AWS Module 1-10 Knowledge Checks
Where can a customer go to get more details about Amazon Elastic Compute Cloud (Amazon EC2) billing activity that took place 3 months ago? Amazon EC2 Dashboard. AWS Cost Explorer. AWS Trusted Advisor Dashboard. AWS CloudTrail logs stored in Amazon Simple Storage Service (Amazon S3).
AWS Cost Explorer. ** Cost Explorer shows at least the previous 12 months of cost and usage data, filterable by service, so EC2 charges from 3 months ago are available there. CloudTrail records API calls, not billing.
Which of the following is a compute service? (Select the best answer)
Amazon EC2
Which of these are ways to access AWS core services? (Choose 3)
- AWS Management Console - AWS Command Line Interface (AWS CLI) - Software Development Kits (SDKs)
What are the advantages of cloud computing over computing on-premises?
All of the above (avoid large capital purchases / use on-demand capacity / go global in minutes / increase speed and agility)
Which definition describes a VPC? A. A VPN in the AWS Cloud. B. An extension of an on-premises network into AWS. C. A logically isolated virtual network that you define in the AWS Cloud. D. A fully managed service that extends the AWS Cloud to customer premises.
C. A logically isolated virtual network that you define in the AWS Cloud. ** A VPC is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment.
Several On-Demand Instances in Amazon EC2 must launch at random times and run for limited durations. They must have application and package configurations that are determined at launch time. Which solution provides the most efficient way to automatically build these instances? A. AMI. B. AWS CloudFormation. C. AWS OpsWorks. D. AWS Elastic Beanstalk
C. AWS OpsWorks
What service helps you centrally manage billing; control access, compliance and security; and share resources across multiple AWS accounts? A. AWS IAM. B. AWS Control Tower. C. AWS Organizations. D. AWS VPC peering
C. AWS Organizations. ** Using AWS Organizations, you can automate account creation, create groups of accounts (organizational units) that reflect your business needs, and apply policies to those groups for governance. You can also simplify billing by setting up a single payment method for all of your AWS accounts (consolidated billing).
You have a VPC with a public subnet and a secure subnet. All EC2 instances in the secure subnet must be able to communicate with specific internet addresses. How can you control traffic with a network ACL? A. Add rules to the default network ACL to allow traffic from and to allowed internet addresses. B. Add rules to the default network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic. C. Add rules to the custom network ACL to allow traffic from and to allowed internet addresses. D. Add rules to the custom network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
C. Add rules to the custom network ACL to allow traffic from and to allowed internet addresses. ** Add allow rules to the subnet's custom network ACL for the permitted addresses. A custom network ACL already denies everything that no rule matches (the implicit `*` rule at the end), so separate deny rules are not needed. Because network ACLs are stateless, add both the outbound rule to the remote addresses and the inbound rule for the return traffic on the instances' ephemeral ports.
You want to quickly set up a secure implementation of an Amazon FSx for Windows File Server that follows AWS best practices. Which solution should you use? A. An AMI on AWS Marketplace. B. AWS CloudFormation Designer. C. An AWS Quick Start. D. An AWS CloudFormation template that you downloaded from the internet
C. An AWS Quick Start.
Which statement is true about the pricing model on AWS? In most cases, there is a per-gigabyte charge for inbound data transfer. Storage is typically charged per gigabyte. Compute is typically charged as a monthly fee based on instance type. Outbound charges are free up to a per-account limit.
Storage is typically charged per gigabyte. **Note: Storage is typically charged based on how many gigabytes you use. For services that use tiered pricing, the per gigabyte cost is less when you use more.
Which of these is NOT a cloud computing model?
System administration as a service
What is the pricing model that enables AWS customers to pay for resources on an as-needed basis?
Pay as you go
Which of these is NOT a benefit of cloud computing over on-premises computing? (Select the best answer)
Pay for racking, stacking, and powering servers
How do you horizontally scale an Amazon Aurora database? A. By adding Aurora Replica instances. B. By increasing the size of the buffer cache configuration. C. By creating Amazon CloudWatch alarms. D. By changing the instance type
A. By adding Aurora Replica instances. ** An Amazon Aurora cluster is made up of a primary Aurora DB instance and one or more Aurora replicas. You can scale horizontally by adding replicas.
What are the benefits of using AWS Organizations? (Choose two). Replaces existing AWS Identity and Access Management (IAM) policies with service control policies (SCPs), which are simpler to manage. Provides the ability to create groups of accounts and then attach policies to a group. Provides the ability to create an unlimited number of nested organizational units (OUs) to support your desired structure. Simplifies automating account creation and management by using APIs. Prevents any restrictions from being put on the root user that is associated with the main organization in an account.
- Provides the ability to create groups of accounts and then attach policies to a group. - Simplifies automating account creation and management by using APIs. ** SCPs do not replace IAM policies; they set the maximum permissions available in member accounts, and an action must be allowed by both the SCP and the IAM policy.
A video producer must regularly transfer several video files to Amazon Simple Storage Service (Amazon S3). The files range from 100-700 MB. The internet connection has been unreliable, causing some uploads to fail. Which solution provides the fastest, most reliable, and most cost-effective way to transfer these files to Amazon S3? A) Amazon S3 multipart uploads. B) AWS Snowball. C) AWS Snowmobile. D) AWS Management Console.
A) Amazon S3 multipart uploads. ** When using multipart uploads, an upload failure requires a restart of only failed part uploads instead of restarting the entire file upload. This method provides a better solution for unreliable connections.
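The retry behaviour described above, as an added example that is not part of the course material: the file is cut into parts, a constructed stand-in for S3 over a flaky link fails the first attempt for two of the parts, and only those parts are re-sent. The final ETag is computed the way S3 reports it for multipart objects (MD5 of the concatenated binary part MD5s, followed by "-" and the part count), so the client can verify the assembled object without downloading it. The 64 KiB part size and the payload are demo values; real S3 parts must be at least 5 MiB except the last, and the real calls are CreateMultipartUpload, UploadPart and CompleteMultipartUpload.

```python
import hashlib
from typing import Dict, List, Set, Tuple

PART_SIZE = 64 * 1024   # demo size; S3 requires >= 5 MiB for every part but the last


def split_parts(data: bytes, part_size: int = PART_SIZE) -> List[bytes]:
    return [data[i:i + part_size] for i in range(0, len(data), part_size)]


def multipart_etag(part_md5s: List[bytes]) -> str:
    """S3 reports a multipart object's ETag as MD5(concatenated part MD5s)-<part count>."""
    return hashlib.md5(b"".join(part_md5s)).hexdigest() + f"-{len(part_md5s)}"


class FlakyTransport:
    """Constructed stand-in for S3 behind an unreliable link (not boto3).
    The first attempt for every part number listed in fail_once raises."""

    def __init__(self, fail_once: Set[int]):
        self.fail_once = set(fail_once)
        self.attempts = 0
        self.bytes_sent = 0
        self.stored: Dict[int, bytes] = {}

    def upload_part(self, part_number: int, chunk: bytes) -> str:
        self.attempts += 1
        self.bytes_sent += len(chunk)          # the bytes go on the wire before the failure
        if part_number in self.fail_once:
            self.fail_once.remove(part_number)
            raise ConnectionError(f"part {part_number} timed out")
        self.stored[part_number] = chunk
        return hashlib.md5(chunk).hexdigest()  # per-part ETag, as S3 returns it

    def complete(self, etags: Dict[int, str]) -> Tuple[bytes, str]:
        """Assemble parts in part-number order and check each ETag the client recorded."""
        numbers = sorted(etags)
        ordered = [self.stored[n] for n in numbers]
        for n, chunk in zip(numbers, ordered):
            if hashlib.md5(chunk).hexdigest() != etags[n]:
                raise ValueError(f"part {n} ETag mismatch")
        return b"".join(ordered), multipart_etag([hashlib.md5(c).digest() for c in ordered])


def upload_with_part_retry(data: bytes, transport: FlakyTransport, max_attempts: int = 5):
    """Upload every part, re-sending only the part whose attempt failed."""
    etags: Dict[int, str] = {}
    for number, chunk in enumerate(split_parts(data), start=1):
        for _ in range(max_attempts):
            try:
                etags[number] = transport.upload_part(number, chunk)
                break
            except ConnectionError:
                continue                      # retry this part only, not the whole file
        else:
            raise RuntimeError(f"part {number} failed {max_attempts} times; abort the upload")
    return transport.complete(etags)


def demo() -> dict:
    data = bytes(range(256)) * 1200            # constructed 300 KiB payload -> 5 parts
    transport = FlakyTransport(fail_once={2, 4})
    body, etag = upload_with_part_retry(data, transport)
    return {
        "intact": body == data,
        "etag": etag,                          # ends in "-5": five parts
        "attempts": transport.attempts,        # 5 parts + 2 retries
        "bytes_sent": transport.bytes_sent,    # payload + the two re-sent 64 KiB parts
        "bytes_if_whole_file_restarted": 3 * len(data),  # two failures + one full success
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The comparison in `demo` is the point of the question: with parts, the two failures cost two extra 64 KiB transfers instead of two extra copies of the whole file.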
Which qualities vary by AWS Region? (Select TWO.). A) Cost-effectiveness of workloads. B) Data privacy. C) High availability of workloads. D) Service and feature availability. E)Capacity for more customers.
A) Cost-effectiveness of workloads. D) Service and feature availability. ** Each AWS Region has its own pricing schedule, and service and feature availabilities vary by Region. Check to make sure that the Region that is selected for an architecture has the required services and features.
A company is interested in using Amazon Simple Storage Service (Amazon S3) alone to host their website, instead of a traditional web server. Which types of content does Amazon S3 support for static web hosting? (Select THREE.) A) HTML files and image files. B) Client-side scripts. C) Server-side scripts. D) Dynamic HTML files. E) Video and sound files.
A) HTML files and image files. B) Client-side scripts. E) Video and sound files. ** HTML files and image files are static content that can be hosted by using Amazon S3 static web hosting. Client-side scripts, video, and sound files create dynamic presentations, but they are static content because their files do not change on the web server.
A company must create a common place to store shared files. Which requirements does Amazon Simple Storage Service (Amazon S3) support? (Select TWO). A) Recover deleted files. B) Maintain different versions of files. C) Lock a file so that only one person at a time can edit it. D) Attach comments to files. E) Compare file contents between files.
A) Recover deleted files. B) Maintain different versions of files. ** Amazon S3 object versioning enables maintenance of different versions and recovery of deleted files. It is not enabled by default, and it must be enabled on a bucket.
What does AWS Direct Connect provide? A. A dedicated network connection from an on-premises network to AWS that uses 802.1Q. B. A private telecommunications circuit from an on-premises network direct into AWS that uses Point-to-Point Protocol. C. An encrypted tunnel that connects an on-premises network to AWS over the internet. D. An extension of the AWS Cloud into customer data centers that uses AWS hardware installed on premises
A. A dedicated network connection from an on-premises network to AWS that uses 802.1Q. ** AWS Direct Connect establishes a connection between an on-premises network and AWS through a Direct Connect location. It uses IEEE 802.1Q virtual LAN (VLAN) tagging to separate traffic (virtual interfaces) across the connection. Direct Connect is private but not encrypted by itself; run a Site-to-Site VPN over it if encryption is required.
A company wants to deploy their simple website in AWS. It consists of HTML, server-side PHP code, and client-side JavaScript code. The website must be highly available to a global audience. What can you create that will provide the simplest method to bring the site online quickly? A. A load-balanced environment in AWS Elastic Beanstalk. B. An Amazon S3 bucket with static web hosting. C. An AWS CloudFormation stack that deploys a highly available architecture in a VPC. D. An AWS OpsWorks stack that deploys a highly available architecture in a VPC
A. A load-balanced environment in AWS Elastic Beanstalk.
Which techniques should you use to secure an Amazon DynamoDB table? (Select THREE). A. AWS Identity and Access Management (IAM) policies to define access at the table, row and column levels. B. Security groups to control network access to individual instances. C. An Amazon Virtual Private Cloud (VPC) gateway endpoint to prevent traffic from traversing the internet. D. A Virtual Private Gateway (VGW) to filter traffic from restricted networks. E. A Virtual Private Cloud (VPC) to provide instance isolation and firewall protection. F. Encryption to protect sensitive data.
A. AWS Identity and Access Management (IAM) policies to define access at the table, row and column levels. C. An Amazon Virtual Private Cloud (VPC) gateway endpoint to prevent traffic from traversing the internet. F. Encryption to protect sensitive data. ** IAM controls access to tables and, with fine-grained access control conditions, to individual items and attributes. A VPC gateway endpoint provides a route to DynamoDB that does not traverse the internet. DynamoDB is a managed service with no instances in your VPC, so security groups and VGWs do not apply. Data in DynamoDB is encrypted at rest by default and all API calls use TLS; client-side encryption additionally keeps sensitive attributes encrypted end to end, so the service never sees their plaintext.
Because of a natural disaster, a company moved a secondary data center to a temporary facility with internet connectivity. It needs a secure connection to the company's VPC that must be operational as soon as possible. The data center will move again in 2 weeks. Which option meets the requirements? A. AWS Site-to-Site VPN. B. AWS Direct Connect. C. VPC peering. D. VPC endpoints.
A. AWS Site-to-Site VPN. ** An AWS Site-to-Site VPN connection can be quickly established across the internet. The connection can be terminated when it is no longer needed.
Which attributes are reasons to choose Amazon Elastic Compute Cloud (Amazon EC2)? (Select TWO). A. Ability to run any type of workload. B. Ability to run serverless applications. C. AWS management of operating system patches. D. AWS management of operating system security. E. Complete control of computing resources.
A. Ability to run any type of workload. E. Complete control of computing resources. **Use Amazon EC2 when complete control, down to the operating-system level, is required. Amazon EC2 can run any type of workload, including web, application, database, and media servers. An EC2 instance can run any workload that a physical server can run.
A company must build a highly available website that uses server-side scripts to serve dynamic HTML. Which solution provides the highest availability for the least cost and complexity? A. An Auto Scaling group launches Amazon EC2 instances, which are served by an Application Load Balancer. DNS name resolution points to the load balancer. B. Amazon S3 hosts the website. DNS name resolution points to the S3 bucket. C. An Auto Scaling group launches Amazon EC2 instances, which are served by an Application Load Balancer. Amazon Route 53 uses latency-based routing. D. A second web server is deployed in another Region. Amazon Route 53 uses failover routing for disaster recovery (DR).
A. An Auto Scaling group launches Amazon EC2 instances, which are served by an Application Load Balancer. DNS name resolution points to the load balancer. ** The Auto Scaling group can automatically launch instances to handle increased load, replace instances that become unhealthy, and terminate instances when the load decreases. The Application Load Balancer is highly available across Availability Zones and distributes the load across the instances. Multi-Region options (C and D) add cost and complexity that the question does not require.
How can you grant the same level of permissions to multiple users within an account? A. Apply an AWS Identity & Access Management (IAM) policy to an IAM group. B. Apply an AWS Identity & Access Management (IAM) policy to an IAM role. C. Create a resource-based policy. D. Create an organization in AWS Organizations.
A. Apply an AWS IAM policy to an IAM group. ** By defining the permissions in an IAM policy and putting the users in a group, you can set the same level of permissions to all users in that group.
A company's security administrator requires that EC2 instances in a specific subnet must connect to Amazon DynamoDB through a VPC endpoint. The company's network standards require that the infrastructure support high availability. Which action meets these architecture requirements without adding another subnet? A. Associate a single VPC endpoint with the subnet. B. Associate two VPC endpoints with the subnet. C. Associate two VPC endpoints with the subnet and use Elastic Load Balancing. D. Associate VPC endpoints using an Auto Scaling group that is connected to Elastic Load Balancing.
A. Associate a single VPC endpoint with the subnet. ** VPC endpoints are horizontally scaled, redundant, and highly available.
A group of consultants requires access to an EC2 instance from the internet, for 3 consecutive days each week. The instance is shut down the rest of the week. The VPC has internet access. How should you assign the IPv4 address to the instance to give the consultants access? A. Associate an Elastic IP with the EC2 instance. B. Enable automatic address assignment for the subnet. C. Enable automatic address assignment for the EC2 instance. D. Assign the address in the operating system (OS) boot configuration.
A. Associate an Elastic IP with the EC2 instance. ** Using an Elastic IP address helps to ensure that the instance has the same internet address.
You must perform a heterogeneous migration from your on-premises facility to a database in a virtual private cloud (VPC). You will use AWS Snowball Edge and AWS Database Migration Service (AWS DMS). At which point do you use AWS Schema Conversion Tool (AWS SCT)? A. At the start, to extract the data from the source database into the Snowball Edge, before shipping the device. B. After extracting the data from the source database by using AWS DMS, but before shipping the Snowball Edge. C. After the data is in the VPC, but before using AWS DMS to load the data into the target database. D. After using AWS DMS to load the data into the target database in the VPC.
A. At the start, to extract the data from the source database into the Snowball Edge, before shipping the device. ** Because AWS SCT connects to the source database engine, you run it locally: it converts the schema and extracts the data onto the Snowball Edge before the device ships. The alternative is a homogeneous migration to a database in AWS first, followed by conversion, which is less efficient.
Systems in a secure subnet in a VPC must access a bucket in Amazon S3. Which solution stops traffic from crossing the internet? A. Create a VPC gateway endpoint for Amazon S3. B. Use a private IP address for the system. C. Use the private IP address of Amazon S3. D. Create a VPC peering connection to Amazon S3
A. Create a VPC gateway endpoint for Amazon S3. ** A VPC gateway endpoint adds a route for the Amazon S3 prefix list to the subnet route tables that you select. The route keeps traffic between the subnet and S3 inside the AWS network, instead of the default behavior of routing traffic across the internet. Amazon S3 has no private IP address to target and cannot be a VPC peering partner.
Which option is a good way to preview changes before implementing them in AWS CloudFormation Designer? A. Create a change set. B. Run Update Stack. C. Run Detect Drift. D. Visually inspect template
A. Create a change set.
Which scenarios are good use cases for Amazon DynamoDB? (Select THREE). A. Database for serverless architectures. B. Applications that require ACID transactions. C. Applications that combine data from many tables. D. Graph database to trace relationships between entities. E. Document database for JavaScript Object Notation (JSON)-based documents. F. Binary large object (BLOB) storage
A. Database for serverless architectures. B. Applications that require ACID transactions. E. Document database for JavaScript Object Notation (JSON)-based documents. ** Amazon DynamoDB is a serverless service, so it works well with serverless computing. DynamoDB supports ACID transactions through its transaction APIs (TransactWriteItems and TransactGetItems). DynamoDB can store and query data as JSON-like documents, which simplifies application development. Multi-table joins, graph traversal and BLOB storage are better served by relational databases, Amazon Neptune and Amazon S3 respectively.
Which feature does Amazon FSx for Windows File Server provide? A. Fully managed Windows file servers. B. Microsoft AD server for Windows file servers. C. Backup solution for on-premises Windows file servers. D. Amazon management agent for Windows file servers
A. Fully managed Windows file servers. ** FSx for Windows File Server provides fully managed Windows file servers, which are built on Microsoft Windows Server and accessed over the SMB protocol.
Which use cases indicate that a non-relational database might be a better solution than a relational database? (Select TWO). A. Horizontal scaling for massive data volume. B. ACID compliance for all database transactions. C. Data with unpredictable attributes. D. Strong read-after-write consistency. E. High availability and fault tolerance
A. Horizontal scaling for massive data volume. C. Data with unpredictable attributes. ** For data volume, non-relational databases scale horizontally and relational databases scale vertically. Non-relational databases can handle data with unpredictable attributes. Relational databases use strict schemas, so data attributes must be identified in advance.
All of the EC2 instances in a subnet can communicate with a certain IPv4 network on the internet. How should you modify the security groups or current custom network ACL to deny traffic to and from several restricted addresses in that network? A. In the network ACL, deny traffic to and from the restricted addresses. B. In the security groups, deny traffic to and from the restricted addresses. C. In the network ACL, allow traffic only to and from address ranges that exclude the restricted addresses. D. In the security groups, allow traffic only to and from addresses ranges that exclude the restricted addresses.
A. In the network ACL, deny traffic to and from the restricted addresses. ** This solution is the easiest way to deny traffic to and from individual addresses. You can specify the individual address, or a range of addresses, to deny. These rules should have lower rule numbers than rules that allow traffic to and from the wider network.
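The two network ACL questions above (allowing a secure subnet to reach specific internet addresses, and blocking a few hosts inside an otherwise allowed range) come down to rule ordering and statelessness. The following simulator is an added example, not AWS code: it evaluates rules in ascending rule-number order with first-match-wins and the implicit deny, and `flow_allowed` checks an instance-initiated TCP connection in both directions, because the network ACL has no connection state. The addresses (203.0.113.0/24 is a documentation range) and rule numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AclRule:
    number: int            # evaluation order: lowest number first
    action: str            # "allow" or "deny"
    cidr: str              # remote address range the rule applies to
    protocol: str = "-1"   # "-1" = all protocols, like the console's "All traffic"
    port_from: int = 0
    port_to: int = 65535

    def matches(self, ip: str, protocol: str, port: int) -> bool:
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules: Iterable[AclRule], ip: str, protocol: str, port: int) -> str:
    """Decide one packet: first matching rule wins; the implicit '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, protocol, port):
            return rule.action
    return "deny"


def flow_allowed(inbound: List[AclRule], outbound: List[AclRule],
                 remote_ip: str, remote_port: int, ephemeral_port: int) -> bool:
    """An instance-initiated TCP connection needs an outbound rule to the remote
    port AND an inbound rule for the reply, which arrives on the instance's
    ephemeral source port (1024-65535). Network ACLs track no state."""
    out_ok = evaluate(outbound, remote_ip, "tcp", remote_port) == "allow"
    back_ok = evaluate(inbound, remote_ip, "tcp", ephemeral_port) == "allow"
    return out_ok and back_ok


# Constructed scenario: the permitted internet range, with two hosts that must be blocked.
ALLOWED_NET = "203.0.113.0/24"
RESTRICTED = ["203.0.113.7/32", "203.0.113.200/32"]

# Correct ordering: the specific deny rules are numbered below the broad allow rule.
OUTBOUND = [AclRule(100, "deny", RESTRICTED[0]),
            AclRule(110, "deny", RESTRICTED[1]),
            AclRule(200, "allow", ALLOWED_NET, "tcp", 443, 443)]
INBOUND = [AclRule(100, "deny", RESTRICTED[0]),
           AclRule(110, "deny", RESTRICTED[1]),
           AclRule(200, "allow", ALLOWED_NET, "tcp", 1024, 65535)]   # return traffic

# Wrong ordering: the deny rule sits above the allow rule and is never reached.
OUTBOUND_MISORDERED = [AclRule(200, "allow", ALLOWED_NET, "tcp", 443, 443),
                       AclRule(300, "deny", RESTRICTED[0])]


def demo() -> dict:
    return {
        "normal_host": flow_allowed(INBOUND, OUTBOUND, "203.0.113.10", 443, 40000),
        "restricted_host": flow_allowed(INBOUND, OUTBOUND, "203.0.113.7", 443, 40000),
        "outside_allowed_net": flow_allowed(INBOUND, OUTBOUND, "198.51.100.5", 443, 40000),
        "misordered_deny": evaluate(OUTBOUND_MISORDERED, "203.0.113.7", "tcp", 443),
        "missing_return_rule": flow_allowed([], OUTBOUND, "203.0.113.10", 443, 40000),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`misordered_deny` is the mistake the last answer warns about: a deny rule with a higher number than the allow rule that covers the same address does nothing. `missing_return_rule` is the stateless trap: the outbound allow alone is not enough, which is also why security groups (stateful, allow-only) are usually the first choice for per-instance filtering.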
What are some reasons to use automation to provision resources? (Select TWO). A. Lack of version control with manual process. B. Automation requirement for creating some resources. C. Alignment with the reliability design principle. D. Greater expense with manual processes. E. Automation requirement for high availability
A. Lack of version control with manual process. and C. Alignment with the reliability design principle.
Which descriptions of Amazon EC2 pricing options are correct? (Select TWO). A. On-Demand Instances enable you to pay for compute capacity by usage time, with no long-term commitments. B. Reserved Instances are physical servers that are reserved exclusively for your use. C. Savings Plans are budgeting tools that help you manage Amazon EC2 costs. D. Dedicated Hosts are servers that are dedicated to one purpose, such as a firewall. E. Spot Instances offer spare compute capacity at discounted prices, and can be interrupted
A. On-Demand Instances enable you to pay for compute capacity by usage time, with no long-term commitments. E. Spot Instances offer spare compute capacity at discounted prices, and can be interrupted. ** With On-Demand Instances you pay for compute capacity based on usage. Spot Instances give deep discounts on spare capacity but can be interrupted with a two-minute warning. Reserved Instances and Savings Plans are billing commitments, not physical servers or budgeting tools, and Dedicated Hosts are physical servers dedicated to your account, not to a single purpose.
What does AWS OpsWorks do? (Select THREE). A. Provides managed Chef instances. B. Automates operational tasks across AWS resources. C. Provides managed Kubernetes clusters. D. Automates server configuration, deployment and management. E. Provides managed Puppet instances. F. Automates containerized application deployment at scale
A. Provides managed Chef instances. D. Automates server configuration, deployment and management. E. Provides managed Puppet instances.
You detected that the demand on a fleet of Amazon EC2 instances in an Auto Scaling group increases by a set amount each day. Which type of scaling is the most appropriate for this scenario? A. Scheduled. B. Dynamic. C. Predictive. D. Manual.
A. Scheduled. ** Scheduled scaling is most appropriate when demand follows a well-established, known pattern, such as an increase at the same time every day.
How does identity federation increase security for an application that is built in AWS? A. Users can use SSO to access the application through an existing authenticated identity. B. The application can synchronize users' user names and passwords in AWS IAM with their social media accounts. C. The browser can establish a trust relationship with the application to bypass the need for MFA. D. Users can log into their IAM accounts to log into on-premises systems
A. Users can use SSO to access the application through an existing authenticated identity. ** Authenticating users through a trusted identity broker and store eliminates the need to create, manage, and secure user accounts for the application within the application itself or in AWS.
What are the benefits of using an Amazon Machine Image (AMI)? (Select THREE). A. Using an AMI as a server backup for Amazon EC2 instances. B. Automating security group settings for instances. C. Selling or sharing software solutions packaged as an AMI. D. Migrating data from on-premises to Amazon EC2 instances. E. Launching instances with the same configuration.
A. Using an AMI as a server backup for Amazon EC2 instances. C. Selling or sharing software solutions packaged as an AMI. E. Launching instances with the same configuration. ** AMIs contain the EC2 instance configuration and root volume image, so instances that are launched from the same AMI have the same configuration. Because an AMI is an image of an instance, it can serve as a backup. Vendors sell software solutions that are packaged as AMIs through AWS Marketplace. Security group settings and data migration are not part of an AMI.
For certain services like Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) you can invest in reserved capacity. What options are available for Reserved Instances? (Choose 3). AURI. MURI. NURI. PURI. DURI.
AURI, NURI, PURI. ** The three payment options are All Upfront (AURI), No Upfront (NURI) and Partial Upfront (PURI) Reserved Instances; the larger the upfront payment, the larger the discount.
What aws tool lets you explore AWS services and create an estimate for the cost of your use cases on AWS? (Select the best answer). AWS Pricing Calculator. AWS Budgets. AWS Cost and Usage Report. AWS Billing Dashboard.
AWS Pricing Calculator. **Note: The AWS Pricing Calculator lets you model your solutions before building them, explore the price points and calculations behind your estimate, and find the available instance types and contract terms that meet your needs.
Which scenarios represent a good use for Amazon Simple Storage Service (Amazon S3)? (Select TWO.) A) Housing the root volume of a live operating system. B) Providing a mountable file system for Linux-based workloads. C) Backing up critical data. D) Exposing a virtual tape library to on-premises backup systems. E) Storing computation and analytics data
C) Backing up critical data. E) Storing computation and analytics data ** Amazon S3 is a good choice to back up critical data, for cloud-based and on-premises systems. Amazon S3 can also store computation and large-scale analytics data, such as for financial transaction analysis, clickstream analytics, and media transcoding.
Amazon Simple Storage Service (Amazon S3) provides a good solution for which of the following use cases? A) A data warehouse for business intelligence. B) An internet accessible storage location for video files that an external website accesses. C) Hourly storage of frequently accessed temporary files. D) A cluster for traditional Apache Spark and Apache Hadoop installations to process big data
B) An internet accessible storage location for video files that an external website accesses. ** Web developers can use Amazon S3 to store large video files without provisioning storage. External websites can access these files by using cross-origin resource sharing (CORS).
A company wants to use an S3 bucket to store sensitive data. Which actions can they take to protect their data? (Select TWO.) A) Uploading unencrypted files to Amazon S3 because Amazon S3 encrypts the files by default. B) Enabling server-side encryption on the S3 bucket before uploading sensitive data. C) Enabling server-side encryption on the S3 bucket after uploading sensitive data. D) Using client-side encryption to protect data in transit. E) Using Secure File Transfer Protocol (SFTP) to connect directly to Amazon S3.
B) Enabling server-side encryption on the S3 bucket before uploading sensitive data. D) Using client-side encryption to protect data in transit. ** Amazon S3 server-side encryption applies to objects written after it is configured on the bucket; existing objects must be re-uploaded (or copied in place) to be encrypted at rest. Server-side encryption protects data at rest only; transport to S3 is protected by TLS (HTTPS), and client-side encryption protects objects end to end so that S3 never holds the plaintext. Note that since January 2023 S3 applies SSE-S3 encryption to all new objects by default, so the main reason to configure encryption on a bucket today is to choose SSE-KMS with your own key and to enforce it with a bucket policy.
Which Amazon Simple Storage Service (Amazon S3) unaccelerated data transfers have an associated cost? (Select TWO.) A) IN from the internet. B) OUT to the internet. C) OUT to other AWS Regions. D) OUT to other AWS services in the same AWS Region. E) OUT to Amazon CloudFront
B) OUT to the internet. C) OUT to other AWS Regions. ** Data transfer OUT to the internet has tiered pricing per gigabyte (GB). Data transfer OUT to other AWS Regions has a cost per GB. Transfer IN from the internet, to other AWS services in the same Region, and to Amazon CloudFront is free. Check the Amazon S3 pricing documentation for current pricing.
A technology company's employees log into their AWS accounts through AWS IAM users. They have administrator access and access to the root users. Which resource can prevent them from deleting the AWS CloudTrail logs? A. An IAM policy that is attached to each IAM user. B. A service control policy (SCP) that is attached to the organizational unit (OU). C. An Amazon S3 bucket policy that is attached to logging buckets. D. IAM users with administrative access can override the S3 bucket policies
B. A service control policy (SCP) that is attached to the organizational unit (OU). ** In AWS Organizations, applying an SCP to the OU can prevent employees from deleting the logs. The SCP cannot be overridden by any principal (including the root user) of the member accounts in the OU, whereas administrators can edit IAM policies and bucket policies in their own account. SCPs do not apply to the organization's management account, so the trail's log bucket should not live there.
A company is implementing a system to back up on-premises systems to AWS. Which network connectivity method will provide a solution with consistent performance? A. AWS Site-to-Site VPN. B. AWS Direct Connect. C. AWS peering. D. AWS endpoints.
B. AWS Direct Connect. ** AWS Direct Connect creates a dedicated private network connection that does not cross the internet. Because of this, it has more consistent performance than an internet connection.
Which services can you use to enable identity federation for your applications that are built in AWS? (Select TWO). A. AWS WAF. B. AWS KMS. C. AWS STS. D. AWS CloudHSM. E. Amazon Cognito
C. AWS STS. E. Amazon Cognito. ** AWS Security Token Service (STS) issues temporary credentials to federated identities (for example AssumeRoleWithSAML and AssumeRoleWithWebIdentity), and Amazon Cognito federates users from SAML, OIDC and social identity providers for web and mobile applications. AWS KMS and AWS CloudHSM are key management services and AWS WAF is a web application firewall; none of them provide federation.
Which statement that compares a database service that Amazon Web Services (AWS) manages with a database on an Amazon Elastic Compute Cloud (EC2) instance is true? A. You do not need to configure backups for a database on a managed database service. B. AWS manages DB patches for a database on a managed database service. C. AWS manages operating system (OS) patches for a database on an EC2 instance. D. You do not need to configure backups for a database on an EC2 instance.
B. AWS manages DB patches for a database on a managed database service. ** AWS patches the database system as part of a managed database service, which enables you to focus on your application. AWS managed database services also provide high availability, scalability, and backups as built-in options that you can configure.
What is the AWS CloudFormation Designer? A. A source code repository for AWS CloudFormation templates. B. A tool for automating deployments. C. A graphical design interface for creating AWS CloudFormation templates. D. A collection of reusable templates
C. A graphical design interface for creating AWS CloudFormation templates.
A company has three VPCs. VPC A, B and C have CIDR blocks that do not overlap. Both A and C have separate VPC peering connections with B. However, A cannot communicate with C. What is the simplest and most cost-effective way to enable full communication between A and C? A. Add routes to B to enable traffic between A and C through B. B. Add a peering connection between A and C, and route traffic between A and C through the peering connection. C. Link all three VPCs through a transit VPC, and route all traffic through the transit VPC. D. Create VPC endpoints in A and C for the individual hosts that need to communicate with each other.
B. Add a peering connection between A and C, and route traffic between A and C through the peering connection. ** VPC peering is point-to-point and not transitive, so traffic from A cannot reach C through B. Full connectivity between any two VPCs requires a separate peering connection; connecting all VPCs in a group by using VPC peering requires a full mesh.
You are configuring a bastion host to access EC2 instances in a VPC. What must you do to the security groups? (Select TWO). A. Add a rule to the bastion host to deny all traffic from the internet. B. Add a rule to the bastion host to allow traffic from your source IP address. C. Add a rule to the bastion host to allow return traffic to your source IP address. D. Add a rule to the private subnet EC2 instances to allow traffic from the bastion host security group. E. Add a rule to the private subnet EC2 instances to allow return traffic to the bastion host security group.
B. Add a rule to the bastion host to allow traffic from your source IP address. D. Add a rule to the private subnet EC2 instances to allow traffic from the bastion host security group. ** You must modify the security group of each instance to allow inbound traffic. Following the principle of least privilege, the security groups should limit traffic to only those systems that need access. Security groups are stateful, so no rules for return traffic are needed, and they have no deny rules. An inbound rule's source can be an IP address range or another security group, which is why the private instances reference the bastion host's security group rather than its address.
Which examples are good use cases for Amazon Relational Database Service (Amazon RDS)? (Select THREE). A. Thousands of distributed concurrent writes per second. B. An application that requires the database to enforce syntax rules. C. An application that requires complex joins of data. D. A petabyte-scale data warehouse. E. Running a Microsoft SQL Server in AWS. F. Database for serverless architectures
B. An application that requires the database to enforce syntax rules. C. An application that requires complex joins of data. E. Running a Microsoft SQL Server in AWS. ** Amazon RDS supports Microsoft SQL Server and many other popular relational database engines. It is useful when the application offloads schema and constraint enforcement to the database, and when data queries include complex joins of data from many tables. Thousands of distributed concurrent writes, petabyte-scale warehousing and serverless architectures point to DynamoDB, Amazon Redshift and DynamoDB respectively.
What is AWS Elastic Beanstalk? A. An easy-to-use cloud platform that offers you everything that you need to build an application or website, and a cost-effective, monthly plan. B. An easy-to-use service for deploying and scaling web applications and services that are developed with common web development languages and platforms. C. A serverless compute engine for containers that works with both Amazon ECS and Amazon EKS. D. A set of tools and services that enable mobile and frontend web developers to build secure, scalable, full-stack applications that are powered by AWS
B. An easy-to-use service for deploying and scaling web applications and services that are developed with common web development languages and platforms.
It is possible to create an NFS share on an Amazon EBS-backed Linux instance by installing and configuring an NFS server on the instance. In this way, multiple Linux systems can share the file system of that instance. Which advantages does Amazon EFS provide, compared to this solution? (Select TWO). A. Strong consistency. B. Automatic scaling. C. High availability. D. File locking. E. No need for backups.
B. Automatic scaling. C. High availability. ** As a fully managed service, Amazon EFS provides high availability. An NFS server on an instance is a single point of failure, which can become overloaded. Amazon EFS also scales automatically, and you pay for only what you use. Amazon EBS does not scale automatically.
Which statement about Amazon EC2 Auto Scaling is accurate? A. It requires the customer to purchase Reserved Instances. B. It can launch Amazon EC2 instances in multiple Availability Zones. C. It can launch Amazon EC2 instances, but customers must terminate instances after they are no longer needed. D. It can only launch new Amazon EC2 instances based on a schedule
B. It can launch Amazon EC2 instances in multiple Availability Zones.
How does AWS IAM evaluate a policy? A. It checks for explicit allow statements before it checks for explicit deny statements. B. It checks for explicit deny statements before it checks for explicit allow statements. C. If there is no explicit deny statement or explicit allow statement, users will have access by default. D. An explicit deny statement does not override an explicit allow statement.
B. It checks for explicit deny statements before it checks for explicit allow statements.
Which techniques should you use to secure an Amazon Relational Database Service (RDS) database? (Select THREE). A. AWS Identity and Access Management (IAM) policies to define access at the table, row and column levels. B. Security groups to control network access to individual instances. C. An Amazon Virtual Private Cloud (VPC) gateway endpoint to prevent traffic from traversing the internet. D. A Virtual Private Gateway (VGW) to filter traffic from restricted networks. E. A Virtual Private Cloud (VPC) to provide instance isolation and firewall protection. F. Encryption to protect sensitive data.
B. Security groups to control network access to individual instances. E. A Virtual Private Cloud (VPC) to provide instance isolation and firewall protection. F. Encryption to protect sensitive data. ** Because Amazon RDS uses server instances, they deploy in an Amazon VPC, and you control network access to them by using security groups. It is always a good idea to use encryption to protect sensitive data in Amazon RDS, both at rest and in transit.
A small company is deciding which service to use for an enrollment system for their online training website. Choices are MySQL on Amazon EC2, MySQL in Amazon RDS and Amazon DynamoDB. Which combination of use cases suggests using Amazon RDS? (Select THREE). A. Data and transactions must be encrypted to protect personal information. B. The data is highly structured. C. Student, course, and registration data are stored in many different tables. D. The enrollment system must be highly available. E. The company doesn't want to manage database patches.
B. The data is highly structured. C. Student, course, and registration data are stored in many different tables. E. The company doesn't want to manage database patches. ** AWS manages the database patches and updates for Amazon RDS and DynamoDB. Amazon RDS is better for use cases that require complex joins of data from many different tables. It is also better when the data is highly structured (the database uses a strict schema).
A small game company is designing an online game, where thousands of players can create their own in-game objects. The current design uses a MySQL database in Amazon RDS to store data for player-created objects. Which use cases suggest that DynamoDB might be a better solution? (Select TWO). A. A set of common attributes that all player-created objects have. B. Unpredictable attributes for player-created objects. C. Large number of player-created objects, each with different attributes. D. Quick search and retrieval of player-created objects. E. High amount of read activity on player-created objects
B. Unpredictable attributes for player-created objects. C. Large number of player-created objects, each with different attributes. ** Because players create their own objects, the object attributes are unpredictable and the database schema cannot be determined beforehand. A large number of objects, each with potentially different attributes, is a good use case for Amazon DynamoDB.
Users in location A connect to an application in Region A. Users in location B connect to the same application in Region B. If the application in Region A becomes unhealthy, clients in location A must be redirected to the application in Region B. Which solution can meet this requirement? A. Use an Application Load Balancer with Amazon CloudWatch alarms. B. Use geolocation routing with failover records in Amazon Route 53. C. Use latency-based routing in Amazon Route 53 with Amazon CloudWatch alarms. D. Use geo-proximity routing and a Network Load Balancer that is attached to both Regions.
B. Use geolocation routing with failover records in Amazon Route 53. ** Geolocation routing enables the separation of traffic based on location. A failover record that points to the application in Region B enables failover if the application in Region A becomes unhealthy.
What are the four support plans offered by AWS Support? (Select the best answer). Basic, Developer, Business, Enterprise. Basic, Startup, Business, Enterprise. Free, Bronze, Silver, Gold. All support is free.
Basic, Developer, Business, Enterprise.
A company is migrating 100 terabytes (TB) of data from their on-premises data center to Amazon Simple Storage Service (Amazon S3). The company connects to Amazon Web Services (AWS) by using a single 155 megabits per second (Mbps) internet connection. Which data transfer option is the fastest and most cost-effective? A) AWS Management Console. B) Amazon S3 multipart uploads. C) AWS Snowball. D) AWS Snowmobile.
C) AWS Snowball. ** AWS Snowball is good for transferring dozens of TB to petabytes (PB) of data to AWS. Local data transfer to a Snowball device is faster than transferring directly to Amazon S3 over the internet. Transfer time to AWS depends on physical package shipping times.
Which combination of actions enables direct internet access for IPv4 hosts in a VPC? (Select THREE). A. Enabling DNS resolution for the VPC. B. Configuring the VPC domain name in a DHCP options set. C. Configuring hosts to have or obtain an internet-routable address. D. Creating a default route that points to the virtual private gateway. E. Creating a route for 0.0.0.0/0 that points to the internet gateway. F. Configuring security groups and network ACLs to permit internet traffic
C. Configuring hosts to have or obtain an internet-routable address. E. Creating a route for 0.0.0.0/0 that points to the internet gateway. F. Configuring security groups and network ACLs to permit internet traffic. ** Hosts need internet-routable addresses that are obtained statically, dynamically, or by address translation. The default route is 0.0.0.0/0 and it must point to the internet gateway. All traffic passes through security groups and network ACLs, which must allow the flow.
A team of developers needs access to several services and resources in a VPC for 9 months. How can you use AWS IAM to enable access for them? A. Create an IAM user for the developer team and attach the required IAM policies. B. Create an IAM user for each developer, and attach the required IAM policies to each IAM user. C. Create an IAM user for each developer, put them all in an IAM group, and attach the required IAM policies to the IAM group. D. Create a single IAM user for the developer team, place it in an IAM group, and attach the required IAM policies to the IAM group.
C. Create an IAM user for each developer, put them all in an IAM group, and attach the required IAM policies to the IAM group. ** Attaching policies to groups applies the same access rules to all members of the group. It also automatically applies the access rules to new users that are added to the group, and removes those access rules from users that are removed from the group.
You have created an AWS account for your own personal development and testing. You want your account to stay within the AWS Free Tier and not to generate unexpected costs. Which approach will work and requires the least effort? A. Log into the AWS Management Console each month and check your billing dashboard. B. Create a service control policy (SCP) to restrict all services that are not included in the AWS Free Tier. C. Create an Amazon CloudWatch alarm to send you an email message when the account billing exceeds $0. D. Create an Amazon CloudWatch metric to monitor account billing and limit it to $0
C. Create an Amazon CloudWatch alarm to send you an email message when the account billing exceeds $0.
Which actions are best practices for designing a VPC? (Select THREE). A. Match the size of the VPC CIDR block to the number of hosts that are required for a workload. B. Use the same CIDR block as your on-premises network. C. Divide the VPC network range evenly across all Availability Zones available. D. Create one subnet per Availability Zone for each group of hosts that have unique routing requirements. E. Reserve some address space for future use.
C. Divide the VPC network range evenly across all Availability Zones available. D. Create one subnet per Availability Zone for each group of hosts that have unique routing requirements. E. Reserve some address space for future use. ** Running out of addresses might require complicated network re-addressing. Adding more CIDR blocks to a VPC is possible, but is not a solution for inadequate planning. Distributing subnets and hosts across Availability zones
Which statement describes Identity & Access Management (IAM) users? A. IAM users are used to control access to a specific AWS resource. B. IAM user names can represent a collection of individuals. C. Every IAM user for an account must have a unique name. D. Every IAM user name is unique across AWS accounts.
C. Every IAM user for an account must have a unique name. ** IAM user names only need to be unique within an account.
How does Amazon DynamoDB perform automatic scaling? A. It adds and removes database instances in response to changes in traffic. B. It adds read replicas in response to increased read demand. C. It adjusts the provisioned throughput capacity in response to traffic patterns. D. It changes the instance type in response to changes in processing load.
C. It adjusts the provisioned throughput capacity in response to traffic patterns. ** Amazon DynamoDB uses the AWS Application Auto Scaling service to adjust the provisioned throughput capacity on your behalf. When the workload decreases, Application Auto Scaling decreases the throughput so that you do not pay for unused provisioned capacity.
A workload requires high read/write access to large local datasets. Which instance types would perform best for this workload? (Select TWO). A. General purpose. B. Compute optimized. C. Memory optimized. D. Accelerated computing. E. Storage optimized.
C. Memory optimized. E. Storage optimized. ** Memory optimized instances are designed for processing large datasets in memory. Storage optimized instances are designed for workloads that require high, sequential read/write access to very large datasets on local storage.
A fleet of Amazon EC2 instances launch in an Auto Scaling group. The instances run an application that uses a custom protocol on TCP port 42000. Connections from client systems on the internet must balance across the instances. Which load balancing solution ensures the highest availability? A. Round-robin DNS. B. Application Load Balancer. C. Network Load Balancer. D. Instance-based load balancer.
C. Network Load Balancer. ** A network load balancer can handle any TCP, UDP, and TLS traffic. As a feature of Elastic Load Balancing, a network load balancer is highly available.
A transactional workload on an Amazon EC2 instance performs high amounts of frequent read and write operations. Which Amazon EBS volume type is best for this workload? A. General purpose solid state drive (SSD). B. Cold hard disk drive (HDD). C. Provisioned IOPS solid state drive (SSD). D. Throughput optimized hard disk drive (HDD).
C. Provisioned IOPS solid state drive (SSD). ** Provisioned IOPS SSD EBS volumes are optimized for I/O-intensive workloads.
A company has three high-performance computing instances that must communicate with each other. The company would like to achieve maximum network performance between the instances. The most important requirement is that these systems do not share the same rack. Which placement strategy should they use? A. Cluster. B. Partition. C. Spread. D. Default
C. Spread. ** The spread placement strategy ensures that the instances are placed in separate hardware racks, each with its own network and power source. This strategy minimizes the risk of correlated hardware failures.
A system administrator must change the instance types of multiple running Amazon EC2 instances. The instances were launched with a mix of Amazon EBS-backed AMIs and instance store-backed AMIs. Which method is a valid way to change the instance type? A. Change the instance type of an Amazon EBS-backed instance without stopping it. B. Change the instance type of an instance store-backed instance without stopping it. C. Stop an Amazon EBS-backed instance, change its instance type, and start the instance. D. Stop an instance store-backed instance, change its instance type, and start the instance.
C. Stop an Amazon EBS-backed instance, change its instance type, and start the instance. ** Change the instance type of an EBS-backed instance by stopping it first.
A company's VPC has the CIDR block 172.16.0.0/21 (2048 addresses). It has two subnets (A and B). Each subnet must support 100 usable addresses now, but this number is expected to rise to at most 254 usable addresses soon. Which subnet addressing scheme meets the requirements and follows AWS best practices? A. Subnet A: 172.16.0.0/25 (128 addresses) Subnet B: 172.16.0.128/25 (128 addresses). B. Subnet A: 172.16.0.0/25 (128 addresses) Subnet B: 172.16.0.128/25 (128 addresses). C. Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses). D. Subnet A: 172.16.0.0/22 (1042 addresses) Subnet B: 172.16.4.0/22 (1024 addresses)
C. Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses). ** These CIDR blocks are the next larger size from /24. AWS reserves five addresses per subnet, so each CIDR block has 507 usable addresses. This scheme provides room for the growth requirement.
A fleet of Amazon EC2 instances are launched in an Auto Scaling group behind an Elastic Load Balancing load balancer. The EC2 instances must maintain 50 percent average CPU utilization. Which type of scaling provides the simplest way to achieve this requirement? A. Step scaling. B. Simple scaling. C. Target tracking scaling. D. Manual scaling.
C. Target tracking scaling. ** Target tracking scaling provides average central processing unit (CPU) utilization as a standard target metric. You can specify the target value and let Amazon EC2 Auto Scaling handle the rest.
Which statements describe AWS IAM roles? (Select TWO). A. They are uniquely associated to an individual. B. They can only be used by accounts associated to the person who creates the role. C. They can be assumed by individuals, applications or services. D. They provide temporary security credentials. E. They provide permanent security credentials
C. They can be assumed by individuals, applications or services. D. They provide temporary security credentials. ** IAM roles only provide credentials after the individual, application, or service has assumed the role.
A company wants to migrate their on-premises Oracle database to Amazon Aurora MySQL. Which process describes the high-level steps? A. Use AWS Database Migration Service (AWS DMS) to migrate from the Oracle database to Amazon Aurora MySQL. B. Use AWS Database Migration Service (AWS DMS) to migrate the data, and then use AWS Schema Conversion Tool to convert the schema. C. Use AWS Schema Conversion Tool to convert the schema, and then use AWS Database Migration Service (AWS DMS) to migrate the data. D. Use AWS Schema Conversion Tool to synchronously convert the schema and migrate the data.
C. Use AWS Schema Conversion Tool to convert the schema, and then use AWS Database Migration Service (AWS DMS) to migrate the data. ** AWS SCT analyzes the schema of the source database, does the conversion, and then creates the schema in the target database. AWS DMS then copies the data to the target database.
A company has two VPCs. VPC A has a CIDR block of 10.1.0.6/16. VPC B has a CIDR block of 10.2.0.0/16. Both VPCs belong to the same AWS account. What is the simplest way to connect the two VPCs so that they can route all traffic between them? A. AWS Site-to-Site VPN. B. AWS Direct Connect. C. VPC peering. D. VPC endpoints.
C. VPC peering. ** VPC peering enables full network connectivity between two VPCs in the same account or in different accounts.
A customer service team accesses case data daily for up to 30 days. Cases can be reopened and require immediate access for 1 year after they are closed. Which solution meets the requirements and is the most cost-efficient? A) Store all case data in S3 Standard so that it is available whenever needed. B) Store case data in S3 Standard. Use a lifecycle policy to move the data into S3 Standard-Infrequent Access (S3 Standard-IA) after 30 days. C) Store case data in S3 Standard. Use a lifecycle policy to move the data into Amazon S3 Glacier after 30 days. D) Store case data in S3 Intelligent-Tiering to automatically move data between tiers based on access frequency.
D) Store case data in S3 Intelligent-Tiering to automatically move data between tiers based on access frequency.
What is an AWS Site-to-Site VPN? A. A service that provides SSL-encrypted links between websites in AWS. B. A solution that provides encrypted sessions between AWS and on-premises systems by using TLS. C. A service that provides the ability to access AWS and on-premises networks by using OpenVPN clients. D. A solution that provides a connection between a VPC and an on-premises network by using IPsec.
D. A solution that provides a connection between a VPC and an on-premises network by using IPsec. ** AWS Site-to-Site VPN creates an encrypted connection by using IPsec. The connection is often across the internet, but it can also be used to encrypt a connection across AWS Direct Connect.
What is AWS CloudFormation? A. A package of all of the information that is needed to launch an Amazon EC2 instance. B. A template that describes your infrastructure. C. A description of best practices for designing an AWS implementation. D. An AWS service that you can use to create, model and manage AWS resources
D. An AWS service that you can use to create, model and manage AWS resources
A company uses a single AWS Direct Connect connection between their on-premises network and their VPC. They want to ensure that the network connectivity is highly available by adding a backup connection. Which network connectivity method provides the most cost-effective solution for the backup connection? A. Another AWS Direct Connect connection through the same Direct Connect location. B. Another AWS Direct Connect connection through a different Direct Connect location. C. An on-demand AWS Client VPN connection across the internet. D. An on-demand AWS Site-to-Site VPN connection across the internet.
D. An on-demand AWS Site-to-Site VPN connection across the internet. ** An on-demand AWS Site-to-Site VPN connection can be quickly established across the internet, as needed. The connection can be terminated when it is not needed.
How do you vertically scale an Amazon RDS database? A. By adding read replicas. B. By creating dedicated read and write nodes. C. By sharding the database. D. By changing the instance class.
D. By changing the instance class.
What is the simplest way to connect 100 VPCs together? A. Create a hub-and-spoke network by using AWS VPN CloudHub. B. Chain VPCs together by using VPC peering. C. Connect each VPC to all the other VPCs by using VPC peering. D. Connect the VPCs to AWS Transit Gateway.
D. Connect the VPCs to AWS Transit Gateway. ** AWS Transit Gateway connects VPCs and on-premises networks through a central hub, and can scale to connect thousands of VPCs.
Which statement describes a resource-based policy? A. It can be applied to any AWS resource. B. It can be an AWS managed policy. C. It is attached to a user or group. D. It is always an inline policy.
D. It is always an inline policy. ** Inline policies are embedded directly into a single user, group, role, or resource.
A company wants to run a highly available web tier by using two EC2 instances and a load balancer. Which design is valid and provides the highest availability? A. One subnet in one Availability Zone. The subnet contains two EC2 instances. B. One subnet, which spans two Availability Zones. Each Availability Zone contains one EC2 instance. C. Two different subnets in the same Availability Zone. Each subnet contains one EC2 instance. D. Two different subnets, one per Availability Zone. Each subnet contains one EC2 instance.
D. Two different subnets, one per Availability Zone. Each subnet contains one EC2 instance. ** A problem in one Availability Zone does not affect both EC2 instances.
An application requires the MAC address of the host Amazon EC2 instance. The architecture uses an AWS Auto Scaling group to dynamically launch and terminate instances. Which way is best for the application to obtain the MAC address? A. Write the MAC address in the application configuration of each instance. B. Include the MAC address in the AMI that is used to launch all of the instances in the AWS Auto Scaling Group. C. Include the MAC address in a custom AMI for each instance in the AWS Auto Scaling group. D. Use the user data of each instance to access the MAC address through the instance metadata.
D. Use the user data of each instance to access the MAC address through the instance metadata. ** Because the AWS Auto Scaling group launches the instances, the MAC address of each instance is unpredictable. The user data script can access the MAC address from the instance metadata when the instance starts, and then notify the application.
Several EC2 instances launch in a VPC that has internet access. These instances should not be accessible from the internet, but they must be able to download updates from the internet. How should the instances launch? A. With Elastic IP addresses, in a subnet with a default route to an internet gateway. B. With public IP addresses, in a subnet with a default route to an internet gateway. C. Without public IP addresses, in a subnet with a default route to an internet gateway. D. Without public IP addresses, in a subnet with a default route to a NAT gateway
D. Without public IP addresses, in a subnet with a default route to a NAT gateway. ** A NAT gateway provides the EC2 instances with internet-routable source addresses for sessions that EC2 instances initiate. However, it does not enable internet access to the instances.
As AWS grows, the cost of doing business is reduced and savings are passed back to the customer with lower pricing. What is this optimization called? (Select the best answer). Expenditure Awareness. Economies of Scale. Matching supply and demand. EC2 Right Sizing.
Economies of Scale.
Which of the following are NOT benefits of AWS Cloud computing? (Choose 2)
Multiple procurement cycles / High latency
T or F? Cloud computing provides a simple way to access servers, storage, databases, and a broad set of application services over the internet. You own the network-connected hardware required for these services and Amazon Web Services provisions what you need.
F
True or false? To receive the discounted rate associated with Reserved Instances, you must make a full, upfront payment for the term of the agreement. True. False.
False.
True or false? Unlimited services are available with the AWS Free Tier to new AWS customers for 12 months following their AWS sign-up date. True. False.
False. ** Note: The AWS Free Tier applies to certain services and options.
T or F? AWS owns and maintains the network-connected hardware required for application services, while you provision and use what you need.
True
True or false? AWS offers a variety of services at no charge. For example, Amazon Virtual Private Cloud, AWS Identity and Access Management, Consolidated Billing, AWS Elastic Beanstalk, AWS Auto Scaling, AWS OpsWorks, and AWS CloudFormation. However, you might be charged for other AWS services that you use in conjunction with these services. True. False.
True.
Economies of scale result from _____. (Select the best answer)
having hundreds of thousands of customers aggregated in the cloud
