Search
Browse
Create
Log in
Sign up
Log in
Sign up
AWS Sol Arch - Mock Exam1
STUDY
Flashcards
Learn
Write
Spell
Test
PLAY
Match
Gravity
Terms in this set (158)
Provides -AWS resource inventory
- configuration history, and
- configuration change notifications
to enable security and governance. You can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.
AWS Config
- Log files your applications generate.
- System-wide visibility into resource utilization, application performance, and operational health.
- Custom metrics generated by your applications and services
Which of the items can AWS Cloudwatch monitor?
A hosted zone is a collection of resource record sets hosted by Route 53.
In Route 53, what does a Hosted Zone refer to?
Metrics for CloudWatch are available only when you choose the US East (N. Virginia)
Cloud Front metrics in cloudwatch - available for all regions?
$ aws sns publish --topic-arn arn:aws:sns:us-east-1:546419318123:OperationsError -message "Script Failure"
Which of the following AWS CLI commands is syntactically incorrect?
$ aws ec2 describe-instances
$ aws ec2 start-instances --instance-ids i-1348636c
$ aws sns publish --topic-arn arn:aws:sns:us-east-1:546419318123:OperationsError -message "Script Failure"
$ aws sqs receive-message --queue-url https://queue.amazonaws.com/546419318123/Test
to read or modify the table directly, without a middle-tier service
The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants ______.
A hosted zone is a collection of resource record sets for a specified domain. You create a hosted zone for a domain (such as example.com), and then you create resource record sets to tell the Domain Name System how you want traffic to be routed for that domain. Route 53 automatically creates -
- name server (NS) record (identifies 4 NS of DNS service so that DNS queries are routed to Route53)
- a start of authority (SOA) record for the zone
You can create more than one hosted zone with the same name and add different resource record sets to each hosted zone.
Route 53 hosted zone?
- By default, Amazon Route 53 assigns a unique set of four name servers (known collectively as a delegation set) to each hosted zone that you create.
- Route 53 never returns values for resource record sets in other hosted zones that have the same name.
Amazon S3, Amazon Route 53 and Amazon CloudFront
You receive the following request from a client to quickly deploy a static website for them, specifically on AWS. The requirements are low-cost, reliable, online storage, and a reliable and cost-effective way to route customers to the website, as well as a way to deliver content with low latency and high data transfer speeds so that visitors to his website don't experience unnecessary delays. What do you think would be the minimum AWS services that could fulfill the client's request?
No
Can I change the EC2 security groups after an instance is launched in EC2-Classic?
SQS
A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to retrieve the picture accordingly and send the picture to EC2 for processing. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?
1 hr
What can be the maximum time out period that user would be able to specify for connection draining?
No
Can you specify the security group that you created for a VPC when you launch an instance in EC2-Classic?
- Data replication
- Data encryption
- Data snapshot
An organization has a statutory requirement to protect the data at rest for data stored in EBS volumes. Which of the below mentioned options can the organization use to achieve data protection?
Yes, they are allowed but only with approval.
Are penetration tests allowed as long as they are limited to the customer's instances?
Resources
You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?
Luna Backup HSM
In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:
You can't terminate, stop, or delete a resource based solely on its tags.
Which of the following statements is true of tagging an Amazon EC2 resource?
Network Bandwidth
You are planning and configuring some EBS volumes for an application. In order to get the most performance out of your EBS volumes, you should attach them to an instance with enough ________ to support your volumes.
20
By default, what is the maximum number of Auto Scaling groups that AWS will allow you to create?
- M3 instances provide better, more consistent performance that M1 instances for most use-cases.
- M3 instances also offer SSD-based instance storage that delivers higher I/O performance.
- M3 instances are less expensive than M4 instances.
Difference between M1, M3 and M4 instance types
Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends when the instance terminates and you pay for total number of hours consumed including partial hours.
How does billing work for EC2 instances?
Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.
how RDS database with multi AZ will function if there is a database failure?
US West-1
A user is hosting a website application in the US West-1 region. The website has the highest client base from the Asia-Pacific (Singapore / Japan) region. The application is accessing data from S3 before serving it to client. Which of the below mentioned regions gives the best performance for delivering S3 objects to the application?
In the EC2-VPC platform, the Elastic IP Address (EIP) does not remain associated with the instance when you stop it.
Which of the following statements is NOT true about using Elastic IP Address (EIP) in EC2-Classic and EC2-VPC platforms?
Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
How are different EC2 instances separated from each other for security
Auto Scaling automatically can create a launch configuration directly from an EC2 instance.
In regards to creating a launch configuration using an EC2 instance, which of the following statements is true?
You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.
How billing is calculated, specifically the Virtual Tape Shelf usage?
(IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication.
You have some very sensitive data stored on AWS S3 and want to keep it secure in terms of access control. What are the mechanisms available for access control on AWS S3?
Force IAM users to contact an account administrator when the user has entered his password incorrectly.
Correct ones (allowed) -
- Require IAM users to change their password after a specified period of time.
- Prevent IAM users from reusing previous passwords.
- Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
Which of the following is not an account password policy for IAM Users that can be set?
- Client IP address
- Load Balancer IP address
- Previous Request IP address
X-Forwarded-For header, contains which IP address?
1
You have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region, and you want to distribute requests across all three IPs evenly for users for whom US East (Virginia) is the appropriate region.
How many EC2 instances would be sufficient to distribute requests in other regions?
Auto Scaling must launch a new instance to replace it.
In an experiment, if the minimum size for an Auto Scaling group is 1 instance, which of the following statements holds true when you terminate the running instance?
EBS
You have been asked to set up a database in AWS that will require frequent and granular updates. You know that you will require a reasonable amount of storage space but are not sure of the best option. What is the recommended storage option when you run a database on an instance with the above criteria?
partition group
The AWS CloudHSM service defines a resource known as a high-availability (HA) ________________, which is a virtual partition that represents a group of partitions, typically distributed between several physical HSMs for high-availability.
Do not select the AZ; instead let AWS select the AZ
A user is launching an first EC2 instance in the US East region. Which of the below mentioned options is recommended by AWS with respect to the selection of the availability zone?
Yes, both increment and decrement operations.
Does Amazon DynamoDB support both increment and decrement atomic operations?
Data is deleted
What happens to data on an non-root instance store volume of an EBS-backed EC2 instance if it is terminated or if it fails?
Internal DNS name
Which DNS name can only be resolved within Amazon EC2?
No
Is it required to shutdown your EC2 instance when you create a snapshot of EBS volumes that serve as root devices?
VPC with a Public Subnet Only and Hardware VPN Access
Which of the following is not an option for network architectures after launching the "Start VPC Wizard" in Amazon VPC page on the AWS Management Console?
You need to manually create EBS volume first.
Correct answers for EC2 instance termination -
- The AMI is missing a required part.
- The snapshot is corrupt.
- You've reached your volume limit.
You are trying to launch an EC2 instance, however the instance seems to go into a terminated status immediately. What would probably NOT be a reason for this?
STOPPED
Correct EMR states
- STARTING
- BOOTSTRAPPING
- RUNNING
Which of the below is not an Amazon EMR cluster state?
Route 53 natively supports ELB with an internal health check. Turn "Evaluate target health" on and "Associate with Health Check" off and R53 will use the ELB's internal health check.
What is the best way for you to configure the Route 53 health check to use ELB health check instead of its own?
Elastic IP
Which of the below mentioned options is not available when an instance is launched by Auto Scaling with EC2 Classic?
No access is provided by default, and any access must be explicitly added with a rule to the DB security group.
A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from?
The IP addresses belong to EC2 Classic; so they cannot be assigned to VPC
A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. The user has 3 elastic IPs and is trying to assign one of the Elastic IPs to the VPC instance from the console. The console does not show any instance in the IP assignment screen. What is a possible reason that the instance is unavailable in the assigned IP console?
2
How many access keys may an AWS Identity and Access Management (IAM) user have active at one time?
Distribution Type
CloudFront billing is driven by -
- Data transfer out
- Edge Location Traffic Distribution
- Dedicated IP SSL Certificates
Which one of the below doesn't affect Amazon CloudFront billing?
Amazon Redshift uses a four-tier, key-based architecture for encryption. These keys are the master key, a cluster key, a database key, and data encryption keys.
Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?
Server Order Preference
- negotiating connections between a client and a load balancer
During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client's list that matches any one of the load balancer's ciphers is selected for the SSL connection.
- If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client's list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
Which of the following Elastic Load Balancing options ensure that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection?
PC-over-IP (PCoIP)
Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
Which technology does Amazon WorkSpaces use to provide data security?
- take advantage of multiple regions and Availability Zones
Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
As a Solutions Architect, how should you architect systems on AWS?
Time-Based One-Time Password (TOTP)
Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token?
- DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB.
- DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB.
No server side encryption possible
DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content?
IAM instance profile
- An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance?
Signature Version 4
The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
Which of the following is the most recent version of the AWS digital signature calculation process?
The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
- Amazon EMR starts your instances in two Amazon Elastic Compute Cloud (Amazon EC2) security groups, one for the master and another for the slaves. The master security group has a port open for communication with the service. It also has the SSH port open to allow you to securely connect to the instances via SSH using the key specified at startup. The slaves start in a separate security group, which only allows interaction with the master instance. By default, both security groups are set up to prevent access from external sources, including Amazon EC2 instances belonging to other customers. Because these are security groups in your account, you can reconfigure them using the standard Amazon EC2 tools or dashboard.
Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster?
same Availability Zone in a region
- When you create an Amazon EBS volume in an Availability Zone, it is automatically replicated within that Availability Zone to prevent data loss due to failure of any single hardware component.
- An EBS Snapshot creates a copy of an EBS volume to Amazon S3 so that copies of the volume can reside in different Availability Zones within a region.
To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following?
- Obtaining industry certifications and independent third-party attestations
- Publishing information about security and AWS control practices via the website, whitepapers, and blogs
- Directly providing customers with certificates, reports, and other documentation (under NDA in some cases)
AWS communicates with customers regarding its security and control environment through a variety of different mechanisms. Which of the following are valid mechanisms? (Choose three)
- By using specific control definitions or through general control standard compliance
AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
AWS provides IT control information to customers in which of the following ways?
- SOC 1
- PCI DSS Level 1
- ISO 27001
Which of the following is a valid report, certification, or third-party attestation for AWS? (Choose three)
IT governance is still the customer's responsibility, despite deploying their IT estate onto the AWS platform.
Which of the following statements is true? about ownership of governance
Each availability zone consists of multiple discrete data centers with redundant power and networking/connectivity.
Which of the following statements best describes an availability zone?
- AWS regularly performs scans of public-facing endpoint IP addresses for vulnerabilities.
- AWS security notifies the appropriate parties to remediate any identified vulnerabilities.
With regard to vulnerability scans and threat assessments of the AWS platform, which of the following statements are true? (Choose two.)
AWS publishes information about the AWS security and control practices online, and directly to customers under NDA. Customers do not need to communicate their use and configurations to AWS.
Which of the following best describes the risk and compliance communication responsibilities of customers to AWS?
Energy
- The collective control environment includes people, processes, and technology necessary to establish and maintain an environment that supports the operating effectiveness of AWS control framework. Energy is not a discretely identified part of the control environment
The AWS control environment is in place for the secure delivery of AWS Cloud service offerings. Which of the following does the collective control environment NOT explicitly include?
- Kinesis
- SQS
When designing a loosely coupled system, which AWS services provide an intermediate durable storage layer between components? (Choose 2 answers)
- Launch the web server instances across multiple Availability Zones.
- Leverage Auto Scaling to recover from failed instances.
Launching instances across multiple Availability Zones helps ensure the application is isolated from failures in a single Availability Zone, allowing the application to achieve higher availability. Whether you are running one Amazon EC2 instance or thousands, you can use Auto Scaling to detect impaired Amazon EC2 instances and unhealthy applications and replace the instances without your intervention. This ensures that your application is getting the compute capacity that you expect, thereby maintaining your availability.
Which of the following options will help increase the availability of a web server farm? (Choose 2 answers)
- DynamoDB
- S3
DynamoDB runs across AWS proven, high-availability data centers. The service replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone outage. Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility. While Elastic Load Balancing and Amazon ElastiCache can be deployed across multiple Availability Zones, you must explicitly take such steps when creating them.
Which of the following AWS cloud services are designed according to the Multi-AZ principle? (Choose 2 answers)
- Autoscaling
- CloudWatch
Auto Scaling enables you to follow the demand curve for your applications closely, reducing the need to provision Amazon EC2 capacity manually in advance. For example, you can set a condition to add new Amazon EC2 instances in increments to the Auto Scaling group when the average CPU and network utilization of your Amazon EC2 fleet monitored in Amazon CloudWatch is high; similarly, you can set a condition to remove instances in the same increments when CPU and network utilization are low.
Your e-commerce site was designed to be stateless and currently runs on a fleet of Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and increase availability, you have a requirement to scale the fleet based on CPU and network utilization to match the demand curve for your site. What services do you need to meet this requirement? (Choose 2 answers)
- Create a new Amazon EBS volume with encryption enabled.
- Attach an Amazon EBS volume with encryption enabled to the instance that hosts the data, then migrate the data to the encryption-enabled Amazon EBS volume.
- Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS volume with encryption enabled.
There is no direct way to encrypt an existing unencrypted volume. However, you can migrate data between encrypted and unencrypted volumes.
Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following steps would you follow for your existing Amazon EBS volumes to comply with the new requirement? (Choose 3 answers)
- Reduces the number of necessary Internet entry points
- Obfuscates necessary Internet entry points to the level that untrusted end users cannot access them
The attack surface is composed of the different Internet entry points that allow access to your application. The strategy to minimize the attack surface area is to (a) reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet entry points, (c) separate end user traffic from management traffic, (d) obfuscate necessary Internet entry points to the level that untrusted end users cannot access them, and (e) decouple Internet entry points to minimize the effects of attacks. This strategy can be accomplished with Amazon VPC.
When building a Distributed Denial of Service (DDoS)-resilient architecture, how does Amazon Virtual Private Cloud (Amazon VPC) help minimize the attack surface area? (Choose 2 answers)
Create a read replica for an Amazon RDS instance.
Your e-commerce application provides daily and ad hoc reporting to various business units on customer purchases. This is resulting in an extremely high level of read traffic to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can you do to scale up read traffic without impacting your database's performance?
Type A Alias resource record set
- An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone apex, as the case in this example. Alias resource record sets can save you time because Amazon Route 53 automatically recognizes changes in the resource record sets to which the alias resource record set refers.
Your website is hosted on a fleet of web servers that are load balanced across multiple Availability Zones using an Elastic Load Balancer (ELB). What type of record set in Amazon Route 53 can be used to point myawesomeapp.com to your website?
Provision the Amazon EC2 instances with an instance profile that has the appropriate privileges.
An instance profile is a container for an AWS Identity and Access Management (IAM) role that you can use to pass role information to an Amazon EC2 instance when the instance starts. The IAM role should have a policy attached that only allows access to the AWS Cloud services necessary to perform its function.
You need a secure way to distribute your AWS credentials to an application running on Amazon Elastic Compute Cloud (Amazon EC2) instances in order to access supplementary AWS Cloud services. What approach provides your application access to use short-term credentials for signing requests while protecting those credentials from other users?
API Gateway
Amazon API Gateway is a fully managed service that makes it easy for developers to publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts as a "front door" for applications to access data, business logic, or functionality from your code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.
You are running a suite of microservices on AWS Lambda that provide the business logic and access to data stored in Amazon DynamoDB for your task management system. You need to create well-defined RESTful Application Program Interfaces (APIs) for these microservices that will scale with traffic to support a new mobile application. What AWS Cloud service can you use to create the necessary RESTful APIs?
DynamoDB
- Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative due to its scalability, high-availability, and durability characteristics. Many platforms provide open-source, drop-in replacement libraries that allow you to store native sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session storage solution in a share-nothing, distributed architecture.
You are changing your application to move session state information off the individual Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud services is best suited as an alternative for storing session state information?
- Use different access keys for different applications.
- Rotate access keys periodically.
- Configure Multi-Factor Authentication (MFA) for your most sensitive operations.
Which of the following are best practices for managing AWS Identity and Access Management (IAM) user access keys? (Choose 3 answers)
- CloudTrail
- S3
- Lambda
You can enable AWS CloudTrail in your AWS account to get logs of API calls and related events' history in your account. AWS CloudTrail records all of the API access events as objects in an Amazon S3 bucket that you specify at the time you enable AWS CloudTrail. You can take advantage of Amazon S3's bucket notification feature by directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS Lambda function by passing the Amazon S3 object-created event as a parameter. The AWS Lambda function code can read the log object and process the access records logged by AWS CloudTrail.
You need to implement a service to scan Application Program Interface (API) calls and related events' history to your AWS account. This service will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which of the following AWS Cloud services can be leveraged to implement this service? (Choose 3 answers)
Provide signed Amazon CloudFront URLs to authenticated users to access the paid content.
- Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, such as users who have paid a fee. To serve this private content securely using Amazon CloudFront, you can require that users access your private content by using special Amazon CloudFront-signed URLs or signed cookies.
Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers?
Create a Network Address Translation (NAT) gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
- You can use a NAT gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances. If you have resources in multiple Availability Zones and they share one NAT gateway, resources in the other Availability Zones lose Internet access in the event that the NAT gateway's Availability Zone is down. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
Your Amazon Virtual Private Cloud (Amazon VPC) includes multiple private subnets. The instances in these private subnets must access third-party payment Application Program Interfaces (APIs) over the Internet. Which option will provide highly available Internet access to the instances in the private subnets?
- Create pre-signed url for an object
- S3 ACL on bucket or object
- S3 bucket policy
Which features can be used to restrict access to Amazon Simple Storage Service (Amazon S3) data? (Choose 3 answers)
- lower latency access to second bucket
- compliance reasons, store data 300miles away from first region
What are some reasons to enable cross-region replication on an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 2 answers)
- IP address range
- AWS account
- Objects with a specific prefix
Amazon Simple Storage Service (S3) bucket policies can restrict access to an Amazon S3 bucket and objects by which of the following? (Choose 3 answers)
- configure bucket for static website hosting and specify an index and error document
- create a bucket with same name as website
- make the objects in bucket world-readable
What must be done to host a static website in an Amazon Simple Storage Service (Amazon S3) bucket? (Choose 3 answers)
- use instance type with 10 Gbps network performance
- put instances in placement group
- enable enhanced networking on the instances
You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers)
- no SG rule that allows RDP access over port 3389 from your ip address
Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason?
/28
What is the minimum size subnet that you can have in an Amazon VPC?
- on-demand instances
- spot instances
An Auto Scaling group may use: (Choose 2 answers)
- service name
- action
Which of the following are found in an IAM policy? (Choose 2 answers)
- change password and add MFA to root user
- put IP restriction on root user
- rotate keys and change passwords for IAM accounts
- delete administrator's personal IAM account
Q. 93 Your AWS account administrator left your company today. The administrator had access to the root user and a personal IAM administrator account. With these accounts, he generated other IAM accounts and keys. Which of the following should you do today to protect your AWS infrastructure? (Choose 4 ans)
- password policies
- MFA
Which of the following are IAM security features? (Choose 2 answers)
- EC2 roles
- federation
Which of the following are based on temporary security tokens? (Choose 2 answers)
restore database from a recent automated DB snapshot
You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage?
- no action necessary.
your connection string points to DB endpoint & AWS automatically updates this endpoint to point to your secondary instance
You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly?
- launch RDS instance, select Microsoft SQL Server enterprise edition under Bring Your Own License (BYOL) model
You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do?
Simple AD
Which of the following is an AWS Directory Service offering that is powered by Samba 4 and is Microsoft Active Directory-compatible?
Verify the identity of the requestor, protect data in transit, and protect against potential replay attacks.
Which of the following best describes how AWS Signature Version 4 secures requests?
In CIDR notation, from /28 (16 IP addresses) to /16 (65,536 IP addresses)
Which of the following describes the range of Classless Inter-Domain Routing (CIDR) addressing supported by Amazon Virtual Private Cloud (Amazon VPC)?
5
- first four IP addresses and the last IP address of every subnet for IP networking purposes.
How many IP addresses does AWS reserve within a subnet for its own networking purposes?
- Layer 4
- Layer 7
> Layer 4 is the transport layer that describes the Transmission Control Protocol (TCP) connection between the client and your back-end instance through the load balancer.
> Layer 7 is the application layer that describes the use of Hypertext Transfer Protocol (HTTP) and HTTPS (secure HTTP) connections from clients to the load balancer and from the load balancer to your back-end instance.
Which of the following Open System Interconnection (OSI) layers are configurable on an Elastic Load Balancer? (Choose 2 answers)
A human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers.
- By default, when you use Transmission Control Protocol (TCP) for both the front-end and back-end connections, your load balancer forwards requests to the back-end instances without modifying the request headers. If you enable Proxy Protocol, a human-readable header is added to the request header with connection information such as the source IP address, destination IP address, and port numbers.
What is the result of enabling Proxy Protocol on an Elastic Load Balancer?
A period of time after an Auto Scaling event during which Auto Scaling waits before resuming Auto Scaling activities.
- The Auto Scaling cool-down period is a configurable setting for your Auto Scaling group that helps ensure that Auto Scaling doesn't launch or terminate additional instances before the previous scaling activity takes effect. After the Auto Scaling group dynamically scales using a simple scaling policy, Auto Scaling waits for the cool-down period to complete before resuming scaling activities.
Which of the following is the best description of an Auto Scaling cool-down period?
S3
Which of the following AWS storage services is best suited for the following requirement:"Your web application needs large-scale storage capacity and performance."
A Query operation finds items in a table or a secondary index using only primary key attribute values and a Scan operation reads every item in a table or a secondary index.
What is the difference between an Amazon DynamoDB Query operation and an Amazon DynamoDB Scan operation?
Asynchronously
How is data copied from an Amazon Relational Database Service (Amazon RDS) MySQL, MariaDB, or PostgreSQL source database to a Read Replica?
Delay queues make messages unavailable upon arrival to the queue and visibility timeouts make messages unavailable after being retrieved from the queue.
What is the functional difference between an Amazon Simple Queue Service (Amazon SQS) delay queue and Amazon SQS visibility timeout?
Receipt Handle
Which Amazon Simple Queue Service (Amazon SQS) identifier must be used to delete a message from a queue?
1
How many availability zones may an Amazon Virtual Private Cloud (Amazon VPC) subnet span?
Use VM Import/Export to load the VM on AWS as an Amazon Machine Image (AMI). Launch an Amazon EC2 instance from the AMI to confirm operation, then terminate the Amazon EC2 instance until failover is needed.
- VM Import/Export is an excellent way to get the VM image into AWS, but there is no need to pay the compute costs of a running instance while the DR installation is not needed.
Your company has a legacy application running locally on a Virtual Machine (VM) on Windows 2008. The application is a compute workload that has no state. The original development team is no longer with the firm, and recreating the VM would be extremely difficult and time-consuming. To mitigate the risk, the company wants to create a Disaster Recovery installation for this application on AWS. What method accomplishes this in a straightforward and cost-effective manner?
An Amazon Elastic Block Store (Amazon EBS) General Purpose SSD volume
- Either General Purpose SSD or Provisioned IOPs would work, but the bursty nature of the IO makes the General Purpose SSD the more cost-effective choice. The durability requirement eliminates the Instance Storage option. Magnetic volumes cannot achieve 2,500 IOPs. The random file access makes the workload block storage, so Amazon S3 will not meet the requirements.
Your company runs a monitoring application that retrieves server status information hourly from all of the servers in your data center and cloud infrastructure. The information is required to be maintained for 24 hours. When the information is retrieved, appending it to the end of the 200 GB file (and removing data older than 24 hours from the top of the file) requires 2,500 IOPs for one minute. Network administrators periodically display summary information and randomly accessed rows in a browser-based application, but this operation requires a negligible amount of IOPs. What type of storage is well suited for this workload?
Instance storage
You are running a photomontage application that takes many photo files from Amazon Simple Storage Service (Amazon S3), assembles them into a single large image that includes all of the photos, and stores the resulting image back on Amazon S3. As part of the processing, your application requires access to block storage for writing temporary files. What storage is well suited for this workload?
A temporary security token with specific permissions is provided for a console session based on the user's identity in an external Identity Provider (IdP).
How does identity federation work?
Kinesis Stream
- Kinesis Stream allows you to create custom applications to analyze big data streams in real time.
A shipping company tracks the location of every package using bar code readers that transfer over wireless back to the main tracking system. The resulting traffic averages 10,000 scans a second. What service will process the incoming stream of scans and update the data in the tracking system on a near real-time basis?
- S3
- Redshift
- Elastic search service
Which of the following are possible destinations for data ingested with Kinesis Firehose? (Choose 3 answers)
EMR
- Amazon EMR is an excellent choice to analyze data at read, such as logs stored on Amazon S3. Amazon Kinesis Streams can analyze streams of data in real time, which is not the scenario here.
Your company stores click stream logs from your website on Amazon Simple Storage Service (Amazon S3) nightly, averaging 20 TB of new data a night. Your data scientists would like to analyze this data to segment users and understand user preferences. Which service is well suited to meet their needs?
- Amazon Storage Gateway - Gateway Stored Volumes replicate all data to the cloud while storing it all locally to reduce latency.
- Amazon Storage Gateway - Gateway Cached Volumes provide an iSCSI interface to block storage, but copies all files to Amazon S3 for durability and retains only the recently used files locally. Neither Amazon S3 nor Amazon Red shift are block storage.
What is Amazon Storage Gateway - Gateway Stored Volume?
restrict access to content by providing paid subscribers with links that are valid for a limited period of time and, optionally, only valid from a particular IP address range.
What is CloudFront Signed URLs?
- Amazon S3 buckets can hold a virtually unlimited amount of data; Amazon EBS volumes have a maximum size.
- Amazon S3 is object storage; Amazon EBS is block storage.
- Amazon S3 is accessed via a REST API; Amazon EBS is accessed from an attached Amazon Elastic Compute Cloud (EC2) instance.
Which of the following are differences between Amazon Simple Storage Service (Amazon S3) and Amazon Elastic Block Store (Amazon EBS)? 3 ans
- S3 bucket policies
- IAM policies
- S3 ACL
Which of the following can be used to control access to objects in Amazon Simple Storage Service (Amazon S3)? (Choose 3 answers)
The website content was not set to publicly readable
You are deploying a static website on Amazon Simple Storage Service (Amazon S3). After naming your bucket with a proper Domain Name Service (DNS) name, enabling and configuring website hosting, uploading your content, and redirecting your domain name to the bucket, users still cannot load the page. What is a possible problem?
AD Connector
Which of the following services is a proxy service for connecting your on-premises Microsoft Active Directory to the AWS Cloud?
- AWS KMS
- AWS CloudHSM
> AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data.
> AWS CloudHSM is a service that makes it easy for you to create and control both symmetric and asymmetric keys used to encrypt and decrypt data.
Which of the following AWS Cloud services provide you the ability to manage your own symmetric and asymmetric keys? (Choose 2 answers)
Typically within 15 minutes
How long does it take AWS CloudTrail to deliver an event for an Application Programming Interface (API) call?
- IP spoofing
- Promiscuous packet sniffing
Which of the following network actions are not possible within AWS? (Choose 2 answers)
- Message integrity
- Replay attack prevention
The Signature Version 4 digital signature calculation process provides which security benefits? (Choose 2 answers)
RSA 2048 SSH-2 key pairs
Amazon Elastic Compute Cloud (Amazon EC2) supports which type of key pair?
A private subnet is a subnet that does not have a route to the IGW
Which of the following best describes an Amazon Virtual Private Cloud (Amazon VPC) private subnet?
An IGW serves two purposes:
> to provide a target in your VPC route tables for Internet-routable traffic and
> to perform Network Address Translation (NAT) for instances that have been assigned public IP addresses.
What function does an Amazon Virtual Private Cloud (Amazon VPC) Internet Gateway (IGW) serve?
VPC subnet
With which of the following is an Amazon Virtual Private Cloud (Amazon VPC) Elastic Network Interface (ENI) associated?
- Stacks, layers, Chef recipes, instances, and apps
Which of the following describes AWS OpsWorks components? 5 ans
Deletion policy
Which of the following policies must be specified on an AWS CloudFormation resource in order to ensure that the resource is not deleted when the stack is deleted?
AWS Support API
AWS Trusted Advisor is available through which AWS Application Programming Interface (API)?
CloudWatch Logs Agent
Which of the following provides an automated way to send log data to CloudWatch Logs for Amazon Elastic Compute Cloud (Amazon EC2) instances running Amazon Linux or Ubuntu?
An Elastic Load Balancing load balancer's DNS CNAME will not change over time, providing you with a single fixed addressing entry, regardless of the pool of IPs referenced by the CNAME.
Which of the following explains why referencing an Elastic Load Balancing load balancer by its Domain Name System (DNS) Canonical Name (CNAME) is a best practice?
- CloudWatch
- ELB
- Auto scaling
Which of the following services can be used together to create a highly available application with a resilient architecture on AWS? (Choose 3 answers)
least privilege
Issuance of temporary tokens to authenticated entities through federation, credential rotation, and assigning permissions to AWS Identity and Access Management (IAM) roles for Amazon Elastic Compute Cloud (Amazon EC2) instances is an example of adhering to which security principle?
multi-threading
Which of the following must you leverage in your cloud applications in order to take advantage of the cloud's parallelization quality?
The ability to use the cloud's API to automate deployment processes and to build self-healing systems.
Which one of the following is the most important benefit of using a cloud environment?
RDS
Your company's senior management wants to launch an e-commerce web application in the cloud. The application will be two-tiered and the data layer will receive hundreds of reads and writes per second due to customers searching for and purchasing items. Which of the following is the best service to use to deliver the data layer for the e-commerce application?
Amazon Aurora
Which of the following Amazon Relational Database Service (Amazon RDS) database engines are compatible with MySQL?
The ability to sideline and isolate unsuccessfully processed messages.
- Dead letter queues contain messages that have not been deleted from the source queue and, therefore, the dead letter queue contains message that are not being successfully processed.
Which of the following is a primary benefit of using a dead letter queue?
2
- Two IPSec tunnels are established between the CGW and the VPG to provide higher availability of the VPN connection.
How many Internet Protocol Security (IPSec) tunnels are established when creating a Virtual Private Network (VPN) connection between a Customer Gateway (CGW) and Virtual Private Gateway (VPG)?
Launch the number of On-Demand Instances that fit within the project budget. Augment those with Spot Instances at a lower price to complete the task sooner for less compute cost. When all the images are converted, terminate all the instances.
Your firm has just received 200 TB of TIF images that must be converted to GIF images. This conversion will occur only once. The primary requirement for the workload is to complete the work within a fixed budget, although the business would also appreciate a swift completion. What is an appropriate mix of Amazon Elastic Compute Cloud (Amazon EC2) instances to meet the business's goals?
- The operating system version and configuration
- Software installed on the instance at launch
What does the Amazon Machine Image (AMI) define for a new Amazon Elastic Compute Cloud (Amazon EC2) instance? (Choose 2 answers)
EC2 placement group
Your workload needs low network latency and high network throughput between Amazon Elastic Compute Cloud (Amazon EC2) instances. Which feature will help you achieve this?
The z:\ is instance storage and data is lost when the instance is stopped.
You downloaded a 25 GB video to the z:\ drive of your Amazon Elastic Compute Cloud (Amazon EC2) instance. To get more compute, you stopped the instance to change the instance type, then restarted the instance. When you connect to your instance again, you notice that the video is no longer on the z:\ drive. What is the likely cause?
Amazon EBS volumes are replicated at least once within a single availability zone and are not backed up to tape. A single instance can be attached to several Amazon EBS volumes, but an Amazon EBS volume can be attached to only one instance at a time.
Which of the following is true for Amazon Elastic Block Store (Amazon EBS)?
Two Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volumes, each provisioned for 20,000 IOPS in a RAID 0 configuration
- Spreading the data across two Amazon EBS Provisioned IOPS volumes can spread the IOPS across two volumes, creating total IOPS for the volume of 40,000.
Your company runs an application that relies on a legacy database system. The database requires two TB of block storage and 40,000 IOPS of storage capacity. What architecture will support the requirements for this database?
Temporary security token
Which of the following are not found in an AWS Identity and Access Management (IAM) policy?
Kinesis Firehose, S3, EMR, AWS Data Pipeline, and RDS
Your company receives information on every sale from thousands of Point-of-Sale (POS) machines, resulting in 5,000-10,000 messages per second and 20 TB of new data every day. Every night this information must be analyzed and summary results stored in a MySQL database for display in a management dashboard. What combination of services will address this use case?
- The instance type of the nodes in your cluster
- The number of nodes in your cluster
- The version of Hadoop you want to run
When you launch an Amazon Elastic MapReduce (Amazon EMR) cluster, what must you specify? (Choose 3 answers)
AWS Storage Gateway - gateway-cached volume
- AWS Storage Gateway - gateway-cached volumes provide an iSCSI interface to block storage and copy all files to Amazon S3 for durability. Gateway-cached volumes also store only the most frequently used files locally, allowing you to store more data on your AWS Storage Gateway than would fit on your local physical storage.
You have an application that indexes documents and makes them available via a browser-based interface. The documents are stored on a block storage device accessed by the application over an iSCSI interface, but time of retrieval is not a critical factor. As the number of documents grows, you have been tasked with increasing the capacity of the application, as well as providing durable backup for the documents. What service can meet your requirements?
Migrate all product manuals to Amazon Simple Storage Service (Amazon S3), create an Amazon CloudFront distribution with two origins, and use path patterns to point one origin to the manuals on Amazon S3 and the other to your web farm.
Your company website includes hundreds of product manuals. Your data center is full and there is no room for more servers or storage, so you have been instructed to reduce storage requirements, lower compute needs, and improve response time for the entire website. What architectural pattern will achieve this?
Deploy new instances with detailed monitoring enabled.
Your company's web application recently had a service interruption when the CPU usage spiked. When reviewing the logs, you found that the five-minute interval between Amazon CloudWatch metrics prevented you from fully analyzing the problem. What can you do to ensure that you have more granular visibility in the future?
Number of requests handled by a web server
Which of the following measured values requires a custom metric to be logged by Amazon CloudWatch?
Turn on Bucket Logging to generate access logs
- Bucket Logging will create access logs that list the time, IP address, and AWS Identity and Access Management (IAM) user identity of any access to an object in the bucket
Your company maintains financial records for customers. These records are stored as PDF files on Amazon Simple Storage Service (Amazon S3). Compliance rules require that you record when any user accesses a PDF file. How can you meet this compliance goal?
- Dedicated Instances
- Dedicated Hosts
Dedicated Instances run on hardware that's dedicated to a single customer. As a customer runs more Dedicated Instances, more underlying hardware may be dedicated to their account. Dedicated Hosts are physical servers with Amazon EC2 instance capacity fully dedicated to a single customer's use.
Your company faces a compliance requirement dictating that none of your Amazon Elastic Compute Cloud (Amazon EC2) instances can be hosted on hardware shared with any other AWS customer. Which two services allow this?
YOU MIGHT ALSO LIKE...
Accounting Information Systems
TextbookMediaPremium
$9.99
STUDY GUIDE
AWS Certified Solutions Architect Chapter Exams
243 Terms
anatoly_guler
Set 5
73 Terms
sfdcbrewery
Review - Chapter 14 AWS
20 Terms
bassbonestones
OTHER SETS BY THIS CREATOR
AWS Sol Arch - Mock Exam4
29 Terms
vardaang
AWS Dev Associate - MockExam 1
94 Terms
vardaang
AWS Sol Arch - FAQs
15 Terms
vardaang
AWS Sol Arch - Mock Exam3
69 Terms
vardaang
THIS SET IS OFTEN IN FOLDERS WITH...
AWS Certified Solutions Architect - Associate Practice Questions
851 Terms
dathuminh
AWS Sol Arch Practice Exam Question
155 Terms
vardaang
AWS Sol Arch - Mock Exam2
191 Terms
vardaang
AWS Certified Solutions Architect 851 Q from dathuminh
851 Terms
mamun001
;