choose two.) A. AWS Storage Gateway B. Virtual private gateway C. NAT gateway D. Customer gateway E. Internet gateway
BD
Which AWS Support plan provides architectural guidance contextual to your specific use-cases?
Business
Permissions for which of the following are managed by service control policies (SCPs)? A. Availability Zones B. AWS Regions C. AWS Organizations D. Edge locations
C
What is the customer's responsibility while using Amazon RDS? A. Patching and maintenance of the underlying operating system. B. Managing automatic backups of the database. C. Controlling network access through security groups D. Replacing failed instances in the event of a hardware failure.
C
Which AWS service will help protect applications running on AWS from DDoS attacks? A. Amazon GuardDuty B. AWS WAF C. AWS Shield D. Amazon Inspector
C
Which AWS services can be used to facilitate organizational change management, part of the Reliability pillar of AWS Well-Architected Framework? (Select three) AWS Trusted Advisor Amazon GuardDuty AWS CloudTrail Amazon Inspector AWS Config Amazon CloudWatch
CloudTrail, AWS Config, Amazon CloudWatch There are three best practice areas for Reliability in the cloud - Foundations, Change Management, Failure Management. Being aware of how change affects a system (change management) allows you to plan proactively, and monitoring allows you to quickly identify trends that could lead to capacity issues or SLA breaches.
VPC
Correct answer D
* A VPC is a logically isolated section of the AWS Cloud dedicated to your account. You run applications on highly available, redundant infrastructure that AWS manages; all the complexity of a physical data center (cabling, racks, hardware, power) is AWS's responsibility.
* A VPC belongs to one Region.
* A VPC can span all Availability Zones in that Region.
* You can have multiple VPCs per Region.
* A VPC contains one or more subnets.
* A subnet is tied to a single Availability Zone.
* EC2 instances launch into subnets.
A company has a serverless application that includes an Amazon API Gateway API, an AWS Lambda function, and an Amazon DynamoDB database.Which AWS service can the company use to trace user requests as they move through the application's components? A. AWS CloudTrail B. Amazon CloudWatch C. Amazon Inspector D. AWS X-Ray
D
To install a PCI-compliant workload on AWS, which of the following tasks is required? A. Use any AWS service and implement PCI controls at the application layer B. Use an AWS service that is in-scope for PCI compliance and raise an AWS support ticket to enable PCI compliance at the application layer C. Use any AWS service and raise an AWS support ticket to enable PCI compliance on that service D. Use an AWS service that is in scope for PCI compliance and apply PCI controls at the application layer
D
What is the scope of a VPC within the AWS network? A. A VPC can span all Availability Zones globally. B. A VPC must span at least two subnets in each AWS Region. C. A VPC must span at least two edge locations in each AWS Region. D. A VPC can span all Availability Zones within an AWS Region.
D
Which AWS service or feature acts as a firewall for Amazon EC2 instances? A. Network ACL B. Elastic network interface C. Amazon VPC D. Security group
D. A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance (strictly, for its elastic network interface); it is stateful and contains only allow rules. A network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level; it is stateless, evaluates numbered rules in order, and can contain explicit deny rules.
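To make the stateful/stateless distinction behind this card and the RDS firewall card above concrete, here is an added Go model, written for these notes rather than taken from AWS. It is a simplification of the VPC data plane, not a reproduction of it: it evaluates a PostgreSQL request from an assumed corporate network 192.0.2.0/24 and the reply to it against a security group (stateful, allow-only) and against a network ACL (stateless, numbered, allow/deny), and shows why a NACL needs an outbound rule for the ephemeral port range and why a lower-numbered deny wins. All addresses and ports are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Rule is a simplified TCP rule. Number and Allow matter only for network ACLs: NACL
// rules are evaluated lowest number first and may deny; security group rules are
// unordered and can only allow.
type Rule struct {
	Number           int
	Inbound          bool
	CIDR             netip.Prefix
	FromPort, ToPort int
	Allow            bool
}

// Packet is seen from the instance (security group) or subnet (NACL) side: Remote is
// the peer address, LocalPort the instance port, RemotePort the peer's port.
type Packet struct {
	Inbound               bool
	Remote                netip.Addr
	RemotePort, LocalPort int
}

// securityGroupAllows models a stateful firewall: once one packet of a flow has been
// allowed, the flow is tracked and its return traffic passes without needing a rule.
func securityGroupAllows(rules []Rule, p Packet, flows map[string]bool) bool {
	key := fmt.Sprintf("%s:%d<->%d", p.Remote, p.RemotePort, p.LocalPort)
	if flows[key] {
		return true
	}
	for _, r := range rules {
		if r.Inbound == p.Inbound && r.CIDR.Contains(p.Remote) && p.LocalPort >= r.FromPort && p.LocalPort <= r.ToPort {
			flows[key] = true
			return true
		}
	}
	return false
}

// naclAllows models a stateless firewall: every packet, replies included, is matched on
// its own against the rules for its direction, lowest number first; the first match
// decides and anything unmatched hits the implicit "*" deny.
func naclAllows(rules []Rule, p Packet) bool {
	sorted := append([]Rule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Number < sorted[j].Number })
	dstPort := p.LocalPort // inbound: the destination is the instance port
	if !p.Inbound {
		dstPort = p.RemotePort // outbound reply: the destination is the client's ephemeral port
	}
	for _, r := range sorted {
		if r.Inbound == p.Inbound && r.CIDR.Contains(p.Remote) && dstPort >= r.FromPort && dstPort <= r.ToPort {
			return r.Allow
		}
	}
	return false
}

// Outcome records how each firewall treats a PostgreSQL request from the corporate
// network, the reply to it, and a request from a host that a NACL deny rule targets.
type Outcome struct {
	SGRequest, SGReply                                    bool
	NACLRequest, NACLReplyNoEphemeral, NACLReplyEphemeral bool
	NACLDeniedHost                                        bool
}

func evaluate() Outcome {
	corp := netip.MustParsePrefix("192.0.2.0/24") // assumed corporate network (RFC 5737 range)
	client := netip.MustParseAddr("192.0.2.10")
	request := Packet{Inbound: true, Remote: client, RemotePort: 51000, LocalPort: 5432}
	reply := Packet{Inbound: false, Remote: client, RemotePort: 51000, LocalPort: 5432}
	var o Outcome
	// Security group: one inbound rule and deliberately no outbound rule, to show that
	// the reply is passed by connection tracking rather than by a rule.
	sg := []Rule{{Inbound: true, CIDR: corp, FromPort: 5432, ToPort: 5432}}
	flows := map[string]bool{}
	o.SGRequest = securityGroupAllows(sg, request, flows)
	o.SGReply = securityGroupAllows(sg, reply, flows)
	// NACL with only the inbound rule: the request passes but the reply is dropped.
	in := Rule{Number: 100, Inbound: true, CIDR: corp, FromPort: 5432, ToPort: 5432, Allow: true}
	o.NACLRequest = naclAllows([]Rule{in}, request)
	o.NACLReplyNoEphemeral = naclAllows([]Rule{in}, reply)
	// An outbound allow for the ephemeral port range is what lets the reply through.
	out := Rule{Number: 100, Inbound: false, CIDR: corp, FromPort: 1024, ToPort: 65535, Allow: true}
	o.NACLReplyEphemeral = naclAllows([]Rule{in, out}, reply)
	// A lower-numbered deny beats the later allow; security groups have no deny at all.
	bad := netip.MustParseAddr("192.0.2.99")
	deny := Rule{Number: 50, Inbound: true, CIDR: netip.PrefixFrom(bad, 32), FromPort: 5432, ToPort: 5432}
	o.NACLDeniedHost = !naclAllows([]Rule{deny, in, out}, Packet{Inbound: true, Remote: bad, RemotePort: 52000, LocalPort: 5432})
	return o
}

func main() {
	fmt.Printf("%+v\n", evaluate())
}
```

Two caveats the model glosses over: a default security group already allows all outbound traffic, so in practice the reply passes by rule as well as by tracking; and AWS does not track flows permitted by rules that allow all traffic from 0.0.0.0/0 (untracked connections), so the tracking shortcut only applies to narrower rules like the one here.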
Which AWS services offer gateway VPC endpoints that can be used to avoid sending traffic over the internet? (Choose two.) A. Amazon Simple Notification Service (Amazon SNS) B. Amazon Simple Queue Service (Amazon SQS) C. AWS CodeBuild D. Amazon S3 E. Amazon DynamoDB
DE
Which of the following are correct statements regarding the AWS Global Infrastructure? (Select two)
Each AWS Region consists of two or more Availability Zones (every current Region has at least three). Each Availability Zone (AZ) consists of one or more discrete data centers with redundant power, networking and connectivity.
Which of the following AWS Support plans provides access to online training with self-paced labs?
Enterprise
Which of the following is CORRECT regarding removing an AWS account from AWS Organizations? TF The AWS account must not have any Service Control Policies (SCPs) attached to it. Only then it can be removed from AWS organizations
False
A web application stores all of its data on Amazon S3 buckets. A client has mandated that data be encrypted before sending it to Amazon S3. Which of the following is the right technique for encrypting data as needed by the customer?
Client-side encryption. Encrypting data before sending it to Amazon S3 is termed client-side encryption: the plaintext and the plaintext data key never leave the client, so S3 (and AWS) only ever store ciphertext. Two AWS libraries implement it. The Amazon S3 Encryption Client in the language-specific AWS SDKs is tied to S3; the AWS Encryption SDK is a separate client-side encryption library that is not tied to S3 and can encrypt or decrypt data to be stored anywhere. Both use envelope encryption: a unique data key per object encrypts the data, and the data key is itself encrypted under a master key (for example an AWS KMS key) and stored alongside the ciphertext. Contrast this with server-side encryption (SSE-S3, SSE-KMS, SSE-C), where S3 encrypts the object after receiving the plaintext over TLS; that does not satisfy a mandate to encrypt before sending.
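An added Go example, hand-written for these notes rather than taken from the AWS Encryption SDK or the S3 Encryption Client, showing the envelope-encryption pattern that client-side encryption for S3 uses: a fresh per-object data key seals the body with AES-256-GCM, a wrapping key seals the data key, and the object key name is bound in as associated data so a stored ciphertext cannot be quietly re-labelled as another object. The wrapping key is generated locally and stands in for a KMS key (with KMS you would call GenerateDataKey and keep only the encrypted copy); the object name and the sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedObject is what is actually uploaded: the ciphertext as the object body, and
// the wrapped data key plus both nonces as object metadata. S3 only ever sees these.
type EncryptedObject struct {
	Body       []byte
	WrappedKey []byte
	KeyNonce   []byte
	BodyNonce  []byte
	ObjectKey  string // bound in as GCM associated data, so a ciphertext cannot be re-labelled as another object
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return nil, err
	}
	return b, nil
}

// gcmSeal encrypts and authenticates plaintext (and aad) under a 32-byte key with
// AES-256-GCM and a fresh random 96-bit nonce.
func gcmSeal(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	if nonce, err = randomBytes(gcm.NonceSize()); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen is the inverse; it fails if key, nonce, ciphertext or aad differ from sealing.
func gcmOpen(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// encryptObject is envelope encryption on the client: a fresh per-object data key encrypts
// the body, and the wrapping key (standing in for a KMS key here) encrypts only the data
// key. The plaintext data key is discarded as soon as the body is sealed.
func encryptObject(wrappingKey, plaintext []byte, objectKey string) (*EncryptedObject, error) {
	dataKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	aad := []byte(objectKey)
	bodyNonce, body, err := gcmSeal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := gcmSeal(wrappingKey, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{Body: body, WrappedKey: wrapped, KeyNonce: keyNonce, BodyNonce: bodyNonce, ObjectKey: objectKey}, nil
}

// decryptObject unwraps the data key first, then authenticates and decrypts the body.
// A failed GCM tag on either step returns an error and no plaintext.
func decryptObject(wrappingKey []byte, obj *EncryptedObject) ([]byte, error) {
	aad := []byte(obj.ObjectKey)
	dataKey, err := gcmOpen(wrappingKey, obj.KeyNonce, obj.WrappedKey, aad)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong wrapping key or tampered metadata")
	}
	pt, err := gcmOpen(dataKey, obj.BodyNonce, obj.Body, aad)
	if err != nil {
		return nil, errors.New("body authentication failed: ciphertext or metadata tampered")
	}
	return pt, nil
}

func main() {
	wrappingKey, _ := randomBytes(32) // in production this is a KMS key you never see in plaintext
	obj, err := encryptObject(wrappingKey, []byte(`{"patient":"anon-0042","result":"negative"}`), "records/2024/0042.json")
	if err != nil {
		panic(err)
	}
	pt, err := decryptObject(wrappingKey, obj)
	fmt.Printf("round trip: %s (err=%v)\n", pt, err)
	obj.Body[0] ^= 0xff // simulate a flipped byte in the stored object
	_, err = decryptObject(wrappingKey, obj)
	fmt.Println("tampered body:", err)
}
```

The design point is that S3 (and anyone who reads the bucket) sees only Body, WrappedKey and the nonces; without the wrapping key the data key cannot be recovered, and because GCM authenticates, a modified object or a swapped object name fails closed instead of decrypting to garbage.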
Which of the following is CORRECT regarding removing an AWS account from AWS Organizations? TF The AWS account must be able to operate as a standalone account. Only then it can be removed from AWS organizations
True
A large enterprise with multiple VPCs in several AWS Regions around the world needs to connect and centrally manage network connectivity between its VPCs.Which AWS service or feature meets these requirements? A. AWS Direct Connect B. AWS Transit Gateway C. AWS Site-to-Site VPN D. VPC endpoints
B
Which AWS service uses edge locations? A. Amazon Aurora B. AWS Global Accelerator C. Amazon Connect D. AWS Outposts
B
Which of the following AWS services has encryption enabled by default? EBS CloudTrail Logs EFS S3
CloudTrail logs. By default, the log files CloudTrail delivers to your S3 bucket are encrypted with server-side encryption using Amazon S3-managed keys (SSE-S3); you can switch them to SSE-KMS if you need control of the key. Amazon EFS supports encryption in transit and encryption at rest, but when this card was written both were optional features the user had to enable. EBS encryption (at rest, and in transit between instance and volume) is likewise optional unless the account-level "encryption by default" setting has been turned on, per Region. S3 bucket encryption also had to be enabled by the user at the time. Caveat for current AWS: since January 2023 Amazon S3 automatically applies SSE-S3 to every new object, so on today's platform S3 is also encrypted at rest by default. The exam answer remains CloudTrail logs, the one option that has always been encrypted by default.