AWS SAA-C01 Practice Exam Questions
One of your EC2 instances has been configured with a script in its User Data that runs when the instance boots. The bootstrap script makes a call to S3 to copy the required setup and configuration. When you launch the instance you notice that the script is failing because it has no access to the S3 bucket containing the resources it needs. How can you solve this problem and follow best practices for security? A) Add a bucket policy to your S3 bucket. B) Add an IAM role to the S3 bucket that will give the EC2 instance the needed permissions to the S3 bucket. C) Add the needed credentials to your bootstrap script. D) Add an IAM role to the EC2 instance that will give the EC2 instance the needed permissions to the S3 bucket.
Correct Answer: D Why is this correct? Attach an IAM role (through an instance profile) to the EC2 instance with a policy that allows the required S3 actions on that bucket; the script then obtains temporary, automatically rotated credentials from the instance metadata service and never holds a long-term key. Without a role the instance's requests are anonymous, so a bucket policy (A) could only help by opening the bucket to the public; roles cannot be attached to buckets (B); and credentials embedded in User Data (C) are long-term keys readable by anyone who can view the instance's User Data or launch template.
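How the bootstrap script obtains credentials once a role is attached, as an added example that is not part of the original page: the IMDSv2 exchange, walked in Python with an injectable transport so the flow can be exercised off-instance. The 169.254.169.254 endpoint and the metadata paths are the real ones; the role name and credential values supplied by any fake transport are constructed.

```python
import json
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/"


def _urllib_http(method, url, headers):
    """Real transport. Only answers from inside an EC2 instance; the short timeout is deliberate."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def fetch_role_credentials(http=_urllib_http, token_ttl=300):
    """Return the temporary credentials of the role attached to this instance (IMDSv2 flow)."""
    # 1. Obtain a session token with a PUT. Requiring this custom header on every later
    #    read is what stops forwarded GETs (SSRF through a web app, open proxies) from
    #    reaching the credentials.
    status, token = http("PUT", f"{IMDS}/latest/api/token",
                         {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    if status != 200:
        raise RuntimeError("IMDSv2 token request failed; is IMDS enabled on this instance?")
    auth = {"X-aws-ec2-metadata-token": token}

    # 2. The listing holds the name of the attached role (empty when there is no instance profile).
    status, role = http("GET", f"{IMDS}{CRED_PATH}", auth)
    role = role.strip()
    if status != 200 or not role:
        raise RuntimeError("no IAM role is attached to this instance")

    # 3. Fetch the credentials document for that role.
    status, body = http("GET", f"{IMDS}{CRED_PATH}{role}", auth)
    doc = json.loads(body)
    if status != 200 or doc.get("Code") != "Success":
        raise RuntimeError(f"credential fetch failed: {doc.get('Code')}")
    expiration = datetime.strptime(doc["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "role": role,
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],          # must accompany the key pair on every API call
        "expiration": expiration.replace(tzinfo=timezone.utc),
    }


def needs_refresh(creds, now, margin_seconds=300):
    """Role credentials rotate; re-read IMDS before they expire instead of caching them forever."""
    return (creds["expiration"] - now).total_seconds() <= margin_seconds
```

The PUT-then-GET token requirement is why IMDSv2 should be enforced on the instance (HttpTokens=required in the instance metadata options): with IMDSv1 a single forwarded GET through a vulnerable web application could read these credentials. The CLI and SDKs on the instance perform this lookup and the refresh for you, so a bootstrap script that runs `aws s3 cp` needs nothing beyond the attached role.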
Which of the following are not global AWS services? (Possible Correct: 3) A) EC2 B) S3 C) DynamoDB D) Route 53 E) IAM
A, B, C Correct Answer: A Why is this correct? If a region fails where an EC2 instance is located, access to that instance will also fail. Correct Answer: B Why is this correct? If a region fails where an S3 bucket is located, access to that bucket will also fail. Correct Answer: C Why is this correct? If a region fails where a table is located, access to that table will also fail.
You have created a GP2 EBS volume in AWS. It is 1 TiB in size. What level of sustained IOPS should it deliver? A) 300 B) 10,000 C) 3,000 D) 1,000
Your Answer: A Why is this incorrect? GP2 delivers a baseline of 3 IOPS per GiB; 300 IOPS is the baseline of a 100 GiB volume, not a 1 TiB one. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html Correct Answer: C Why is this correct? GP2 delivers a baseline of 3 IOPS per GiB of provisioned size. 1 TiB is 1,024 GiB, so the volume gets 3,072 sustained IOPS, which the answer options round to 3,000. The baseline has a floor of 100 IOPS for small volumes and is capped at 16,000 IOPS, reached at 5,334 GiB. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
You have been asked to provide a recommendation on the most resilient database solution available within AWS. The business requirements are that it is optimized for structured, relational data. They require multiple Availability Zones and very low latency between mirrors. Initially, two Availability Zones are required, but the selected solution needs to be able to cope with three or more. Which product would you recommend? A) Aurora B) DynamoDB C) RDS D) Athena
Correct Answer: A Why is this correct? Aurora keeps six copies of the data across three Availability Zones in a shared cluster volume and supports up to 15 replicas that can be spread across those AZs, so it covers the initial two-AZ requirement and scales to three or more. RDS Multi-AZ is limited to a single standby, and DynamoDB and Athena are not relational databases.
You manage an application environment that consists of an EC2 instance and a MariaDB RDS SingleAZ instance. You have been asked to make sure that before an environment is terminated, backups are taken which last at least 6 months. What should you suggest? A) Run a manual snapshot of the RDS instance before it is terminated. B) Ensure backups are taken automatically and choose 6 months for the retention period. C) Instead of terminating the RDS instance leave it running for an additional 6 months. D) Detach the storage for the RDS instance and leave it in place for at least 6 months.
Correct Answer: A Why is this correct? Manual snapshots persist until you explicitly delete them and survive termination of the instance. Automated backups (B) can be retained for at most 35 days, keeping the instance running (C) is pure cost, and RDS storage cannot be detached from the instance (D).
Your team has developed a User Data script to bootstrap EC2 instances. The script patches the OS, downloads and installs applications, and configures services. Over time the script has grown, and it now takes around 10 minutes for an instance to complete the launch process. Which step below will decrease launch time for the EC2 instance but maintain security and the desired functionality? A) Create a custom AMI that is already patched with the needed patches and already has the applications downloaded and installed, and then configure the bootstrap script to perform only the needed configuration. B) Copy the application, the OS and the patches to S3, and have your bootstrap script point to that S3 bucket. C) Copy the application, the OS and the patches to the EC2 instance's EBS volume. D) Copy the application, the OS and the patches to the EC2 instance's instance store storage, and have your bootstrap script point to the instance store.
Correct Answer: A Why is this correct? Baking the patches and application installs into a custom AMI moves that work out of the launch path, so the bootstrap script only has to perform instance-specific configuration; the same patch level and controls apply to every instance. Options B, C and D still download and install everything on every boot, and instance store volumes are ephemeral, so nothing staged on them carries over to a new instance.
You have an application that demands extreme database performance. It needs to handle millions of read operations per second and offer low latency. What product or combination of products would you suggest? A) DynamoDB and DAX B) Aurora and SQS C) Aurora and SNS D) DynamoDB
Correct Answer: A Why is this correct? DynamoDB Accelerator (DAX) adds performance enhancements to DynamoDB and is the best solution available to meet this scenario's demands.
Which of the following suggestions could help reduce DynamoDB running costs? A) Utilize indexes. B) Filter the attributes read from a table. C) Use Scan rather than Query operations. D) Increase RCU.
Correct Answer: A Why is this correct? Indexes allow you to define alternative partition and/or sort keys, which lets you use Query rather than Scan operations. Additionally, you can choose which attributes are projected into an index, so you read less data for each item retrieved. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/LSI.html https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GSI.html
Your client is currently running a MySQL RDS instance running in us-east-1a. It uses a single instance, and the client wants to add the ability to automatically, quickly, and easily failover in the event of a disaster in us-east-1a. What should you suggest? A) Enable Multi-AZ mode. B) Enable EBS replication between AZs. C) Create an RDS read replica in us-east-1b. D) Enable automated backups and recovery mode.
Correct Answer: A Why is this correct? Multi-AZ mode provides AZ resilience by adding a standby instance in another AZ and supports automatic failover. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
You launch a large cluster of instances every night to process log files. Depending upon the size of the logs, the processing time is between three and five hours. It is not critical that the process always runs on time. Which EC2 pricing model would provide the lowest cost? A) Spot B) Convertible C) On-Demand D) Scheduled reserved
Correct Answer: A Why is this correct? Spot instances are priced at up to 90% below On-Demand. Because the job can tolerate delay, interruptions are acceptable: you can set the interruption behaviour to stop or hibernate and resume when Spot capacity returns, or use Spot blocks, which keep instances running for a fixed duration of up to six hours without interruption.
An application you are auditing runs from 10 EC2 instances. It needs to store logs on a file system that can be accessed from all the EC2 instances natively, and those logs need to be accessible from a central location where they can get searched from the AWS console. What two AWS products should you suggest? A) CloudWatch Logs and EFS B) CloudWatch Logs and S3 C) Instance store volumes and CloudWatch Logs D) EBS and CloudTrail
Correct Answer: A Why is this correct? The Elastic File System (EFS) provides shared storage for EC2 instances and should be used when storage needs to be accessible from more than one EC2 instance. CloudWatch Logs can be used to ingest the application logs so they are accessible from the AWS console. https://aws.amazon.com/efs/when-to-choose-efs/
You are running a WordPress instance in a non-default VPC's public subnet. As part of A/B testing, you have deployed another instance in the same subnet, using the same security group, same AMI, and an instance of the same family. After provisioning the instance, you cannot access it. Which of the following actions would best assist you in troubleshooting and resolving this issue? A) Create an Elastic IP, and assign it to the new instance. B) Add a route for the new instance. C) Make sure the public IP is configured on the instance's OS. D) Configure the NAT gateway to route traffic to the new instance.
Correct Answer: A Why is this correct? The new instance was most likely launched without a public IPv4 address; in a non-default VPC the subnet setting to auto-assign public IPs is off unless it was changed. Allocating an Elastic IP and associating it with the instance is the quickest way to test and fix this. The route table and security group are already proven by the working instance, the OS never sees the public IP because the internet gateway performs the NAT, and a NAT gateway only carries outbound traffic from private subnets.
You are conducting an architecture review. A client has around 100 TB of important data stored as objects on S3, using the Standard storage class. They have asked you to either confirm the solution is resilient to an AZ failure or to suggest what should be done to ensure it can tolerate an AZ failure with no data loss. What should you advise the client? A) Do nothing — the solution is resilient. B) Disable S3 One Zone to ensure the data is replicated between Availability Zones. C) Use CRR to ensure the data is replicated between AZs. D) Use an S3 snapshot to ensure a backup of the S3 objects are stored in multiple Availability Zones.
Correct Answer: A Why is this correct? The question states S3 standard is used, which is resilient by design — objects are replicated across multiple Availability Zones.
Your organization is migrating over 500 TB of data to S3. The data is split across 3 on-premises locations. What is the most efficient and economical way to perform this migration as quickly as possible and at a reasonable cost? A) Order Snowball devices for each on-premises location. B) Order a Snowball device, transfer data from one location, and then send that Snowball on to the next on-premises location, and so on. C) Set up a Direct Connect connection for each on-premises location. D) Order a Snowmobile.
Correct Answer: A Why is this correct? Ordering Snowball devices for every location lets all three sites load data in parallel, and with roughly 500 TB to move several devices are needed in any case (a Snowball Edge Storage Optimized device holds about 80 TB). Passing a single device from site to site serialises the job, Direct Connect typically takes weeks to months to provision, and Snowmobile is sized for exabyte-scale migrations from a single site.
Which DNS record type is generally used to point Route 53 record sets at AWS logical resources? A) Alias record B) A record C) CNAME record D) SOA
Correct Answer: A Why is this correct? Alias records are a Route 53 extension that point a record set at an AWS resource such as an ELB, a CloudFront distribution, an S3 website endpoint or another Route 53 record. Unlike a CNAME they can be used at the zone apex, Route 53 resolves the target's addresses itself, and queries against alias records are free.
You are about to create an AWS Lambda function and need to give it the permissions to access Amazon S3. Which of the following would be the best approach to perform this action? A) Create an IAM user, set the username and password in the Lambda function authentication options, and then set the method to interactive. B) Create an IAM role, assign a policy to the role, and set the Lambda function to use the role. C) Store the credentials inside an S3 bucket and have the Lambda function retrieve them upon execution. D) Create an IAM user, create access keys, and enter them into your function code.
Correct Answer: B Why is this correct? With this AWS-supported approach, the function will gain access to the role permissions when it's invoked. https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html
You have 6 VPCs and need to configure AWS to allow communication between all 6. Which option will allow communication between the VPCs with the least admin overhead? A) 6 Transit Gateways B) 6 Peering Connections C) 1 Transit Gateway D) 1 VPC Peering Connection
Your Answer: A Why is this incorrect? One Transit Gateway is enough; six would be five too many. Correct Answer: C Why is this correct? VPC peering is not transitive, so a full mesh of 6 VPCs would need 15 peering connections (n(n-1)/2) plus route table entries for every pair. A single Transit Gateway acts as a hub: each VPC is attached once and routing between them is managed centrally.
You need to design a VPC that is resilient to AZ failure from an internet access perspective. The VPC is in a four-AZ region. How many internet gateways are required to ensure multiple AZ failures won't disrupt internet connectivity? A) Zero — internet access is provided by a NAT gateway B) Four C) One D) Two
Your Answer: A Why is this incorrect? A NAT gateway can provide private instances with outbound-only internet access, but the NAT gateway itself needs an internet gateway to function. Correct Answer: C Why is this correct? An internet gateway is a horizontally scaled, redundant and highly available VPC component that is not tied to any Availability Zone; one IGW attached to the VPC serves all subnets in all AZs. A VPC cannot have more than one IGW attached.
Multiple directors in your company have opened AWS accounts. The Chief Security Officer has expressed a concern that accounts may be using unapproved AWS services and wants your advice. What action would you take? A) Create a new account. Contact AWS Support and have them move all IAM users into the new account. B) Create a Lambda function to delete the IAM users in each account. C) Create a CloudTrail trail to monitor the API calls in each account. D) Create an organization with AWS Organizations, and have each account join your organization. Then apply service control policies to the child accounts.
Your Answer: A Why is this incorrect? AWS Support cannot move IAM users or resources between accounts. Correct Answer: D Why is this correct? Service control policies set the maximum permissions available in a member account: an action that the SCPs do not allow cannot be granted by any IAM policy in that account, whatever the account's own administrators configure. CloudTrail (C) only records the API calls after the fact.
You have been asked to suggest an AWS product which provides storage which can be mounted on linux instances, supports POSIX type permissions and can be used by multiple instances at the same time. Which option should you suggest? A) EBS B) S3 C) Storage Gateway D) EFS
Your Answer: A Why is this incorrect? EBS provides block storage that lives in one Availability Zone and is designed to be attached to one EC2 instance at a time; it is not a shared file system. Correct Answer: D Why is this correct? Amazon EFS is a fully managed, elastic NFS file system. It mounts on Linux instances with the standard NFS client, supports POSIX permissions, can be mounted by many instances across AZs at the same time, and grows and shrinks automatically with no capacity to provision.
You have an S3 bucket full of medical data. The bucket needs to be accessed by 100 IAM users within your AWS account, as well as two to three remote imaging operators who are employed by a partner and have IAM identities in another AWS account, and read-only access to one or two folders needs to be given to anonymous/unauthenticated identities. What method of permissions control should you use? A) Identity policies on an IAM role B) Identity policies on IAM users C) Service control policies D) Bucket policy
Your Answer: A Why is this incorrect? An IAM role could work. Users could assume the role to get access, but there are folders that need public access, so this wouldn't work for all question requirements. Correct Answer: D Why is this correct? A bucket policy could be defined to control access for all identities and the unauthenticated (public) users.
You are consulting for a client who is migrating their entire infrastructure into AWS. The client's engineers are used to managing infrastructure as code and have been using both Puppet and Chef to manage infrastructure on-premises. Which AWS product should you suggest they explore to manage infrastructure within AWS? A) Ansible B) Elastic Beanstalk C) OpsWorks D) CloudFormation
Your Answer: A Why is this incorrect? Ansible isn't an AWS product, and the question makes no mention of preexisting experience, so it's less than ideal. Correct Answer: C Why is this correct? OpsWorks is an AWS infrastructure management platform that supports Chef and Puppet. https://aws.amazon.com/opsworks/
You have been asked to architect the networking for a high-performance financial modeling application. It runs on four EC2 instances, and you need the lowest network latency and highest throughput possible. What AWS products, services, or features should you suggest? A) Burstable instances B) VPC Flow C) Spread placement group D) Cluster placement group
Your Answer: A Why is this incorrect? Burstable instances (T2 or T3) are designed for economic applications that don't need consistent CPU. Correct Answer: D Why is this correct? Cluster placement groups influence the physical placement of instances on hardware, and this allows the highest performance possible. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html
You are running an application on an EC2 instance that is extremely sensitive to variations in network performance, specifically the variation in ping times and latency. The application also devours CPU cycles when this network jitter happens, so you need to implement a solution that removes any risk of network performance degradation. What option works in this scenario? A) Ensure the VPC is running in dedicated tenancy mode. B) Ensure the instance has enhanced networking. C) Ensure you are using an X1 instance. D) Ensure the instance is EBS optimized.
Your Answer: A Why is this incorrect? Dedicated tenancy changes which hosts the instance shares, not how its network interface performs. Correct Answer: B Why is this correct? Enhanced networking (https://aws.amazon.com/premiumsupport/knowledge-center/enable-configure-enhanced-networking/) uses SR-IOV to give the instance direct access to the network adapter, bypassing the hypervisor's software virtualization of the interface. This raises packets per second, lowers latency and reduces the CPU spent on network I/O, which reduces the variability in network performance.
You are reviewing poor performance on a voting application running on DynamoDB. The table used to store votes has been allocated 5,000 WCU, but with three candidates you are achieving slightly over half of the expected write throughput to the table. Votes are written with a PK of candidate name and sort key of date and time. What could be a possible reason for the substandard performance? A) DynamoDB cannot support 5,000 writes per second — buffer the writes or use DAX to improve write performance. B) The sort key structure is the issue. C) The partition key structure is the issue. D) You are trying to do strongly consistent writes, which need 2x the WCU.
Your Answer: A Why is this incorrect? DynamoDB can scale to tens of millions of writes per second; 5,000 WCU is a routine table size. Correct Answer: C Why is this correct? Every item with the same partition key value (candidate1, candidate2, candidate3) lands in the same partition, and one partition can sustain at most 1,000 WCU (and 3,000 RCU). With only three distinct partition key values the table can use at most three partitions, about 3,000 of the 5,000 provisioned WCU, which matches the "slightly over half" observed. Spread the key space, for example with write sharding (candidate name plus a random suffix), so that writes reach all partitions.
Your CIO is reviewing the expected technical effort required to manage an AWS environment. Which of the following AWS services allow SSH connectivity into the service's underlying instances? (Possible Correct: 2) A) DynamoDB B) Amazon EMR C) Amazon RDS D) Amazon EC2
Your Answer: A Why is this incorrect? DynamoDB only provides access via APIs. There is no infrastructure to access directly. Correct Answer: B Why is this correct? EMR allows you to log in to the master node via SSH. Correct Answer: D Why is this correct? You can SSH/RDP to the operating system of your EC2 instances — for certain installation/configuration and admin tasks, it's required.
You are running an application on an EC2 instance in us-east-1a. us-east-1a fails — what options do you have to recover the application running on the EC2 instance? A) Create a new EC2 instance in us-east-1b and attach the EBS volume. B) Copy a snapshot of the EBS volume from us-east-1a to us-east-1b, recreate the EBS volume, and then create a new EC2 instance. C) The EC2 instance will recover using EC2-Recover automatically. D) If available, use a snapshot of the EBS volume to make a new volume AND then create a new EC2 instance in a different availability zone.
Your Answer: A Why is this incorrect? EBS volumes are created in a specific AZ, so if the AZ fails, they fail. Also, an EBS volume in one AZ cannot be attached to an EC2 instance in another — this isn't a recovery option. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html Correct Answer: D Why is this correct? This is the only recovery option assuming AZ 1a doesn't return.
You manage a fleet of 30 EC2 instances for a client, split across 10 AWS regions. To aid in managing these machines, you have been asked to assign the instances static public IPv4 addresses. Before this work is completed, you have been asked to provide a cost estimate for the change in addressing. What should you tell your client? A) Use EC2 IPv4 public IPs — they are allocated at no cost. B) Static public IPv4 addressing is not available in AWS — use IPv6 instead. C) Use Elastic IP addresses — there is a per-IP charge. D) Use Elastic IP addresses — there is no charge, assuming the IP is attached to a network interface.
Your Answer: A Why is this incorrect? EC2 public IPv4 addresses are dynamic and change if the instance is stopped and started. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html Correct Answer: D Why is this correct? Elastic IPs are static, and under the pricing this exam was written against an EIP associated with a running instance was free (only unassociated EIPs were charged). Note that since February 2024 AWS charges an hourly rate for every public IPv4 address, Elastic or not, so check current pricing before giving the client an estimate. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
Your CFO has noticed different storage classes available within S3, specifically the Glacier and Glacier Deep Archive classes. Which of the following are ideal use cases for the S3 Glacier storage class? (Possible Correct: 2) A) Frequently accessed objects B) Long-term backups C) Data archival D) Less frequently accessed objects
Your Answer: A Why is this incorrect? Glacier and Glacier Deep Archive are not suited to frequent access: retrievals are charged and take minutes to hours for Glacier and up to 12 hours or more for Deep Archive. Correct Answer: B Why is this correct? Both classes are designed for long-term backups that are rarely restored. Correct Answer: C Why is this correct? Both classes are designed for archival data that must be retained at the lowest possible cost.
You are architecting a solution for a mobile application your developers are creating. You need to allow logins to the application and for those logins to access AWS resources. The application will start with 3,000 users but could reach 1,000,000 within 12 months. What resource access method should you suggest? A) The application should use the AWS APIs to create an IAM user for every application user. Use long-term credentials to access resources. B) Create an IAM role that trusts an external IDP. Provide this role with permissions for the AWS services. C) The application should use the AWS APIs to create an IAM user for every application user. Use short-term credentials to access resources. D) Configure the AWS services using resource policies to accept incoming connections from identities using Facebook, Twitter, or Google credentials. Use Google IdP to verify these credentials.
Your Answer: A Why is this incorrect? An AWS account is limited to 5,000 IAM users, so IAM cannot hold one user per application user. Correct Answer: B Why is this correct? Web identity federation is the right architecture: an external IdP authenticates the user, and the application exchanges that identity for temporary credentials by assuming an IAM role that trusts the IdP (Cognito can broker this), so no long-term AWS credentials are issued to the app. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WIF.html
You operate a commercial stock images website with millions of images. Watermarked preview images are available via an EC2 instance application. Full-resolution versions are stored on an EBS volume. The EBS volume is attached to the EC2 instance and delivered by the application. You have been asked to find a cheaper solution that can scale. Which option is the most suitable? A) Add a storage-optimized EBS volume to the EC2 instance. B) Move the images to S3, and add read permissions for everyone. C) Move the images to S3, and enable SFTP read support. D) Move the images to S3, and use pre-signed URLs.
Your Answer: A Why is this incorrect? A larger or faster EBS volume is still attached to a single instance in one AZ, so it neither scales nor lowers cost. Correct Answer: D Why is this correct? S3 is far cheaper per GB than EBS and scales without the EC2 instance in the delivery path. The bucket stays private, and the application issues a pre-signed URL for each purchased image so the buyer can download it directly from S3 for a limited time. Making the objects public (B) would give away the full-resolution images, and SFTP access via AWS Transfer Family (C) adds cost and is aimed at file-transfer partners, not a web storefront.
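What a pre-signed URL actually is, as an added example that is not part of the original page or of the AWS SDK: SigV4 query-string signing of a GET, together with the check S3 performs when the URL is presented. The bucket name, object key and credentials are constructed. In production you would call the SDK's generate_presigned_url rather than sign by hand; the point here is that the URL binds bucket, key, method, signer and expiry, and that whoever holds it can use it until the expiry passes.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed credentials for the example; not real keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET_ACCESS_KEY = "exampleSecretKeyDoNotUseAnywhere0000000"
REGION = "us-east-1"
SERVICE = "s3"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    # SigV4 key derivation: the long-term secret never signs a request directly.
    key = _hmac_sha256(("AWS4" + secret).encode(), date_stamp)
    key = _hmac_sha256(key, region)
    key = _hmac_sha256(key, SERVICE)
    return _hmac_sha256(key, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Names sorted, everything outside the unreserved set percent-encoded.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret, bucket, key, params, region):
    amz_date = params["X-Amz-Date"]
    date_stamp = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/~"),   # canonical URI
        _canonical_query(params),      # canonical query string (signature excluded)
        f"host:{host}\n",              # canonical headers, each newline-terminated
        "host",                        # signed headers
        "UNSIGNED-PAYLOAD",            # a presigned URL does not commit to a body hash
    ])
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, date_stamp, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(bucket, key, expires_in, now, access_key_id=ACCESS_KEY_ID,
                secret=SECRET_ACCESS_KEY, region=REGION):
    """Build a SigV4 query-string presigned GET for one object (what the app hands to the buyer)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(secret, bucket, key, params, region)
    return (f"https://{bucket}.s3.{region}.amazonaws.com{quote('/' + key, safe='/~')}"
            f"?{_canonical_query(params)}&X-Amz-Signature={signature}")


def verify_presigned_get(url, secret_for_key_id, now):
    """The check S3 performs on its side: recompute the signature and enforce the expiry window."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    if params.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        return False
    access_key_id, _, region, _, _ = params["X-Amz-Credential"].split("/")
    secret = secret_for_key_id(access_key_id)
    if secret is None:
        return False
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now < signed_at or (now - signed_at).total_seconds() > int(params["X-Amz-Expires"]):
        return False                   # outside the window the signer allowed
    bucket = parts.hostname[: -len(f".s3.{region}.amazonaws.com")]
    key = unquote(parts.path[1:])
    expected = _signature(secret, bucket, key, params, region)
    return hmac.compare_digest(expected, presented)
```

Any change to the path, the query parameters or the expiry invalidates the signature, but the URL itself is a bearer token: keep the expiry short, generate it per purchase, and sign with a role that can only read the image prefix, since the URL carries exactly the permissions of the signing identity.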
You have launched 5 EC2 instances of the same size into a cluster placement group. You attempt to launch 5 more and get an error. Why are you seeing this error, and how can you resolve the issue? (Possible Correct: 2) A) Make sure you are launching your instances into different AZs B) Terminate these instances and relaunch all 10 at the same time into the same placement group C) Use the same type and same size of instances D) Try launching 12 instances instead
Your Answer: A Why is this incorrect? A cluster placement group spans a single Availability Zone; launching its instances into different AZs is not possible. Correct Answer: B Why is this correct? Adding instances to an existing cluster placement group later can fail with an insufficient capacity error; AWS recommends launching all the instances you need in a single launch request so that capacity is allocated together. Correct Answer: C Why is this correct? AWS also recommends using a single instance type (type and size) for all instances in a cluster placement group to avoid capacity errors.
A client has asked for your suggestions on a cost-optimization exercise. They have a set of financial processes that occur everyday at 6 a.m. local time in every country of operation. The processes last four hours and occur daily, 7 days a week, 365 days a year. The processes cannot be interrupted — this would require 100% of the work to be completed again. What billing model would offer the best price, given the information you have? A) Use On-Demand instances. B) Use Spot instances. C) Use Scheduled Reserved instances. D) Use Reserved instances on a two-year term.
Your Answer: A Why is this incorrect? On-Demand would work but wouldn't offer any cost reductions. Correct Answer: C Why is this correct? Scheduled reservations make the most sense in this situation. The processing occurs regularly, at the same time for the same duration. Scheduled reservations are not subject to interruption and offer a good level of cost savings. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-scheduled-instances.html
You have been asked to implement a private connection between a client's premises and the AWS VPC they are using. The connection must be active within three weeks. The customer has a router that supports BGP, IPSec, and IPv4. Which option should you suggest? A) OpenVPN B) VPC peer C) AWS Direct Connect D) Hardware VPN connection
Your Answer: A Why is this incorrect? OpenVPN is a third-party VPN that would have to be run and managed on EC2; given that the client's router already supports IPsec and BGP, it isn't preferable to the managed hardware VPN. Correct Answer: D Why is this correct? An AWS Site-to-Site (hardware) VPN connection is based on IPsec, uses BGP for dynamic routing, and can be configured and operational within hours using the company's existing router. Direct Connect typically takes weeks to months to provision, which does not fit the three-week deadline. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
Why does stopping and starting an instance usually fix a system status check error? A) Stopping and starting an instance reboots the operating system. B) Stopping and starting an instance causes the instance to be provisioned on different AWS hardware. C) None of these options are correct. D) Stopping and starting an instance causes the instance to use the latest version of the AMI it was provisioned with.
Your Answer: A Why is this incorrect? While stopping and starting does reboot the operating system, that is not the reason it tends to clear system status check errors. Correct Answer: B Why is this correct? System status checks report problems with the underlying host (hardware, network, power). Stopping and starting an instance releases it from that host and launches it onto different AWS host hardware, which clears a host-level fault; a plain reboot keeps the instance on the same host.
You are migrating a Windows file server into AWS so that it can be used by WorkSpaces (virtual desktops). What is the most cost-effective and resilient way to host this data in AWS and provide access to it using the SMB protocol? A) S3 B) EFS C) EC2 instance running Windows Server D) FSx
Your Answer: A Why is this incorrect? S3 is object storage accessed through an HTTP API; it does not present an SMB file share. Correct Answer: D Why is this correct? Amazon FSx for Windows File Server provides fully managed, highly reliable file storage accessible over the industry-standard Server Message Block (SMB) protocol. It is built on Windows Server and supports user quotas, end-user file restore and Microsoft Active Directory integration; it offers single-AZ and multi-AZ deployments with managed backups and encryption at rest and in transit, and SSD or HDD storage plus data deduplication to control cost. EFS is an NFS file system, and a self-managed Windows file server on EC2 is neither resilient by default nor cheaper to operate.
A data scientist is trying to upload a 500 GB object to S3. The scientist is in N. Virginia and the S3 bucket is located in the us-east-1 region. Previous smaller uploads have been running slowly, achieving ~2 Mbps on a 1 Gbps internet connection. What options can you suggest to speed up the data transfer of this larger file? A) S3 transfer acceleration B) SSE-S3 C) S3 CRR D) Multipart upload
Your Answer: A Why is this incorrect? Transfer Acceleration routes uploads through the nearest CloudFront edge location and then over the AWS backbone; it helps when the uploader is far from the bucket's region, but this user is already in the bucket's region, so there is little to gain. Correct Answer: D Why is this correct? Multipart upload splits the object into parts that are sent in parallel, so the transfer is no longer limited to a single TCP stream, failed parts can be retried individually, and a 500 GB object requires it anyway because a single PUT is limited to 5 GB. https://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
A consultancy client is running a high-throughput application on-premises that stores data onto S3. The host running the software is experiencing high CPU usage and seems unable to keep up with demand while encrypting the data on-host before transit. The system requires that no data be stored in a plaintext form and has to be encrypted in transit. What potential fixes should you recommend that meet the requirements and have the least admin overhead? A) Use SSE-C. B) Use client-side encryption. C) Use S3 transfer acceleration. D) Use SSE-S3 and an HTTPS Listener on an ALB.
Your Answer: A Why is this incorrect? SSE-C uses S3 for CPU-intensive encryption operations. No data is stored in plaintext and, assuming HTTPS is used, data is encrypted in transit. The problem is SSE-C requires the customer to manage keys, which is risky and involves high admin overhead. Correct Answer: D Why is this correct? This solution will show improvements — S3 will handle the encryption process and the encryption keys. Data will be stored in encrypted form and, assuming HTTPS is used, encrypted in transit.
One of your environments utilizes DynamoDB as a database. You need to ensure it can only be accessed by a select number of people using specific IP addresses. What design changes do you suggest? A) Create a security group, add allow rules for the IPs who need access, and attach the security group to DynamoDB B) Using the AWS console or CLI, edit the table(s) requiring the restrictions, set the default security to Deny, and add the IPs they'll be accessing the table from. C) Configure an IAM group (for each level of access), and add the people who need access. Give those groups access to the DynamoDB operations they need, but add a condition to the policy so it has to match the specific IP address. D) Create an isolated VPC that is not connected to the internet, provision a private DynamoDB instance in the VPC, and allow those "select people" to connect to the VPC using a VPN.
Your Answer: A Why is this incorrect? Security groups cannot be attached to DynamoDB. DynamoDB is a public service, and security groups are VPC-based security controls. Correct Answer: C Why is this correct? This is the best solution. By default, nobody has access to the DynamoDB tables unless they're granted access. Grants can be allowed via IAM users, who have policies with conditions matching specific IP addresses.
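A simplified IAM policy evaluator, added here as an example that is not part of the original page, serving both the medical-data bucket question above (a bucket policy covering in-account users, two partner identities and an anonymous read on one prefix) and this DynamoDB question (an identity policy with an aws:SourceIp condition). The account IDs, ARNs, table name and IP ranges are constructed; the evaluator models only the explicit-deny, allow, implicit-deny order and the IpAddress condition operator.

```python
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive=True):
    # IAM wildcards are '*' and '?'. Actions match case-insensitively, resources do not.
    if not case_sensitive:
        patterns, value = [p.lower() for p in _as_list(patterns)], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, request):
    if principal is None:            # identity-based policy: applies to whoever it is attached to
        return True
    if principal == "*":             # anyone, including unauthenticated callers
        return True
    for arn in _as_list(principal.get("AWS", [])):
        if arn == request.get("principal"):
            return True
        # 'arn:aws:iam::ACCOUNT:root' delegates to that account. This evaluator treats it as a
        # direct grant; real IAM additionally requires an identity policy in that account.
        if arn.endswith(":root") and arn.split(":")[4] == request.get("account"):
            return True
    return False


def _condition_matches(condition, request):
    for operator, pairs in (condition or {}).items():
        if operator != "IpAddress":
            raise NotImplementedError(f"operator {operator} is not modelled in this example")
        for key, cidrs in pairs.items():
            source = request.get("context", {}).get(key)
            if source is None:       # key absent from the request context: the condition is false
                return False
            ip = ipaddress.ip_address(source)
            if not any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policies, request):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], request["action"], case_sensitive=False)
                    and _matches(stmt["Resource"], request["resource"])
                    and _principal_matches(stmt.get("Principal"), request)
                    and _condition_matches(stmt.get("Condition"), request)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit deny always wins
            decision = "Allow"
    return decision


# Constructed bucket policy for the medical-data question: in-account users, two partner
# operators from account 444455556666, and public read on one prefix only.
MEDICAL_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InAccountUsers", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::medical-data/*"},
        {"Sid": "PartnerOperators", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:user/operator1",
                                "arn:aws:iam::444455556666:user/operator2"]},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::medical-data/*"},
        {"Sid": "PublicReadOnePrefix", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::medical-data/public/*"},
    ],
}

# Constructed identity policy for the DynamoDB question: table access only from two office ranges.
VOTES_TABLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/Votes",
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24", "198.51.100.7/32"]}},
    }],
}
```

Two caveats the evaluator does not model: for a cross-account caller real IAM requires an allow in the caller's own identity policy as well as in the bucket policy; and aws:SourceIp is the caller's public address, so requests that reach DynamoDB through a gateway VPC endpoint will not match it and need aws:VpcSourceIp (or aws:SourceVpce) instead. An explicit Deny with NotIpAddress is the usual way to make the restriction cover every statement attached to the group rather than just the Allow shown.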
Over 1,000,000 objects are stored in an S3 bucket using Standard-IA in the us-east-1 region. You need to ensure the data will be secure even if an AZ fails entirely. What changes should you make? A) Change the storage class to Standard. B) No changes are required. C) Configure CRR. D) Change the storage class to One Zone-IA.
Your Answer: A Why is this incorrect? Standard offers the same multi-AZ redundancy as Standard-IA, but it costs more and isn't required. https://aws.amazon.com/s3/storage-classes/ Correct Answer: B Why is this correct? S3 Standard-IA stores objects redundantly across multiple AZs in a region (One Zone-IA is the class that does not), so no changes are required for the data to survive the loss of an AZ. https://aws.amazon.com/s3/storage-classes/
You have an EC2 instance located in a private subnet in a custom VPC. The instance is using a private IPv4 address in the 10.0.0.0/24 range and has no public IP or Elastic IP attached. NACLs and security groups are configured to allow the needed traffic. How can you provide this instance with access to the internet for updates? A) Use PrivateLink to access AWS-provided update servers. B) Provision a NAT gateway into the VPC. C) Attach an internet gateway to the VPC, provision a NAT gateway, and then update routes. D) Attach an internet gateway to the VPC and update routes.
Your Answer: A Why is this incorrect? PrivateLink exposes specific AWS and partner services as interface endpoints inside the VPC; it does not provide a path to arbitrary internet update repositories. Correct Answer: C Why is this correct? A NAT gateway lives in a public subnet and needs an internet gateway, plus a 0.0.0.0/0 route to it in that public subnet's route table, before it can reach the internet itself. The private subnet's route table then gets a 0.0.0.0/0 route pointing at the NAT gateway, so the instance can make outbound connections without a public IP while remaining unreachable from the internet. B alone leaves the NAT gateway with no path out, and D alone does not help an instance that has no public or Elastic IP.
You have recently added an Auto Scaling group and an Application Load Balancer to your application. Now your users are reporting that the application is constantly logging customers out and losing progress. What is a potential fix for this behaviour? A) Add a new Auto Scaling group and policy to your application B) Change your EC2 instance size C) Enable Sticky Sessions D) Add health checks to your Auto Scaling group
Your Answer: A Why is this incorrect? Another Auto Scaling group adds administrative overhead and will not resolve the issue. Correct Answer: C Why is this correct? Enabling sticky sessions on the load balancer binds each user's session to one target (via a cookie), so requests are not sent to a different server that has no record of the login. This is a fix for an application that keeps session state locally on the instance; the longer-term answer is to store session state outside the instances (for example in DynamoDB or a cache) so that any instance can serve any request.
Your company has a distributed workforce: 60% are based in the United States, 30% in Europe, and 10% in Asia. All workers upload video- and image-based survey data to an S3 bucket based in us-east-1. Users in Europe and Asia have been experiencing performance issues. What would you suggest to improve the experience of all workers? A) Use S3 Global Buckets. B) Use S3 transfer acceleration and a bucket located in eu-central-1. C) Use multiple S3 buckets — one in the United States, one in Europe, and one in Asia — and implement cross-region replication (CRR). Have remote workers upload objects to the bucket closest to them. D) Use S3 transfer acceleration and the bucket located in us-east-1.
Your Answer: A Why is this incorrect? This is not a valid service. Correct Answer: D Why is this correct? This solution positions the data close to the largest group and uses transfer acceleration to provide accelerated upload for the remaining users. https://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
You have a Multi-AZ RDS instance. Its primary Availability Zone is us-east-1a, and the secondary is us-east-1b. Which of the following events will cause a failover from the primary to secondary instance? (Possible Correct: 2) A) RDS OS patching in us-east-1b B) Storage failure in us-east-1b C) Failure of us-east-1a D) Storage failure in us-east-1a E) Performance alarms in us-east-1a
Your Answer: A Why is this incorrect? This is the secondary AZ — no failover will occur. If this were in 1a, it would cause a failover. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html Your Answer: B Why is this incorrect? This is the secondary AZ — no failover will occur. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html Correct Answer: C Why is this correct? Failure of the primary AZ will cause an automatic failover to the standby instance. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html Correct Answer: D Why is this correct? Storage failure of the primary instance will cause a failover. https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
A team of developers within your business has developed a mobile application, and it needs to access a DynamoDB table. The mobile application will be used by ~1,000,000 users. Which security access method would you suggest the developers use in order to minimize costs and admin overhead while maximizing security? A) Configure the DynamoDB and Twitter firehose integrations to allow connectivity between the mobile app (using Twitter IDs) and DynamoDB. B) Create a single IAM user, a service user for the mobile app. Hard-code the username and password into the application, and allow all instances of it to connect to DynamoDB using those credentials. C) Configure web identity federation in the mobile app. Use Amazon Cognito, and set up an IAM role with permissions to connect to DynamoDB. D) Create an IAM user for the application. Allow the application to connect to AWS and create an IAM user for every new user of the application. Generate access keys for that user, and use those keys to connect to DynamoDB.
Your Answer: A Why is this incorrect? This isn't a valid solution; no such integration exists and it would not provide authentication. Correct Answer: C Why is this correct? Web identity federation through Amazon Cognito lets users sign in with an identity provider and exchange that identity for temporary AWS credentials scoped by an IAM role, so the app ships with no long-lived keys and no IAM users have to be created or managed. It also avoids the per-account IAM user quota (5,000), which D would exhaust almost immediately, and it avoids B's shared, hard-coded credentials, which can be extracted from the app binary and cannot be revoked for a single user.
A large fleet of IoT devices is sending data to a Kinesis stream but experiencing an error of ProvisionedThroughputExceededException. How should you resolve the issue? A) Create an additional Kinesis stream and load balance the IoT devices. B) Adjust the partition key of the Kinesis data records. C) Increase the number of shards in the stream. D) Increase the size of the Kinesis shards.
Your Answer: A Why is this incorrect? This isn't an ideal solution; it's far easier to increase the number of shards in the existing stream. https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html Correct Answer: C Why is this correct? Each shard has fixed write capacity (1 MiB per second and 1,000 records per second) and shards cannot be resized, so D is not possible; adding shards (resharding) is the recommended way to add throughput to a stream. Note that the limit is per shard: if many devices share the same partition key, all of their records hash to one shard and adding shards will not help until the keys spread the load. https://docs.aws.amazon.com/streams/latest/dev/service-sizes-and-limits.html
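As an added example (not part of the exam page and not AWS code), the following reproduces how Kinesis places records on shards (the MD5 of the partition key, read as a 128-bit hash key, falls into one of the shards' evenly split hash key ranges) and sizes a stream from its write rate. The device IDs are constructed. It shows why option B matters in practice as well: with one shared partition key every record lands on a single shard, and adding shards does not relieve the ProvisionedThroughputExceededException until the keys are spread.

```python
# Added example (not AWS code): Kinesis shard placement and stream sizing.
# Device IDs are constructed.  MD5 is used here only because that is the
# placement hash Kinesis applies to partition keys, not for any security purpose.
import hashlib
import math
from collections import Counter

SHARD_WRITE_RECORDS_PER_SEC = 1000
SHARD_WRITE_BYTES_PER_SEC = 1024 * 1024  # 1 MiB/s per shard; fixed, a shard cannot be enlarged
HASH_KEY_SPACE = 2 ** 128                # partition keys hash into 0 .. 2**128 - 1


def shards_required(records_per_sec, bytes_per_sec):
    """Minimum shard count for an ingest rate; both per-shard limits must hold."""
    return max(
        math.ceil(records_per_sec / SHARD_WRITE_RECORDS_PER_SEC),
        math.ceil(bytes_per_sec / SHARD_WRITE_BYTES_PER_SEC),
        1,
    )


def hash_key(partition_key):
    """128-bit hash key derived from the partition key."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for_key(partition_key, shard_count):
    """Index of the shard whose evenly split hash key range contains the key."""
    return hash_key(partition_key) * shard_count // HASH_KEY_SPACE


def shard_load(partition_keys, shard_count):
    """Records per shard for one second's worth of partition keys."""
    counts = Counter(shard_for_key(k, shard_count) for k in partition_keys)
    return [counts.get(i, 0) for i in range(shard_count)]


def hot_shards(load, limit=SHARD_WRITE_RECORDS_PER_SEC):
    """Shards that would reject writes with ProvisionedThroughputExceededException."""
    return [i for i, n in enumerate(load) if n > limit]
```

Run shard_load over a second of real partition keys before resharding: if hot_shards reports one shard while the others are idle, the fix is the partition key, not the shard count.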
You are architecting a web application that runs on EC2 instances. The application is stateless and stores its session state within DynamoDB. You want to ensure the application can scale as quickly as possible to increasing and decreasing demand in a cost-effective way. What options should you suggest? (Possible Correct: 2) A) Vertical scaling B) Horizontal scaling C) Small instances D) Large instances
Your Answer: A Why is this incorrect? Vertical scaling means changing the size of existing instances, which requires stopping them and causes downtime, and it is capped by the largest available instance type. Correct Answer: B Why is this correct? Horizontal scaling adds or removes instances (SCALE-OUT and SCALE-IN) and is one part of elastic scaling; a stateless application with its session state in DynamoDB can do this freely. Correct Answer: C Why is this correct? Smaller instances let capacity be added and removed in finer increments, so less idle headroom is paid for, and smaller types tend to have fewer capacity issues or restrictions.
You have an EC2 instance that currently runs about 100 Python-based admin scripts for a business's IT team. The scripts interact with other AWS services using an instance role. The scripts run hourly and take around two to three minutes to run. The business has asked for your suggestions on cost-optimization for this scenario. The instance has been running for one year and has two years of a reserved instance term left. What two options should you suggest? (Possible Correct: 2) A) Run the scripts from Elastic Beanstalk environments within the same application. B) Migrate the scripts to use individual Lambda functions. C) Terminate the EC2 instance to avoid costs. D) Sell the remaining term of the instance reservation and stop the instance. E) Migrate the scripts to a Chef recipe and use AWS OpsWorks.
Your Answer: A Why is this incorrect? This would involve additional work and offer very little, if any, cost reduction. Correct Answer: B Why is this correct? Lambda charges only for execution time, and since the scripts run for two to three minutes (well within Lambda's 15-minute maximum), this is the most economical option. Since the instance already uses an IAM role, the permissions can be carried over to Lambda execution roles, ideally one per function so each script keeps only the permissions it needs. Correct Answer: D Why is this correct? Selling the remaining reservation term and stopping the instance removes most of the EC2 cost; the EBS storage still has a cost, but it's the best option available.
Which Route 53 routing policy type should you use to ensure clients are connected to servers that offer the best potential performance? A) Weighted routing policy B) Simple C) Geolocation routing policy D) Latency routing policy
Your Answer: A Why is this incorrect? Weighted routing is used to control the proportions of requests certain hosts receive — it's not directly performance related. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html Correct Answer: D Why is this correct? Latency routing attempts to resolve requests to a record that offers the lowest latency, so this will likely translate to the best performance. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html
You have been asked to design an upgrade to a legacy environment running in an AWS VPC. There will be an EC2 instance in each AZ's private subnet. The region the environment is in has four AZs. The VPC has eight subnets: four private (one in each AZ) and four public (one in each AZ). You have been asked to ensure the solution uses NAT gateways and that if any AZ fails, an instance in the other AZs can always access the internet. What is the minimum number of NAT gateways required? A) Two — each one is located in a single public subnet but not the same one. Private subnets are set to round-robin across them both. B) One — spanning all four public subnets. All private subnets use the single NAT gateway. C) Four — each is located in a single but different public subnet. Each private subnet is set to use the NAT gateway in the same AZ. D) Two — each spans two different public subnets, with private subnets set to round-robin across them both.
Your Answer: A Why is this incorrect? The NAT gateway part is valid, but round-robin routing does not exist: a route table holds one target for 0.0.0.0/0, so each private subnet depends on exactly one NAT gateway. If the AZ hosting that gateway failed, every private subnet routed through it would lose internet access. Correct Answer: C Why is this correct? For true HA a NAT gateway is needed in each AZ, with each private subnet's route table sending 0.0.0.0/0 to the NAT gateway in its own AZ. An AZ failure then takes down only the instance and gateway in that AZ, and the other three keep their internet access.
You have been asked to create a scalable deployment for a new business application. The application uses Java and requires lots of supporting libraries and frameworks. The total time for the installation is 25 minutes. If the business needs the application to scale in an elastic way, rapidly reacting to changes in system load, what method should you suggest for installing, deploying, and scaling the application? A) Use a launch template to add the application installation commands. B) Install the application on an EC2 instance and create an AMI. C) Install the application directly using instance metadata. D) Add the application installation commands to an Auto Scaling group.
Your Answer: A Why is this incorrect? While this would work, it would mean each scaling action inside an Auto Scaling group would take at least 25 minutes. https://aws.amazon.com/answers/configuration-management/aws-ami-design/ Correct Answer: B Why is this correct? This is an example of an AMI Pre-bake architecture, which would work. The 25-minute installation would be done once, with the results stored in an AMI — and this could be used with a launch configuration/launch template and an Auto Scaling group to scale the application. https://aws.amazon.com/answers/configuration-management/aws-ami-design/
You have been tasked to store files in S3 with encryption at rest. You also need a solution that matches the FIPS 140-2 Level 3 framework. Which solution meets this requirement? A) SSE-KMS B) SSE-S3 C) SSE-C D) CloudHSM
Your Answer: A Why is this incorrect? SSE-KMS relies on AWS KMS, whose HSMs were validated at FIPS 140-2 Level 2 overall (with Level 3 in several areas), so it does not satisfy a Level 3 requirement. Correct Answer: D Why is this correct? CloudHSM provides dedicated, single-tenant HSMs validated at FIPS 140-2 Level 3. Note that CloudHSM is not itself an S3 server-side encryption option; it is used either for client-side encryption before upload or as the backing for a KMS custom key store so that the keys behind SSE-KMS live in the Level 3 HSMs.
Which of the following statements is correct about networking high availability in AWS? (Possible Correct: 2) A) A virtual private gateway is HA by design. B) A NAT gateway is highly available by design. C) An IGW should be created in each AZ that a VPC uses to ensure full HA. D) A NAT gateway should be added to each AZ a VPC uses for full HA.
Your Answer: B Why is this incorrect? A NAT gateway is not HA by design. It occupies a single public subnet, which is in one AZ. If that AZ fails, the service provision fails. Correct Answer: A Why is this correct? A VGW is HA by design in two AZs, so it can tolerate the failure of one. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html Correct Answer: D Why is this correct? A NAT gateway should be created in one subnet in each AZ to be highly available. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
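As an added example (not part of this exam page and not AWS code), here is a check that encodes the NAT gateway guidance from this question and from the "minimum number of NAT gateways" and private-subnet internet-access questions above: one NAT gateway per AZ, each private subnet routed to the gateway in its own AZ, and each gateway's public subnet routed to an internet gateway. The resource IDs are constructed placeholders, and the data shapes are simplified from describe-subnets, describe-nat-gateways and describe-route-tables output; in practice you would feed the real API responses into check_nat_high_availability.

```python
# Added example (not AWS code): audit a VPC for the NAT gateway HA pattern.
# Resource IDs are constructed placeholders; the dict shapes are simplified
# from EC2 describe-* output.


def build_topology(azs, nat_per_az=True, igw_id="igw-0placeholder"):
    """Construct a VPC with one public and one private subnet per AZ.

    With nat_per_az=False every private subnet shares the first AZ's NAT
    gateway, which is the non-HA design the question warns about.
    """
    subnets, nat_gateways, route_tables = [], [], []
    for i, az in enumerate(azs):
        pub = {"SubnetId": f"subnet-pub-{az}", "AvailabilityZone": az}
        prv = {"SubnetId": f"subnet-prv-{az}", "AvailabilityZone": az}
        subnets += [pub, prv]
        if nat_per_az or i == 0:
            nat_gateways.append({"NatGatewayId": f"nat-{az}", "SubnetId": pub["SubnetId"]})
        # Public route table: default route to the internet gateway.
        route_tables.append({
            "RouteTableId": f"rtb-pub-{az}",
            "Associations": [{"SubnetId": pub["SubnetId"]}],
            "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": igw_id}],
        })
        # Private route table: default route to a NAT gateway (one target only).
        nat_id = f"nat-{az}" if nat_per_az else f"nat-{azs[0]}"
        route_tables.append({
            "RouteTableId": f"rtb-prv-{az}",
            "Associations": [{"SubnetId": prv["SubnetId"]}],
            "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_id}],
        })
    return subnets, nat_gateways, route_tables


def _default_route(route_table):
    if route_table is None:
        return None
    return next((r for r in route_table["Routes"] if r["DestinationCidrBlock"] == "0.0.0.0/0"), None)


def check_nat_high_availability(subnets, nat_gateways, route_tables):
    """Return a list of findings; an empty list means the design survives any single AZ failure."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    rtb_of_subnet = {a["SubnetId"]: rt for rt in route_tables for a in rt["Associations"]}
    findings = []

    for subnet_id, rt in rtb_of_subnet.items():
        route = _default_route(rt)
        nat_id = route.get("NatGatewayId") if route else None
        if nat_id is None:
            continue  # no NAT dependency (public subnet, or no internet path at all)
        nat = nat_by_id.get(nat_id)
        if nat is None:
            findings.append(f"{subnet_id}: default route targets unknown {nat_id}")
            continue
        nat_az = az_of_subnet[nat["SubnetId"]]
        if nat_az != az_of_subnet[subnet_id]:
            findings.append(f"{subnet_id} ({az_of_subnet[subnet_id]}) depends on {nat_id} in {nat_az}")
        # The NAT gateway itself only works if its public subnet routes to an IGW.
        nat_route = _default_route(rtb_of_subnet.get(nat["SubnetId"]))
        if not nat_route or not nat_route.get("GatewayId", "").startswith("igw-"):
            findings.append(f"{nat_id}: subnet {nat['SubnetId']} has no default route to an internet gateway")
    return findings
```

The same check covers the earlier single-instance scenario: a private subnet whose NAT gateway sits in a public subnet with no IGW route is reported, which is exactly why option B (NAT gateway alone) fails there.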
You are reviewing an existing VPN between a data center and an AWS VPC. Your client has asked you to suggest any HA improvements; the system must be able to tolerate the failure of an AWS AZ and a customer internet connection or router. Currently, the system includes: - One VPC - One business location with two internet connections — each with a router - One VPN connection using one virtual private gateway and two IPSec tunnels to one of the customer routers Which option below is the most appropriate and correct? A) Add an additional virtual private gateway to the VPC. B) Move one of the IPSec tunnels to the other customer router. C) Add another VPN connection to the second CGW. D) Take no action — the system meets the HA requirements with no changes.
Your Answer: B Why is this incorrect? A VPN connection (two tunnels) is between a VGW and a single customer gateway — this is not a valid solution. Correct Answer: C Why is this correct? This will add an additional two IPSec tunnels between the VGW and the second CGW. This will tolerate the failure of one customer connection and one AWS AZ because the VGW is already HA across multiple AZs.
You manage hundreds of AWS accounts for your organization. One of the AWS accounts is for a development team and you need to restrict what can occur within the account. There are 6 IAM users and also the account root user which need to be restricted. What solution below would be best? A) Identity Policy B) IAM Permission Boundary C) Service Control Policy D) Resource Policy
Your Answer: B Why is this incorrect? A permissions boundary is a managed policy that sets the maximum permissions an identity-based policy can grant to an IAM entity (a user or role): the entity can perform only the actions allowed by both its identity-based policies and its boundary. It has to be attached to each of the 6 users individually, and it cannot be applied to the account root user at all, so it does not meet the requirement. Correct Answer: C Why is this correct? Service control policies (SCPs) are AWS Organizations policies attached to the organization root, an OU or an account. An SCP defines a guardrail on what the principals in the account can do, and it applies to every principal in a member account, including the root user (SCPs do not apply in the management account), so it restricts the 6 IAM users and root in one place.
You are migrating an application into AWS which uses a messaging system to decouple its components. Which AWS services can be used to provide this functionality? (Possible Correct: 2) A) Kinesis B) SES C) SQS D) SNS
Your Answer: B Why is this incorrect? Amazon Simple Email Service (Amazon SES) is an email sending service for marketing, notification and transactional email; it is not a messaging system for decoupling application components. Correct Answer: A Why is this correct? Amazon Kinesis ingests and buffers real-time streaming data (application logs, clickstreams, IoT telemetry, audio and video) so that the producers writing it and the consumers processing it are decoupled and can scale independently, and processing can begin as data arrives rather than after it has all been collected. Correct Answer: C Why is this correct? Amazon Simple Queue Service (SQS) is a fully managed message queuing service for decoupling and scaling microservices, distributed systems and serverless applications. Components send, store and receive messages at any volume without losing messages and without requiring the other components to be available at the same time, and there is no message-oriented middleware to operate.
You have been asked to implement a solution which can manage an application workflow which runs for between 7 and ~45 minutes before terminating. The process consists of individual steps which run for less than 5 minutes each. The processes are written in Python. Which AWS product or products should you suggest to implement the solution in a cost-effective way? A) Step Functions and Lambda B) Fargate C) EC2 D) Lambda
Your Answer: B Why is this incorrect? Fargate runs containers for ECS. It would work, but it requires containerising the scripts and bills for the whole 7 to 45 minutes the task runs rather than for the steps that actually execute. Correct Answer: A Why is this correct? A single Lambda function cannot run for longer than 15 minutes, so the 7 to 45 minute workflow cannot be one function (which rules out D on its own). Each step runs for under 5 minutes, so each fits comfortably in a Lambda function (Python is a supported runtime), and Step Functions orchestrates the steps and carries the state between them; a Standard workflow can run for up to a year. You pay only for Lambda execution time plus Step Functions state transitions.
If an EC2 instance uses an instance role, key rotation is automatic and handled by __. A) A script containing a valid IAM username and password stored on the EC2 instance. B) ssh-keygen on the EC2 instance C) The EC2 service D) IAM/STS
Your Answer: B Why is this incorrect? ssh-keygen creates SSH key pairs; it has nothing to do with role credentials. Correct Answer: D Why is this correct? An instance role delivers temporary STS credentials (access key, secret key, session token and an expiration) to the instance through the instance metadata service. IAM/STS issues a fresh set before the current one expires and the AWS SDKs pick it up automatically, so nothing on the instance stores or rotates long-lived keys. Because anything that can reach the metadata endpoint can read those credentials, require IMDSv2 on the instance so that a simple SSRF cannot fetch them. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
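As an added example (not part of the exam page and not AWS or SDK code), the following spells out the two IMDSv2 requests a process on the instance makes to obtain its role credentials, and parses the credential document so the expiration-driven refresh can be seen. The role name is hypothetical and the credential JSON is a constructed sample in the documented format, not real keys; the request builders describe the HTTP calls rather than sending them, so the block runs offline.

```python
# Added example (not AWS code): how instance-role credentials reach a process
# on the instance.  ROLE_NAME is hypothetical; SAMPLE_BODY is a constructed
# document in the metadata service's format, with fake key material.
import json
from datetime import datetime, timedelta, timezone

IMDS_BASE = "http://169.254.169.254"
ROLE_NAME = "AdminScriptsRole"  # hypothetical instance role name


def imdsv2_token_request(ttl_seconds=21600):
    """Step 1: a PUT with a TTL header returns a session token.

    Requiring IMDSv2 (HttpTokens=required on the instance) matters because a
    typical SSRF can issue a GET but not a PUT with a custom header, so it
    cannot obtain the token and therefore cannot read the credentials below.
    """
    return {
        "method": "PUT",
        "url": f"{IMDS_BASE}/latest/api/token",
        "headers": {"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    }


def credentials_request(token, role_name=ROLE_NAME):
    """Step 2: GET the role's current temporary credentials, presenting the token."""
    return {
        "method": "GET",
        "url": f"{IMDS_BASE}/latest/meta-data/iam/security-credentials/{role_name}",
        "headers": {"X-aws-ec2-metadata-token": token},
    }


def parse_utc(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the credential document."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_credentials(body):
    """The document carries STS temporary credentials and an Expiration.

    IAM/STS issues a new set before that time and EC2 serves it at the same
    URL; that hand-off is the automatic rotation the question refers to.
    """
    doc = json.loads(body)
    if doc.get("Code") != "Success":
        raise ValueError(f"credential document not usable: {doc.get('Code')!r}")
    return {
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],
        "expiration": parse_utc(doc["Expiration"]),
    }


def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """What an SDK credential provider does: re-read IMDS shortly before expiry."""
    return creds["expiration"] - now <= margin


SAMPLE_BODY = json.dumps({  # constructed sample, not real credentials
    "Code": "Success",
    "LastUpdated": "2019-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "exampleSecretAccessKeyNotReal",
    "Token": "exampleSessionTokenNotReal",
    "Expiration": "2019-05-01T16:00:00Z",
})
```

The access key ID of temporary credentials begins with ASIA rather than AKIA, which is a quick way to tell in CloudTrail or a leaked-key report whether a role's short-lived credentials or a long-lived IAM user key was involved.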
You are reviewing a set of API endpoints for your development team that currently runs on a fleet of 50 EC2 instances. You have been asked to reduce costs. Are there any pairs of AWS products and/or features you could suggest to reduce the cost of the current solution? A) S3 and static web hosting B) API Gateway and Kinesis C) Lambda and API Gateway D) ALB and Elastic Beanstalk
Your Answer: B Why is this incorrect? Kinesis is a streaming service — it cannot be used to provide any form of API functionality. Correct Answer: C Why is this correct? Lambda and API Gateway can be used together to host APIs. Rather than being billed 24/7/365 for all of the EC2 instances, Lambda only has a cost when functions are invoked.
You just created a VPC. For security purposes, you are using NACLs and security groups. You launched an EC2 instance into a subnet, where you have set an inbound rule for SSH (22) in the security group and both inbound and outbound rules for port 22 on the subnet NACL. However, you are not able to access the instance via SSH. What is the most likely issue? A) The NACL needs an outbound rule for the high ephemeral port range (1024-65535). B) You need to add an outbound rule allowing SSH for the security group. C) You have not enabled IPv6 for the VPC. D) Your IAM user does not have SSH permissions.
Your Answer: B Why is this incorrect? Security groups are stateful: once the inbound SSH request is allowed, the return traffic for that connection is allowed automatically, so no outbound rule is required. Correct Answer: A Why is this correct? NACLs are stateless, so the reply is evaluated separately from the request. The client connects to port 22, but its own source port is an ephemeral port, so the instance's replies leave the subnet destined for a port in the 1024-65535 range; without an outbound NACL allow for that range the TCP handshake never completes.
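Added example (not part of the exam page and not AWS code): a small stateless NACL evaluator that models the scenario. The rule numbers, the client's ephemeral port and the rule sets are constructed. It shows the SSH request passing the inbound rules while the reply is denied by the outbound rules until the ephemeral range is allowed, and contrasts that with the stateful security group behaviour described for option B.

```python
# Added example (not AWS code): stateless NACL evaluation versus a stateful
# security group for an SSH session.  Rule numbers and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, port):
    """Return the action of the lowest-numbered matching rule.

    The implicit final rule ("*") denies anything no explicit rule matched.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("-1", protocol) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"


def nacl_ssh_session(inbound, outbound, client_port=51234):
    """A NACL is stateless, so the two directions are checked independently.

    The client's SYN targets port 22 (inbound rules); the instance's reply goes
    back to the client's ephemeral source port (outbound rules).  Both must allow.
    """
    request_ok = evaluate(inbound, "tcp", 22) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_port) == "allow"
    return request_ok, reply_ok


def security_group_ssh_session(sg_inbound):
    """Security groups track connection state: if the inbound request is permitted,
    the reply is permitted too, regardless of outbound rules."""
    allowed = evaluate(sg_inbound, "tcp", 22) == "allow"
    return allowed, allowed


# The question's configuration: port 22 allowed in both directions, nothing else.
INBOUND = [Rule(100, "tcp", 22, 22, "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", 22, 22, "allow")]

# The fix: allow the ephemeral range outbound so replies can leave the subnet.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", 1024, 65535, "allow")]
```

The evaluator also reproduces the ordering rule: a deny with a lower number wins over an allow with a higher one, which is how a NACL can block a single abusive address while a broad allow remains in place.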