
ANSWERED: Amazon Web Services (AWS) Certified Solutions Architect (CSA) Associate Level, Sample Exam Questions
There are many posts with various accounts from the AWS CSA exam; I feel obligated to post my experience, and I will try to keep mine concise and to the point.
You need to know the basics of all AWS services. The exam is not weighted towards any one specific service over another, though some, like IAM for example, crosscut other services and come up several times. Questions are situational and focused on specific knowledge of various AWS services. The sample exam questions accurately represent the format of the questions on the exam. The questions focus on specific technical aspects and nuances of AWS services. A test for your familiarity with their products perhaps rather than a test of your knowledge about applying their services to larger systems architecture and design requirements.
My studies for the AWS Certified Solutions Architect Exam began in the natural starting place, the sample exam questions provided by AWS. AWS does not answer the questions, and though I knew the answer to most or could make a reasonable guess on others, I found myself researching a couple of subjects. Since I cannot give any specifics on questions I saw on the exam, I thought I would answer the sample questions.
AWS Sample Exam Questions:
The 7 sample exam questions can be found at: http://awstrainingandcertification.s3.amazonaws.com/production/AWS_certified_solutions_architect_associate_examsample.pdf
** Note that these questions are published by AWS. I am providing answers based on my knowledge and experience, but these are unofficial and not supported by AWS. **
Questions:
Amazon Glacier is designed for (Choose 2 answers)
Answer(s): B - infrequently accessed data, C - data archives.
Explanation: Glacier is an archival storage service. You are charged every time you access data over the free tier threshold. When you put data in Glacier, you want to have a reasonable expectation that you will need to recover at most a small portion per month unless there is a disaster/emergency scenario.
Other Choices: The other choices suggest scenarios where data access is required much more frequently than the ideal Glacier use case.
Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
Answer(s): C - The ELB stops sending traffic to the instance that failed its health check.
Explanation: ELBs are designed to dynamically forward traffic to the eth0 interface of some set of EC2 instances in one or more availability zones of a single region. When monitoring is set up, the ELB will see that the instance is not responding and stop sending traffic to the failed instance.
Other Choices: The other choices suggest that an ELB will take unsupported or inaccurate actions against your instances or actions that are capabilities of other services, specifically Auto Scaling.
You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
Answer(s): A - Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Explanation: CloudFront is a CDN capability that distributes S3 objects geographically. An OAI is sort of like a service account for a CloudFront distribution. Using an OAI, you can restrict access to S3 content, effectively preventing direct access to content in S3 but still allowing CloudFront access to distribute that data.
Other Choices: The other choices refer to actions that do not make sense in the context of the question.
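The OAI grant described in the answer above is expressed as an S3 bucket policy. The following is an added example, not part of the original post: it builds such a policy and audits a policy for any other principal that can still read objects directly. The bucket name and OAI ID are constructed placeholders, and the helper names are hypothetical.

```python
# Constructed placeholder values for illustration; not taken from the original post.
BUCKET = "example-training-videos"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"


def oai_bucket_policy(bucket, oai_arn):
    """Bucket policy whose only grant is object reads for the CloudFront OAI."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_read_access(policy, oai_arn):
    """List (Sid, principal) pairs where someone other than the OAI may read objects."""
    # Simplified: ignores Condition, NotPrincipal and partial wildcards such as s3:Get*.
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not {"s3:GetObject", "s3:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):  # e.g. {"AWS": [...]} or {"CanonicalUser": "..."}
            names = [p for v in principal.values() for p in _as_list(v)]
        else:                            # the bare string "*" means everyone
            names = [principal]
        for name in names:
            if name != oai_arn:
                findings.append((stmt.get("Sid", "<no Sid>"), name))
    return findings


# Constructed "before" policy: the bucket is world-readable, so S3 URLs bypass CloudFront.
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

if __name__ == "__main__":
    print(audit_read_access(PUBLIC_POLICY, OAI_ARN))
```

An empty result means the OAI is the only principal with a read grant in the policy; object ACLs and account-level settings are outside what this check inspects.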
Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started? (Choose 2 answers)
Answer(s): B - All data on instance-store devices will be lost, E - The underlying host for the instance is changed
Explanation: It is important in this question to note that the instance is in a VPC to rule out other answers. Any instance storage device is only persisted during the running life of the instance because instance storage is physically attached to the host rather than SAN storage like EBS. Now part of the reason that instance storage only persists while an instance is powered on is because the host could/always changes when the instance is started. Remember that instance resources are very loosely coupled with other resources. When you start an instance, it gets a resource reservation on a carefully chosen, presumably with some complex algorithm, available host.
Other Choices: The other choices either refer to behaviors of instances not in a VPC, are outright incorrect or do not make sense in the context of the question. Reference the AWS article for behaviors when stopping or starting an instance: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html
In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
Answer(s): D - hypervisor visible metrics such as CPU utilization
Explanation: A responsibility boundary exists between the hypervisor and guest operating system. AWS does not have access to the guest operating system and therefore cannot see anything that is not visible to the hypervisor. Such information would be resource demands of the guest operating system that the hypervisor must service, like CPU usage. Refer back to the shared responsibility model discussed in the AWS Security Whitepaper.
Other Choices: The other choices refer to data that would not be visible to the hypervisor and that would not be visible within CloudWatch unless published by the instance owner. See publishing custom metrics.
Which is an operational process performed by AWS for data security?
Answer(s): B - Decommissioning of storage devices using industry-standard practices
Explanation: The key to this question is understanding the shared responsibility boundary between AWS and its customers as well as the specific statement "operational process". Again, we need to refer to the AWS Security Whitepaper. As a standard practice, AWS shreds all physical disks after magnetically wiping them as part of their decommissioning process.
Other Choices: The other options refer to processes or practices that cross the responsibility boundary or that simply do not make sense in the context of the question or AWS operations.
To protect S3 data from both accidental deletion and accidental overwriting, you should:
Answer(s): A - enable S3 versioning on the bucket
Explanation: By enabling versioning, you ensure that if an object is overwritten, accidentally or otherwise, any previous object version is persisted as a previous version. In addition, you protect against complete loss from accidental deletion.
Other Choices: The other choices, though referring to valid S3 bucket features, would not provide any protection against deletion or overwriting.
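How versioning gives that protection can be seen in a small in-memory model of a versioned bucket. This is an added example, not part of the original post and not the AWS API; the class, method and key names are hypothetical, and the object bodies are constructed.

```python
import itertools


class VersionedBucket:
    """In-memory model of S3 versioning semantics (an illustration, not the AWS API)."""

    def __init__(self):
        self._versions = {}            # key -> [(version_id, body)], newest last
        self._ids = itertools.count(1)

    def put(self, key, body):
        """Every write appends a new version; earlier versions are kept."""
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((vid, body))
        return vid

    def delete(self, key, version_id=None):
        if version_id is None:
            # Plain delete: nothing is erased, a delete marker (body None) becomes current.
            return self.put(key, None)
        # Delete naming a version id permanently removes that version or marker.
        self._versions[key] = [v for v in self._versions.get(key, []) if v[0] != version_id]
        return version_id

    def get(self, key, version_id=None):
        stack = self._versions.get(key, [])
        if version_id is not None:
            stack = [v for v in stack if v[0] == version_id]
        if not stack or stack[-1][1] is None:
            raise KeyError(key)        # S3 returns an error here (404 for a deleted key)
        return stack[-1][1]


def recover_after_mistakes():
    """Overwrite, then delete, then recover the original object both ways."""
    bucket = VersionedBucket()
    v1 = bucket.put("video.mp4", b"original")
    bucket.put("video.mp4", b"accidental overwrite")
    marker = bucket.delete("video.mp4")           # accidental delete
    try:
        bucket.get("video.mp4")
        visible_after_delete = True
    except KeyError:
        visible_after_delete = False
    original = bucket.get("video.mp4", v1)        # old version still readable by id
    bucket.delete("video.mp4", marker)            # removing the marker "undeletes"
    return visible_after_delete, original, bucket.get("video.mp4")
```

Only a delete that names a version ID destroys data, which is why the `s3:DeleteObjectVersion` permission deserves tighter control than `s3:DeleteObject` on a versioned bucket.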
