AWS Sol Arch - Mock Exam2

In S3 server-side encryption (SSE-S3), you manage encryption/decryption of your data, the encryption keys, and related tools.

A client of yours has a huge amount of data stored on Amazon S3, but is concerned about someone stealing it while it is in transit. You know that all data is encrypted in transit on AWS, but which of the following is wrong when describing server-side encryption on AWS?

All data stored on Glacier is protected with AES-256 serverside encryption.

A company wants to review the security requirements of Glacier. Which of the below mentioned statements is true with respect to the AWS Glacier data security?

Every packet sent in the AWS network uses Internet Protocol Security (IPsec). Correct statements are - - Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. - Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission. - Customers may encrypt the input data before they upload it to Amazon S3.

A customer enquires about whether all his data is secure on AWS and is especially concerned about Elastic Map Reduce (EMR) so you need to inform him of some of the security features in place for AWS. Which of the below statements would be an incorrect response to your customers enquiry?

You can use the BitTorrent protocol but only for objects that are less than 5 GB in size.

A friend wants you to set up a small BitTorrent storage area for him on Amazon S3. You tell him it is highly unlikely that AWS would allow such a thing in their infrastructure. However you decide to investigate. Which of the following statements best describes using BitTorrent with Amazon S3?

A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that the AWS CloudHSM is the best service for this. However, there seem to be a few pre-requisites before this can happen, one of those being a security group that has certain ports open. Which of the following is correct in regards to those security groups?

In the event of a disaster to your AWS infrastructure you should be able to quickly launch resources in Amazon Web Services (AWS) to ensure business continuity. The following are some key steps you should have in place for preparation: 1. Set up Amazon EC2 instances to replicate or mirror data. 2. Ensure that you have all supporting custom software packages available in AWS. 3. Create and maintain AMIs of key servers where fast recovery is required. 4. Regularly run these servers, test them, and apply any software updates and configuration changes. 5. Consider automating the provisioning of AWS resources.

A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following is important when thinking about being able to quickly launch resources in AWS to ensure business continuity in case of a disaster?

Hadoop is an open source Java software framework

A major finance organisation has engaged your company to set up a large data mining application. Using AWS you decide the best service for this is Amazon Elastic MapReduce(EMR) which you know uses Hadoop. Which of the following statements best describes Hadoop?

Attach one more volume with RAID 1 configuration.

A user has attached 1 EBS volume to a VPC instance. The user wants to achieve the best fault tolerance of data possible. Which of the below mentioned options can help achieve fault tolerance?

Configure the security group of EC2 with a rule that sources ELB's security group

A user has configured a website and launched it using the Apache web server on port 80. The user is using ELB with the EC2 instances for Load Balancing. What should the user do to ensure that the EC2 instances accept requests only from ELB?

The IP addresses belong to EC2 Classic; so they cannot be assigned to VPC

A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. The user has 3 elastic IPs and is trying to assign one of the Elastic IPs to the VPC instance from the console. The console does not show any instance in the IP assignment screen. What is a possible reason that the instance is unavailable in the assigned IP console?

The user can add availability zones on the fly from the AWS console

A user has created an ELB with the availability zone US-East-1A. The user wants to add more zones to ELB to achieve High Availability. How can the user add more zones to the existing ELB?

The user should attach an IAM role to the EC2 instance with necessary permissions for making API calls to DynamoDB.

A user has created an application which will be hosted on EC2. The application makes API calls to DynamoDB to fetch certain data. The application running on this instance is using the SDK for making these calls to DynamoDB. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

AWS Simple Queue Service

A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to retrieve the picture accordingly and send the picture to EC2 for processing. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?

Instance with the nearest billing hour in US-East-1A

A user has defined an AutoScaling termination policy to first delete the instance with the nearest billing hour. AutoScaling has launched 3 instances in the US-East-1A region and 2 instances in the US-East-1B region. One of the instances in the US-East-1B region is running nearest to the billing hour. Which instance will AutoScaling terminate first while executing the termination action?

Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI

A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR?

SQS

A user is making a scalable web application with compartmentalization. The user wants the log module to be accessible by all the application functionalities in an asynchronous way. Each module of the application sends data to the log module, and based on the resource availability it will process the logs. Which AWS service helps achieving this functionality?

Send an email using DKIM with SES.

A user is sending bulk emails using AWS SES. The emails are not reaching some of the targeted audience because they are not authorized by the ISPs. How can the user ensure that the emails are all delivered?

AWS will throw an error saying that the AMI is deregistered

A user is trying to launch a similar EC2 instance from an existing instance with the option "Launch More like this". The AMI of the selected instance is deleted. What will happen in this case?

multi AZ

A user wants to achieve High Availability with PostgreSQL DB. Which of the below mentioned functionalities helps achieve HA?

Amazon S3, Amazon SNS, Amazon SQS, Amazon Glacier and Amazon EBS.

AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. In addition to supporting IAM user policies, some services support resource-based permissions. Which of the following services are supported by resource-based permissions?

Credential reports are downloaded XML files. Correct ones - - You can use the report to audit the effects of credential lifecycle requirements, such as password rotation. - You can get a credential report using the AWS Management Console, the AWS CLI, or the IAM API. - You can grant permissions to an auditor so that he or she can download the report directly.

After a major security breach your manager has requested a report of all users and their credentials in AWS. You discover that in IAM you can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, MFA devices, and signing certificates. Which following statement is incorrect in regards to the use of credential reports?

Kinesis

After deciding that EMR will be useful in analysing vast amounts of data for a gaming website that you are architecting you have just deployed an Amazon EMR Cluster and wish to monitor the cluster performance. Which of the following tools cannot be used to monitor the cluster performance?

A placement group can span multiple Availability Zones. Correct statements on limitations are - - Although launching multiple instance types into a placement group is possible, this reduces the likelihood that the required capacity will be available for your launch to succeed. - The name you specify for a placement group name must be unique within your AWS account. - A placement group can span peered VPCs

After setting up a Virtual Private Cloud (VPC) network, a more experienced cloud engineer suggests that to achieve low network latency and high network throughput you should look into setting up a placement group. You know nothing about this, but begin to do some research about it and are especially curious about its limitations. Which of the below statements is wrong in describing the limitations of a placement group?

Set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value.

After setting up some EC2 instances, you now need to set up a monitoring solution to track these instances, and to send you an email when the CPU hits a certain threshold. Which statement below best describes what thresholds you can set to trigger a CloudWatch Alarm?

ELB uses a four-tier, key-based architecture for encryption. ADVANTAGES OF ELB - - When used in an Amazon VPC, ELB supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options. - ELB offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network. - ELB supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections.

Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits. Which of the following is not an advantage of ELB over an on-premise load balancer?

The EC2 instance follows the rules of both the subnets

An EC2 instance is connected to an ENI (Elastic Network Interface) in one subnet. What happens when you attach an ENI of a different subnet to this EC2 instance?

- Data replication. - Data encryption. - Data snapshot.

An organization has a statutory requirement to protect the data at rest for data stored in EBS volumes. Which of the below mentioned options can the organization use to achieve data protection?

5

By default how many EIPs is each AWS account limited to on a per region basis?

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

Can I change the EC2 security groups after an instance is launched in EC2-Classic?

Yes, if configured with the Auto Scaling group

Can a user get a notification of each instance start / terminate configured with Auto Scaling?

No

Can you specify the security group that you created for a VPC when you launch an instance in EC2-Classic?

Yes

Does DynamoDB support in-place atomic updates?

The US-East-1a availability zone for George and Ray can be different.

George has launched three EC2 instances inside the US-East-1a zone with his AWS account. Ray has launched two EC2 instances in the US-East-1a AZ from his AWS account. Which one of the below mentioned statements will help George and Ray understand the availability zone (AZ) concept better?

The number of ENIs you can attach varies by instance type.

Having just set up your first Amazon Virtual Private Cloud (Amazon VPC) network, which defined a default network interface, you decide that you need to create and attach an additional network interface, known as an elastic network interface (ENI) to one of your instances. Which of the following statements is true regarding attaching network interfaces to your instances in your VPC?

Active-active failover

Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement?

Luna Backup HSM.

In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:

specify the URL of the load balancer for the domain name of your origin server

In Amazon CloudFront, if you use Amazon EC2 instances as custom origins with CloudFront, it is recommended to_____.

Cluster

In Amazon EC2 Container Service components, what is the name of a logical grouping of container instances on which you can place tasks?

5

In Amazon EC2, how many Elastic IP addresses can you have by default?

Yes

In DynamoDB, could you use IAM to grant access to Amazon DynamoDB resources and API actions?

Data persists in the instance store.

In EC2, what happens to the data in an instance store if an instance reboots (either intentionally or unintentionally)?

A Hosted Zone refers to a selection of resource record sets hosted by Route 53.

In Route 53, what does a Hosted Zone refer to?

Because most reachability issues are resolved by automated processes in less than 20 minutes and do not require any action on the part of the customer

In the context of AWS support, why must an EC2 instance be unreachable for 20 minutes instead of allowing customers to open tickets immediately?

No

Is it required to shutdown your EC2 instance when you create a snapshot of EBS volumes that serve as root devices?

Create a VPC Peering connection between both VPCs.

Mike is appointed as Cloud Consultant in Netcrak Inc. Netcrak has the following VPCs set-up in the US East Region: A VPC with CIDR block 10.10.0.0/16, a subnet in that VPC with CIDR block 10.10.1.0/24 A VPC with CIDR block 10.40.0.0/16, a subnet in that VPC with CIDR block 10.40.1.0/24 Netcrak Inc is trying to establish network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 10.40.1.0/24. Which one of the following solutions should Mike recommend to Netcrak Inc?

AWS uses the techniques detailed in DoD 5220.22-M to destroy data as part of the decommissioning process.

Once again your customers are concerned about the security of their sensitive data and with their latest enquiry ask about what happens to old storage devices on AWS. What would be the best answer to this question?

latency-based routing; weighted resource record sets

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions and if you have more than one Amazon EC2 instance in one or more regions, you can use _______ to route traffic to the correct region for fastest response and then use _______ to route traffic to instances within the region, based on weights that you specify.

reserved for the root device

Select the correct statement: Within Amazon EC2, when using Linux instances, the device name /dev/sda1 is _____.

partition group

The AWS CloudHSM service defines a resource known as a high-availability (HA) ________________, which is a virtual partition that represents a group of partitions, typically distributed between several physical HSMs for high-availability.

to read or modify the table directly, without a middle-tier service

The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants ______.

false

True or False: In Amazon Route 53, you can create a hosted zone for a top-level domain (TLD).

Data is deleted.

What happens to data on an non-root instance store volume of an EBS-backed EC2 instance if it is terminated or if it fails?

"Table", a collection of Items; "Items", with Keys and one or more Attribute; and "Attribute", with Name and Value.

What is the data model of DynamoDB?

Use instance metadata

What would be the best way to retrieve the public IP address of your EC2 instance using the CLI?

createVolumePermission

When controlling access to Amazon EC2 resources, each Amazon EBS Snapshot has a ______ attribute that controls which AWS accounts can use the snapshot.

It starts when Amazon EC2 initiates the boot sequence of an AMI instance.

When does the billing of an Amazon EC2 system begin?

Internal DNS name

Which DNS name can only be resolved within Amazon EC2?

Execution role

Which IAM role do you use to grant AWS Lambda permission to access a DynamoDB Stream?

The user account has reached the maximum EC2 instance limit Correct reasons for EC2 termination after launch - - The AMI is missing. It is the required part - The user account has reached the maximum volume limit - The snapshot is corrupt

Which of the following choices is not a reason why an instance might immediately terminate after launch?

Instances, Amazon Machine Images (AMIs), Key Pairs, Amazon EBS Volumes, Firewall, Elastic IP address, Tags, and Virtual Private Clouds (VPCs)

Which of the following features are provided by Amazon EC2?

In the EC2-VPC platform, the Elastic IP Address (EIP) does not remain associated with the instance when you stop it. Correct ones - - In the EC2-Classic platform, if you disassociate an Elastic IP Address (EIP) from the instance, the instance is automatically assigned a new public IP address within a few minutes. - In the EC2-Classic platform, stopping the instance disassociates the Elastic IP Address (EIP) from it. - In the EC2-VPC platform, if you have attached a second network interface to an instance, when you disassociate the Elastic IP Address (EIP) from that instance, a new public IP address is not assigned to the instance automatically; you'll have to associate an EIP with it manually.

Which of the following statements is NOT true about using Elastic IP Address (EIP) in EC2-Classic and EC2-VPC platforms?

You can't change the outbound rules for EC2-Classic. However, you can add and remove rules to a group at any time.

Which of the following statements is true of Amazon EC2-Classic security groups?

You can't terminate, stop, or delete a resource based solely on its tags.

Which of the following statements is true of tagging an Amazon EC2 resource?

STATUS_CHECK_FAILED Correct allowed actions - ALARM, OK, INSUFFICIENT_DATA

Which one of the following answers is not a possible state of Amazon CloudWatch Alarm? An alarm has three possible states: > OK—The metric is within the defined threshold > ALARM—The metric is outside of the defined threshold > INSUFFICIENT_DATA—The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state Similar to how each alarm is always in one of three states, each specific data point reported to CloudWatch falls under one of three categories: > good (within the threshold) > bad (violating the threshold) > missing

endpoint

While using the EC2 GET requests as URLs, the _____ is the URL that serves as the entry point for the web service.

Metrics for CloudWatch are available only when you choose the US East (N. Virginia)

You are architecting a highly-scalable and reliable web application which will have a huge amount of content .You have decided to use Cloudfront as you know it will speed up distribution of your static and dynamic web content and know that Amazon CloudFront integrates with Amazon CloudWatch metrics so that you can monitor your web application. Because you live in Sydney you have chosen the the Asia Pacific (Sydney) region in the AWS console. You have configured it but no CloudFront metrics seem to be appearing in the CloudWatch console. What is the most likely reason from the possible choices below for this?

Read Replicas

You are building infrastructure for a data warehousing solution and an extra request has come through that there will be a lot of business reporting queries running all the time and you are not sure if your current DB instance will be able to handle it. What would be the best solution for this?

All traffic should be routed via Internet Gateway. So, a route should be created with 0.0.0.0/0 as a source, and your Internet Gateway as your target.

You are configuring a new VPC for one of your clients for a cloud migration project, and only a public subnet will be in place. After you have created your VPC, you created a new subnet, a new internet gateway, and attached your internet gateway to your VPC. When you launched your first instance into your VPC, you realized that you aren't able to connect to the instance, even if it is configured with an elastic IP. What should be done to get this instance internet connectivity?

Route 53 natively supports ELB with an internal health check. Turn "Evaluate target health" on and "Associate with Health Check" off and R53 will use the ELB's internal health check.

You are in the process of creating a Route 53 DNS failover to direct traffic to two EC2 zones. Obviously, if one fails, you would like Route 53 to direct traffic to the other region. Each region has an ELB with some instances being distributed. What is the best way for you to configure the Route 53 health check?

You can improve load and response times to user actions and queries and also reduce the cost associated with scaling web applications.

You are looking at ways to improve some existing infrastructure as it seems a lot of engineering resources are being taken up with basic management and monitoring tasks and the costs seem to be excessive. You are thinking of deploying Amazon ElasticCache to help. Which of the following statements is true in regards to ElasticCache?

to an EBS volume with 2 TB of available space

You are migrating an internal server on your DC to an EC2 instance with EBS volume. Your server disk usage is around 500GB so you just copied all your data to a 2TB disk to be used with AWS Import/Export. If you want all the data transferred in one import job, where can the data be imported once it arrives at Amazon?

Some services support resource-level permissions only for some actions.

You are setting up some IAM user policies and have also become aware that some services support resource-based permissions, which let you attach policies to the service's resources instead of to IAM users or groups. Which of the below statements is true in regards to resource-level permissions?

VPC with a Public Subnet Only and Hardware VPN Access

You are setting up your first Amazon Virtual Private Cloud (Amazon VPC) network so you decide you should probably use the AWS Management Console and the VPC Wizard. Which of the following is not an option for network architectures after launching the "Start VPC Wizard" in Amazon VPC page on the AWS Management Console?

An IAM user assigned a bucket policy to an Amazon S3 bucket and didn't specify the root user as a principal

You are signed in as root user on your account but there is an Amazon S3 bucket under your account that you cannot access. What is a possible reason for this?

You must have IP connectivity to the instance from the network you are connecting from.

You can seamlessly join an EC2 instance to your directory domain. What connectivity do you need to be able to connect remotely to this instance?

Yes

You have a Business support plan with AWS. One of your EC2 instances is running Microsoft Windows Server 2008 R2 and you are having problems with the software. Can you receive support from AWS for this software?

You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You have a lot of data stored in the AWS Storage Gateway and your manager has come to you asking about how the billing is calculated, specifically the Virtual Tape Shelf usage. What would be a correct response to this?

EBS

You have been asked to set up a database in AWS that will require frequent and granular updates. You know that you will require a reasonable amount of storage space but are not sure of the best option. What is the recommended storage option when you run a database on an instance with the above criteria?

Force IAM users to contact an account administrator when the user has entered his password incorrectly. CORRECT ONES - - Require specific character types. - Allow all IAM users to change their own passwords. - Prevent IAM users from reusing previous passwords.

You have been asked to tighten up the password policies in your organization after a serious security breach, so you need to consider every possible security measure. Which of the following is not an account password policy for IAM Users that can be set?

Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends when the instance terminates and you pay for total number of hours consumed including partial hours.

You have been doing a lot of testing of your VPC Network by deliberately failing EC2 instances to test whether instances are failing over properly. Your customer who will be paying the AWS bill, asks you if he is being charged for all these instances. You try to explain him how the billing works on EC2 instances to the best of your knowledge. What would be an appropriate response to give to the customer in regards to this?

M3 instances are configured with more swap memory than M1 instances.

You have been using T2 instances as your CPU requirements have not been that intensive. However you now start to think about larger instance types and start lookig at M1 and M3 instances. You are a little confused as to the differences between them as they both seem to have the same ratio of CPU and memory. Which statement below is incorrect as to why you would use one over the other?

It's more secure than normal upload. Benefits - - Quick recovery from any network issues. - Pause and resume object uploads. - You can begin an upload before you know the final object size.

You have just discovered that you can upload your objects to Amazon S3 using Multipart Upload API. You start to test it out but are unsure of the benefits that it would provide. Which of the following is not a benefit of using multipart uploads?

STOPPED Correct EMR cluster states - STARTING, BOOTSTRAPPING, WAITING

You have just finshed setting up an advertisement server in which one of the obvious choices for a service was Amazon Elastic Map Reduce( EMR) and are now troubleshooting some weird cluster states that you are seeing. Which of the below is not an Amazon EMR cluster state?

HTTP, HTTPS , TCP, and SSL

You have just set up your first Elastic Load Balancer (ELB) but it does not seem to be configured properly. You discover that before you start using ELB, you have to configure the listeners for your load balancer. Which protocols does ELB use to support the load balancing of applications?

11 min

You have setup an Auto Scaling group. The cool down period for the Auto Scaling group is 7 minutes. The first instance is launched at t+3 minutes, while the second instance is launched at t+4 minutes. How many minutes after time "t" will Auto Scaling accept another scaling activity request?

Because they provide unrestricted access to your AWS resources.

You log in to IAM on your AWS console and notice the following message. "Delete your root access keys." Why do you think IAM is requesting this?

Resources Optional - Mappings, Description, Conditions

You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?

The load balancer must reside in a subnet that is connected to the internet using the internet gateway.

You need to create a load balancer in a VPC network that you are building. You can make your load balancer internal (private) or internet-facing (public). When you make your load balancer internal, a DNS name will be created, and it will contain the private IP address of the load balancer. An internal load balancer is not exposed to the internet. When you make your load balancer internet-facing, a DNS name will be created with the public IP address. If you want the Internet-facing load balancer to be connected to the Internet, where must this load balancer reside?

Attaching another network interface to an instance is a valid method to increase or double the network bandwidth to or from the dual-homed instance Correct ones - - You can attach a network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach). - You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must reside in the same Availability Zone. - When launching an instance from the CLI or API, you can specify the network interfaces to attach to the instance for both the primary (eth0) and additional network interfaces.

You need to create a management network using network interfaces for a virtual private cloud (VPC) network. Which of the following statements is incorrect pertaining to Best Practices for Configuring Network Interfaces.

CloudFormation is much more powerful than Elastic Beanstalk, because you can actually design and script custom resources

You need to develop and run some new applications on AWS and you know that Elastic Beanstalk and CloudFormation can both help as a deployment mechanism for a broad range of AWS resources. Which of the following statements best describes the differences between Elastic Beanstalk and CloudFormation?

Oracle Data Pump

You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend you use to accomplish this?

It can export from Glacier

You need to migrate a large amount of data into the cloud that you have stored on a hard disk and you decide that the best way to accomplish this is with AWS Import/Export and you mail the hard disk to AWS. Which of the following statements is incorrect in regards to AWS Import/Export?

Amazon SES console

You need to quickly set up an email-sending service because a client needs to start using it in the next hour. Amazon Simple Email Service (Amazon SES) seems to be the logical choice but there are several options available to set it up. Which of the following options to set up SES would best meet the needs of the client?

DB security groups, and VPC security groups

You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information stored in it. What are all the possible security groups that RDS uses?

Is stateful: Return traffic is automatically allowed, regardless of any rules. Correct statements - - Supports allow rules and deny rules. - Operates at the subnet level (second layer of defense). - Automatically applies to all instances in the subnets it's associated with.

You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: security groups and network access control lists (ACLs). You have already looked into security groups and you are now trying to undersand ACLs. Which statement below is incorrect in relation to ACLs?

HTTP

You've created your first load balancer and have registered your EC2 instances with the load balancer. Elastic Load Balancing routinely performs health checks on all the registered EC2 instances and automatically distributes all incoming requests to the DNS name of your load balancer across your registered, healthy EC2 instances. By default, the load balancer uses the ___ protocol for checking the health of your instances.

Ports 22,1433,3389

Your manager has asked you to set up a public subnet with instances that can send and receive internet traffic, and a private subnet that can't receive traffic directly from the internet, but can initiate traffic to the internet (and receive responses) through a NAT instance in the public subnet. Hence, the following 3 rules need to be allowed: Inbound SSH traffic. Web servers in the public subnet to read and write to MS SQL servers in the private subnet Inbound RDP traffic from the Microsoft Terminal Services gateway in the public private subnet What are the respective ports that need to be opened for this?

AWS VPN CloudHub

Your manager has just given you access to multiple VPN connections that someone else has recently set up between all your company's offices. She needs you to make sure that the communication between the VPNs is secure. Which of the following services would be best for providing a low-cost hub-and-spoke model for primary or backup connectivity between these remote offices?

Backups to Amazon S3 be performed through the database management system.

Your organization is in the business of architecting complex transactional databases. For a variety of reasons, this has been done on EBS. What is AWS's recommendation for customers who have architected databases using EBS for backups?

- Reduced bandwidth costs. - Compatibility with all AWS services. - Private connectivity to your Amazon VPC.

benefits of using Direct Connect beyond cost savings