AWS Certified Solutions Architect - Associate


Your organization needs to introduce Auto Scaling to its infrastructure and needs to generate a "golden image" AMI from an existing EBS volume. This image will need to be shared among multiple AWS accounts belonging to your organization. Which of the following steps will get you there? (Choose three.)
A. Create a snapshot of the EBS root volume you need, use it to create an image, select your new AMI from your private collection, and use it for your launch configuration.
B. Create an image from the EBS volume attached to the instance, select your new AMI from your private collection, and use it for your launch configuration.
C. Search the AWS Marketplace for the appropriate image and use it for your launch configuration.
D. Import the snapshot of an EBS root volume from a different AWS account, use it to create an image, select your new AMI from your private collection, and use it for your launch configurati

A, B, D. Options B, C, and E are steps necessary for creating and sharing such an image. When an image is created, a snapshot is automatically created from which an AMI is built. You do not, however, create a snapshot from an image. The AWS Marketplace contains only public images; hopefully, no one will have uploaded your organization's private image there!

You need to restrict access to your EC2 instance-based application to only certain clients and only certain targets. Which three attributes of an incoming data packet are used by a security group to determine whether it should be allowed through? (Choose three.)
A. Network port
B. Source address
C. Datagram header size
D. Network protocol
E. Destination address

A, B, D. Ports and source and destination addresses are considered by security group rules. Security group rules do not take packet size into consideration. Since a security group is directly associated with specific objects, there's no need to reference the target address.

You are engaged in a deep audit of the use of your AWS resources and you need to better understand the structure and content of your S3 server access logs. Which of the following operational details are likely to be included in S3 server access logs? (Choose three.)
A. Source bucket name
B. Action requested
C. Current bucket size
D. API bucket creation calls
E. Response status

A, B, E. S3 server access logs don't report the source bucket's current size. They don't track API calls—that's something covered by AWS CloudTrail.

Which is true regarding a primary key in a nonrelational database? (Choose all that apply.)
A. It's required to uniquely identify an item.
B. It must be unique within the table.
C. It's used to correlate data across different tables.
D. Its data type can vary within a table.

A, B. In a nonrelational database, a primary key is required to uniquely identify an item and hence must be unique within a table. All primary key values within a table must have the same data type. Only relational databases use primary keys to correlate data across different tables.

Which of the following allow EC2 instances in different regions to communicate using private IP addresses? (Choose three.)
A. VPN
B. Direct Connect
C. VPC peering
D. Transit gateway

A, C, D. VPC peering, transit gateways, and VPNs all allow EC2 instances in different regions to communicate using private IP addresses. Direct Connect is for connecting VPCs to on-premises networks, not for connecting VPCs together.

You need to integrate your company's local user access controls with some of your AWS resources. Which of the following can help you control the way your local users access your AWS services and administration console? (Choose two.)
A. AWS Identity and Access Management (IAM)
B. Key Management Service (KMS)
C. AWS Directory Service
D. Simple WorkFlow (SWF)
E. Amazon Cognito

A, C. AWS IAM lets you create user accounts, groups, and roles and assign them rights and permissions over specific services and resources within your AWS account. Directory Service allows you to integrate your resources with external users and resources through third-party authentication services. KMS is a tool for generating and managing encryption keys, and SWF is a tool for coordinating application tasks. Amazon Cognito can be used to manage authentication for your application users, but not your internal admin teams.

Which database engine supports the bring-your-own-license (BYOL) model? (Choose all that apply.)
A. Oracle Standard Edition Two
B. Microsoft SQL Server
C. Oracle Standard Edition One
D. PostgreSQL

A, C. All editions of the Oracle database engine support the bring-your-own-license model in RDS. Microsoft SQL Server and PostgreSQL only support the license-included model.

Your web application relies on data objects stored in AWS S3 buckets. Compliance with industry regulations requires that those objects be encrypted and that related events be closely tracked. Which combination of tools should you use? (Choose two.)
A. Server-side encryption
B. Amazon S3-Managed Keys
C. AWS KMS-Managed Keys
D. Client-side encryption
E. AWS End-to-End managed keys

A, C. Client-side encryption occurs before an object reaches the bucket (i.e., before it comes to rest in the bucket). Only AWS KMS-Managed Keys provide an audit trail. AWS End-to-End managed keys don't exist as an AWS service.

In a relational database, a row may also be called what? (Choose two.)
A. Record
B. Attribute
C. Tuple
D. Table

A, C. Different relational databases use different terminology. A row, record, and tuple all describe an ordered set of columns. An attribute is another term for column. A table contains rows and columns.

You need to deploy multiple EC2 Linux instances that will provide your company with virtual private networks (VPNs) using software called OpenVPN. Which of the following will be the most efficient solutions? (Choose two.)
A. Select a regular Linux AMI and bootstrap it using user data that will install and configure the OpenVPN package on the instance and use it for your VPN instances.
B. Search the community AMIs for an official AMI provided and supported by the OpenVPN company.
C. Search the AWS Marketplace to see whether there's an official AMI provided and supported by the OpenVPN company.
D. Select a regular Linux AMI and SSH to manually install and configure the OpenVPN package.
E. Create a site-to-site VPN connection from the wizard in the AWS VPC dashboard.

A, C. Many third-party companies maintain official and supported AMIs running their software on the AWS Marketplace. AMIs hosted among the community AMIs are not always official and supported versions. Since your company will need several such instances, you'll be better off automating the process by bootstrapping rather than having to configure the software manually each time. The site-to-site VPN tool doesn't use OpenVPN.

Which of the following can perform stateful traffic filtering? (Choose two.)
A. Security groups
B. NACLs
C. AWS Network Firewall
D. AWS Transit Gateway

A, C. Security groups and AWS Network Firewall can perform stateful traffic filtering. NACLs perform stateless filtering only. AWS Transit Gateway isn't a firewall and doesn't perform traffic filtering.

Your organization runs Linux-based EC2 instances that all require low-latency read/write access to a single set of files. Which of the following AWS services are your best choices? (Choose two.)
A. AWS Storage Gateway
B. AWS S3
C. Amazon Elastic File System
D. AWS Elastic Block Store

A, C. Storage Gateway and EFS provide the required read/write access. S3 can be used to share files, but it doesn't offer low-latency access—and its eventual consistency won't work well with filesystems. EBS volumes can be used only for a single instance at a time.

Which of the following are benefits of instance store volumes? (Choose two.)
A. Instance volumes are physically attached to the server that's hosting your instance, allowing faster data access.
B. Instance volumes can be used to store data even after the instance is shut down.
C. The use of instance volumes does not incur costs (beyond those for the instance itself).
D. You can set termination protection so that an instance volume can't be accidentally shut down.
E. Instance volumes are commonly used as a base for the creation of AMIs.

A, C. The fact that instance volumes are physically attached to the host server and add nothing to an instance cost is a benefit. The data on instance volumes is ephemeral and will be lost as soon as the instance is shut down. There is no way to set termination protection for instance volumes because they're dependent on the life cycle of their host instances.

You've created one VPC peering connection between two VPCs. What must you do to use this connection for bidirectional instance-to-instance communication? (Choose all that apply.)
A. Create two routes with the peering connection as the target.
B. Create only one default route with the peering connection as the target.
C. Create another peering connection between the VPCs.
D. Configure the instances' security groups correctly.

A, D. Each peered VPC needs a route to the CIDR of its peer; therefore, you must create two routes with the peering connection as the target. Creating only one route is not sufficient to enable bidirectional communication. Additionally, the instances' security groups must allow for bidirectional communication. You can't create more than one peering connection between a pair of VPCs.

You need to create two subnets in a VPC that has a CIDR of 10.0.0.0/16. Which of the following CIDRs can you assign to one of the subnets while leaving room for an additional subnet? (Choose all that apply.)
A. 10.0.0.0/24
B. 10.0.0.0/8
C. 10.0.0.0/16
D. 10.0.0.0/23

A, D. Options A and D (10.0.0.0/24 and 10.0.0.0/23) are within the VPC CIDR and leave room for a second subnet; 10.0.0.0/8 is wrong because prefix lengths less than /16 aren't allowed; and 10.0.0.0/16 doesn't leave room for another subnet.

Which non-S3 AWS resources can improve the security and user experience of your S3-hosted static website? (Choose two.)
A. AWS Certificate Manager
B. Elastic Compute Cloud (EC2)
C. Relational Database Service (RDS)
D. Route 53
E. AWS Key Management Service

A, D. The AWS Certificate Manager (when used as part of a CloudFront distribution) can apply an SSL/TLS encryption certificate to your website. You can use Route 53 to associate a DNS domain name to your site. EC2 instances and RDS database instances would never be used for static websites. You would normally not use KMS for a static website—websites are usually meant to be public and encrypting the website assets with a KMS key would make it impossible for clients to download them.

Normally, two instances running m5.large instance types can handle the traffic accessing your online e-commerce site, but you know that you will face short, unpredictable periods of high demand. Which of the following choices should you implement? (Choose two.)
A. Configure autoscaling.
B. Configure load balancing.
C. Purchase two m5.large instances on the spot market and as many on-demand instances as necessary.
D. Shut down your m5.large instances and purchase instances using a more robust instance type to replace them.
E. Purchase two m5.large Reserved Instances and as many on-demand instances as necessary.

A, E. Reserved Instances will give you the best price for instances you know will be running 24/7, whereas on-demand makes the most sense for workloads that will run at unpredictable times but can't be shut down until they're no longer needed. Load balancing controls traffic routing and, on its own, has no impact on your ability to meet changing demand. Since the m5.large instance type is all you need to meet normal workloads, you'll be wasting money by running a larger type 24/7.

What type of database instance only accepts queries?
A. Read replica
B. Standby database instance
C. Primary database instance
D. Master database instance

A. A read replica only services queries and cannot write to a database. A standby database instance in a multi-AZ deployment does not accept queries. Both a primary and a master database instance can service queries and writes.

When creating a DynamoDB table, how many read capacity units should you provision to be able to sustain strongly consistent reads of 11 KB per second?
A. 3
B. 2
C. 1
D. 0

A. A single strongly consistent read of an item up to 4 KB consumes one read capacity unit. Hence, reading 11 KB of data per second using strongly consistent reads would consume three read capacity units. Were you to use eventually consistent reads, you would need only two read capacity units, as one eventually consistent read gives you up to 8 KB of data per second. Regardless, you must specify a read capacity of at least 1, so 0 is not a valid answer.

Which VPC resource performs network address translation?
A. Internet gateway
B. Route table
C. EIP
D. ENI

A. An Internet gateway performs NAT for instances that have a public IP address. A route table defines how traffic from instances is forwarded. An EIP is a public IP address and can't perform NAT. An ENI is a network interface and doesn't perform NAT.

How does an NACL differ from a security group?
A. An NACL is stateless.
B. An NACL is stateful.
C. An NACL is attached to an ENI.
D. An NACL can be associated with only one subnet.

A. An NACL is stateless, meaning it doesn't track a connection state. Every inbound rule must have a corresponding outbound rule to permit traffic, and vice versa. An NACL is attached to a subnet, whereas a security group is attached to an ENI. An NACL can be associated with multiple subnets, but a subnet can have only one NACL.

When working to set up your first AWS deployment, you keep coming across the term availability zone. What exactly is an availability zone?
A. An isolated physical datacenter within an AWS region
B. A region containing multiple isolated datacenters
C. A single network subnet used by resources within a single region
D. A single isolated server room within a datacenter

A. An availability zone is an isolated physical datacenter within an AWS region. Regions are geographic areas that contain multiple availability zones, subnets are IP address blocks that can be used within a zone to organize your networked resources, and there can be multiple datacenters within an availability zone.

You create a Linux instance and have AWS automatically assign a private IP address but not a public IP address. What will happen when you stop and restart the instance?
A. You won't be able to establish an SSH session directly to the instance from the Internet.
B. The instance won't be able to access the Internet.
C. The instance will receive the same private IP address.
D. The instance will be unable to reach other instances in its subnet.

A. An instance must have a public IP address to be directly reachable from the Internet. The instance may be able to reach the Internet via a NAT device. The instance won't necessarily receive the same private IP address because it was automatically assigned. The instance will be able to reach other instances in the subnet because a public IP is not required.

You've got a complex, multi-tiered application running on local servers that you want to migrate to the cloud. Which of these tools will provide you with the specific tools you'll need to move the application with the least risk and the least disruption?
A. AWS Application Migration Service
B. AWS Migration Hub
C. AWS Application Discovery Service
D. AWS Lift and Shift

A. Application Migration Service can automate the testing and transfer of AWS-bound migrations of your non-cloud application servers. That, therefore, is the correct answer. Migration Hub is a high-level tool for coordinating migrations. Application Discovery Service takes an inventory of your infrastructure but doesn't migrate anything itself. Lift and Shift doesn't actually exist, but don't you wish it did.

You create an Auto Scaling group with a minimum group size of 3, a maximum group size of 10, and a desired capacity of 5. You then manually terminate two instances in the group. Which of the following will Auto Scaling do?
A. Create two new instances.
B. Reduce the desired capacity to 3.
C. Nothing.
D. Increment the minimum group size to 5.

A. Auto Scaling strives to maintain the number of instances specified in the desired capacity setting. If the desired capacity setting isn't set, Auto Scaling will attempt to maintain the number of instances specified by the minimum group size. Given a desired capacity value of 5, there should be five healthy instances. If you manually terminate two of them, Auto Scaling will create two new ones to replace them. Auto Scaling will not adjust the desired capacity or minimum group size.

Some of your application's end users are complaining of delays when accessing your resources from remote geographic locations. Which of these services would be the most likely to help reduce the delays?
A. Amazon CloudFront
B. Amazon Route 53
C. Elastic Load Balancing
D. Amazon Glacier

A. CloudFront maintains a network of endpoints where cached versions of your application data are stored to provide quicker responses to user requests. Route 53 manages DNS and network routing, Elastic Load Balancing routes incoming user requests among a cluster of available servers, and Glacier provides high-latency, low-cost file storage.

Which is true regarding an elastic network interface?
A. It must have a private IP address from the subnet that it resides in.
B. It cannot exist independently of an instance.
C. It can be connected to multiple subnets.
D. It can have multiple IP addresses from different subnets.

A. Every ENI must have a primary private IP address. It can have secondary IP addresses, but all addresses must come from the subnet the ENI resides in. Once created, the ENI cannot be moved to a different subnet. An ENI can be created independently of an instance and later attached to an instance.

You create a new route table in a VPC but perform no other configuration on it. You then create a new subnet in the same VPC. Which route table will your new subnet be associated with?
A. The main route table
B. The route table you created
C. The default route table
D. None of these

A. Every subnet is associated with the main route table by default. You can explicitly associate a subnet with another route table. There is no such thing as a default route table, but you can create a default route within a route table.

Your organization runs Windows-based EC2 instances that all require low-latency read/write access to a single set of files. Which of the following AWS services is your best choice?
A. Amazon FSx for Windows File Server
B. Amazon FSx for Lustre
C. Amazon Elastic File System
D. Amazon Elastic Block Store

A. FSx for Lustre and Elastic File System are primarily designed for access from Linux filesystems. EBS volumes can't be accessed by more than a single instance at a time.

Using general-purpose SSD storage, how much storage would you need to allocate to get 600 IOPS?
A. 200 GB
B. 100 GB
C. 200 TB
D. 200 MB

A. General-purpose SSD storage allocates three IOPS per gigabyte, up to 10,000 IOPS. Therefore, to get 600 IOPS, you'd need to allocate 200 GB. Allocating 100 GB would give you only 300 IOPS. The maximum storage size for gp2 storage is 16 TB, so 200 TB is not a valid value. The minimum amount of storage you can allocate depends on the database engine, but it's no less than 20 GB, so 200 MB is not valid.

You have a publicly available file called filename stored in an S3 bucket named bucketname. Which of the following addresses will successfully retrieve the file using a web browser?
A. s3.amazonaws.com/bucketname/filename
B. filename/bucketname.s3.amazonaws.com
C. s3://bucketname/filename
D. s3://filename/bucketname

A. HTTP (web) requests must address the s3.amazonaws.com domain along with the bucket and filenames.

When an instance with an automatically assigned public IP sends a packet to another instance's EIP, what source address does the destination instance see?
A. The public IP
B. The EIP
C. The private IP
D. 0.0.0.0

A. Internet-bound traffic from an instance with an automatically assigned public IP will traverse an Internet gateway that will perform NAT. The source address will be the instance's public IP. An instance with an automatically assigned public IP cannot also have an EIP. The NAT process will replace the private IP source address with the public IP. Option D, 0.0.0.0, is not a valid source address.

To save configuration time and money, you want your application to run only when network events trigger it but shut down immediately after. Which of the following will do that for you?
A. AWS Lambda
B. AWS Elastic Beanstalk
C. Amazon Elastic Container Service (ECS)
D. Auto Scaling

A. Lambda can be used as such a trigger. Beanstalk launches and manages infrastructure for your application that will remain running until you manually stop it, ECS manages Docker containers but doesn't necessarily stop them when a task is done, and Auto Scaling can add instances to an already running deployment to meet demand.

If a MariaDB database running in RDS needs to write 200 MB of data every second, how many IOPS should you provision using io1 storage to sustain this performance?
A. 12,800
B. 25,600
C. 200
D. 16

A. MariaDB has a page size of 16 KB. To write 200 MB (204,800 KB) of data every second, it would need 12,800 IOPS. Oracle, PostgreSQL, or Microsoft SQL Server, which all use an 8 KB page size, would need 25,600 IOPS to achieve the same throughput. When provisioning IOPS, you must specify IOPS in increments of 1,000, so 200 and 16 IOPS—which would be woefully insufficient anyway—are not valid answers.

The sensitivity of the data your company works with means that the instances you run must be secured through complete physical isolation. What should you specify as you configure a new instance?
A. Dedicated Host tenancy
B. Shared tenancy
C. Dedicated Instance tenancy
D. Isolated tenancy

A. Only Dedicated Host tenancy offers full isolation. Shared tenancy instances will often share hardware with operations belonging to other organizations. Dedicated instance tenancy instances may be hosted on the same physical server as other instances within your account.

Which of the following classes will usually make the most sense for long-term storage when included within a sequence of life cycle rules?
A. S3 Glacier Flexible Retrieval
B. Reduced Redundancy
C. S3 One Zone-IA
D. S3 Standard-IA

A. S3 Glacier offers the least expensive and most highly resilient storage within the AWS ecosystem. Reduced Redundancy is not resilient and, in any case, is no longer recommended. S3 One Zone and S3 Standard are relatively expensive.

Your S3 buckets contain many thousands of objects. Some of them could be moved to less expensive storage classes and others still require instant availability. How can you apply transitions between storage classes for only certain objects within an S3 bucket?
A. By specifying particular prefixes when you define your life cycle rules.
B. This isn't possible. Life cycle rules must apply to all the objects in a bucket.
C. By specifying particular prefixes when you create the bucket.
D. By importing a predefined life cycle rule template.

A. S3 life cycle rules can incorporate specifying objects by prefix. There's no such thing as a life cycle template.

Which of the following explains the difference in durability between S3's Standard-IA and S3 Intelligent-Tiering classes?
A. Standard-IA data has only 99.9% availability, whereas Intelligent-Tiering's availability depends on the data's current state.
B. Standard-IA data is heavily replicated but only within a single availability zone, whereas Intelligent-Tiering data is only lightly replicated.
C. Standard-IA data is replicated across AWS regions, whereas Intelligent-Tiering data is restricted to a single region.
D. Standard-IA data is automatically backed up to Amazon Glacier, whereas Intelligent-Tiering data remains within S3.

A. Standard-IA data has only a 99.9% availability rate, whereas the availability (and other features) of Intelligent-Tiering data will change across its life cycle.

Why must a NAT gateway reside in a different subnet than an instance that uses it?
A. Both must use different default gateways.
B. Both must use different NACLs.
C. Both must use different security groups.
D. The NAT gateway requires a public interface and a private interface.

A. The NAT gateway's default route must point to an Internet gateway, and the instance's default route must point to the NAT gateway. No differing NACL configurations between subnets are required to use a NAT gateway. Security groups are applied at the ENI level. A NAT gateway doesn't require separate public and private interfaces.

What is the range of allowed IPv4 prefix lengths for a VPC CIDR block?
A. /16 to /28
B. /16 to /56
C. /8 to /30
D. /56 only

A. The allowed range of prefix lengths for a VPC CIDR is between /16 and /28 inclusive. The maximum possible prefix length for an IP subnet is /32, so /56 is not a valid length.

What is the destination for a default IPv4 route?
A. 0.0.0.0/0
B. ::0/0
C. An Internet gateway
D. The IP address of the implied router

A. The destination 0.0.0.0/0 matches all IP prefixes and hence covers all publicly accessible hosts on the Internet. ::0/0 is an IPv6 prefix, not an IPv4 prefix. An Internet gateway is the target of the default route, not the destination.

What must you do to configure a NAT instance after creating it?
A. Disable the source/destination check on its ENI.
B. Enable the source/destination check on its ENI.
C. Create a default route in its route table with a NAT gateway as the target.
D. Assign a primary private IP address to the instance.

A. The source/destination check on the NAT instance's ENI must be disabled to allow the instance to receive traffic not destined for its IP and to send traffic using a source address that it doesn't own. The NAT instance's default route must point to an Internet gateway as the target. You can't assign a primary private IP address after the instance is created.

While building a large AWS-based application, your company has been facing configuration problems they can't solve on their own. As a result, they need direct access to AWS support for both development and IT team leaders. Which support plan should you purchase?
A. Business
B. Developer
C. Basic
D. Enterprise

A. Unlike the Basic and Developer plans (which allow access to a support associate to no or one user, respectively), the Business plan allows multiple team members.

Which of the following occurs when you restore a failed database instance from a snapshot?
A. RDS restores the snapshot to a new instance.
B. RDS restores the snapshot to the failed instance.
C. RDS restores only the individual databases to a new instance.
D. RDS deletes the snapshot.

A. When you restore from a snapshot, RDS creates a new instance and doesn't make any changes to the failed instance. A snapshot is a copy of the entire instance, not just a copy of the individual databases. RDS does not delete a snapshot after restoring from it.

In the course of a routine infrastructure audit, your organization discovers that some of your running EC2 instances are not configured properly and must be updated. Which of the following configuration details cannot be changed on an existing EC2 instance?
A. AMI
B. Instance type
C. Security group
D. Public IP address

A. You can edit or even add or remove security groups from running instances and the changes will take effect instantly. Similarly, you can associate or release an elastic IP address to/from a running instance. You can change an instance type as long as you shut down the instance first. But the AMI can't be changed; you'll need to create an entirely new instance.

Which of the following is true regarding VPC peering?
A. Transitive routing is not supported.
B. A VPC peering connection requires a public IP address.
C. You can peer up to three VPCs using a single peering connection.
D. You can use a peering connection to share an Internet gateway among multiple VPCs.

A. You cannot route through a VPC using transitive routing. Instead, you must directly peer the VPCs containing the instances that need to communicate. A VPC peering connection uses the AWS internal network and requires no public IP address. Because a peering connection is a point-to-point connection, it can connect only two VPCs. A peering connection can be used only for instance-to-instance communication. You can't use it to share other VPC resources.

Which of the following are the recommended methods for providing secure and controlled access to your buckets? (Choose two.)
A. S3 access control lists (ACLs)
B. S3 bucket policies
C. IAM policies
D. Security groups
E. AWS Key Management Service

B, C. ACLs are a legacy feature that isn't as flexible as IAM or S3 bucket policies. Security groups are not used with S3 buckets. KMS is an encryption key management tool and isn't used for authentication.

Which database engines are compatible with existing MySQL databases? (Choose all that apply.)
A. Microsoft SQL Server
B. MariaDB
C. Aurora
D. PostgreSQL

B, C. MariaDB and Aurora are designed as binary drop-in replacements for MySQL. PostgreSQL is designed for compatibility with Oracle databases. Microsoft SQL Server does not support MySQL databases.

You're running an application that receives a spike in traffic on the first day of every month. You want to configure Auto Scaling to add more instances before the spike begins and then add additional instances in proportion to the CPU utilization of each instance. Which of the following should you implement? (Choose all that apply.)
A. Target tracking policies
B. Scheduled actions
C. Step scaling policies
D. Simple scaling policies
E. Load balancing

B, C. Scheduled actions can adjust the minimum and maximum group sizes and the desired capacity on a schedule, which is useful when your application has a predictable load pattern. To add more instances in proportion to the aggregate CPU utilization of the group, implement step scaling policies. Target tracking policies adjust the desired capacity of a group to keep the threshold of a given metric near a predefined value. Simple scaling policies simply add more instances when a defined CloudWatch alarm triggers, but the number of instances added is not proportional to the value of the metric.

As part of your company's long-term cloud migration strategy, you have a VMware virtual machine in your local infrastructure that you'd like to copy to your AWS account and run as an EC2 instance. Which of the following will be necessary steps? (Choose two.)
A. Import the virtual machine to your AWS region using a secure SSH tunnel.
B. Import the virtual machine using VM Import/Export.
C. Select the imported VM from among your private AMIs and launch an instance.
D. Select the imported VM from the AWS Marketplace AMIs and launch an instance.
E. Use the AWS CLI to securely copy your virtual machine image to an S3 bucket within the AWS region you'll be using.

B, C. The VM Import/Export tool handles the secure and reliable transfer of a virtual machine between your AWS account and local datacenter. A successfully imported VM will appear among the private AMIs in the region you selected. Direct S3 uploads and SSH tunnels are not associated with VM Import/Export.

You have an instance running within a private subnet that needs external network access to receive software updates and patches. Which of the following can securely provide that access from a public subnet within the same VPC? (Choose two.)
A. Internet gateway
B. NAT instance
C. Virtual private gateway
D. NAT gateway
E. VPN

B, D. NAT instances and NAT gateways are AWS tools for safely routing traffic between private and public subnets and from there, out to the Internet. An Internet gateway connects a VPC with the Internet, and a virtual private gateway connects a VPC with a remote site over a secure VPN. A stand-alone VPN wouldn't normally be helpful for this purpose.

Which of the following is true of a route in a transit gateway route table? A. It can be multicast. B. It can be a blackhole route. C. It can have an Internet gateway as a target. D. It can have an ENI as a target.

B. A transit gateway route table can hold a blackhole route. If the transit gateway receives traffic that matches the route, it will drop the traffic.

How many database engines can an RDS database instance run? A. Six B. One C. Two D. Four

B. Although there are six database engines to choose from, a single database instance can run only one database engine. If you want to run more than one database engine, you will need a separate database instance for each engine.

In a DynamoDB table containing orders, which key would be most appropriate for storing an order date? A. Partition key B. Sort key C. Hash key D. Simple primary key

B. An order date would not be unique within a table, so it would be inappropriate for a partition (hash) key or a simple primary key. It would be appropriate as a sort key, as DynamoDB would order items according to the order date, which would make it possible to query items with a specific date or within a date range.

How long will it take to retrieve an archive from Amazon Glacier Deep Archive? A. 5 hours B. 12 hours C. 2 days D. 1 week

B. As of this writing, retrieving Glacier Deep Archive data will take no longer than 12 hours.

How can you assign a public IP address to a running instance that doesn't have one? A. Allocate an ENI and associate it with the instance's primary EIP. B. Allocate an EIP and associate it with the instance's primary ENI. C. Configure the instance to use an automatically assigned public IP. D. Allocate an EIP and change the private IP address of the instance's ENI to match.

B. Assigning an EIP to an instance is a two-step process. First you must allocate an EIP, and then you must associate it with an ENI. You can't allocate an ENI, and there's no such thing as an instance's primary EIP. Configuring the instance to use an automatically assigned public IP must occur at instance creation. Changing an ENI's private IP to match an EIP doesn't actually assign a public IP to the instance, because the ENI's private address is still private.

As part of your new data backup protocols, you need to manually take EBS snapshots of several hundred volumes. Which type of Systems Manager document enables you to do this? A. Command B. Automation C. Policy D. Manual

B. Automation documents let you perform actions against your AWS resources, including taking EBS snapshots. Although called automation documents, you can still manually execute them. A command document performs actions within a Linux or a Windows instance. A policy document works only with State Manager and can't take an EBS snapshot. There's no manual document type.

Your developers want to run fully provisioned EC2 instances to support their application code deployments but prefer not to have to worry about manually configuring and launching the necessary infrastructure. Which of the following should they use? A. AWS Lambda B. AWS Elastic Beanstalk C. Amazon EC2 Auto Scaling D. Amazon Route 53

B. Elastic Beanstalk takes care of the ongoing underlying deployment details for you, allowing you to focus exclusively on your code. Lambda will respond to trigger events by running code a single time, Auto Scaling will ramp up existing infrastructure in response to demand, and Route 53 manages DNS and network routing.

You want to launch and manage a complex microservices container workload in AWS, but you want to avoid as many configuration headaches as possible. You figure you'll be fine with whatever defaults you're offered. Which of these platforms is your best choice? A. Amazon Elastic Kubernetes Service B. AWS Fargate C. Amazon EKS Distro D. Amazon Elastic Container Service

B. Fargate is a service that uses either ECS or EKS infrastructure under the hood, but actually abstracts away most of the configuration details. Therefore, Fargate is your best bet. EKS and ECS give you far greater control over your configuration but, as a result, are more complex. EKS Distro is a way of running K8s containers in your own infrastructure and, if anything, is the most complex option of all.

Which database instance class provides dedicated bandwidth for storage volumes? A. Standard B. Memory optimized C. Storage optimized D. Burstable performance

B. Memory-optimized instances are EBS optimized, providing dedicated bandwidth for EBS storage. Standard instances are not EBS optimized and top out at 10,000 Mbps disk throughput. Burstable performance instances are designed for development and test workloads and provide the lowest disk throughput of any instance class. There is no instance class called storage optimized.

What is the relationship between a subnet and an availability zone? A. A subnet can exist in multiple availability zones. B. An availability zone can have multiple subnets. C. An availability zone can have only one subnet. D. A subnet's CIDR is derived from its availability zone.

B. Multiple subnets may exist in a single availability zone. A subnet cannot span availability zones.

Which relational database type is optimized to handle multiple transactions per second? A. Offline transaction processing (OLTP) B. Online transaction processing (OLTP) C. Online analytic processing (OLAP) D. Key/value store

B. Online transaction processing databases are designed to handle multiple transactions per second. Online analytics processing databases are for complex queries against large data sets. A key/value store such as DynamoDB can handle multiple transactions per second, but it's not a relational database. There's no such thing as an offline transaction processing database.

Your application deployment includes multiple EC2 instances that need low-latency connections to each other. Which of the following AWS tools will allow you to locate EC2 instances closer to each other to reduce network latency? A. Load balancing B. Placement groups C. AWS Systems Manager D. AWS Fargate

B. Placement groups allow you to specify where your EC2 instances will live. Load balancing directs external user requests between multiple EC2 instances, Systems Manager provides tools for monitoring and managing your resources, and Fargate is an interface for administering Docker containers on Amazon ECS.

Which of the following use cases would be most cost effective if run using spot market instances? A. Your e-commerce website is built using a publicly available AMI. B. You provide high-end video rendering services using a fault-tolerant process that can easily manage a job that was unexpectedly interrupted. C. You're running a backend database that must be reliably updated to keep track of critical transactions. D. Your deployment runs as a static website on S3.

B. Spot market instances can be shut down with only a minimal (two-minute) warning, so they're not recommended for workloads that require reliably predictable service. Even if your AMI can be relaunched, the interrupted workload will still be lost. Static S3 websites don't run on EC2 infrastructure in the first place.

Which Redshift distribution style stores all tables on all compute nodes? A. EVEN B. ALL C. KEY D. ODD

B. The ALL distribution style ensures every compute node has a complete copy of every table. The EVEN distribution style splits tables up evenly across all compute nodes. The KEY distribution style distributes data according to the value in a specified column. There is no distribution style called ODD.

Your organization's operations team members need a way to access and administer your AWS infrastructure via your local command line or shell scripts. Which of the following tools will let them do that? A. AWS Config B. AWS CLI C. AWS SDK D. The AWS Console

B. The AWS Command-Line Interface (CLI) is a tool for accessing AWS APIs from the command-line shell of your local computer. The AWS SDK is for accessing resources programmatically, the AWS Console works graphically through your browser, and AWS Config is a service for editing and auditing your AWS account resources.

Which of the following is the 12-month availability guarantee for the S3 Standard-IA class? A. 99.99 percent B. 99.9 percent C. 99.999999999 percent D. 99.5 percent

B. The S3 Standard-IA (Infrequent Access) class is guaranteed to be available 99.9 percent of the time.

You don't want to open up the contents of an S3 bucket to anyone on the Internet, but you need to share the data with specific clients. Generating and then sending them a presigned URL is a perfect solution. Assuming you didn't explicitly set a value, how long will the presigned URL remain valid? A. 24 hours B. 3,600 seconds C. 5 minutes D. 360 seconds

B. The default expiry value for a presigned URL is 3,600 seconds (one hour).

For an account with multiple resources running as part of multiple projects, which of the following key/value combination examples would make for the most effective identification convention for resource tags? A. servers:server1 B. project1:server1 C. EC2:project1:server1 D. server1:project1

B. The first of two (and not three) strings in a resource tag is the key—the group to which the specific resource belongs. The second string is the value, which identifies the resource itself. If the key looks too much like the value, it can cause confusion.

As you plan your multi-tiered, multi-instance AWS application, you need a way to effectively organize your instances and configure their network connectivity and access control. Which tool will let you do that? A. Load Balancing B. Amazon Virtual Private Cloud (VPC) C. Amazon CloudFront D. AWS endpoints

B. VPCs are virtualized network environments where you can control the connectivity of your EC2 (and RDS, etc.) infrastructure. Load Balancing routes incoming user requests among a cluster of available servers, CloudFront maintains a network of endpoints where cached versions of your application data are stored to provide quicker responses to user requests, and AWS endpoints are URIs that point to AWS resources within your account.

Which of the following connection types is always encrypted? A. Direct Connect B. VPN C. VPC peering D. Transit gateway

B. VPN connections are always encrypted.

You've configured an EC2 Auto Scaling group to use a launch configuration to provision and install an application on several instances. You now need to reconfigure Auto Scaling to install an additional application on new instances. Which of the following should you do? A. Modify the launch configuration. B. Create a launch template and configure the Auto Scaling group to use it. C. Modify the launch template. D. Modify the CloudFormation template.

B. You can modify a launch template by creating a new version of it; however, the question indicates that the Auto Scaling group was created using a launch configuration. You can't modify a launch configuration. Auto Scaling doesn't use CloudFormation templates.

According to default behavior (and AWS recommendations), which of the following IP addresses could be assigned as the private IP for an EC2 instance? (Choose two.) A. 54.61.211.98 B. 23.176.92.3 C. 172.17.23.43 D. 10.0.32.176 E. 192.140.2.118

C, D. By default, EC2 uses the standard address blocks for private subnets, so all private addresses will fall within these ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.

You're assessing the level of durability you'll need to sufficiently ensure the long-term viability of a new web application you're planning. Which of the following risks are covered by S3's data durability guarantees? (Choose two.) A. User misconfiguration B. Account security breach C. Infrastructure failure D. Temporary service outages E. Datacenter security breach

C, E. The S3 guarantee only covers the physical infrastructure owned by AWS. Temporary service outages are related to "availability" and not "durability."

If you want the files stored in an S3 bucket to be accessible using a familiar directory hierarchy system, you'll need to specify prefixes and delimiters. What are prefixes and delimiters? A. A prefix is the name common to the objects you want to group, and a delimiter is the bar character (|). B. A prefix is the DNS name that precedes the amazonaws.com domain, and a delimiter is the name you want to give your file directory. C. A prefix is the name common to the objects you want to group, and a delimiter is a forward slash character (/). D. A prefix is the name common to the file type you want to identify, and a delimiter is a forward slash character (/).

C. A prefix is the name common to the objects you want to group, and a slash character (/) can be used as a delimiter. The bar character (|) would be treated as part of the name rather than as a delimiter. Although DNS names can have prefixes, they're not the same as prefixes in S3.

You've created a VPC with the CIDR 192.168.16.0/24. You want to assign a secondary CIDR to this VPC. Which CIDR can you use? A. 172.31.0.0/16 B. 192.168.0.0/16 C. 192.168.0.0/24 D. 192.168.16.0/23

C. A secondary CIDR may come from the same RFC 1918 address range as the primary, but it may not overlap with the primary CIDR. 192.168.0.0/24 comes from the same address range (192.168.0.0-192.168.255.255) as the primary and does not overlap with 192.168.16.0/24; 192.168.0.0/16 and 192.168.16.0/23 both overlap with 192.168.16.0/24; and 172.31.0.0/16 is not in the same range as the primary CIDR.

What must every relational database table contain? A. A foreign key B. A primary key C. An attribute D. A row

C. A table must contain at least one attribute or column. Primary and foreign keys are used for relating data in different tables, but they're not required. A row can exist within a table, but a table doesn't need a row in order to exist.

You need a quick way to transfer very large (peta-scale) data archives to the cloud. Assuming your Internet connection isn't up to the task, which of the following will be both (relatively) fast and cost-effective? A. Direct Connect B. Server Migration Service C. Snowball D. Storage Gateway

C. Direct Connect can provide fast network connections to AWS, but it's very expensive and can take up to 90 days to install. Server Migration Service and Storage Gateway aren't meant for moving data at such scale.

The data consumed by the application you're planning will require more speed and flexibility than you can get from a closely defined relational database structure. Which AWS database service should you choose? A. Relational Database Service (RDS) B. Amazon Aurora C. Amazon DynamoDB D. Key Management Service (KMS)

C. DynamoDB provides a NoSQL (nonrelational) database service. NoSQL databases are good for workloads that can be more efficiently run without the relational schema of SQL database engines (like those, including Aurora, that are offered by RDS). KMS is a tool for generating and managing encryption keys.

Which storage engine should you use with MySQL, Aurora, and MariaDB for maximum compatibility with RDS? A. MyISAM B. XtraDB C. InnoDB D. PostgreSQL

C. InnoDB is the only storage engine Amazon recommends for MySQL and MariaDB deployments in RDS and the only engine Aurora supports. MyISAM is another storage engine that works with MySQL but is not compatible with automated backups. XtraDB is another storage engine for MariaDB, but Amazon no longer recommends it. The PostgreSQL database engine uses its own storage engine by the same name and is not compatible with other database engines.

You're worried that updates to the important data you store in S3 might incorrectly overwrite existing files. What must you do to protect objects in S3 buckets from being accidentally lost? A. Nothing. S3 protects existing files by default. B. Nothing. S3 saves older versions of your files by default. C. Enable versioning. D. Enable file overwrite protection.

C. Object versioning must be manually enabled for each object to prevent older versions of the object from being deleted.

You want to be sure that the application you're building using EC2 and S3 resources will be reliable enough to meet the regulatory standards required within your industry. What should you check? A. Historical uptime log records B. The AWS Program Compliance Tool C. The AWS service level agreement (SLA) D. The AWS Compliance Programs documentation page E. The AWS Shared Responsibility Model

C. The AWS service level agreement tells you the level of service availability you can realistically expect from a particular AWS service. You can use this information when assessing your compliance with external standards. Log records, though they can offer important historical performance metrics, probably won't be enough to prove compliance. The AWS Compliance Programs page will show you only which regulatory programs can be satisfied with AWS resources, not whether a particular configuration will meet their demands. The AWS Shared Responsibility Model outlines who is responsible for various elements of your AWS infrastructure. There is no AWS Program Compliance tool.

Which of the following will allow you to quickly copy a virtual machine image from your local infrastructure to your AWS VPC? A. AWS Simple Storage Service (S3) B. AWS Snowball C. VM Import/Export D. AWS Direct Connect

C. VM Import/Export will do this. S3 buckets are used to store an image, but they're not directly involved in the import operation. Snowball is a physical high-capacity storage device that Amazon ships to your office for you to load data and ship back. Direct Connect uses Amazon partner providers to build a high-speed connection between your servers and your AWS VPC.

If you need to achieve 12,000 IOPS using provisioned IOPS SSD storage, how much storage should you allocate, assuming that you need only 100 GB of storage? A. There is no minimum storage requirement. B. 200 GB. C. 240 GB. D. 12 TB.

C. When you provision IOPS using io1 storage, you must do so in a ratio no greater than 50 IOPS for 1 GB. Allocating 240 GB of storage would give you 12,000 IOPS. Allocating 200 GB of storage would fall short, yielding just 10,000 IOPS. Allocating 12 TB would be overkill for the amount of storage required.

Which of the following is a difference between a NAT instance and a NAT gateway? A. There are different NAT gateway types. B. A NAT instance scales automatically. C. A NAT gateway can span multiple availability zones. D. A NAT gateway scales automatically.

D. A NAT gateway is a VPC resource that scales automatically to accommodate increased bandwidth requirements. A NAT instance can't do this. A NAT gateway exists in only one availability zone. There are not multiple NAT gateway types. A NAT instance is a regular EC2 instance that comes in different types.

Your AWS CLI command to launch an AMI as an EC2 instance has failed, giving you an error message that includes InvalidAMIID.NotFound. Which of the following is the most likely cause? A. You haven't properly configured the ~/.aws/config file. B. The AMI is being updated and is temporarily unavailable. C. Your key pair file has been given the wrong (overly permissive) permissions. D. The AMI you specified exists in a different region than the one you've currently specified.

D. AMIs are specific to a single AWS region and cannot be deployed into any other region. If your AWS CLI or its key pair was not configured properly, your connection would have failed completely. A public AMI being unavailable because it's "updating" is theoretically possible but unlikely.

What is an Internet gateway? A. A resource that grants Internet access to instances in multiple VPCs B. An implied router C. A physical router D. A VPC resource with no management IP address

D. An Internet gateway has no management IP address. It can be associated with only one VPC at a time and so cannot grant Internet access to instances in multiple VPCs. It is a logical VPC resource and not a virtual or physical router.

You've launched an EC2 application server instance in the AWS Ireland region and you need to access it from the web. Which of the following is the correct endpoint address that you should use? A. compute.eu-central-1.amazonaws.com B. ec2.eu-central-1.amazonaws.com C. elasticcomputecloud.eu-west-2.amazonaws.com D. ec2.eu-west-1.amazonaws.com

D. EC2 endpoints will always start with an ec2 prefix followed by the region designation (eu-west-1 in the case of Ireland).

Which of the following is the best use-case scenario for Elastic Block Store? A. You need a cheap and reliable place to store files your application can access. B. You need a safe place to store backup archives from your local servers. C. You need a source for on-demand compute cycles to meet fluctuating demand for your application. D. You need persistent storage for the filesystem run by your EC2 instance.

D. Elastic Block Store provides virtual block devices (think: storage drives) on which you can install and run filesystems and data operations. It is not normally a cost-effective option for long-term data storage.

How are IAM roles commonly used to ensure secure resource access in relation to EC2 instances? A. A role can assign processes running on the EC2 instance itself permission to access other AWS resources. B. A user can be given permission to authenticate as a role and access all associated resources. C. A role can be associated with individual instance-based processes (Linux instances only), giving them permission to access other AWS resources. D. A role can give users and resources permission to access the EC2 instance.

D. IAM roles define how resources access other resources. Users cannot authenticate as an instance role, nor can a role be associated with an instance's internal system process.

Your organization expects to be storing and processing large volumes of data in many small increments. When considering S3 usability, you'll need to know whether you'll face any practical limitations in the use of AWS account resources. Which of the following will normally be available only in limited amounts? A. PUT requests/month against an S3 bucket B. The volume of data space available per S3 bucket C. Account-wide S3 storage space D. The number of S3 buckets within a single account

D. In theory, at least, there's no limit to the data you can upload to a single bucket or to all the buckets in your account or to the number of times you upload (using the PUT command). By default, however, you are allowed only 100 S3 buckets per account.

In the context of an S3 bucket policy, which of the following statements describes a principal? A. The AWS service being defined (S3 in this case) B. An origin resource that's given permission to alter an S3 bucket C. The resource whose access is being defined D. The user or entity to which access is assigned

D. In this context, a principal is an entity to which bucket access is assigned.

In a multi-AZ deployment using Oracle, how is data replicated? A. Synchronously from the primary instance to a read replica B. Synchronously using a cluster volume C. Asynchronously from the primary to a standby instance D. Synchronously from the primary to a standby instance

D. Multi-AZ deployments using Oracle, PostgreSQL, MariaDB, MySQL, or Microsoft SQL Server replicate data synchronously from the primary to a standby instance. Only a multi-AZ deployment using Aurora uses a cluster volume and replicates data to a specific type of read replica called an Aurora replica.

Which of the following EBS options will you need to keep your data-hungry application that requires up to 20,000 IOPS happy? A. Cold HDD B. General-purpose SSD C. Throughput-optimized HDD D. Provisioned-IOPS SSD

D. Provisioned-IOPS SSD volumes are currently the only type that comes close to 20,000 IOPS. In fact, under the right circumstances, they can deliver up to 256,000 IOPS.

Your application regularly writes data to an S3 bucket, but you're worried about the potential for data corruption as a result of conflicting concurrent operations. Which of the following data operations would not be subject to concerns about eventual consistency? A. Operations immediately preceding the deletion of an existing object B. Operations subsequent to the updating of an existing object C. Operations subsequent to the deletion of an existing object D. Operations subsequent to the creation of a new object

D. S3 can't guarantee instant consistency across its infrastructure for changes to existing objects, but there aren't such concerns for newly created objects.

Which SQL statement would you use to retrieve data from a relational database table? A. QUERY B. SCAN C. INSERT D. SELECT

D. The SELECT statement retrieves data from a table. INSERT is used for adding data to a table. QUERY and SCAN are commands used by DynamoDB, which is a nonrelational database.

What do you have to do to securely authenticate to the GUI console of a Windows EC2 session? A. Use the private key of your key pair to initiate an SSH tunnel session. B. Use the public key of your key pair to initiate an SSH tunnel session. C. Use the public key of your key pair to retrieve the password you'll use to log in. D. Use the private key of your key pair to retrieve the password you'll use to log in.

D. The client computer in an encrypted operation must always use the private key to authenticate. For EC2 instances running Windows, you retrieve the password you'll use for the GUI login using your private key.

Which Redshift node type can store up to 326 TB of data? A. Dense memory B. Leader C. Dense storage D. Dense compute

D. The dense compute type can store up to 326 TB of data on magnetic storage. The dense storage type can store up to 2 PB of data on solid state drives. A leader node coordinates communication among compute nodes but doesn't store any databases. There is no such thing as a dense memory node type.

Which of the following is an example of a tightly coupled HPC workload? A. Image processing B. Audio processing C. DNA sequencing D. Hurricane track forecasting E. Video processing

D. Tightly coupled workloads include simulations such as weather forecasting. They can't be broken down into smaller, independent pieces, and so require the entire cluster to function as a single supercomputer.

Which of the following statements is true of security groups? A. Only one security group can be attached to an ENI. B. A security group must always be attached to an ENI. C. A security group can be attached to a subnet. D. Every VPC contains a default security group.
