API Gateway

1. Fully Managed

What are the benefits of API gateway?

Low cost and efficient

Scales effortlessly

You can throttle requests to prevent attacks

----------------------------------------------------------------------------------------------------------------
------------

Can connect with cloud-watch to log all requests

What does this Error mean "Origin Policy cannot be ready at the remote resource”?

Enable CORS on API Gateway

You are developing a highly available web application using stateless web servers. Which
services are suitable for storing session state data? Choose 3 answers.

A. Elastic Load Balancing (ELB)

B. Relational Database Service (RDS)

C. CloudWatch

D. ElastiCache

E. DynamoDB

F. AWS Storage Gateway

What services should store session data? Two are correct

A: DynamoDB

B: RDS

C: S3

D: Elastic Cache

Storing session in tabular structure?

A: Elastic Cache
D: DynamoDB

Which services invoke lambda function to improve performance?

A: Dynamo DB

B: Elastic Cache

User want to access stream and process streams.

Kinesis stream

Which service allows you to process nearly limitless streams of data in flight?

A. Kinesis Firehose

B. Elastic MapReduce (Amazon EMR)

C. Redshift

D. Kinesis Streams

Your entire AWS infrastructure lives inside of one Amazon VPC You have an Infrastructure
monitoring application running on an Amazon instance in Availability Zone (AZ) A of the
region, and another application instance running in AZ B. The monitoring application needs
to make use of ICMP ping to confirm network reachability of the instance hosting the
application.

Can you configure the security groups for these instances to only allow the ICMP ping to
pass from the monitoring instance to the application instance and nothing else” If so how?

A. No Two instances in two different AZ’s can’t talk directly to each other via ICMP ping as
that protocol is not allowed across subnet (iebroadcast) boundaries

B. Yes Both the monitoring instance and the application instance have to be a part of the same
security group, and that security group needs to allow inbound ICMP

C. Yes, the security group for the monitoring instance needs to allow outbound ICMP
and the application instance’s security group needs to allow Inbound ICMP

D. Yes, Both the monitoring instance’s security group and the application instance’s security
group need to allow both inbound and outbound ICMP ping packets since ICMP is not a
connection-oriented protocol

Choose the correct AWS database service for the following requirements:

Large volumes of structured data to persist and query using standard SQL and existing
Business Intelligence tools

High performance at scale as data and query complexity grows

A. Amazon DynamoDB

B. Amazon RDS

C. Amazon ElastiCache

D. Amazon Redshift

Comments:

Amazon Redshift is a fast-managed petabyte-scale data warehouse service that makes it

simple and cost-effective to efficiently analyze all your data using your existing business
intelligence tools.

You have an existing website called example.com that points to a specific IP address. You
now want to create three sub domains that point to the same IP address. To reduce
maintenance which domain record type should you choose?

A. CNAME

B. A

C. MX

D. TXT

Amazon Elastic Block Store (Amazon EBS) volumes provide durable block-level storage for
use with Amazon EC2 instances (virtual machines). Amazon EBS volumes are off-instance
storage that persists independently from the running life of a single Amazon EC2 instance.

Which type would you choose for I/O-intensive workloads, relational databases, and NoSQL
databases?

A. Amazon EBS Magnetic

B. Amazon EBS Provisioned IOPS

C. Amazon EBS ZX1

D. Amazon EBS General Purpose

Which of the following in NOT part of security group?

A. List of usernames

B. List of protocols

C. IP address ranges

D. Ports
Which of the following is the correct statement regarding Availability Zones?

A. A collection of regions that together make up an Availability Zone.

B. A distinct location within a region that is insulated from failures in other Availability
Zones

C. Another name for an entire region which contains AWS instances.

D. The timeframe a particular service is available for use by authorized users

Which Amazon service would you use for content delivery?

A. CloudFront

B. ELB

C. SES

D. SQS

Which service provides an automated security assessment that helps improve the security and
compliance of applications deployed on AWS. The service automatically assesses
applications for vulnerabilities or deviations from best practices.

A. Amazon Redshift

B. EC2

C. Elastic Beanstalk

D. Amazon Inspector

Which product is ideal for transferring anywhere from terabytes to many petabytes of data in
and out of the AWS cloud securely, especially in cases where you don’t want to make
expensive upgrades to your network infrastructure, frequently experience large backlogs of
data, are in a physically isolated environment, or are in an area where high-speed Internet
connections are not available or cost-prohibitive. In general, if loading your data over the
Internet would take a week or more, you should consider what?

A. Amazon S3

B. AWS Snowball

C. Amazon EBS Magnetic

D. Amazon CloudFront

You have developed a new web application that offers users the chance to buy music at a
discounted rate through partnerships with local recording companies. You want to host this
app in AWS but you don't want the overhead of managing the infrastructure. Which option
should you choose?

A. EC2

B. CloudFront

C. Amazon Redshift

D. AWS Elastic Beanstalk

Amazon Glacier is an extremely low-cost storage service that provides highly secure,
durable, and flexible storage for data archiving and online backup.

Which of the following will you NOT be charged for when using Glacier?

A. Storage (per GB per month)

B. Data transfer in (per GB per month)

C. Requests (per thousand UPLOAD and RETRIEVAL requests per month)

D. Data transfer out (per GB per month)

Which service would you use to control access to content by allowing or blocking web
requests based on criteria that you specify, such as header values or the IP addresses that the
requests originate from. This service helps to protect against common web exploits that could
affect application availability, compromise security, or consume excessive resources.

A. EC2

B. S3

C. CloudFront

D. AWS WAF (Web Application Firewall)

Which of the below instances is used normally for massive parallel computations?

A. Spot Instances

B. On-Demand Instances

C. Dedicated Instances

D. This is not possible in AWS

DDoS attacks at their core create an availability problem, as the goal of attackers is to render
resources unusable for legitimate end users. Consequently, you can leverage failover
capabilities within AWS to reduce your vulnerability to availability problems caused by
DDoS attacks.

Which of the following is a protocol exhausting attack?

A. HTTP GET/POST flood

B. SYN flood

C. None of these

D. UDP flood

You are working with a customer who has 10 TB of archival data that they want to migrate to
Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or
feature provides the fastest method of getting the data into Amazon Glacier?

A. Amazon Glacier multipart upload

B. AWS Storage Gateway

C. VM Import/Export

D. AWS Import/Export

An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto
Scaling needs to terminate an EC2 instance by default, Auto Scaling will:

Choose 2 answers

A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before
terminating the instance.

B. Terminate the instance with the least active network connections. If multiple instances
meet this criterion, one will be randomly selected.

C. Send an SNS notification, if configured to do so.

D. Terminate an instance in the AZ which currently has 2 running EC2 instances.

E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance's security group is configured to
allow SSH from any IP address and deny all outbound traffic. What changes need to be made
to allow SSH access to the instance?

A. The outbound security group needs to be modified to allow outbound traffic.

B. The outbound network ACL needs to be modified to allow outbound traffic.

C. Nothing, it can be accessed from any IP address using SSH.

D. Both the outbound security group and outbound network ACL need to be modified to
allow outbound traffic

A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content
for a web-based property. The customer is storing objects using the Standard Storage class.
Where are the customers objects replicated?

A. A single facility in eu-west-1 and a single facility in eu-central-1

B. A single facility in eu-west-1 and a single facility in us-east-1

C. Multiple facilities in eu-west-1

D. A single facility in eu-west-1

A company is building a two-tier web application to serve dynamic transaction-based content.

The data tier is leveraging an Online Transactional Processing (OLTP) database. What
services should you leverage to enable an elastic and scalable web tier?

A. Elastic Load Balancing, Amazon EC2, and Auto Scaling

B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3

C. Amazon RDS with Multi-AZ and Auto Scaling

D. Amazon EC2, Amazon DynamoDB, and Amazon S3

Which services allow the customer to retain full administrative privileges of the underlying
EC2 instances? Choose 2 answers

A. Amazon Relational Database Service

B. Amazon Elastic Map Reduce

C. Amazon ElastiCache

D. Amazon DynamoDB

E. AWS Elastic Beanstalk

You are working with a customer who is using Chef Configuration management in their data
center. Which service is designed to let the customer leverage existing Chef recipes in AWS?

A. Amazon Simple Workflow Service

B. AWS Elastic Beanstalk

C. AWS CloudFormation
D. AWS OpsWorks

How can an EBS volume that is currently attached to an EC2 instance be migrated from one
Availability Zone to another?

A. Detach the volume and attach it to another EC2 instance in the other AZ.

B. Simply create a new volume in the other AZ and specify the original volume as the source.

C. Create a snapshot of the volume, and create a new volume from the snapshot in the
other AZ.

D. Detach the volume, then use the ec2-migrate-voiume command to move it to another AZ.

A client application requires operating system privileges on a relational database server. What
is an appropriate configuration for a highly available database architecture?

A. A standalone Amazon EC2 instance

B. Amazon RDS in a Multi-AZ configuration

C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone

D. Amazon EC2 instances in a replication configuration utilizing two different

Availability Zones

Which of the following are characteristics of Amazon VPC subnets?

Choose 2

A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.

B. Each subnet maps to a single Availability Zone.

C. CIDR block mask of/25 is the smallest range supported.

D. By default, all subnets can route between each other, whether they are private or public.

E. Instances in a private subnet can communicate with the Internet only if they have an
Elastic IP

You have a web application running on six Amazon EC2 instances, consuming about 45% of
resources on each instance. You are using auto-scaling to make sure that six instances are
running at all times. The number of requests this application processes is consistent and does
not experience spikes. The application is critical to your business and you want high
availability at all times. You want the load to be distributed evenly between all instances. You
also want to use the same Amazon Machine Image (AMI) for all instances. Which of the
following architectural choices should you make?

A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer.
B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic
Load Balancer.

C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone
and use Amazon Elastic Load Balancer.

D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

You run an ad-supported photo sharing website using S3 to serve photos to visitors of your
site. At some point you find out that other sites have been linking to the photos on your site,
causing loss to your business. What is an effective method to mitigate this?

A. Remove public read access and use signed URLs with expiry dates.

B. Use CloudFront distributions for static content.

C. Block the IPs of the offending websites in Security Groups.

D. Store photos on an EBS volume of the web server.

You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances
running in your VPC. Only clients connecting from the corporate external public IP address
72.34.51.100 should have SSH access to the host. Which option will meet the customer
requirement?

A. Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source
72.34.51.100/32

B. Security Group Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32

C. Network ACL Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32

D. Network ACL Inbound Rule: Protocol - TCP, Port Range-22, Source 72.34.51.100/0

You have decided to change the instance type for instances running in your application tier
that is using Auto Scaling. In which area below would you change the instance type
definition?

A. Auto Scaling policy

B. Auto Scaling group

C. Auto Scaling tags

D. Auto Scaling launch configuration

Which technique can be used to integrate AWS IAM (Identity and Access Management) with
an on-premise LDAP (Lightweight Directory Access Protocol) directory service?

A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between
AWS and LDAP.

C. Use AWS Security Token Service from an identity broker to issue short-lived AWS
credentials.

D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are
updated.

E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance
types

When using the following AWS services, which should be implemented in multiple
Availability Zones for high availability solutions?

Choose 2 answers

A. Amazon DynamoDB

B. Amazon Elastic Compute Cloud (EC2)

C. Amazon Elastic Load Balancing (ELB)

D. Amazon Simple Notification Service (SNS)

E. Amazon Simple Storage Service (S3)

You launch an Amazon EC2 instance without an assigned AVVS identity and Access
Management (IAM) role. Later, you decide that the instance should be running with an IAM
role. Which action must you take in order to have a running Amazon EC2 instance with an
IAM role assigned to it?

A. Create an image of the instance, and register the image with an IAM role assigned and an
Amazon EBS volume mapping.

B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to
the running instance.

C. Create an image of the instance, add a new IAM role with the same permissions as the
desired IAM role, and deregister the image with the new role assigned.

D. Create an image of the instance, and use this image to launch a new instance with the
desired IAM role assigned.

In order to optimize performance for a compute cluster that requires low inter-node latency,
which of the following feature should you use?

A. Multiple Availability Zones

B. AWS Direct Connect

C. EC2 Dedicated Instances

D. Placement Groups

E. VPC private subnets

Please select the Amazon EC2 resource which can be tagged.

A. key pairs

B. Elastic IP addresses

C. Placement groups

D. Amazon EBS snapshots

What are characteristics of Amazon S3?

Choose 2 answers

A. S3 allows you to store objects of virtually unlimited size.

B. S3 offers Provisioned IOPS.

C. S3 allows you to store virtually unlimited amounts of data.

D. S3 should be used to host a relational database.

E. Objects are directly accessible via a URL

How can you secure data at rest on an EBS volume?

A. Attach the volume to an instance using EC2's SSL interface.

B. Write the data randomly instead of sequentially.

C. Encrypt the volume using the S3 server-side encryption service.

D. Create an IAM policy that restricts read and write access to the volume.

E. Use an encrypted file system (EFS) on top of the EBS volume.

Which Amazon Elastic Compute Cloud feature can you query from within the instance to
access instance properties?

A. Instance user data

B. Resource tags

C. Instance metadata
D. Amazon Machine Image

After creating a new IAM user which of the following must be done before they can
successfully make API calls?

A. Add a password to the user.

B. Enable Multi-Factor Authentication for the user.

C. Assign a Password Policy to the user.

D. Create a set of Access Keys for the user.

A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as
part of their backup and archive infrastructure. The customer plans to use third-party software
to support this integration. Which approach will limit the access of the third-party software to
only the Amazon S3 bucket named "companybackup"?

A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive
"company-backup"

B. A custom bucket policy limited to the Amazon S3 API in "company-backup"

C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive
"company-backup".

D. A custom IAM user policy limited to the Amazon S3 API in "company-backup".

A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same
region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks.
The company wants to push minor code releases from Dev to Prod to speed up time to
market. Which of the following options helps the company accomplish this?

A. Create a new peering connection Between Prod and Dev along with appropriate
routes.

B. Create a new entry to Prod in the Dev route table using the peering connection as the
target.

C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the
gateway as the target.

D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables
contain local routes for all VPCs.

A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS
instance and send real-time alerts to their operations team. Which AWS services can
accomplish this?

Choose 2 answers
A. Amazon Simple Email Service

B. Amazon CloudWatch

C. Amazon Simple Queue Service

D. Amazon Route 53

E. Amazon Simple Notification Service

A company needs to deploy services to an AWS region which they have not previously used.
The company currently has an AWS identity and Access Management (IAM) role for the
Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB.
The company wants their EC2 instances in the new region to have the same privileges. How
should the company achieve this?

A. Create a new IAM role and associated policies within the new region

B. Assign the existing IAM role to the Amazon EC2 instances in the new region

C. Copy the IAM role and associated policies to the new region and attach it to the instances

D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region
using the AMI Copy feature

An existing application stores sensitive information on a non-boot Amazon EBS data volume
attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches
would protect the sensitive data on an Amazon EBS volume?

A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with
AWS CloudHSM. Re-mount the Amazon EBS volume.

B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new
volume. Delete the old Amazon EBS volume.

C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon
EBS volume.

D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted
Amazon EBS volume. Mount the Amazon EBS volume

A customer has a single 3-TB volume on-premises that is used to hold a large repository of
images and print layout files. This repository is growing at 500 GB a year and must be
presented as a single logical volume. The customer is becoming increasingly constrained with
their local storage capacity and wants an off-site backup of this data, while maintaining low-
latency access to their frequently accessed data. Which AWS Storage Gateway configuration
meets the customer requirements?

A. Gateway-Cached volumes with snapshots scheduled to Amazon S3

B. Gateway-Stored volumes with snapshots scheduled to Amazon S3

C. Gateway-Virtual Tape Library with snapshots to Amazon S3

D. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

You are deploying an application to track GPS coordinates of delivery trucks in the United
States. Coordinates are transmitted from each delivery truck once every three seconds. You
need to design an architecture that will enable real-time processing of these coordinates from
multiple consumers. Which service should you use to implement data ingestion?

A. Amazon Kinesis

B. AWS Data Pipeline

C. Amazon AppStream

D. Amazon Simple Queue Service

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows
application sign-in using an OpenID Connect-compatible identity provider. Which AWS
Security Token Service approach to temporary access should you use for the Amazon S3
operations?

A. SAML-based Identity Federation

B. Cross-Account Access

C. AWS Identity and Access Management roles

D. Web Identity Federation

You manually launch a NAT AMI in a public subnet. The network is properly configured.
Security groups and network access control lists are property configured. Instances in a
private subnet can access the NAT. The NAT can access the Internet. However, private
instances cannot access the Internet. What additional step is required to allow access from the
private instances?

A. Enable Source/Destination Check on the private Instances.

B. Enable Source/Destination Check on the NAT instance.

C. Disable Source/Destination Check on the private instances.

D. Disable Source/Destination Check on the NAT instance.

A company is deploying a two-tier, highly available web application to AWS. Which service
provides durable storage for static content while utilizing lower Overall CPU resources for
the web tier?
A. Amazon EBS volume

B. Amazon S3

C. Amazon EC2 instance store

D. Amazon RDS instance

You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in
service. However, your web browser times out when connecting to the load balancer's DNS
name. Which options are probable causes of this behavior?

Choose 2 answers

A. The load balancer was not configured to use a public subnet with an Internet
gateway configured

B. The Amazon EC2 instances do not have a dynamically allocated private IP address

C. The security groups or network ACLs are not property configured for web traffic.

D. The load balancer is not configured in a private subnet with a NAT instance.

E. The VPC does not have a VGW configured.

A company is deploying a new two-tier web application in AWS. The company has limited
staff and requires high availability, and the application requires complex queries and table
joins. Which configuration provides the solution for the company's requirements?

A. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone

B. Amazon RDS for MySQL with Multi-AZ

C. Amazon ElastiCache

D. Amazon DynamoDB

You have a distributed application that periodically processes large volumes of data across
multiple Amazon EC2 Instances. The application is designed to recover gracefully from
Amazon EC2 instance failures. You are required to accomplish this task in the most cost-
effective way.

Which of the following will meet your requirements?

A. Spot Instances

B. Reserved instances

C. Dedicated instances
D. On-Demand instances

A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that
is not connected to their corporate network. They are connecting to the VPC over the Internet
to manage all of their Amazon EC2 instances running in both the public and private subnets.
They have only authorized the bastion-securitygroup with Microsoft Remote Desktop
Protocol (RDP) access to the application instance security groups, but the company wants to
further limit administrative access to all of the instances in the VPC. Which of the following
Bastion deployment scenarios will meet this requirement?

A. Deploy a Windows Bastion host on the corporate network that has RDP access to all
instances in the VPC.

B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow
SSH access to the bastion from anywhere.

C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and
restrict RDP access to the bastion from only the corporate public IP addresses.

D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public
subnet, and allow RDP access to the bastion from only the corporate public IP
addresses.

Which of the following statements are true about Amazon Route 53 resource records?

Choose 2 answers

A. An Alias record can map one DNS name to another Amazon Route 53 DNS name.

B. A CNAME record can be created for your zone apex.

C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.

D. TTL can be set for an Alias record in Amazon Route 53. E. An Amazon Route 53 Alias
record can point to any DNS record hosted anywhere.

You have a content management system running on an Amazon EC2 instance that is
approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2
instance?

A. Create a load balancer, and register the Amazon EC2 instance with it

B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the
origin

C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action

D. Create a launch configuration from the instance using the CreateLaunchConfiguration

action
With which AWS orchestration service can you implement Chef Recipes?

A. CloudFormation

B. Elastic Beanstalk

C. Opsworks

D. Lambda

What events can be triggered by an AWS Lambda function?

Object uploads to Amazon S3

Amazon SNS notifications

API actions

You are designing a web application that stores static assets in an Amazon Simple Storage
Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests
per second. What should you do to ensure optimal performance?

A. Use multi-part upload.

B. Add a random prefix to the key names.

C. Amazon S3 will automatically manage performance at this scale.

D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in
the key names

In the shared security model, AWS is responsible for which of the following security best
practices (check all that apply):

Penetration testing

Operating system account security management

Threat modeling

User group access management

Static code analysis

Your AWS environment contains several reserved EC2 instances dedicated to a project that
has just been canceled. Your supervisor wants to stop incurring charges for these reserved
instances immediately and recuperate as much of the reserved instance cost as possible.

What can you do to avoid being charged for them?

Choose the 2 correct answers:

A. What are characteristics of Amazon S3

B. Terminate the instances as soon as possible

C. Sell the reserved instances on the AWS Reserved Instance Marketplace

D. Stop the instances as soon as possible

What URL might you query on an EC2 instance in order to find the public AND private IP
address of an instance?

A. http://169.254.169.254/latest/meta-data/

B. http://169.254.169.254/latest/user-data/

C. http://169.254.169.169/latest/meta-data/

D. http://169.254.169.169/latest/meta-data/

You design an application that checks for new items in an S3 bucket once per hour. If new
items exist, a message is added to an SQS queue. You have several EC2 instances which
retrieve messages from the SQS queue, parse the file, and send you an email containing the
relevant information from the file. You upload one test file to the bucket, wait a couple hours
and find that you have hundreds of emails from the application. What is the most likely cause
for this volume of email?

A. This is expected behavior when using short polling because SQS does not guarantee that
there will not be duplicate messages processed.

B. Your application does not issue a delete command to the SQS queue after processing
the message.

C. You can only have one EC2 instance polling the SQS queue at a time.

This is expected behavior when using long polling because SQS does not guarantee that there
will not be duplicate messages processed. What is true about EBS?

(choose 3 correct answers)

A. You can share the snapshot with other AWS accounts

B. The snapshots are just stored as another EBS volume

C. Snapshots are automatically encrypted

D. The snapshots are stored in S3

E. Snapshots are incremental in nature and only

You are excited to have just been employed by a large scientific institution that is at the
cutting edge of high-performance computing. Your first job is to launch 10 Large EC2
instances which will all be used to crunch huge amounts of data and will also need to pass
this data back and forth between each other. Which of the following would be the most
efficient setup to achieve this?

A. Use the largest EC2 instances currently available on AWS, but make sure they are all in
the same Availability Zone

B. Use Placement Groups and launch the 10 instances at the same time.

C. Use Placement Groups. Make sure the 10 Instances are spread evenly across Availability
Zones.

D. Use the largest EC2 instances currently available on AWS, but make sure they are all in
the same region.

You’re building a mobile application game. The application needs permissions for each user
to communicate and store data in DynamoDB tables. What is the best method for granting
each mobile device that installs your application to access DynamoDB tables for storage
when required?

A. Create an IAM group that only gives access to your application and to the DynamoDB
tables. Then, when writing to DynamoDB, simply include the unique device ID to associate
the data with that specific user.

B. Create an IAM role with the proper permission policy to communicate with the
DynamoDB table. Use web identity federation, which assumes the IAM role using
AssumeRoleWithWebIdentity, when the user signs in, granting temporary security
credentials using STS.

C. Create an Active Directory server and an AD user for each mobile application user. When
the user signs into the AD sign-on, allow the AD server to federate using SAML 2.0 to IAM
and assign a role to the AD user which is the assumed with AssumeRoleWithSAML

D. BCJC should create a new stack that contains the Python application code and manages
separate deployments of the application via the secondary stack using the deploy lifecycle
action to implement the application code.

A user has created a VPC with public and private subnets using the VPC wizard. The user has
not launched any instance manually and is trying to delete the VPC. What will happen in this
scenario?

A. It will not allow to delete the VPC since it has a running route instance

B. It will terminate the VPC along with all the instances launched by the wizard

C. It will not allow to delete the VPC as it has subnets with route tables

D. It will not allow to delete the VPC since it has a running NAT instance
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A
user can create a subnet with VPC and launch instances inside that subnet. If the user has
created a public-private subnet, the instances in the public subnet can receive inbound traffic
directly from the Internet, whereas the instances in the private subnet cannot. If these subnets
are created with Wizard, AWS will create a NAT instance with an elastic IP. If the user is
trying to delete the VPC it will not allow as the NAT instance is still running.

Which AWS services that you can access to underlying host? (Multiple choice)

A. ElastiCache

B. EMR

C. EC2

D. DynamoDB

E. Elastic Beanstalk

F. RDS

What are the characteristics of Dynamo DB? (choose 3 correct answers)

A. It is used for SQL databases like SQL Server, MySQL, Oracle

B. Gives you a fast and predictable performance with seamless scalability

C. When reading data from Amazon DynamoDB, users can specify whether they want
the read to

be eventually consistent or strongly consistent

D. It is a managed service provided by AWS

E. There is a limit of stored data or throughput of data

An instance is launched in private VPC subnet. All security, NACL and routing definition
configured as expected. A custom NAT instance is launched. Which of the following answer
is right for configuring custom NAT instance?

A. NAT instance should have public is address configured

B. Source/Destination check should be disabled

C. NAT instance should be launched in public subnet

D. NAT instance should have elastic IP address configured

You are configuring a new VPC for one of your client for a cloud migration project. Only a
public VPN will be in place. After you created your VPC, you created a new subnet, a new
internet gateway and attached your internet gateway with your VPC. As you created your first
instance in to your VPC, you realized that you cannot connect the instance even it is
configured with elastic IP. What should be done to access the instance?

A. A route should be created as 0.0.0.0/0 and your internet gateway as target

B. A NACL should be created and allow all outbound traffic

C. A NAT instance should be created, and all traffic should be forwarded to NAT instance

D. Attach another ENI to instance and connect via new ENI

How can an instance be copied to another region?

A. There is no way to copy an instance to another region

B. First instance's root volume is detached. Then a new instance is created in another region.
Finally, detached volume can be attached to new instance as root device

C. By stopping instance and using copy option

D. By creating an AMI and copy it to another region

What is the most secure option to connect to instances without Internet connectivity in private
subnet VPC?

A. Enable internet connectivity and configure NACL and security group to connect to the
instances

B. Enable internet connectivity and configure security group to connect to the instances

C. Using a bastion host server to connect to the instances

D. Configure IAM policy to restrict access to the instances

Which record type queries are free when using Route 53?

A. TXT

B. MX

C. Alias

D. AAAA

About the charge of Elastic IP Address, which of the following is true?

A. Elastic IP addresses can always be used with no charge.

B. You can have one Elastic IP (EIP) address associated with a running instance at no charge.
C. You can have 5 Elastic IP addresses per region with no charge.

D. You are charged for each Elastic IP addressed.

You have assigned one Elastic IP to your EC2 instance. Now we need to restart the VM
without EIP changed. Which of below you should not do?

A. Reboot and stop/start both works.

B. When the instance is in VPC public subnets, stop/start works.

C. When the instance is in VPC private subnet, stop/start works.

D. Reboot the instance.

Which of the below mentioned steps will not be performed while creating the AMI of
instance stored-backend?

A. Define the AMI launch permissions.

B. Register the AMI

C. Bundle the volume

D. Upload the bundled volume

Which of the following are features of enhanced networking? (Choose 3 answers)

A. More Packets Per Second (PPS)

B. Lower latency

C. Multiple network interfaces

D. Border Gateway Protocol (BGP) routing

E. Less jitter

The user just started an instance at 3 PM. Between 3 PM to 5 PM, he stopped and started the
instance twice. During the same period, he has run the Linux reboot command by SSH once
and triggered reboot from AWS console once. For how many instance hours will AWS charge
this user?

A. 2

B. 3

C. 4

D. 5
How can we attach our instance store volume to another instance?

A. We can stop the instance. Detach the volume. And attach to another instance

B. We can use "force detach" and then attach to another instance

C. We can use "detach volume" and then attach to another instance.

D. We cannot detach or attach instance store volume

You have an Amazon Elastic Cloud Compute (EC2) security group with several running EC2
instances. You change the security group rules to allow inbound traffic on a new port and
protocol, and launch several new instances in the same security group. The new rules apply:

A. To all instances, but it may take several minutes for old instances to see the changes.

B. Immediately to the new instances only.

C. Immediately to all instances in the security group

D. Immediately to the new instances, but old instances must be stopped and restarted before
the new rules apply.

How can software determine the public and private IP addresses of the Amazon Elastic Cloud
Compute instance that it is running on?

A. Use an ipconfig or ifconfig command

B. Query the local instance metadata.

C. Query the local instance userdata.

D. Query the appropriate Amazon CloudWatch metric.

You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to
$0.06/hr. and your Spot Instance is terminated by AWS. What was the total EC2 compute cost
of running your Spot Instance?

A. $0.02

B. $0.00

C. $0.05

D. $0.06

E. $0.025

(Note: if you bid on a price, and AWS restart the instances for marketplace and price changes
within the marketplace, the customer pays the CURRENT price). Similar question but bid
starts at $0.20/hr. and you bid $0.22/hr., after 90 minutes, the instance is terminated by AWS
and new price is $0.22/hr. Which price would you pay? ANS: $0.25. Anytime instance restart,
Amazon charges you per hour. So 90 minutes, user will be charged for 2hrs.

You have an Amazon Virtual Private Cloud (VPC) with a public subnet. Three Amazon
Elastic Compute Cloud (EC2) instances currently running inside the subnet can successfully
communicate with other hosts on the Internet. You launch a fourth instance in the same
subnet, using the same Amazon Machine Image (AMI) and security group configuration you
used for the others, but find that this instance cannot be accessed from the Internet. What
should you do to enable Internet access?

A. Deploy a NAT instance into the public subnet

B. Modify the routing table for the public subnet

C. Assign an elastic IP address to the fourth instance

D. Configure a publicly routable IP address in the host OS of the fourth instance.

A startup company hired you to help them build a mobile application, that will ultimately
store billions of images and videos in Amazon Simple Storage Service (S3). The company is
lean on funding, and wants to minimize operational costs, however, they have an aggressive
marketing plan, and expect to double their current installation base every six months. Due to
the nature of their business, they are expecting sudden and large increases in the traffic to and
from S3, and need to ensure that it can handle the performance needs of their application.
What other information must you gather from this customer in order to determine whether S3
is the right option?

A. In order to build the key namespace correctly, you must understand the total amount of
storage needs for each S3 bucket.

B. You must find out the total number of requests per second at peak usage.

C. You must know how many customers the company has today, because this is critical in
understanding what their customer base will be in two years.

D. You must know the size of individual objects being written to S3, in order to properly
design the key namespace.

You are deploying an application an Amazon Elastic Cloud Compute (EC2) that must call
AWS APIs. What method of securely passing credentials to the application should you use?

A. Embed the API credentials into your JAR files.

B. Pass API credentials to the instance using instance user data.

C. Store API credentials as an object in Amazon Simple Storage Service

D. Use AWS Identity and Access Management roles for EC2 instances
A VPC public subnet is one that:

A. Includes a route in its associated routing table via a Network Address Translation (NAT)
instance.

B. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0

C. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).

D. Has the Public Subnet option selected in its configuration.

In reviewing the Auto Scaling events for your application, you notice that your application is
scaling up and down multiple times in the same hour. What design choice could you make to
optimize for cost while preserving elasticity? (Choose 3 answers)

A. Modify the Auto Scaling group termination policy to terminate the oldest instance first.

B. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down
policy.

C. Modify the Auto Scaling group termination policy to terminate the newest instance first

D. Modify the Auto Scaling policy to use scheduled scaling actions.

E. Modify the Auto Scaling group cool-down timers.

What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection
between an on-premises data center and an Amazon VPC virtual private gateway?

A. Modify the main route table to allow traffic to a network address translation instance.

B. Assign a static Internet-routable IP address to an Amazon VPC customer gateway.

C. Establish a dedicated networking connection using AWS Direct Connect.

D. Use a dedicated network address translation instance in the public subnet

Which of the following is a durable key-value store?

A. Amazon Simple Queue Service

B. Amazon Simple Workflow Service

C. Amazon Simple Storage Service

D. Amazon Simple Notification Service

You have an application running in us-west-2 that requires six Amazon Elastic Compute
Cloud (EC2) instances running at all times. With three AZs available in that region (us-west-
2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent
fault tolerance if any single AZ in us-west-2 becomes unavailable? (Choose 2 answers)

A. Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c
with two EC2 instances

B. Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c
with two EC2-instances

C. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c
with no EC2 instances

D. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-
2c with three EC2 instances.

E. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c
with no EC2 instances

Which route must be added to your routing table to allow connections to the Internet from
your subnet?

A. Destination: 0.0.0.0/0 --> Target: 0.0.0.0/32

B. Destination: 192.168.1.257/0 --> Target: your Internet gateway

C. Destination: 0.0.0.0/0 --> Target: your Internet gateway

D. Destination: 10.0.0.0/32 --> Target: your virtual private gateway

E. Destination: 0.0.0.0/32 --> Target: your virtual private gateway

What are the characteristics of Subnet? (choose 2 correct answers)

A. A subnet can be across multiple availability zones

B. Default subnets are assigned a /16 netblocks

C. Network traffic entering and exiting each subnet can be allowed or denied via network
Access Control Lists (ACLs)

D. A subnet can be across multiple regions

E. Default subnets are assigned a /20 netblocks

In Which case do you have full authority of the underlying host? (choose 2 correct answers)

A. EC2

B. EMR (Elastic Map Reduce)

C. Simple DB

D. Dynamo DB

E. RDS

After the Government organization you work for suffers it’s 3rd DDOS attack of the year you
have been handed one part of a strategy to try and stop this from happening again. You have
been told that your job is to minimize the attack surface area. You do have a vague idea of
some of the things you need to put in place to achieve this. Which of the following is NOT
one of the ways to minimize the attack surface area as a DDOS minimization strategy?

A. Eliminate non-critical Internet entry points.

B. Reduce the number of necessary Internet entry points.

C. Configure services such as Elastic Load Balancing and Auto Scaling to automatically
scale.

D. Separate end user traffic from management traffic.

What is the difference between an availability zone and an edge location?

A. Edge locations are used as control stations for AWS resources

B. None of the above

C. An availability zone is an Amazon Resource within an AWS region whereas an edge

location will deliver cached content to the closest location to reduce latency

D. An availability zone is a grouping of AWS resources in a specific region; an edge location

is a specific resource within the AWS region

Which of the following AWS services allow you access to the underlying operating system?

Choose the 2 correct answers:

A. RDS

B. S3

C. EMR

D. Elastic Beanstalk

You are a consultant tasked with migrating an on-premise application architecture to AWS.
During your design process you have to give consideration to current on-premise security and
determine which security attributes you are responsible for on AWS. Which of the follow
does AWS provide for you as part of the shared responsibility model?
Choose the 2 correct answers:

A. Virtualization Infrastructure

B. Instance Security

C. Physical Network Infrastructure

D. User access to the AWS environment

Which is an operational process performed by AWS for data security?

A. Secure wiping of EBS data when an EBS volume is unmounted

B. Background virus scans of EBS volumes and EBS snapshots

C. Background virus scans of EBS volumes and EBS snapshots

D. Decommissioning of storage devices using industry-standard practices

Company B provides an online image recognition service and utilizes SQS to decouple
system components for scalability. The SQS consumer’s readers’ poll the image queue as
often as possible to keep end-to-end throughput as high as possible. However, Company B is
realizing that polling in tight loops is burning CPU cycles and increasing costs with empty
responses. How can company B reduce the number of empty responses?

A. Enable short polling on the SQS queue by setting the ReceiveMessageWaitTimeSeconds

to a number > 0

B. Enable short polling on the SQS message by setting the ReceiveMessageWaitTimeSeconds

to a number = 0

C. Scale the component making the request using auto scaling based off the number of
messages in the queue

D. Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

You need to import several hundred megabytes of data from a local Oracle database to an
Amazon RDS DB instance. What does AWS recommend to use to accomplish this?

A. Oracle Data Pump

B. Oracle Export/Import Utilities

C. DBMSFILETRANSFER

D. Oracle SQL Developer

A user has created a VPC with two subnets: one public and one private. The user is planning
to run the patch update for the instances in the private subnet. How can the instances in the
private subnet connect to the internet?

A. Use the internet gateway with a private IP

B. Allow outbound traffic in the security group for port 80 to allow internet updates

C. The private subnet can never connect to the internet

D. Use NAT with an Elastic IP

A user has created a VPC with public and private subnets using the VPC wizard. Which of
the below mentioned statements is true in this scenario?

A. AWS VPC will automatically create a NAT instance with the micro size

B. VPC bounds the main route table with a public subnet and a custom route table with a
private subnet

C. VPC bounds the main route table with a private subnet and a custom route table with a
public subnet

D. User has to manually create a NAT instance

A user has created a VPC with a subnet and a security group. The user has launched an
instance in that subnet and attached a public IP. The user is still unable to connect to the
instance. The internet gateway has also been created. What can be the reason for the error?

A. The internet gateway is not configured with the route table

B. The private IP is not present

C. The internet gateway is not configured with the security group

D. The outbound traffic on the security group is disabled

You are attempting to connect to an instance in Amazon VPC without success you have
already verified that the VPC has an Internet Gateway (IGW) the instance has an associated
Elastic IP (EIP) and correct security group rules are in place. Which VPC component should
you evaluate next?

A. The configuration of the Routing Table

B. The configuration of a NAT instance

C. The configuration of the internet Gateway (IGW)

D. The configuration of SRC/DST checking

After launching an instance that you intend to serve as a NAT (Network Address Translation)
device in a public subnet you modify your route tables to have the NAT device be the target
of internet bound traffic of your private subnet. When you try and make an outbound
connection to the Internet from an instance in the private subnet, you are not successful.
Which of the following steps could resolve the issue?

A. Attaching an Elastic IP address to the instance in the private subnet

B. Disabling the Source/Destination Check attribute on the NAT instance

C. Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in
the private subnet

D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet,
and placing it in the public subnet

An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance’s security group is configured to
allow SSH from any IP address and deny all outbound traffic. What changes need to be made
to allow SSH access to the instance?

A. The outbound network ACL needs to be modified to allow outbound traffic.

B. Both the outbound security group and outbound network ACL need to be modified to
allow outbound traffic.

C. The outbound security group needs to be modified to allow outbound traffic.

D. Nothing, it can be accessed from any IP address using SSH.

You are currently hosting multiple applications in a VPC and have logged numerous port
scans coming in from a specific IP address block. Your security team has requested that all
access from the offending IP address block be denied for the next 24 hours. Which of the
following is the best method to quickly and temporarily deny access from the specified IP
address block?

A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny
access from the IP address block

B. Modify the Network ACLs associated with all public subnets in the VPC to deny access
from the IP address block

C. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your
organization uses in that VPC to deny access from the IP address block

D. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block

You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC)
in the same Availability Zone (AZ) but in different subnets. One instance is running a
database and the other instance an application that will interface with the database. You want
to confirm that they can talk to each other for your application to work properly. Which two
things do we need to confirm in the VPC settings so that these EC2 instances can
communicate inside the VPC? Choose 2 answers

A. That the default route is set to a NAT instance or Internet Gateway (IGW) for them to
communicate.

B. Both instances are the same instance class and using the same Key-pair.

C. A network ACL that allows communication between the two subnets.

D. Security groups are set to allow the application host to talk to the database on the right
port/protocol

When you put objects in Amazon S3, what is the indication that an object was successfully
stored?

A. A success code is inserted into the S3 object metadata.

B. Each S3 account has a special bucket nameds3logs. Success codes are written to this
bucket with a timestamp and checksum.

C. Amazon S3 is engineered for 99.999999999% durability. Therefore, there is no need to

confirm that data was inserted.

D. A HTTP 200 result code and MD5 checksum, taken together, indicate that the operation
was successful.

A company is storing data on Amazon Simple Storage Service (S3). The company’s security
policy mandates that data is encrypted at rest. Which of the following methods can achieve
this?

Choose 3 answers

A. Use Amazon S3 server-side encryption with AWS Key Management Service managed
keys

B. Use Amazon S3 server-side encryption with customer-provided keys

C. Use Amazon S3 bucket policies to restrict access to the data at rest.

D. Use SSL to encrypt the data while in transit to Amazon S3

E. Use Amazon S3 server-side encryption with EC2 key pair.

F. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master
key

When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the
data on the root volume?
A. Data is automatically deleted

B. Data is automatically saved as an EBS snapshot.

C. Data is automatically saved as an EBS volume.

D. Data is unavailable until the instance is restarted

In AWS, which security aspects are the customer’s responsibility? Choose 4 answers

A. Life-cycle management of IAM credentials

B. Patch management on the EC2 instances operating system

C. Encryption of EBS (Elastic Block Storage) volumes

D. Decommissioning storage devices (AWS responsibility)

E. Security Group and ACL (Access Control List) settings

F. Controlling physical access to compute resources (AWS responsibility)

A customer is hosting their company website on a cluster of web servers that are behind a
public-facing load balancer. The customer also uses Amazon Route 53 to manage their public
DNS. How should the customer configure the DNS zone apex record to point to the load
balancer?

A. Create an A record aliased to the load balancer DNS name

B. Create a CNAME record aliased to the load balancer DNS name.

C. Create an A record pointing to the IP address of the load balancer

D. Create a CNAME record pointing to the load balancer DNS name.

For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2
an appropriate solution? Choose 2 answers

A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet
of sensors

B. Managing a multi-step and multi-decision checkout process of an e-commerce website

C. Orchestrating the execution of distributed and auditable business processes

D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video

transcoding jobs

E. Using as a distributed session store for your web application

Which procedure for backing up a relational database on EC2 that is using a set of RAIDED
EBS volumes for storage minimizes the time during which the database cannot be written to
and results in a consistent backup?

F. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes

G. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4.
Resume disk I/O

H. Stop the EC2 Instance. 2. Snapshot the EBS volumes

I. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O

J. Orchestrating the execution of distributed and auditable business processes

using as an SNS (Simple Notification Service) endpoint to trigger execution of video

transcoding jobs

K. using as a distributed session store for your web application

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only
private subnets, and VPC-2 contains only public subnets. The company uses a single AWS
Direct Connect connection and private virtual interface to connect their on-premises network
with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1?
Choose 2 answers

A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network.
(Peered VPC does not support Edge to Edge Routing)

B. Establish a hardware VPN over the internet between VPC-1 and the on-premises
network

C. Establish a new AWS Direct Connect connection and private virtual interface in the same
region as VPC-2 (Peered VPC does not support Edge to Edge Routing)

D. Establish a new AWS Direct Connect connection and private virtual interface in a different
AWS region than VPC-1 (need to be in the same region as VPC-1)

E. Establish a new AWS Direct Connect connection and private virtual interface in the
same AWS region as VPC-1