AWS Solutions Architect Quiz
You need to restrict access to an S3 bucket. Which of the following methods can you use to do so? Access control Lists P.... and P....
Access control lists for s3 - permissions Policies
Which of the following are valid S3 data encryption options? (Choose 4) A client library such as Amazon S3 Encryption Client. Server Side Encryption (SSE)-S3. SSE-KMS. SSE-C. Open SSL.
All but Open SSL.
Amazon's EBS volumes are ________.
Block based stroage
You have created a new subdomain for your popular website, and you need this subdomain to point to an Elastic Load Balancer using Route53. Which DNS record set should you create?
CName
Auditing user access/API calls etc across the entire AWS estate can be achieved by using ________. CloudFlare CloudTrail CloudFront CloudWatch
CloudTrail
Which of the following AWS services is a non-relational database? RDS ElastiCache DynamoDB Redshift
DYNAMO!
You need to add a route to your routing table that will allow connections to the internet from your subnet. Which of the following routes should you add? 1 Destination: 0.0.0.0/0 --> Target: 0.0.0.0/24 2 Destination: 0.0.0.0/33 --> Target: your virtual private gateway 3 Destination: 0.0.0.0/0 --> Target: your Internet gateway 4 Destination: 192.168.1.258/0 --> Target: your Internet gateway
Destination: 0.0.0.0/0 --> Target: your Internet gateway
Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions may you set when configuring AWS WAFirewall? (Choose 3) Termination Conditions URL Match Conditions SQL Rejection Match Conditions IP Match Conditions String Match Conditions Size Constraint Conditions
IP Match Conditions String Match Conditions Size Constraint Conditions
You are a security architect working for a large antivirus company. The production environment has recently been moved to AWS and is in a public subnet. You are able to view the production environment over HTTP. However, when your customers try to update their virus definition files over a custom port, that port is blocked. You log in to the console and you allow traffic in over the custom port. How long will this take to take effect? 1 Straight away to the new instances, but old instances must be stopped and restarted before the new rules apply. 2 After a few minutes. 3 Immediately. 4 Straight away, but to the new instances only.
Immediately
Individual EC2 instances are provisioned ________.
In Availability zones
Which of the following is most suitable for OLAP? Redshift DynamoDB ElastiCache RDS
Redshift would be the most suitable for online analytics processing.
You need to use an Object based storage solution to store your critical, non replaceable data in a cost effective way. This data will be frequently updated and will need some form of version control enabled on it. Which S3 storage solution should you use? S3 - RRS, Glacier, S3, S3 - IA
S3
You need to migrate a legacy application into AWS. It currently runs on a linux operating system and has a requirement for iSCSI based block storage. Which AWS Service would you utilise to meet this requirement. EFS or Storage Gateway
Storage Gateway Storage gateway can be provisioned within a VPC and is an appliance which connects to a host via iSCSI
To help you manage your Amazon EC2 instances, you can assign your own metadata in the form of ________.
Tags A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define
When editing permissions (policies and ACLs), to whom does the concept of the "Owner" refer?
The "Owner" refers to the identity and email address used to create the AWS account.
What happens if you reboot an instance-store backed EC2 instance with a Public IP?
The instance remains in the running state Rebooting only restarts the operating system. It does not stop the instance. The Public IP is retained unless the instance is stopped or terminated.
Route53, the AWS implementation of DNS, supports a number of Routing policies. Which of the following are valid Policy types? (Choose 5)
Weighted, simple, latency, failover, geolocation
What is the underlying Hypervisor for EC2? OVM Hyper-V ESX Xen
Xen!!! - Opensource OVM - is oracle Hyper-V - Microsoft ESX -VMware
Does Route53 support MX Records?
Yes - MX (mail exchange record)
Is it possible to perform actions on an existing Amazon EBS Snapshot?
Yes, through the AWS APIs, CLI, and AWS Console.
You have been asked to identify a service on AWS that is a durable key value store. Which of the services below meets this definition? 1 Elastic File Service (EFS) 2 Simple Storage Service (S3) 3 Mobile Hub 4 Kinesis
s3
What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?
12 hrs
You are a solutions architect at a large digital media company. The company has decided that they want to operate within the Japanese region, and they need a bucket called "testbucket" set up immediately for testing purposes. You log in to the AWS console and try to create this bucket in the Japanese region. However, you are told that the bucket name is already taken. What should you do to resolve this? 1 Change your region to Korea and then create the bucket "testbucket". 2 Bucketnames are global, not regional. This is a popular bucket name and is already taken. You must choose another bucket name. 3 Raise a ticket with AWS and ask them to release the name "testbucket" to you. 4 Run a WHO IS request on the bucket name and get the registered owners email address. Contact the owner and ask if you can purchase the rights to the bucket.
2 Bucketnames are global, not regional. This is a popular bucket name and is already taken. You must choose another bucket name.
With EBS, I can ________. (Choose 2) 1 Encrypt an existing volume. 2 Create an encrypted volume from a snapshot of another encrypted volume. 3 Create an encrypted snapshot from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot. 4 Create an unencrypted volume from an encrypted snapshot.
2 Create an encrypted volume from a snapshot of another encrypted volume. 3 Create an encrypted snapshot from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot. You cannot create an unencrypted volume from an encrypted snapshot or encrypt an existing volume.
A new employee has just started work, and it is your job to give her administrator access to the AWS console. You have given her a user name, an access key ID, a secret access key, and you have generated a password for her. She is now able to log in to the AWS console, but she is unable to interact with any AWS services. What should you do next? Ensure she is logging in to the AWS console from your corporate network and not the normal internet. Grant her Administrator access by adding her to the Administrators' group. Tell her to log out and try logging back in again. Require multi-factor authentication for her user account.
2 Grant her Administrator access by adding her to the Administrators' group.
You are a solutions architect working for a biotech company who is pioneering research in immunotherapy. They have developed a new cancer treatment that may be able to cure up to 94% of cancers. They store their research data on S3. However, an intern recently deleted some critical files accidentally. You've been asked to prevent this from happening in the future. Which of the following solutions can be used to prevent accidental data loss? 1 Make sure the interns can only access data on S3 using signed URLs. 2 Create an IAM bucket policy that disables deletes. 3 Enable S3 versioning on the bucket & enable MFA Delete on the bucket. 4 Use S3 Infrequently Accessed storage to store the data on.
3 Enable S3 versioning on the bucket & enable MFA Delete on the bucket.
What data transfer charge is incurred when replicating data from your primary RDS instance to your secondary RDS instance? 1 The charge is double the standard data transfer charge. 2 The charge is half of the standard data transfer charge. 3 There is no charge associated with this action. 4 The charge is the same as the standard data transfer charge.
3 There is no charge associated with this action.
You successfully configure VPC Peering between VPC-A and VPC-B. You then establish an IGW and a Direct-Connect connection in VPC-B. Can instances in VPC-A connect to your corporate office via the Direct-Connect service, and connect to the Internet via the IGW? 1 Yes: VPC Peering is designed to route traffic between the VPCs. 2 Instances in VPC-A will be able to access the corporate office, but not the Internet. 3 VPC peering does not support edge to edge routing. 4 Instances in VPC-A will be able to access the Internet, but not the corporate office.
3 VPC peering does not support edge to edge routing. VPC peering only routes traffic between source and destination VPCs. VPC peering does not support edge to edge routing.
In RDS, what is the maximum value I can set for my backup retention period?
35 days
You have provisioned a custom VPC with a subnet that has a CIDR block of 10.0.3.0/28 address range. Inside this subnet, you have 2 webservers, 2 application servers, 2 database servers, and a NAT. You have configured an Autoscaling group on the two web servers to automatically scale when the CPU utilization goes above 90%. Several days later you notice that autoscaling is no longer deploying new instances into the subnet, despite the CPU utilization of all web servers being at 100%. Which of the following answers may offer an explanation? (Choose 2) 0 AWS reserves both the first two and the last two IP addresses in each subnet's CIDR block. 1 Your Autoscaling Group (ASG) has provisioned too many EC2 instances and has exhausted the number of internal IP addresses available in the subnet. 2 AWS reserves both the first three and the last two IP addresses in each subnet's CIDR block. 3 Your internet gateway (IGW) on your VPC has provisioned too many EC2 instances. 4 AWS reserves both the first four and the last IP address in each subnet's CIDR block.
4 AWS reserves both the first four and the last IP address in each subnet's CIDR block. 1 Your Autoscaling Group (ASG) has provisioned too many EC2 instances and has exhausted the number of internal IP addresses available in the subnet.
The combined Value and Name Dynamo attribute combined must not exceed ....
400 KB.
Default number of VPC in an account
5!
Limit of domain names using Route53
50
In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch. What are they?
A Private IP Address & Public IP Address
Which of the following services allow the administrator access to the underlying operating system? (pick 2) A. Amazon EC2 B. DynamoDB C. ElastiCache D. Amazon EMR E. Amazon RDS
A. Amazon EC2 D. Amazon EMR
Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level
ACLs
You are a student currently learning about the different AWS services. Your employer asks you to tell him a bit about Amazon's Glacier service. Which of the following best describes the use cases for Glacier? 1 Hosting active databases 2 Infrequently accessed data & data archives 3 Frequently Accessed Data 4 Replicating Files across multiple availability zones and regions
...2
Which of the following is a chief advantage of using VPC endpoints to connect your VPC to services such as S3? 1 VPC Endpoints require public IP addresses, offering rapid connectivity from the public internet. 2 VPC endpoints are dedicated hardware devices that cannot be accessed without the correct IAM credentials. 3 VPC Endpoints offer a faster path through the public internet than you can realize with a NAT instance. 4 Traffic between your VPC and the other service does not leave the Amazon network.
...Think it's 4..
Your company has hired a young and enthusiastic accountant. After reviewing the AWS documentation and usage graphs, he announces that you are wasting vast amounts of money running servers for a full hour instead of spinning them up only when they are needed and down again as soon as they are idle for 1 minute. He cites the AWS claim that you only pay for what you use, and that as a senior engineer, you should be more conscious of wasting company money. How do you respond? 1 You thank him for his concern, and advise him that he has misinterpreted the pricing document: Instances are billed by the full hour, and partial hours are billed as such. Additionally, storage charges are incurred even if the Db instance sits idle. Taking into account productivity losses, stopping and restarting Db instances may actually result in additional costs. As such, your solution is fine as it now stands. 2 You acknowledge the problem and propose that you could downsize the instances so that the workload over the hour consumes the full instance capacity for the full hour. You might also propose closer monitoring and automation to allow you to up-size and down-size the instance each hour over the day to match the instance performance to the anticipated workload. 3 You leap across the meeting table and slap him for insulting you in front of your peers. 4 You grudgingly acknowledge his point and change your scheduling and tuning settings.
1
The risk with spot instances is that you are not guaranteed use of the resource for as long as you might want. Which of the following are scenarios under which AWS might execute a forced shutdown? (Choose 4) 1 AWS sends a notification of termination and you receive it 120 seconds before the intended forced shutdown, but AWS do not action the shutdown. 2 AWS sends a notification of termination and you receive it 120 seconds before the intended forced shutdown. 3 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, but you block the shutdown because you used 'Termination Protection' when you initialized the instance. 4 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, but the normal lease expired before the forced shutdown. 5 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, and you delay it by sending a 'Delay300' instruction before the forced shutdown takes effect. 6 AWS sends a notification of termination but you do not receive it within the 120 seconds and the instance is shutdown.
1 AWS sends a notification of termination and you receive it 120 seconds before the intended forced shutdown, but AWS do not action the shutdown. 2 AWS sends a notification of termination and you receive it 120 seconds before the intended forced shutdown. X 3 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, but you block the shutdown because you used 'Termination Protection' when you initialized the instance. 4 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, but the normal lease expired before the forced shutdown. X 5 AWS sends a notification of termination and you receive it 120 seconds before the forced shutdown, and you delay it by sending a 'Delay300' instruction before the forced shutdown takes effect. 6 AWS sends a notification of termination but you do not receive it within the 120 seconds and the instance is shutdown.
On which of the following does the AWS Trusted Adviser service offer advice? (Choose 2) 1 Advice on security groups and what ports have unrestricted access 2 Vulnerability scans on existing VPCs 3 Antivirus protection on EC2 instances 4 Whether there is MFA configure on the Root Account
1 Advice on security groups and what ports have unrestricted access 4 Whether there is MFA configure on the Root Account
Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a bespoke VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? (Choose 3) 1 Encrypt the data using native encryption tools available in the operating system (such as windows bitlocker). 2 EBS Volumes are encrypted by default. You do not need to do anything. 3 Install SSL certificates on the servers so as to encrypt your data 4 Use third party volume encryption tools. 5 Encrypt your data inside your application, before storing it on EBS.
1 Encrypt the data using native encryption tools available in the operating system (such as windows bitlocker). 4 Use third party volume encryption tools. 5 Encrypt your data inside your application, before storing it on EBS volumes can be encrypted, but they are not encrypted by default. SSL certificates will only be useful to encrypt data in transit, not data at rest.
How should you direct traffic to an ECS cluster running three microservices with the following URLs: 'https://services.mydomain.com/ServiceA/', 'https://services.mydomain.com/ServiceB/', 'https://anotherservice.mydomain.com/'? 1 Use an Application Load Balancer with cross-zone load balancing on. 2 Use a Classic Load Balancer with cross-zone load balancing off. 3 Use Route53 to send the requests to the right containers. 4 Use an Application Load Balancer with cross-zone load balancing off. 5 Send the requests to the ECS instances and they will route the traffic. 6 Use a Classic Load Balancer with cross-zone load balancing on.
1 Use an Application Load Balancer with cross-zone load balancing on.
You are leading a design team to implement an urgently needed collection and analysis project. You will be collecting data for an array of 50,000 anonymous data collectors which will be summarized each day and then rarely used again. The data will be pulled from collectors approximately once an hour. The Dev responsible for the DynamoDB design is concerned about how to design the Partition and Local keys to ensure efficient use of the DynamoDB tables. What advice would you provide. (Choose 2) 1 Create a new table each day, and reconfigure the old table for infrequent use after the summation is complete. 2 Insert a calculated hash in front of the Date/Time value in the partition key to force DynamoDB to hop from partition to to partition. 3 Use a Date-based partition key to avoid having to hop from partition to partition. 4 Use a time-based partition key so that it is easy to query and analyze. 5 Don't worry about it: AWS will optimize the table and partitions to meet our needs.
1 Create a new table each day, and reconfigure the old table for infrequent use after the summation is complete. 2 Insert a calculated hash in front of the Date/Time value in the partition key to force DynamoDB to hop from partition to to partition.
You work for a large media organization who has traditionally stored all their media on large SAN arrays. After evaluating AWS, they have decided to move their storage to the cloud. Staff will store their personal data on S3, and will have to use their Active Directory credentials in order to authenticate. These items will be stored in a single S3 bucket, and each staff member will have their own folder within that bucket named after their employee ID. Which of the following steps should you take in order to help set this up? (Choose 3) 1 Create an IAM role. 2 Create an IAM user for each member of staff and use their existing active directory password for the account. 3 Create either a federation proxy or identity provider. 4 Use AWS security token service to create temporary tokens. 5 Tag each folder with the staff members ID.
1 Create an IAM role. 2 Create an IAM user for each member of staff and use their existing active directory password for the account. 4 Use AWS security token service to create temporary tokens. You can not tag s3
You are a solutions architect working for a cosmetics company. Your company has a busy Magento online store that consists of a two tier architecture. The webservers are behind an Auto Scaling Group and the database is on a Large MySQL instance. Your store is having a Black Friday sale at the end of the week, and having reviewed the performance for the last sale you expect the site to start running very slowly during the peak load. You investigate and you determine that the database was struggling to keep up with the number of reads that the store was generating. How can you successfully scale this environment out so as to increase the speed of the site? (Choose 2) 1 Place the RDS instances behind an ElastiCache instance. 2 Migrate the database to a MySQL Multi-AZ database. 3 Create a read replica of the MySQL database. 4 Migrate the database from MySQL to Aurora for better performance.
1 Place the RDS instances behind an ElastiCache instance. 4 Migrate the database from MySQL to Aurora for better performance. Adding a read replica on its own won't solve your problem, you would need to alter the code for Magento to use the read replica (which was not in the offered options). Multi-AZ is a reliability technique not a performance technique. The best answer available is to migrate the database to Aurora which has superior Read performance due to it's design. Implementing ElastiCache, is relatively easy and will also offload some of the Read traffic.
You've been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this? 1 RDS, DynamoDB, and ElastiCache 2 Cloudwatch, RDS, and DynamoDb 3 AWS Storage Gateway, ElastiCache, and ELB 4 ELB, ElastiCache, and RDS
1 RDS, DynamoDB, and ElastiCache An Elastic Load Balancer can help you deliver stateful services, but not stateless. Elastic Map Reduce is a data crunching services and is not related to servicing web traffic.
You work for a famous bakery who are deploying a hybrid cloud approach. Their legacy IBM AS400 servers will remain on premise within their own datacenter. However, they will need to be able to communicate to the AWS environment over a site-to-site VPN connection. What do you need to do to establish the VPN connection? 1 Set an ASN for the Virtual Private Gateway. 2 Assign a public IP address to your Amazon VPC Gateway. 3 Create a dedicated NAT and deploy this to the public subnet. 4 Connect to the environment using AWS Direct Connect. 5 Update your route table to add a route for the NAT to 0.0.0.0/0.
1 Set an ASN for the Virtual Private Gateway. Autonomous System Number (ASN) The termination IP address on the AWS side is not at the gateway. It is defined as part of the AWS VPN configuration process. Direct Connect could be a carrier, but is not a VPN its self.
You are running a media rich website with a global audience in US-EAST-1 for a customer in the publishing industry. The website updates every 20 minutes. The web-tier of the site sits on three EC2 instances inside an Auto Scaling Group. The Auto Scaling group is configured to scale when CPU utilization of the instances is greater than 70%. The Auto Scaling group sits behind an Elastic Load Balancer, and your static content lives in S3 and is distributed globally by CloudFront. Your RDS database is an db.r3.8xlarge instance. Cloudwatch metrics show that your RDS instance usually has around 2GB of memory free, and an average CPU utilization of 75%. Currently, it is taking your users in Japan and Australia approximately 3 - 5 seconds to load your website, and you have been asked to help reduce these load-times. How might you improve your page load times? (Choose 3) 1 Set up a clone of your production environment in the Asia Pacific region and configure latency based routing on Route53. 2 Change your Auto Scaling Group so that it will scale when CPU Utilization is only 50%, rather than 70%. 3 Use ElastiCache to cache the most commonly accessed DB queries. 4 Upgrade the RDS instance to a higher memory instance. 5 Setup CloudFront with dynamic content support to enable the caching of re-usable content from the media rich website.
1 Set up a clone of your production environment in the Asia Pacific region and configure latency based routing on Route53. 3 Use ElastiCache to cache the most commonly accessed DB queries. 5 Setup CloudFront with dynamic content support to enable the caching of re-usable content from the media rich website.
You have created a bespoke VPC that contains 2 web servers. These web servers must be publicly accessible by the internet and should also be highly resilient. Which of the following configurations should you consider? (Choose 2) 1 Setup an Elastic Load Balancer and place your 2 webservers behind this ELB in different Availability Zones. Configure a Route53 CNAME to use the public DNS address of the Elastic Load Balancer. 2 Assign each EC2 instance with an Elastic IP Address. Configure Route53 with both EIP's and setup health checks with DNS failover. 3 Setup an Elastic Load Balancer and place your 2 webservers behind this ELB in different Availability Zones. Configure a Route53 "A" record to point to the IP address of the Elastic Load Balancer. 4 Configure a NAT instance within your VPC. Create a route via the NAT and associate it with all private subnets within your VPC. Create a Route53 "A" record to point to the public IP address of the NAT.
1 Setup an Elastic Load Balancer and place your 2 webservers behind this ELB in different Availability Zones. Configure a Route53 CNAME to use the public DNS address of the Elastic Load Balancer. 2 Assign each EC2 instance with an Elastic IP Address. Configure Route53 with both EIP's and setup health checks with DNS failover. You have the option of either using an Elastic Load Balancer or multiple Elastic IP addresses and configuring DNS failover with health checks using route 53. You cannot configure a Route53 A record that points to an ELB and you can't use a NAT as a makeshift Load Balancer.
Which of the following strategies does AWS use to deliver the promised levels of DynamoDB performance? (Choose 2) 1 The Database is partitioned across a number of instances. 2 AWS deploy caching instances in front of the DynamoDB cluster. 2.1 Data is stored on Solid State Disks. 3 DynamoDB instances can be configured with EBS-Optimised connections. 4 AWS deploys Read Replicas of the database to balance the load.
1 The Database is partitioned across a number of instances. 2.1 Data is stored on Solid State Disks.
You are reviewing Change Control requests, and you note that there is a change designed to reduce costs by updating the "WaitTimeSeconds" attribute. What does this mean? 1 When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection. 2 When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period. 3 While processing a message, a consumer instance can amend the message visibility counter by a fixed amount. 4 When a consumer instance retrieves a message, that message will be hidden in the queue for a fixed period. 5 When the consumer instance polls for new work, the consumer instance will wait a certain time until it has a full workload before closing the connection. 6 While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter.
1 When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection.
A. Purchase Region scoped reserved instances B. Purchase AZ scoped reserved instances C. You should inform the CIO that the environment is efficient as is, there are no efficiencies to be made. D. Change the on-demand model to use Spot instances ... the cost savings are always substantial. 1....In event of an AZ failure the instances in the remaining AZ's have running priority it's best to 2....For maximum possible savings and doesn't care about capacity reservations
1. Purchase AZ scoped reserved instances - AZ scoped reservations reserve capacity in that AZ and reduce costs 2. Purchase Region Scoped - Standard RIs
3 things about Security groups for vpcs
1. Security Groups evaluate all rules before deciding whether to allow traffic. 2. Security Groups support "allow" rules only. 3. Security Groups operate at the instance level.
You are a solutions architect working for an oil and gas company. They are moving their production environment to AWS and need a custom VPC into which to put it. You have been asked to create a public subnet. You create the VPC with a subnet bearing the CIDR address range of 10.0.1.0/24. Which of the following steps should you take to make this subnet public? (Choose 2) 1 Create a route in the route table of the subnet allowing a route out of the Customer Gateway (CGW). 2 Attach an Internet Gateway (IGW) to the VPC. 3 In the AWS console, right click on the subnet and then select the Make Public option. 4 Attach a Customer Gateway (CGW). 5 Create a route in the route table of the subnet allowing a route out of the Internet Gateway (IGW).
2 Attach an Internet Gateway (IGW) to the VPC. 5 Create a route in the route table of the subnet allowing a route out of the Internet Gateway (IGW).
You work for a large software company in Seattle. They have their production environment provisioned on AWS inside a custom VPC. The VPC contains both a public and private subnet. The company tests their applications on custom EC2 instances inside a private subnet. Three are approximately 500 instances, and they communicate to the outside world via a proxy server. At 3am every night, the EC2 instances pull down OS updates, which are usually 150MB or so. They then apply these updates and reboot: if the software has not downloaded within half an hour, then the update will attempt to download the following day. You notice that a number of EC2 instances are continually failing to download the updates in the allotted time. Which of the following answers might explain this failure? (Choose 2) 1 Your proxy server is blacklisting the address in which the updates are being downloaded from, resulting in failed downloads. 2 The proxy server is in a private subnet and uses a NAT instance to connect to the internet. However, this instance is too small to handle the required network traffic. You should reprovision the NAT solution so that it's able to handle the throughput. 3 The proxy server is on an inadequately sized EC2 instance and does not have sufficient network throughput to handle all updates simultaneously. You should increase the instance size or type of the EC2 instance for the proxy server. 4 The proxy server has an inadequately sized EBS volume attached to it. The network buffer is stored on the EBS volume, and it is running out of disk space when trying to buffer the 500 simultaneous connections. You should provision an EBS volume with provisioned IOPS. 5 The proxy server has only one elastic IP address added to it. To increase network throughput, you should add additional elastic IP addresses.
2 The proxy server is in a private subnet and uses a NAT instance to connect to the internet. However, this instance is too small to handle the required network traffic. You should reprovision the NAT solution so that it's able to handle the throughput. 3 The proxy server is on an inadequately sized EC2 instance and does not have sufficient network throughput to handle all updates simultaneously. You should increase the instance size or type of the EC2 instance for the proxy server. Network throughput is the obvious bottleneck. You are not told in this question whether the proxy server is in a public or private subnet. If it is in a public subnet, the the proxy server instance size itself may not be large enough to cope with the current network throughput. If the proxy server is in a private subnet, then it must be using a NAT instance or NAT gateway to communicate out to the internet. If it is a NAT instance, this may also be inadequately provisioned in terms of size. You should therefore increase the size of the proxy server and or the NAT soluton.
You work for a genomics company that is developing a cure for motor neuron disease by using advanced gene therapies. As a part of their research, they take extremely large data sets (usually in the terabytes) and analyze these data sets using Elastic Map Reduce. In order to keep costs low, they run the analysis for only a few hours in the early hours of the morning, using spot instances for the task nodes. The core nodes are on-demand instances. Lately however the EMR jobs have been failing. This is due to spot instances being unexpectedly terminated. Which of the following remedies would both keep costs manageable and mitigate the issues caused by terminated spot instances? (Choose 2) 1 Increase the bid price for the core nodes. 2 Change the task nodes to on-demand instances. 3 Increase the bid price for the task nodes so that you have a greater threshold before the task nodes are terminated. 4 Change the core nodes to spot instances and lower the spot price.
2 Change the task nodes to on-demand instances. 3 Increase the bid price for the task nodes so that you have a greater threshold before the task nodes are terminated. A /28 subnet will only have 16 addresses available. AWS reserve both the first four and last IP addresses in each subnet's CIDR block. It is likely that your autoscaling group has provisioned too many EC2 instances and you have run out of internal private IP addresses. F
You working in the media industry, and you have created a web application where users will be able to upload photos they create to your website. This web application must be able to call the S3 API in order to be able to function. Where should you store your API credentials whilst maintaining the maximum level of security. 1 Save your API credentials in a public github repository. 2 Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it. 3 Save the API credentials locally to each EC2 instance. 4 Get the API credentials using the EC2 instances User Data.
2 Don't save your API credentials. Instead create a role in IAM and assign this role to an EC2 instance when you first create it.
Your company provides an online image recognition service and uses SQS to decouple system components. Your EC2 instances poll the image queue as often as possible to keep end-to-end throughput as high as possible, but you realize that all this polling is resulting in both a large number of CPU cycles and skyrocketing costs. How can you reduce cost without compromising service? 1 Enable short polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0. 2 Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0. 3 Enable long polling by setting the ReceiveMessageWaitTimeMinutes to a number > 0. 4 Enable short polling by setting the ReceiveMessageWaitTimeMinutes to a number > 0.
2 Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0.
A single m4.medium NAT instance inside a VPC supports a company of 100 people. This NAT instance allows individual EC2 instances in private subnets to communicate out to the internet without being directly accessible via the internet. As the company has grown over the last year, they are finding that the additional traffic through the NAT instance is causing serious performance degradation. What might you do to solve this problem? 1 Use an Elastic Load Balancer and forward traffic out through this ELB. The ELB will automatically scale on demand as traffic increases. 2 Increase the class size of the NAT instance from an m4.medium to an m4.xLarge. 3 Instead of using a NAT, use Direct Connect to route all traffic through your VPC and back out to the Internet. 4 Attach an additional IGW to your VPC.
2 Increase the class size of the NAT instance from an m4.medium to an m4.xLarge.
You work for a popular media outlet about to release a story that is expected to go viral. During load testing on the website, you discover that there is read contention on the database tier of your application. Your RDS instance consists of a MySQL database on an extra large instance. Which of the following approaches would be best to further scale this instance to meet the anticipated increase in traffic your viral story will generate? (Choose 3) 1 Shard the MySQL database into multiple copies. 2 Provision a larger instance size with provisioned IOPS. 3 Add an RDS Multi-AZ for increased read performance. 4 Add an RDS Read Replica for increased read performance. 5 Use ElastiCache to cache the frequently read, static data.
2 Provision a larger instance size with provisioned IOPS. 4 Add an RDS Read Replica for increased read performance. 5 Use ElastiCache to cache the frequently read, static data. You should consider scaling-up your instance size, using ElastiCache, and using RDS Read Replicas. RDS Multi-AZ is for disaster recovery only.
DynamoDB has many use cases. Which of the following are legitimate use cases for DynamoDB? (Choose 3) 1 Storing data that requires relational joins and highly complex updates 2 Storing JSON 3 Storing the metadata of BLOB data stored in S3 4 storing archive data that you do not need to access often 5 Storing web session data
2 Storing JSON 3 Storing the metadata of BLOB data stored in S3 5 Storing web session data
You are designing a new application that processes payments and delivers promotional emails to customers. You need to ensure that the payment process takes priority over the creation and delivery of emails. How might you use SQS to achieve this. 1 Use 1 SQS queue for the platform. Use the HighPriority API call to ensure that all payment SQS messages take priority over the promotional email messages. 2 Use 2 SQS queues for the platform. Have the EC2 fleet poll the payment SQS queue first. If this queue is empty, then poll the promotional emails queue. 3 Use 1 SQS queue for the platform. Use the SetPriority API call to ensure that all payment SQS messages take priority over the promotional email messages. 4 Use 2 SQS queues for the platform. Have the EC2 fleet poll the promotional emails SQS queue first. If this queue is empty, then poll the payment emails queue.
2 Use 2 SQS queues for the platform. Have the EC2 fleet poll the payment SQS queue first. If this queue is empty, then poll the promotional emails queue.
When you create a new user, that user ________. 1 Will be able to log in to the console anywhere in the world, using their access key ID and secret access key. 2 Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs. 3 Will be able to log in to the console only after multi-factor authentication is enabled on their account. 4 Will only be able to log in to the console in the region in which that user was created.
2 Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs.
You have a MySQL database running on an EC2 instance in a private subnet. You can connect via SSH, but you are unable to apply updates to the database server via the NAT instance. What might you do to remedy this problem? 1 Replace the NAT instance. 2 Ensure that "Source/Destination Checks" is disabled on the NAT instance. 3 Ensure that the Security Group allows HTTP traffic. 4 Modify the Security Group to allow SSH traffic from anywhere.
2 With NAT instances, the most common oversight is forgetting to disable Source/Destination Checks.
You work in the genomics industry, and you process large amounts of genomic data using a nightly Elastic Map Reduce (EMR) job. This job processes a single 3 Tb file which is stored on S3. The EMR job runs on 3 on-demand core nodes and four on-demand task nodes. The EMR job is now taking longer than anticipated, and you have been asked to advise how to reduce the completion time. Which of the following would you suggest? 1 Use four Spot Instances for the task nodes rather than four On-Demand instances. 2 You should reduce the input split size in the MapReduce job configuration, then adjust the number of simultaneous mapper tasks so that more tasks can be processed at once. 3 Store the file on Elastic File Service instead of S3, then mount EFS as an independent volume for your core nodes. 4 Configure an independent VPC in which to run the EMR jobs, then mount EFS as an independent volume for your core nodes.
2 You should reduce the input split size in the MapReduce job configuration, then adjust the number of simultaneous mapper tasks so that more tasks can be processed at once.
With SAML-enabled single sign-on, ________. (Choose 2) 1 The client browser is immediately directed to the AWS Console. 2 The portal first verifies the user's identity in your organization, then generates a SAML authentication response. 3 After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect, and the client browser is redirected to the Console. 4 The portal acknowledges a SAML authentication response, then verifies the user's identity in your organization.
2 and 3 The portal first verifies the user's identity in your organization, then generates a SAML authentication response. After the client browser posts the SAML assertion, AWS sends the sign-in URL as a redirect, and the client browser is redirected to the Console.
You work for a busy real estate company, and you need protect your data stored on S3 from accidental deletion. Which of the following actions might you take to achieve this. (Choose 2) 1 Use signed URL's so that users will not be able to accidentally delete data. 2 Enable versioning on the bucket. If a file is accidentally deleted, delete the delete marker. 3 Create a bucket policy that prohibits anyone from deleting things from the bucket. 4 Enable protected access using Multi-Factor Authentication (MFA). 5 Enable S3 - Infrequent Access Storage (S3 - IA).
2 versioning and 4 MFA
You are reviewing Change Control requests and you note that there is a proposed change designed to reduce errors due to S3 Eventual Consistency by updating the "DelaySeconds" attribute. What does this mean? 1 While processing a message, a consumer instance can reset the message visibility by restarting the preset timeout counter. 2 When the consumer instance polls for new work, the consumer instance will wait a certain time until it has a full workload before closing the connection. 3 When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period. 4 While processing a message, a consumer instance can amend the message visibility counter by a fixed amount. 5 When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for a message to be available before closing the connection. 6 When a consumer instance retrieves a message, that message will be hidden in the queue for a fixed period.
3 When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period.
You are hosting a MySQL database on the root volume of an EC2 instance. The database is using a large number of IOPS, and you need to increase the number of IOPS available to it. What should you do? 1 Migrate the database to Glacier. 2 Use Cloud Front to cache the database. 3 Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes. 4 Migrate the database to an S3 bucket.
3 Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes.
Following advice from your consultant, you have configured your VPC to use Dedicated hosting tenancy. A subsequent change to your application has rendered the performance gains from dedicated tenancy superfluous, and you would now like to recoup some of these greater costs. How do you revert to Default hosting tenancy? 1 Stop each instance and change the hosting attribute and restart. 2 Change the hosting attribute and then restart the instance. 3 Create AMIs of all your instances. Create a new VPC with Default as the hosting tenancy attribute, and use them to create new instances using Default tenancy. 4 Create AMIs of all your instances and use them to create new instances using Default hosting.
3 Create AMIs of all your instances. Create a new VPC with Default as the hosting tenancy attribute, and use them to create new instances using Default tenancy. Once a VPC is set to Dedicated hosting, it is not possible to change the VPC or the instances to Default hosting. You must re-create the VPC.
Your company has decided to set up a new AWS account for test and dev purposes. They already use AWS for production, but would like a new account dedicated for test and dev so as to not accidentally break the production environment. You launch an exact replica of your production environment using a CloudFormation template that your company uses in production. However, CloudFormation fails. You use the exact same CloudFormation template in production, so the failure is something to do with your new AWS account. The CloudFormation template is trying to launch 60 new EC2 instances in a single availability zone. After some research you discover that the problem is ________. 1 For all new AWS accounts, there is a soft limit of 20 EC2 instances per availability zone. You should submit the limit increase form and retry the template after your limit has been increased. 2 Your CloudFormation template is configured to use the parent account and not the new account. Change the account number in the CloudFormation template and relaunch the template. 3 For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased. 4 You cannot launch more than 20 instances in your default VPC. Instead, reconfigure the CloudFormation template to provision the instances in a custom VPC.
3 For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased. 20 PER REGION
By definition, a public subnet within a VPC is one that ________. 1 Has had the public subnet check box ticked when setting up this subnet in the VPC console. 2 Has at least one route in it's routing table that routes via a Network Address Translation (NAT) instance. 3 Has at least one route in its routing table that uses an Internet Gateway (IGW). 4 Where the the Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0.
3 Has at least one route in its routing table that uses an Internet Gateway (IGW).
The Customer Experience manager comes to see you about some odd behaviours with the ticketing system: messages presented to the support team are not arriving in the order in which they were generated. You know that this is due to the way that the underlying SQS standard queue service is being used to manage messages. Which of the following are correct explanations? (Choose 2) 1 SQS has been setup to prioritize messages in the queue based on keywords. 2 As the SQS service gets busy, some of the hosts will automatically swap from FIFO to LIFO to provide a better work load balance and clearance rate. 3 If an agent abandons a message or takes a break before finishing with a message, it will be offered in the queue again. In order to ensure that no message is lost, a message will persist in the SQS queue until it is processed successfully. 4 The support staff are probably using the provided admin tools to amend the priority in the SQS queue based on their experience and insights about the issues. 5 SQS uses multiple hosts, and each host holds only a portion of all the messages. When a staff member calls for their next message, the consumer process does not see all the hosts or all the messages. As such, messages are not necessarily delivered in the order in which they were generated.
3 If an agent abandons a message or takes a break before finishing with a message, it will be offered in the queue again. In order to ensure that no message is lost, a message will persist in the SQS queue until it is processed successfully. 5 SQS uses multiple hosts, and each host holds only a portion of all the messages. When a staff member calls for their next message, the consumer process does not see all the hosts or all the messages. As such, messages are not necessarily delivered in the order in which they were generated.
A client is concerned that someone other than approved administrators is trying to gain access to the linux web app instances in their VPC. She asks what sort of network access logging can be added. Which of the following might you recommend? (Choose 2) 1 Set up a traffic logging rule on the VPC firewall appliance and direct the log to CloudWatch or S3. 2 Set up a Flow Log for the group of instances and forward them to S3. 3 Make use of an OS level logging tools such as iptables and log events to CloudWatch or S3. 4 Set up a Flow Log for the group of instances and forward them to CloudWatch. 5 Use Event Log filters to trigger alerts that are forwarded to CloudWatch.
3 Make use of an OS level logging tools such as iptables and log events to CloudWatch or S3. 4 Set up a Flow Log for the group of instances and forward them to CloudWatch. Security and Auditing in AWS needs to be considered during the Design phase.
You work for a toy company that has a busy online store. As you are approaching Christmas, you find that your store is getting more and more traffic. You ensure that the web tier of your store is behind an Auto Scaling group. However, you notice that the web tier is frequently scaling, sometimes multiple times in an hour, only to scale back after peak usage. You need to keep Auto Scaling from scaling up and down so rapidly. Which of the following options would help you to achieve this? 1 Change your Auto Scaling policy so that it only scales at scheduled times. 2 Configure Auto Scaling to terminate your newest instances first, then adjust your CloudWatch alarm. 3 Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy. 4 Configure Auto Scaling to terminate your oldest instances first, then adjust your CloudWatch alarm.
3 Modify the Auto Scaling group cool-down timers & modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down policy.
You have been engaged by a company to design and lead a migration to an AWS environment. The team is concerned about the capabilities of the new environment, especially when it comes to avoiding bottlenecks. The design calls for about 20 instances (C3.2xLarge) pulling jobs/messages from SQS. Network traffic per instance is estimated to be around 500 Mbps at the beginning and end of each job. Which network configuration should you plan on deploying? 0 Activate EBS-Optimization on the instance to maximize network throughput. 1 Deploy as a Placement Group as the aggregated burst traffic could be around 10 Gbps. 2 Choose a different instance type that better matched the traffic demand. 3 Spread the Instances over multiple AZs to minimize the traffic concentration and maximize the fault tolerance. 4 Use a 2nd Network Interface to separate the SQS traffic for the storage traffic.
3 Spread the Instances over multiple AZs to minimize the traffic concentration and maximize the fault tolerance. When considering network traffic, you need to understand the difference between storage traffic and general network traffic, and the ways to address each. The 10Gbps is a red-herring, in that the 500Mbps only occurs for short intervals, and therefore your sustained throughput is not 10Gpbs. Wherever possible, use simple solutions such as spreading the load out rather than expensive high tech solutions
You manage a Ruby on Rails application that lives on a cluster of EC2 instances. Your website occasionally experiences brief, strong, and entirely unpredictable spikes in traffic that overwhelm your EC2 instances' resources and freeze the application. As a result, you're losing recently submitted requests from end users. You use Auto Scaling to deploy additional resources to handle the load during spikes, but the new instances don't spin-up fast enough to prevent the existing application servers from freezing. Which of the following will provide the most cost-effective solution in preventing the loss of recently submitted requests? 1 Ask AWS support to pre-warm the Elastic Load Balancer. 2 Keep a large EC2 instance on standby. 3 Use Amazon SQS to decouple the application components and keep the requests in queue until the extra Auto-Scaling instances are available. 4 Increase the size of your existing EC2 instances.
3 Use Amazon SQS to decouple the application components and keep the requests in queue until the extra Auto-Scaling instances are available.
You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator, and she will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are, and you have provided the new user with their secret access key and their access key id. However, when she tries to log in to the AWS console, she cannot. Why might that be? 1 You have not applied the "log in from console" policy document to the user. You must apply this first so that they can log in. 2 Your user is trying to log in from the AWS console from outside the corporate network. This is not possible. 3 You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization's unique AWS console login URL. 4 You have not yet activated multi-factor authentication for the user, so by default they will not be able to log in.
3 You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization's unique AWS console login URL.
You work for a construction company that has their production environment in AWS. The production environment consists of 3 identical web servers that are launched from a standard Amazon linux AMI using Auto Scaling. The web servers are launched in to the same public subnet and belong to the same security group. They also sit behind the same ELB. You decide to do some testing: you launch a 4th EC2 instance into the same subnet and same security group. Annoyingly, your 4th instance does not appear to have internet connectivity. What could be the cause of this? 1 You have not configured a routable IP address in the host OS of the fourth instance. 2 You have not configured a NAT in the public subnet. 3 You have not assigned an elastic IP address to this instance. 4 You need to update your route table so as to provide a route out for this instance.
3 You have not assigned an elastic IP address to this instance.
Under what circumstances would I choose provisioned IOPS over standard storage when creating an RDS instance? 1 If you have worklods that are not sensitive to latency/lag. 2 If your business was trying to save money. 3 If this was a test DB. 4 If you use online transaction processing in your production environment.
4
Your client has been experiencing problems with his aging in-house infrastructure, and is extremely concerned about managing the cost of maintaining his online presence. After deciding that the cost of developing a sound DR plan more than makes up for the negative impact of being off-line, the board has directed you to prepare a proposal that achieves an RTO of 20 hours, an RPO of 1 hour, and keeps the costs of meeting those target time-windows to a minimum. They have also mandated the use of the AWS Storage Gateway to mitigate the risk associated with a catastrophic NAS failure. Which of the following solutions best meet the requirements? 1 Provide their engineering staff with an AWS account. Create a small, under-sized DR DB instance and use application synchronization to keep the DR instance synchronized within 30 seconds of the production instance. Build one of each web/app server and keep these patched and on-line. Provide the Ops team with written instructions explaining how to upgrade the DB host to a full sized instance within 20 minutes. 2 Provide their engineering staff with an AWS account and create IAM Users, Groups, & Roles. Use CloudFormation/CloudFormer to clone the existing on-premises environment and store the build scripts in GitHub. Migrate the in-house DNS to Route53 to simplify cut-over. Set up the Storage Gateway and the Snapshot schedule to meet the RPO. Provide the engineering team with a CLI script to kick-start the CloudFormation build and restoration of the StorageGateway snapshots. 3 Provide their engineering staff with an AWS account, and ask them to rebuild all the servers in AWS to form a fully functional Hot Standby environment. Use Storage Gateway to copy the data on the NAS to S3 so that it can be accessed by the database servers. 4 Work with the customer's engineers to identify the key servers and data. Help them setup an AWS account with IAM users, groups, and roles. Build templates of the critical web/app servers and save these as AMIs. Agree upon RDS specifications that meet the stated requirements. Set up the Storage Gateway and the Snapshot schedule to meet the RPO. Document, script, or automate the steps to initiate the RDS instance, the EC2 instances, the steps to restore the latest data from the Storage Gateway snapshots into RDS, plus any DNS changes. Test the process with each of the Operations team shifts.
4 ... There are three key aspects: RTO, RPO, and cost. All three must be balanced and meet objectives for the design to be considered acceptable.
A user of your web-site makes an HTTP request to access a static resource on your server. The request is automatically redirected to the nearest CloudFront server. For some reason, the requested resource does not exist on the CloudFront server. Which of the following is true? 1 The request will be put on hold until the resource has been cached at the edge location 2 The request will be sent to the nearest available edge location that contains that resource 3 Your user will receive a 404 error. 4 Cloudfront will query the origin server and then cache the resource on the edge location.
4 Cloudfront will query the origin server and then cache the resource on the edge location.
You have just created a 2nd VPC and launched an EC2 instance in a subnet of that VPC. You want this instance to be publicly available, but you forgot to assign a public IP address during creation. How might you make your instance reachable from the outside world? 1 Create an Internet Gateway and associate it with the private IP address of your instance with it. 2 Create an Elastic IP address for your instance. 3 Go back and create a Public IP address. Associate it with your Internet Gateway. 4 Create an Internet gateway and an Elastic IP address. Associate the Elastic IP with the EC2 instance.
4 Create an Internet gateway and an Elastic IP address. Associate the Elastic IP with the EC2 instance.
You have launched a NAT instance in to a public subnet, and you have configured all relevant security groups, network ACLs, and routing policies to allow this NAT to function. However, EC2 instances in the private subnet still cannot communicate out to the internet. What troubleshooting steps should you take to resolve this issue? 1 Configure all traffic to go out via the Elastic Load Balancer. 2 Update Route53 to allow traffic to flow out from your VPC. 3 Enable Source/Destination Check on the NAT instance. 4 Disable the Source/Destination Check on your NAT instance.
4 Disable the Source/Destination Check on your NAT instance.
Your company likes the idea of storing files on AWS. However, low-latency service of the last few days of files is important to customer service. Which Storage Gateway configuration would you use to achieve both of these ends? 1 Gateway-Stored 2 Gateway-Snapshot 3 Gateway-VTL 4 Gateway-Cached
4 Gateway-Cached volumes retain a copy of frequently accessed data subsets locally. Cached volumes offer a substantial cost savings on primary storage and minimize the need to scale your storage on-premises.
What happens to the I/O operations of a single-AZ RDS instance during a database snapshot or backup? 1 Nothing. 2 I/O operations will function normally. 3 I/O operations to the database are sent to a Secondary instance of a Multi-AZ installation (for the duration of the snapshot.) 4 I/O may be briefly suspended while the backup process initializes (typically under a few seconds), and you may experience a brief period of elevated latency.
4 I/O may be briefly suspended while the backup process initializes (typically under a few seconds), and you may experience a brief period of elevated latency.
How is the Public IP address managed in an instance session via the instance GUI/RDP or Terminal/SSH session? 1 The Public IP address can be managed via the instance MetaData at http://169.254.169.254/latest/meta-data/local-ipv4. 2 The Public IP address can be managed via the instance MetaData at http://169.254.169.254/latest/meta-data/public-ipv4. 3 For security reasons, the Public IP address is a hidden value. 4 The Public IP address is not managed on the instance: It is, instead, an alias applied as a network address translation of the Private IP address.
4 The Public IP address is not managed on the instance: It is, instead, an alias applied as a network address translation of the Private IP address.
You have been monitoring a sensitive autoscaling group, and you expect it to scale-in as you enter a period of holiday downtime. The auto scaling group is distributed over three AZs ( AZ - A & -B have two instances each, and AZ -C has three instances). All instances have different CPU and Memory utilization, and all instances have been running for a different number of days. All instances come from different versions of a root AMI, and all instances have different numbers of sessions connected. Which instance will be the 1st to shut down? 1 The instance in AZ -C that has been running the longest will terminate first. 2 The instance in AZ -C that has the least number of sessions will terminate first. 3 The Instance with the fewest current sessions will terminate first. 4 The instance in AZ -C that has the oldest launch configuration will terminate first. 5 The instance that has been running longest will terminate first.
4 The instance in AZ -C that has the oldest launch configuration will terminate first. ... OLDEST LAUNCH
You receive a ProvisionedThroughputExceededException error. However, the DynamoDB metrics show that your table or Index has not been operating at maximum provisioned throughput. What could the error be caused by. 1 It is a transitory error. AWS will adjust the table to accommodate it and reprocess the transaction. 2 It is only a warning. DynamoDB's Burst Capacity will handle the extra traffic. 3 The error is caused by excess traffic generated by your Local Secondary Indexes. You should provision Units specifically to the Local Secondary Indexes. 4 The throughut is not balanced across your partitions. One partition is being subjected to a disproportionate amount of the traffic and, therefore, exceeding limits.
4 The throughut is not balanced across your partitions. One partition is being subjected to a disproportionate amount of the traffic and, therefore, exceeding limits. The consumption of provisioned throughput units, and I/O bottlenecks are not a simple average over the table. Consumption is measured in terms of load on each individual partition, as well as load on each Local & Global Secondary Index.
Although your application customarily runs at 30% usage, you have identified a recurring usage spike (>90%) between 8pm and midnight daily. What is the most cost effective way to scale your application to meet this increased need? 3 Manually deploy Reactive Event-based Scaling each night at 7:45. 4 Use Proactive Cyclic Scaling to boost your capacity at a fixed interval.
4 Use Proactive Cyclic Scaling to boost your capacity at a fixed interval.
Which of the following URL formats does S3 support in pointing to bucket "mynewbucket"? (Choose 2) 1 http://s3.aws-region.amazonaws.com/mynewbucket 2 http://mynewbucket.s3.aws-region.amazonaws.com 3 http://mynewbucket.s3-aws-region.aws.com 4 http://s3-aws-region.aws.com/mynewbucket 5 http://mynewbucket.s3-aws-region.amazonaws.com 6 http://s3-aws-region.amazonaws.com/mynewbucket 7 http://mynewbucket.s3-aws-region.amazon.com 8 http://s3-aws-region.amazon.com/mynewbucket
4 http://s3-aws-region.aws.com/mynewbucket 5 http://mynewbucket.s3-aws-region.amazonaws.com
Your company has just purchased another company. As part of the merger, your team has been instructed to cross connect the corporate networks. You run all your confidential corporate services and Internal DNS in a VPC. The merged company has all their confidential corporate services and Internal DNS on-premises. After establishing a Direct-Connect service between your VPC and their on-premise network, and confirming all the routing, firewalls, and authentication, you find that while you can resolve names against their DNS, the other company services is unable to resolve names against your DNS servers. Why might this be? 1 AWS Route53 is an Internet service, and the other company needs to do lookups and zone transfers via the Internet, not the Direct-Connect link 2The computers are not configured properly. You need to add the IP address of the AWS DNS servers into the DNS options of the IP stack. 3 You cannot use DNS in this way. You need to merge the zones under a parent zone registered with ICANN. 4 Route53 is not an industry standard DNS service, and zone transfers and name resolution must be done via a proprietary API. 5 By design, AWS DNS does not respond to requests originating from outside the VPC.
5 By design, AWS DNS does not respond to requests originating from outside the VPC. Route53 has a security feature that prevents internal DNS from being read by external sources. The work around is to create a EC2 hosted DNS instance that does zone transfers from the internal DNS, and allows itself to be queried by external servers.
You've been asked by your businesses risk team to add additional resiliency to a critical business application. The application uses RDS and the MySQL engine and is based in us-east-1. The risk team would like to protect the application against an AZ failure AND region issues - in a way which is as cost effective as possible. What two options could you suggest. (choose 2) A Enable Multi-AZ mode in 2 AZ's to protect against an AZ failure within the us-east-1 region B Enable Multi-AZ mode - but select the 'cross region' option to allow synchronous replication to another global region. C Enable Multi-AZ mode in 3 AZ's to protect against an AZ failure within the us-east-1 region D Add 1 or more read-replicas in us-east-1 E Add 1 or more read-replicas in other regions
A Enable Multi-AZ mode in 2 AZ's to protect against an AZ failure within the us-east-1 region E Add 1 or more read-replicas in other regions Multi AZ adds synchronous replication within 2 AZ's in a single region and is effective at protecting against local failure with minimal loss of transactions. Max 2 This adds another layer of protection by Asynchronously replicating data to another region. This can be used for higher performance reads in that region - or - it's primary purpose in this scenario of allowing recovery if us-east-1 fails.
You have two large EC2 instances running in the same VPC and are concerned that you are not achieving the maximum network throughput between the instances as the instance is capable of. What two factors could explain the lower then expected performance. A The instances are not capable or enabled for enhanced networking B There is a network interface throttle value set on one or both of the instances C The instances are not within a placement group D Instances can only achieve max performance when running in dedicated tenancy mode
A The instances are not capable or enabled for enhanced networking C The instances are not within a placement group
Your business stores high resolution media imaging in one of its S3 buckets accessible internally to it's applications. The number of objects increase daily, and approximately 100,000 objects are added daily. After discussing the situation with your medical consultants you have learned a few things. Firstly, images are used extensively for 7 days, after that there maybe be some images accessed extensively for up to 60 days after arrival. Beyond that point, images are rarely accessed, only for scheduled consultations. How could you best design a solution to these mounting costs - at the lowest cost. A Transition images from Standard to Standard_IA after 30 days. After a further 30 transition from Standard_IA to Glacier. Glacier objects are accessed from the S3 console. B Implement an S3 lifecycle policy to move images between storage classes, Standard, Standard_IA and glacier. Train staff to access images via the glacier console once archived. C Transition Images from S3 Standard to Glacier after 7 days. D Hire a small team of admin staff to move images to archival storage when they are no longer used.
A Transition images from Standard to Standard_IA after 30 days. After a further 30 transition from Standard_IA to Glacier. Glacier objects are accessed from the S3 console. this solution design will provide the best value to the business while matching the requirements. Objects transitioned to glacier from S3 classes are accessed via the S3 console.
Power User Access allows ________. 1 Access to all AWS services except the management of groups and users within IAM. 2 Users to inspect the source code of the AWS platform 3 Full Access to all AWS services and resources. 4Read Only access to all AWS services and resources.
Access to all AWS services except the management of groups and users within IAM.
You've been asked to upgrade an old AWS environment which is suffering from slow internet throughout. Which option below represents a potential solution (choose one) A Change the Nat instance from a T2 large instance to a T2 medium instance B Add a virtual private gateway to the VPC C Replace the NAT instance in the VPC with a Nat Gateway D Enable enhanced networking on the Nat instance E Add another internet gateway to the VPC for a total of two - providing 2x internet throughput.
C Replace the NAT instance in the VPC with a Nat Gateway
You have been asked to advise a junior colleague how to explicitly DENY traffic from an EC2 instance to a specific remote internet FQDN - what advice would you give. A. Use a security group attached to the instance and explicitly DENY traffic to the FQDN B. Use a security group attached to the VPC and explicitly DENY traffic to the FQDN C. Implement a proxy service in the VPC, adjust route tables and use the proxy server to DENY access to the remote hostname. D. Use a NACL on the subnet the EC2 instance is on - DENY traffic from the EC2 instance to the FQDN.
C. Implement a proxy service in the VPC, adjust route tables and use the proxy server to DENY access to the remote hostname. Why is this correct? This is the only valid option - AWS has no products capable of handling this type of deny to a FQDN Security groups cannot deny traffic explicitly.
You have been engaged as a consultant by a company that generates utility bills and publishes them online. PDF images are generated, then stored on a high-performance RDS instance. Customarily, invoices are viewed by customers once per month. Recently, the number of customers has increased threefold, and the wait-time necessary to view invoices has increased unacceptably. The CTO is unwilling to alter the codebase more than necessary this quarter, but needs to return performance to an acceptable level before the end-of-the-month print run. Which of the following solutions would you feel comfortable proposing to the CTO and GM? (Choose 2) 0 Move the images to S3 to reduce DataBase IO. 1 Move the metadata to a DynamoDB solution, permitting real-time scaling of Read IOPS to match demand. 2 Create RDS Read-Replicas and additional Web/App instances across all the available AZs. 3 Use CloudFront to accelerate presentation of the PDF images. 4 Evaluate the risks and benefits associated with an RDS instance upgrade. 5 Install an ElastiCache cluster in front of the RDS installation.
Caching content is not always effective. Sometimes, optimal solutions cannot be achieved; so you need to figure out the next best way to keep the show going. 2 Create RDS Read-Replicas and additional Web/App instances across all the available AZs. 4 Evaluate the risks and benefits associated with an RDS instance upgrade.
In order to enable encryption at rest using EC2 and Elastic Block Store, you must ________.
Configure encryption when creating the EBS volume
Amazon SWF is designed to help users ________. Manage user identification and authorization Coordinate synchronous and asynchronous tasks Secure their VPCs Store file based objects
Coordinate synchronous and asynchronous tasks
Your Security Manager has hired a security contractor to audit your firewall implementation. When the consultant asks for the login details for the firewall appliance, which of the following might you do? Create an IAM ...(ROLE OR USER) with a policy that can (Choose 2) - Read Security Group - Route settings - nACL settings ... Explain that AWS implements network security differently and that there is no such thing as a Firewall appliance. OR Explain that AWS is a cloud service and that AWS manages the Network appliances.
Create an IAM User with a policy that can Read Security Group and nACL settings. Explain that AWS implements network security differently and that there is no such thing as a Firewall appliance. You might then suggest that the consultant take the 'A Cloud Guru' AWS CSA-A course in preparation for the audit. AWS has removed the Firewall appliance from the hub of the network and implemented the firewall functionality as stateful Security Groups, and stateless subnet NACLs. This is not a new concept in networking, but rarely implemented at this scale
One of the projects you have designed and implemented has a new requirement. The product uses an Amazon RDS database, and is located within a VPC isolated from your corporate network. The RDS instance is not itself accessible publicly, but certain subnets of the VPC are. You need to allow members of your business IT team to be able to perform operations on the RDS instance - but not everyone in the business. How could you accomplish this with the least cost possible. A Provision an AWS Direct Connect link between the corporate network and AWS. Use your internal active directory credentials to login to RDS using federation. B Make the RDS instance public and allow federated signon using your business credentials C Using a VPC Virtual private gateway, create a 1:1 VPN between the RDS instance and individual user workstations for the staff members who need to access it. D Create an EC2 instance in the public subnet. Configure federation on this instance so certain corporate users can login with their AD credentials. Install RDS DB management tools on this bastion host.
D Create an EC2 instance in the public subnet. Configure federation on this instance so certain corporate users can login with their AD credentials. Install RDS DB management tools on this bastion host.
The customer has requested that all instances deployed in the public subnet of the VPC be accessible from the internet. What must be configured to ensure that this requirement is met? A. Network Access Control Lists B. Nothing, public subnets are always accessible from the internet C. Customer Gateway D. Route Table
D. Route Table Why is this correct? A Route Table with a route to the internet must be associated with the subnet before instances will be accessible from the internet. The default Network Access Control List will allow all traffic in and out of the subnet, so this is not a requirement.
Which of the following operating systems are supported by the ECS Agent software? (Choose 5) Debian MacOS Windows Ubuntu OS/2 RedHat CentOS Amazon Linux
Debian x MacOS x Windows Ubuntu x OS/2 RedHat CentOS Amazon Linux
When making use of ec2 instances on Dedicated Hosting, which of the following modes are you able to transition between by stopping the instance and starting it again?
Dedicated and host The tenancy of an instance can only be change between variants of 'dedicated' tenancy hosting. It cannot be changed from or to default tenancy hosting. Further information:
What can help boost performance of an HPC application that relies heavily on inter-node communication. (Choose 2) A. Enable VPC Peering B. Add a secondary ENI to each instance to increase network capacity C. Make sure all instances are using Enhanced Networking D. Enable T2 Unlimited E. Put all instances in a Cluster Placement Group
E. Put all instances in a Cluster Placement Group C. Make sure all instances are using Enhanced Networking
If I wanted to run a database on an EC2 instance, which of the following storage options would Amazon recommend? EBS S3 Glacier RDS
EBS
You have a database-style application that frequently has multiple reads and writes across the data set. Which of the following AWS storage services are capable of hosting this application? (Choose 2) S3 Glacier EBS Elastic File Service (EFS)
EBS Elastic File Service (EFS) -S3 is for object not applications silly!!!
You are consulting for a finance company that has specific backup and archiving policies. Financial documents for the past six months may need to be accessed frequently. You need to configure a setup that allows for all documents that are 6 months or older to be sent automatically for archiving in a lower-cost but highly durable archive environment. Given that the company is using a Storage Gateway in File Gateway configuration, which of the following would be the best setup to reach the objectives? A Enable an S3 lifecycle policy to integrate into Amazon EBS for a good backup solution B Enable an S3 lifecycle policy to immediately send all objects added to the bucket to Glacier C Enable S3 versioning with a lifecycle policy that sends objects older than 6 months to Amazon Glacier D Enable versioning on the S3 connected bucket to the Gateway Storage configuration
Enable S3 versioning with a lifecycle policy that sends objects older than 6 months to Amazon Glacier
You have created a new AWS account for your company, and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account. Restrict login to the corporate network only. Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols. Give all users the same password so that if they forget their password they can just ask their co-workers. Require users to only be able to log in using biometric authentication.
Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.
If you want your application to check RDS for an error, have it look for an ______ node in the response from the Amazon RDS API. Incorrect Abort Exit Error
Error
As the AWS platform is PCI DSS Level 1 Certified, I can immediately deploy a website to it that can take and store credit card details without getting a delta accreditation from a QSA.
False
You can RDP or SSH in to an RDS instance to see what is going on with the operating system.
False
When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.
False - You may peer a VPC to another VPC that's in your same account, or to any VPC in any other account.
You have inherited a VPC which has a CIDR of 10.0.0.0/16. You need to design a subnet layout which allows for four availability zones to be used. Which option below is valid for this criterial. Pick the one which uses the least number of subnets to decrease management over head. A Four subnets 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 - each one, within one availability zone B Four subnets all using the 10.0.0.0/16 range - one subnet per AZ C A single subnet 10.0.0.0/16 which spans all 4 AZ's D Two subnets 10.0.0.0/24 and 10.0.1.0/24 - each subnet set in a HA configuration, each set to use two of the four AZ's
Four subnets 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24 - each one, within one availability zone
Your company likes the idea of storing files on AWS. However, low-latency service of the majority of files is important to customer service. Which Storage Gateway configuration would you use to achieve both of these ends? Gateway-Cached Gateway-Snapshot Gateway-VTL Gateway-Stored
Gateway-Stored volumes store your primary data locally, while asynchronously backing up that data to aws
You work for a health insurance company that amasses a large number of patients' health records. Each record will be used once when assessing a customer, and will then need to be securely stored for a period of 7 years. In some rare cases, you may need to retrieve this data within 24 hours of a claim being lodged. Given these requirements, which type of AWS storage would deliver the least expensive solution? S3 - RRS, Glacier, S3, S3 - IA
Glacier
If data is traveling from a customer, over the open internet, to a website you are hosting on an EC2 instance in an AWS VPC, what is the order of components that data will travel through? Rearrage Security Group -> IGW -> Route Table -> NACL -> EC2 Instance
IGW -> Route Table -> NACL -> Security Group -> EC2 Instance Why is this correct? As traffic comes into the VPC from the open internet, it first must be passed through an IGW. A route table will then direct traffic to the subnet that the instance is located in. However, before the traffic can enter the subnet, it must pass through the NACL protecting the subnet. Once inside the subnet, the date must pass through another security layer (the Security Group) before finally reaching the EC2 instance. -
What is an additional way to secure the AWS accounts of both the root account and new users alike? Configure the AWS Console so that you can only log in to it from your internal network IP address range. Store the access key id and secret access key of all users in a publicly accessible plain text document on S3 of which only you and members of your organization know the address to. Configure the AWS Console so that you can only log in to it from a specific IP Address range Implement Multi-Factor Authentication for all accounts.
Implement Multi-Factor Authentication for all accounts.
What is AWS Storage Gateway? None of the above. It allows large scale import/exports in to the AWS cloud without the use of an internet connection. It allows a direct MPLS connection in to AWS. It's an on-premise virtual appliance that can be used to cache S3 locally at a customers site.
It's an on-premise virtual appliance that can be used to cache S3 locally at a customers site.
When copying an AMI, which of the following types of information must be manually copied to the new instance? (Choose 3) Launch permissions User-defined tags S3 bucket permissions User data
Launch permissions, S3 bucket permissions, and user-defined tags must be copied manually to an instance based on an AMI. User data is part of the AMI, itself, and does not need to be copied manually.
You are a systems administrator and you need to monitor the health of your production environment. You decide to do this using Cloud Watch. However, you notice that you cannot see the health of every important metric in the default dashboard. When monitoring the health of your EC2 instances, for which of the following metrics do you need to design a custom CloudWatch metric? CPU Usage Memory usage Network in Disk read operations
Memory usage .... * not sure about this answer...
At which of the following levels can VPC Flow Logs be created? (Choose 3) Network Interface Level VPC Level Network Access Control List Level Subnet Level Security Group Level Instance Level
Network Interface Level VPC Level Subnet Level
Can I delete a snapshot of an EBS Volume that is used as the root device of a registered AMI?
No
Can you attach an EBS volume to more than one EC2 instance at the same time?
No - 1 EBS for 1 EC2
When you have deployed an RDS database into multiple availability zones, can you use the secondary database as an independent read node?
No - The secondary database is to be thought of as a DR site, it will be active only when the primary fails
What is the default level of access a newly created IAM User is granted?
No access to any AWS services.
If an Amazon EBS volume is an additional partition (not the root volume), can I detach it without stopping the instance?
No, you will need to stop the instance.
SQS and SNS... pull or push
PULL = SQS PUSH = SNS
You run a popular photo sharing website that depends on S3 to store content. Paid advertising is your primary source of revenue. However, you have discovered that other websites are linking directly to the images in your buckets, not to the HTML pages that serve the content. This means that people are not seeing the paid advertising, and you are paying AWS unnecessarily to serve content directly from S3. How might you resolve this issue?
Remove the ability for images to be served publicly to the site and then use signed URLs with expiry dates.
You have been asked by your employer to create an identical copy of your production environment in another region for disaster recovery purposes. In the list below, which AWS resources would you NOT need to recreate, because they are available universally across the console? (Choose 2) EC2 Key Pairs Elastic Load Balancers Route53 Identity Access Management Roles Security Groups
Route53. IAM Roles EC2 Key Pairs, Security Groups, and ELBs are region-specific.
You work for a busy digital marketing company who currently store their data on premise. They are looking to migrate to AWS S3 and to store their data in buckets. Each bucket will be named after their individual customers, followed by a random series of letters and numbers. Once written to S3 the data is rarely changed, as it has already been sent to the end customer for them to use as they see fit. However on some occasions, customers may need certain files updated quickly, and this may be for work that has been done months or even years ago. You would need to be able to access this data immediately to make changes in that case, but you must also keep your storage costs extremely low. The data is not easily reproducible if lost. Which S3 storage class should you choose to minimise costs and to maximize retrieval times? S3 - RRS, Glacier, S3, S3 - IA
S3 - IA
You run a meme creation website that stores the original images in S3 and each meme's meta data in DynamoDB. You need to decide upon a low-cost storage option for the memes, themselves. If a meme object is lost, a Lambda function will automatically recreate it using the original file from S3 and the metadata from DynamoDB. Which storage solution should you use to store the non-critical, easily reproducible memes in the most cost effective way? S3 - RRS, Glacier, S3, S3 - IA
S3 - RRS
You need to store some easily-replaceable objects on S3. With quick retrieval times and and cost effectiveness in mind, which S3 storage class should you consider. S3 S3 - RRS Glacier Snowball S3 - Provisioned IOPS
S3 - RRS there is no such thing as provisioned IOPS
You work for a major news network in Europe. They have just released a new mobile app that allows users to post their photos of newsworthy events in real time. Your organization expects this app to grow very quickly, essentially doubling its user base each month. The app uses S3 to store the images, and you are expecting sudden and sizable increases in traffic to S3 when a major news event takes place (as users will be uploading large amounts of content.) You need to keep your storage costs to a minimum, and it does not matter if some objects are lost. With these factors in mind, which storage media should you use to keep costs as low as possible? S3 - RRS, Glacier, S3, S3 - IA
S3 - Reduced Redundancy Storage (RRS)
You work for a major news network in Europe. They have just released a new mobile app that allows users to post their photos of newsworthy events in real time. Your organization expects this app to grow very quickly, essentially doubling its user base each month. The app uses S3 to store the images, and you are expecting sudden and sizable increases in traffic to S3 when a major news event takes place (as users will be uploading large amounts of content.) You need to keep your storage costs to a minimum, and it does not matter if some objects are lost. With these factors in mind, which storage media should you use to keep costs as low as possible? S3 - Provisioned IOPS, S3 - Reduced Redundancy Storage (RRS), S3 One Zone-IA, S3 Standard-IA, Glacier
S3 One Zone-IA ... The key driver here is cost, so an awareness of cost is necessary to answer this. Full S3 is quite expensive at around $0.023 per GB for the lowest band. S3 standard IA is $0.0125 per GB, S3 One Zone-IA is $0.01 per GB, and Legacy S3-RRS is around $0.024 per GB for the lowest band. Of the offered solutions S3 One Zone-IA is the cheapest suitable option. Glacier cannot be considered as it is not intended for direct access, however it comes in at around $0.004 per GB. Further information:
Which of the following services should you implement in multiple availability zones in order to achieve high availability? (Choose 2) Simple Queue Service DynamoDB EC2 RDS Simple Storage Service
S3, SQS & DynamoDB are already built in a fault tolerant fashion, you do not need to provision these services across multiple availability zones. Therefore the correct answers are RDS and EC2
When you create a custom VPC, which of the following are created automaticaly? (Choose 3) Subnets Access Control List Security Group Internet Gateway NAT Gateway Route Table
Security Group, Route Table, ACL
Choose (stateful or stateless) Security Groups are _________and Network Access Control Lists are __________.
Security Groups are stateful and Network Access Control Lists are stateless.
To establish a successful site-to-site VPN connection from your on-premise network to an AWS Virtual Private Cloud, which of the following might be combined & configured? (Choose 4) A Virtual Private Gateway A Virtual Customer Gateway A NAT instance A private subnet in your VPC An on-premise Customer Gateway A VPC with Hardware VPN Access
There are a number of ways to set up a VPN. Based on the options provided, AWS have a standard solution that makes use of a VPC with; a private subnet, Hardware VPN Access, a VPG, and an on-premise Customer Gateway. Yes A Virtual Private Gateway No A Virtual Customer Gateway No A NAT instance Yes A private subnet in your VPC Yes An on-premise Customer Gateway Yes A VPC with Hardware VPN Access
You have created a Direct Connect Link from your on premise data center to your Amazon VPC. The link is now active and routes are being advertised from the on-premise data center. You can connect to EC2 instances from your data center; however, you cannot connect to your on premise servers from your EC2 instances. Which of the following solutions would remedy this issue? (Choose 2) 1 Enable route propagation on your Customer Gateway (CGW). 2 Configure a new route from the NAT to the on premise data center. 3 Use an IPSEC VPN and add this route to the route table with the VPN being the target. 4 Edit the VPC subnet route table, adding a route back to the on-premise data center. 5 Enable route propagation on your Virtual Private Gateway (VPG).
There is no route connecting your VPC back to the on premise data center. You need to add this route to the route table and then enable propagation on the Virtual Private Gateway. 4 Edit the VPC subnet route table, adding a route back to the on-premise data center. 5 Enable route propagation on your Virtual Private Gateway (VPG).
Will an Amazon EBS root volume persist independently from the life of the terminated EC2 instance to which it was previously attached? In other words, if I terminated an EC2 instance, would that EBS root volume persist?
Trick question*** Only if I specify (using either the AWS Console or the CLI) that it should do so. Default = delete on termination for root volume
You are designing a VPC for a small application which will operate in a private subnet and needs internet access to software updates and other communications with internet IP's. Your security team is happy for there to be no restrictions in the application servers internet access. Which AWS products are needed to allow this solution - the priority being the least amount of services. Assume the EC2 instance and any NACL's, routes and Security groups are included implicitly. VPC, VPC Peering, Virtual Private Gateway, Subnets, Route Table(s), Nat Gateway, Internet Gateway
VPC, Subnets, Route Table(s), Nat Gateway, Internet Gateway
What are two things that must be configured to allow public access to an EC2 Instance in a VPC? (choose 2) A. Public IP or Elastic IP or IPv6 address B. Route in the subnet route table with 0.0.0.0/0 as the destination and the Internet Gateway as the target C. Private IP D. A NAT gateway is required to forward incoming requests to the instance. E. An IAM Role that allows HTTP traffic to the instance
What are two things that must be configured to allow public access to an EC2 Instance in a VPC? (choose 2) A. Public IP or Elastic IP or IPv6 address B. Route in the subnet route table with 0.0.0.0/0 as the destination and the Internet Gateway as the target Why is this correct? A route table entry is required for there to be a path for the traffic to reach the instance. NAT gateways do not do this.
To add an object to an S3 bucket, the PUT operation is used. As part of crafting a PUT, the programmer can add instructions called Request Headers. Which of the following are valid S3 Request Headers? (Choose 4) x-amz-meta- x-aws-meta- Content-Length x-aws-storage-class Cache-Enable x-amz-storage-class Content-MD5
YES x-amz-meta- NO x-aws-meta- YES Content-Length NO x-aws-storage-class NO Cache-Enable YES x-amz-storage-class YES Content-MD5
You are a solutions architect with a manufacturing company running several legacy applications. One of these applications needs to communicate with services which are currently hosted on-premise. The people who wrote this application have left the company, and there is no documentation describing how the application works. You need to ensure that this application can be hosted in a bespoke VPC, but remains able to communicate to the back-end services hosted on-premise. Which of the following answers will allow the application to communicate back to the on premise equipment without the need to reprogram the application? (Choose 3) 1 You should ensure the VPC has an internet gateway attached to it. That way, you can establish a site-to-site VPN with the on-premise environment. 2You should configure your Elastic Load Balancer to act as a reverse proxy so that the EC2 instance can communicate back to the on-premise data center. 3 You should configure an AWS Direct Connect link between the VPC and the site with the on-premise solution. 4 You should configure the VPC subnet in which the application sits so that it does not have an IP address range that conflicts with that of the on-premise VLAN in which the back end services sit. 5 You should attach an Elastic IP address to the VPC so that it will be able to communicate with the on-premise site.
You need to ensure that your application in your custom VPC can communicate back to the on-premise data center. You can do this by either using a site to site VPN or Direct Connect. It will be using an internal IP address range, so you must make sure that your internal IP addresses do not overlap. 1 You should ensure the VPC has an internet gateway attached to it. That way, you can establish a site-to-site VPN with the on-premise environment. 3 You should configure an AWS Direct Connect link between the VPC and the site with the on-premise solution. 4 You should configure the VPC subnet in which the application sits so that it does not have an IP address range that conflicts with that of the on-premise VLAN in which the back end services sit
You are a solutions architect working for a large engineering company who are moving from a legacy infrastructure to AWS. You have configured the company's first AWS account and you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary operating out of South Korea, so that office will need its own AWS environment. Which of the following statements is true? You will need to configure your users regionally, however your policy documents are global. You will need to configure Users and Policy Documents only once, as these are applied globally. You will need to configure your policy documents regionally, however your users are global. You will then need to configure Users and Policy Documents for each region respectively.
You will need to configure Users and Policy Documents only once, as these are applied globally.