Documente Academic
Documente Profesional
Documente Cultură
1. Fully Managed
Scales effortlessly
----------------------------------------------------------------------------------------------------------------
------------
What does this Error mean "Origin Policy cannot be ready at the remote resource”?
You are developing a highly available web application using stateless web servers. Which
services are suitable for storing session state data? Choose 3 answers.
C. CloudWatch
D. ElastiCache
E. DynamoDB
A: DynamoDB
B: RDS
C: S3
D: Elastic Cache
A: Elastic Cache
D: DynamoDB
A: Dynamo DB
B: Elastic Cache
Kinesis stream
Which service allows you to process nearly limitless streams of data in flight?
A. Kinesis Firehose
C. Redshift
D. Kinesis Streams
Your entire AWS infrastructure lives inside of one Amazon VPC You have an Infrastructure
monitoring application running on an Amazon instance in Availability Zone (AZ) A of the
region, and another application instance running in AZ B. The monitoring application needs
to make use of ICMP ping to confirm network reachability of the instance hosting the
application.
Can you configure the security groups for these instances to only allow the ICMP ping to
pass from the monitoring instance to the application instance and nothing else” If so how?
A. No Two instances in two different AZ’s can’t talk directly to each other via ICMP ping as
that protocol is not allowed across subnet (iebroadcast) boundaries
B. Yes Both the monitoring instance and the application instance have to be a part of the same
security group, and that security group needs to allow inbound ICMP
C. Yes, the security group for the monitoring instance needs to allow outbound ICMP
and the application instance’s security group needs to allow Inbound ICMP
D. Yes, Both the monitoring instance’s security group and the application instance’s security
group need to allow both inbound and outbound ICMP ping packets since ICMP is not a
connection-oriented protocol
Choose the correct AWS database service for the following requirements:
Large volumes of structured data to persist and query using standard SQL and existing
Business Intelligence tools
B. Amazon RDS
C. Amazon ElastiCache
D. Amazon Redshift
Comments:
You have an existing website called example.com that points to a specific IP address. You
now want to create three sub domains that point to the same IP address. To reduce
maintenance which domain record type should you choose?
A. CNAME
B. A
C. MX
D. TXT
Amazon Elastic Block Store (Amazon EBS) volumes provide durable block-level storage for
use with Amazon EC2 instances (virtual machines). Amazon EBS volumes are off-instance
storage that persists independently from the running life of a single Amazon EC2 instance.
Which type would you choose for I/O-intensive workloads, relational databases, and NoSQL
databases?
A. List of usernames
B. List of protocols
C. IP address ranges
D. Ports
Which of the following is the correct statement regarding Availability Zones?
B. A distinct location within a region that is insulated from failures in other Availability
Zones
A. CloudFront
B. ELB
C. SES
D. SQS
Which service provides an automated security assessment that helps improve the security and
compliance of applications deployed on AWS. The service automatically assesses
applications for vulnerabilities or deviations from best practices.
A. Amazon Redshift
B. EC2
C. Elastic Beanstalk
D. Amazon Inspector
Which product is ideal for transferring anywhere from terabytes to many petabytes of data in
and out of the AWS cloud securely, especially in cases where you don’t want to make
expensive upgrades to your network infrastructure, frequently experience large backlogs of
data, are in a physically isolated environment, or are in an area where high-speed Internet
connections are not available or cost-prohibitive. In general, if loading your data over the
Internet would take a week or more, you should consider what?
A. Amazon S3
B. AWS Snowball
D. Amazon CloudFront
You have developed a new web application that offers users the chance to buy music at a
discounted rate through partnerships with local recording companies. You want to host this
app in AWS but you don't want the overhead of managing the infrastructure. Which option
should you choose?
A. EC2
B. CloudFront
C. Amazon Redshift
Amazon Glacier is an extremely low-cost storage service that provides highly secure,
durable, and flexible storage for data archiving and online backup.
Which of the following will you NOT be charged for when using Glacier?
Which service would you use to control access to content by allowing or blocking web
requests based on criteria that you specify, such as header values or the IP addresses that the
requests originate from. This service helps to protect against common web exploits that could
affect application availability, compromise security, or consume excessive resources.
A. EC2
B. S3
C. CloudFront
Which of the below instances is used normally for massive parallel computations?
A. Spot Instances
B. On-Demand Instances
C. Dedicated Instances
DDoS attacks at their core create an availability problem, as the goal of attackers is to render
resources unusable for legitimate end users. Consequently, you can leverage failover
capabilities within AWS to reduce your vulnerability to availability problems caused by
DDoS attacks.
B. SYN flood
C. None of these
D. UDP flood
You are working with a customer who has 10 TB of archival data that they want to migrate to
Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or
feature provides the fastest method of getting the data into Amazon Glacier?
C. VM Import/Export
D. AWS Import/Export
An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto
Scaling needs to terminate an EC2 instance by default, Auto Scaling will:
Choose 2 answers
A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before
terminating the instance.
B. Terminate the instance with the least active network connections. If multiple instances
meet this criterion, one will be randomly selected.
E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.
An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance's security group is configured to
allow SSH from any IP address and deny all outbound traffic. What changes need to be made
to allow SSH access to the instance?
D. Both the outbound security group and outbound network ACL need to be modified to
allow outbound traffic
A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content
for a web-based property. The customer is storing objects using the Standard Storage class.
Where are the customers objects replicated?
Which services allow the customer to retain full administrative privileges of the underlying
EC2 instances? Choose 2 answers
C. Amazon ElastiCache
D. Amazon DynamoDB
You are working with a customer who is using Chef Configuration management in their data
center. Which service is designed to let the customer leverage existing Chef recipes in AWS?
C. AWS CloudFormation
D. AWS OpsWorks
How can an EBS volume that is currently attached to an EC2 instance be migrated from one
Availability Zone to another?
A. Detach the volume and attach it to another EC2 instance in the other AZ.
B. Simply create a new volume in the other AZ and specify the original volume as the source.
C. Create a snapshot of the volume, and create a new volume from the snapshot in the
other AZ.
D. Detach the volume, then use the ec2-migrate-voiume command to move it to another AZ.
A client application requires operating system privileges on a relational database server. What
is an appropriate configuration for a highly available database architecture?
Choose 2
D. By default, all subnets can route between each other, whether they are private or public.
E. Instances in a private subnet can communicate with the Internet only if they have an
Elastic IP
You have a web application running on six Amazon EC2 instances, consuming about 45% of
resources on each instance. You are using auto-scaling to make sure that six instances are
running at all times. The number of requests this application processes is consistent and does
not experience spikes. The application is critical to your business and you want high
availability at all times. You want the load to be distributed evenly between all instances. You
also want to use the same Amazon Machine Image (AMI) for all instances. Which of the
following architectural choices should you make?
A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer.
B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic
Load Balancer.
C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone
and use Amazon Elastic Load Balancer.
D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.
You run an ad-supported photo sharing website using S3 to serve photos to visitors of your
site. At some point you find out that other sites have been linking to the photos on your site,
causing loss to your business. What is an effective method to mitigate this?
A. Remove public read access and use signed URLs with expiry dates.
You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances
running in your VPC. Only clients connecting from the corporate external public IP address
72.34.51.100 should have SSH access to the host. Which option will meet the customer
requirement?
A. Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source
72.34.51.100/32
B. Security Group Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32
C. Network ACL Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32
D. Network ACL Inbound Rule: Protocol - TCP, Port Range-22, Source 72.34.51.100/0
You have decided to change the instance type for instances running in your application tier
that is using Auto Scaling. In which area below would you change the instance type
definition?
Which technique can be used to integrate AWS IAM (Identity and Access Management) with
an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between
AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS
credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are
updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance
types
When using the following AWS services, which should be implemented in multiple
Availability Zones for high availability solutions?
Choose 2 answers
A. Amazon DynamoDB
You launch an Amazon EC2 instance without an assigned AVVS identity and Access
Management (IAM) role. Later, you decide that the instance should be running with an IAM
role. Which action must you take in order to have a running Amazon EC2 instance with an
IAM role assigned to it?
A. Create an image of the instance, and register the image with an IAM role assigned and an
Amazon EBS volume mapping.
B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to
the running instance.
C. Create an image of the instance, add a new IAM role with the same permissions as the
desired IAM role, and deregister the image with the new role assigned.
D. Create an image of the instance, and use this image to launch a new instance with the
desired IAM role assigned.
In order to optimize performance for a compute cluster that requires low inter-node latency,
which of the following feature should you use?
D. Placement Groups
A. key pairs
B. Elastic IP addresses
C. Placement groups
Choose 2 answers
D. Create an IAM policy that restricts read and write access to the volume.
Which Amazon Elastic Compute Cloud feature can you query from within the instance to
access instance properties?
B. Resource tags
C. Instance metadata
D. Amazon Machine Image
After creating a new IAM user which of the following must be done before they can
successfully make API calls?
A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as
part of their backup and archive infrastructure. The customer plans to use third-party software
to support this integration. Which approach will limit the access of the third-party software to
only the Amazon S3 bucket named "companybackup"?
A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive
"company-backup"
C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive
"company-backup".
A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same
region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks.
The company wants to push minor code releases from Dev to Prod to speed up time to
market. Which of the following options helps the company accomplish this?
A. Create a new peering connection Between Prod and Dev along with appropriate
routes.
B. Create a new entry to Prod in the Dev route table using the peering connection as the
target.
C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the
gateway as the target.
D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables
contain local routes for all VPCs.
A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS
instance and send real-time alerts to their operations team. Which AWS services can
accomplish this?
Choose 2 answers
A. Amazon Simple Email Service
B. Amazon CloudWatch
D. Amazon Route 53
A company needs to deploy services to an AWS region which they have not previously used.
The company currently has an AWS identity and Access Management (IAM) role for the
Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB.
The company wants their EC2 instances in the new region to have the same privileges. How
should the company achieve this?
A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region
using the AMI Copy feature
An existing application stores sensitive information on a non-boot Amazon EBS data volume
attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches
would protect the sensitive data on an Amazon EBS volume?
A. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with
AWS CloudHSM. Re-mount the Amazon EBS volume.
B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new
volume. Delete the old Amazon EBS volume.
C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon
EBS volume.
D. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted
Amazon EBS volume. Mount the Amazon EBS volume
A customer has a single 3-TB volume on-premises that is used to hold a large repository of
images and print layout files. This repository is growing at 500 GB a year and must be
presented as a single logical volume. The customer is becoming increasingly constrained with
their local storage capacity and wants an off-site backup of this data, while maintaining low-
latency access to their frequently accessed data. Which AWS Storage Gateway configuration
meets the customer requirements?
You are deploying an application to track GPS coordinates of delivery trucks in the United
States. Coordinates are transmitted from each delivery truck once every three seconds. You
need to design an architecture that will enable real-time processing of these coordinates from
multiple consumers. Which service should you use to implement data ingestion?
A. Amazon Kinesis
C. Amazon AppStream
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows
application sign-in using an OpenID Connect-compatible identity provider. Which AWS
Security Token Service approach to temporary access should you use for the Amazon S3
operations?
B. Cross-Account Access
You manually launch a NAT AMI in a public subnet. The network is properly configured.
Security groups and network access control lists are property configured. Instances in a
private subnet can access the NAT. The NAT can access the Internet. However, private
instances cannot access the Internet. What additional step is required to allow access from the
private instances?
A company is deploying a two-tier, highly available web application to AWS. Which service
provides durable storage for static content while utilizing lower Overall CPU resources for
the web tier?
A. Amazon EBS volume
B. Amazon S3
You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in
service. However, your web browser times out when connecting to the load balancer's DNS
name. Which options are probable causes of this behavior?
Choose 2 answers
A. The load balancer was not configured to use a public subnet with an Internet
gateway configured
B. The Amazon EC2 instances do not have a dynamically allocated private IP address
C. The security groups or network ACLs are not property configured for web traffic.
D. The load balancer is not configured in a private subnet with a NAT instance.
A company is deploying a new two-tier web application in AWS. The company has limited
staff and requires high availability, and the application requires complex queries and table
joins. Which configuration provides the solution for the company's requirements?
C. Amazon ElastiCache
D. Amazon DynamoDB
You have a distributed application that periodically processes large volumes of data across
multiple Amazon EC2 Instances. The application is designed to recover gracefully from
Amazon EC2 instance failures. You are required to accomplish this task in the most cost-
effective way.
A. Spot Instances
B. Reserved instances
C. Dedicated instances
D. On-Demand instances
A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that
is not connected to their corporate network. They are connecting to the VPC over the Internet
to manage all of their Amazon EC2 instances running in both the public and private subnets.
They have only authorized the bastion-securitygroup with Microsoft Remote Desktop
Protocol (RDP) access to the application instance security groups, but the company wants to
further limit administrative access to all of the instances in the VPC. Which of the following
Bastion deployment scenarios will meet this requirement?
A. Deploy a Windows Bastion host on the corporate network that has RDP access to all
instances in the VPC.
B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow
SSH access to the bastion from anywhere.
C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and
restrict RDP access to the bastion from only the corporate public IP addresses.
D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public
subnet, and allow RDP access to the bastion from only the corporate public IP
addresses.
Which of the following statements are true about Amazon Route 53 resource records?
Choose 2 answers
A. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
D. TTL can be set for an Alias record in Amazon Route 53. E. An Amazon Route 53 Alias
record can point to any DNS record hosted anywhere.
You have a content management system running on an Amazon EC2 instance that is
approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2
instance?
A. Create a load balancer, and register the Amazon EC2 instance with it
B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the
origin
C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
A. CloudFormation
B. Elastic Beanstalk
C. Opsworks
D. Lambda
API actions
You are designing a web application that stores static assets in an Amazon Simple Storage
Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests
per second. What should you do to ensure optimal performance?
D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in
the key names
In the shared security model, AWS is responsible for which of the following security best
practices (check all that apply):
Penetration testing
Threat modeling
Your AWS environment contains several reserved EC2 instances dedicated to a project that
has just been canceled. Your supervisor wants to stop incurring charges for these reserved
instances immediately and recuperate as much of the reserved instance cost as possible.
What URL might you query on an EC2 instance in order to find the public AND private IP
address of an instance?
A. http://169.254.169.254/latest/meta-data/
B. http://169.254.169.254/latest/user-data/
C. http://169.254.169.169/latest/meta-data/
D. http://169.254.169.169/latest/meta-data/
You design an application that checks for new items in an S3 bucket once per hour. If new
items exist, a message is added to an SQS queue. You have several EC2 instances which
retrieve messages from the SQS queue, parse the file, and send you an email containing the
relevant information from the file. You upload one test file to the bucket, wait a couple hours
and find that you have hundreds of emails from the application. What is the most likely cause
for this volume of email?
A. This is expected behavior when using short polling because SQS does not guarantee that
there will not be duplicate messages processed.
B. Your application does not issue a delete command to the SQS queue after processing
the message.
C. You can only have one EC2 instance polling the SQS queue at a time.
This is expected behavior when using long polling because SQS does not guarantee that there
will not be duplicate messages processed. What is true about EBS?
A. Use the largest EC2 instances currently available on AWS, but make sure they are all in
the same Availability Zone
B. Use Placement Groups and launch the 10 instances at the same time.
C. Use Placement Groups. Make sure the 10 Instances are spread evenly across Availability
Zones.
D. Use the largest EC2 instances currently available on AWS, but make sure they are all in
the same region.
You’re building a mobile application game. The application needs permissions for each user
to communicate and store data in DynamoDB tables. What is the best method for granting
each mobile device that installs your application to access DynamoDB tables for storage
when required?
A. Create an IAM group that only gives access to your application and to the DynamoDB
tables. Then, when writing to DynamoDB, simply include the unique device ID to associate
the data with that specific user.
B. Create an IAM role with the proper permission policy to communicate with the
DynamoDB table. Use web identity federation, which assumes the IAM role using
AssumeRoleWithWebIdentity, when the user signs in, granting temporary security
credentials using STS.
C. Create an Active Directory server and an AD user for each mobile application user. When
the user signs into the AD sign-on, allow the AD server to federate using SAML 2.0 to IAM
and assign a role to the AD user which is the assumed with AssumeRoleWithSAML
D. BCJC should create a new stack that contains the Python application code and manages
separate deployments of the application via the secondary stack using the deploy lifecycle
action to implement the application code.
A user has created a VPC with public and private subnets using the VPC wizard. The user has
not launched any instance manually and is trying to delete the VPC. What will happen in this
scenario?
A. It will not allow to delete the VPC since it has a running route instance
B. It will terminate the VPC along with all the instances launched by the wizard
C. It will not allow to delete the VPC as it has subnets with route tables
D. It will not allow to delete the VPC since it has a running NAT instance
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A
user can create a subnet with VPC and launch instances inside that subnet. If the user has
created a public-private subnet, the instances in the public subnet can receive inbound traffic
directly from the Internet, whereas the instances in the private subnet cannot. If these subnets
are created with Wizard, AWS will create a NAT instance with an elastic IP. If the user is
trying to delete the VPC it will not allow as the NAT instance is still running.
Which AWS services that you can access to underlying host? (Multiple choice)
A. ElastiCache
B. EMR
C. EC2
D. DynamoDB
E. Elastic Beanstalk
F. RDS
C. When reading data from Amazon DynamoDB, users can specify whether they want
the read to
An instance is launched in private VPC subnet. All security, NACL and routing definition
configured as expected. A custom NAT instance is launched. Which of the following answer
is right for configuring custom NAT instance?
You are configuring a new VPC for one of your client for a cloud migration project. Only a
public VPN will be in place. After you created your VPC, you created a new subnet, a new
internet gateway and attached your internet gateway with your VPC. As you created your first
instance in to your VPC, you realized that you cannot connect the instance even it is
configured with elastic IP. What should be done to access the instance?
C. A NAT instance should be created, and all traffic should be forwarded to NAT instance
B. First instance's root volume is detached. Then a new instance is created in another region.
Finally, detached volume can be attached to new instance as root device
What is the most secure option to connect to instances without Internet connectivity in private
subnet VPC?
A. Enable internet connectivity and configure NACL and security group to connect to the
instances
B. Enable internet connectivity and configure security group to connect to the instances
Which record type queries are free when using Route 53?
A. TXT
B. MX
C. Alias
D. AAAA
B. You can have one Elastic IP (EIP) address associated with a running instance at no charge.
C. You can have 5 Elastic IP addresses per region with no charge.
You have assigned one Elastic IP to your EC2 instance. Now we need to restart the VM
without EIP changed. Which of below you should not do?
Which of the below mentioned steps will not be performed while creating the AMI of
instance stored-backend?
B. Lower latency
E. Less jitter
The user just started an instance at 3 PM. Between 3 PM to 5 PM, he stopped and started the
instance twice. During the same period, he has run the Linux reboot command by SSH once
and triggered reboot from AWS console once. For how many instance hours will AWS charge
this user?
A. 2
B. 3
C. 4
D. 5
How can we attach our instance store volume to another instance?
A. We can stop the instance. Detach the volume. And attach to another instance
You have an Amazon Elastic Cloud Compute (EC2) security group with several running EC2
instances. You change the security group rules to allow inbound traffic on a new port and
protocol, and launch several new instances in the same security group. The new rules apply:
A. To all instances, but it may take several minutes for old instances to see the changes.
D. Immediately to the new instances, but old instances must be stopped and restarted before
the new rules apply.
How can software determine the public and private IP addresses of the Amazon Elastic Cloud
Compute instance that it is running on?
You receive a Spot Instance at a bid of $0.05/hr. After 30 minutes, the Spot Price increases to
$0.06/hr. and your Spot Instance is terminated by AWS. What was the total EC2 compute cost
of running your Spot Instance?
A. $0.02
B. $0.00
C. $0.05
D. $0.06
E. $0.025
(Note: if you bid on a price, and AWS restart the instances for marketplace and price changes
within the marketplace, the customer pays the CURRENT price). Similar question but bid
starts at $0.20/hr. and you bid $0.22/hr., after 90 minutes, the instance is terminated by AWS
and new price is $0.22/hr. Which price would you pay? ANS: $0.25. Anytime instance restart,
Amazon charges you per hour. So 90 minutes, user will be charged for 2hrs.
You have an Amazon Virtual Private Cloud (VPC) with a public subnet. Three Amazon
Elastic Compute Cloud (EC2) instances currently running inside the subnet can successfully
communicate with other hosts on the Internet. You launch a fourth instance in the same
subnet, using the same Amazon Machine Image (AMI) and security group configuration you
used for the others, but find that this instance cannot be accessed from the Internet. What
should you do to enable Internet access?
A startup company hired you to help them build a mobile application, that will ultimately
store billions of images and videos in Amazon Simple Storage Service (S3). The company is
lean on funding, and wants to minimize operational costs, however, they have an aggressive
marketing plan, and expect to double their current installation base every six months. Due to
the nature of their business, they are expecting sudden and large increases in the traffic to and
from S3, and need to ensure that it can handle the performance needs of their application.
What other information must you gather from this customer in order to determine whether S3
is the right option?
A. In order to build the key namespace correctly, you must understand the total amount of
storage needs for each S3 bucket.
B. You must find out the total number of requests per second at peak usage.
C. You must know how many customers the company has today, because this is critical in
understanding what their customer base will be in two years.
D. You must know the size of individual objects being written to S3, in order to properly
design the key namespace.
You are deploying an application an Amazon Elastic Cloud Compute (EC2) that must call
AWS APIs. What method of securely passing credentials to the application should you use?
D. Use AWS Identity and Access Management roles for EC2 instances
A VPC public subnet is one that:
A. Includes a route in its associated routing table via a Network Address Translation (NAT)
instance.
B. Has a Network Access Control List (NACL) permitting outbound traffic to 0.0.0.0/0
C. Has at least one route in its associated routing table that uses an Internet Gateway (IGW).
In reviewing the Auto Scaling events for your application, you notice that your application is
scaling up and down multiple times in the same hour. What design choice could you make to
optimize for cost while preserving elasticity? (Choose 3 answers)
A. Modify the Auto Scaling group termination policy to terminate the oldest instance first.
B. Modify the Amazon CloudWatch alarm period that triggers your Auto Scaling scale down
policy.
C. Modify the Auto Scaling group termination policy to terminate the newest instance first
What action is required to establish an Amazon Virtual Private Cloud (VPC) VPN connection
between an on-premises data center and an Amazon VPC virtual private gateway?
A. Modify the main route table to allow traffic to a network address translation instance.
You have an application running in us-west-2 that requires six Amazon Elastic Compute
Cloud (EC2) instances running at all times. With three AZs available in that region (us-west-
2a, us-west-2b, and us-west-2c), which of the following deployments provides 100 percent
fault tolerance if any single AZ in us-west-2 becomes unavailable? (Choose 2 answers)
A. Us-west-2a with two EC2 instances, us-west-2b with two EC2 instances, and us-west-2c
with two EC2 instances
B. Us-west-2a with four EC2 instances, us-west-2b with two EC2 instances, and us-west-2c
with two EC2-instances
C. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c
with no EC2 instances
D. Us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-
2c with three EC2 instances.
E. Us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c
with no EC2 instances
Which route must be added to your routing table to allow connections to the Internet from
your subnet?
C. Network traffic entering and exiting each subnet can be allowed or denied via network
Access Control Lists (ACLs)
In Which case do you have full authority of the underlying host? (choose 2 correct answers)
A. EC2
D. Dynamo DB
E. RDS
After the Government organization you work for suffers it’s 3rd DDOS attack of the year you
have been handed one part of a strategy to try and stop this from happening again. You have
been told that your job is to minimize the attack surface area. You do have a vague idea of
some of the things you need to put in place to achieve this. Which of the following is NOT
one of the ways to minimize the attack surface area as a DDOS minimization strategy?
C. Configure services such as Elastic Load Balancing and Auto Scaling to automatically
scale.
Which of the following AWS services allow you access to the underlying operating system?
A. RDS
B. S3
C. EMR
D. Elastic Beanstalk
You are a consultant tasked with migrating an on-premise application architecture to AWS.
During your design process you have to give consideration to current on-premise security and
determine which security attributes you are responsible for on AWS. Which of the follow
does AWS provide for you as part of the shared responsibility model?
Choose the 2 correct answers:
A. Virtualization Infrastructure
B. Instance Security
Company B provides an online image recognition service and utilizes SQS to decouple
system components for scalability. The SQS consumer’s readers’ poll the image queue as
often as possible to keep end-to-end throughput as high as possible. However, Company B is
realizing that polling in tight loops is burning CPU cycles and increasing costs with empty
responses. How can company B reduce the number of empty responses?
C. Scale the component making the request using auto scaling based off the number of
messages in the queue
You need to import several hundred megabytes of data from a local Oracle database to an
Amazon RDS DB instance. What does AWS recommend to use to accomplish this?
C. DBMSFILETRANSFER
B. Allow outbound traffic in the security group for port 80 to allow internet updates
A user has created a VPC with public and private subnets using the VPC wizard. Which of
the below mentioned statements is true in this scenario?
A. AWS VPC will automatically create a NAT instance with the micro size
B. VPC bounds the main route table with a public subnet and a custom route table with a
private subnet
C. VPC bounds the main route table with a private subnet and a custom route table with a
public subnet
A user has created a VPC with a subnet and a security group. The user has launched an
instance in that subnet and attached a public IP. The user is still unable to connect to the
instance. The internet gateway has also been created. What can be the reason for the error?
You are attempting to connect to an instance in Amazon VPC without success you have
already verified that the VPC has an Internet Gateway (IGW) the instance has an associated
Elastic IP (EIP) and correct security group rules are in place. Which VPC component should
you evaluate next?
C. Attaching a second Elastic Network interface (ENI) to the NAT instance, and placing it in
the private subnet
D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet,
and placing it in the public subnet
An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance’s security group is configured to
allow SSH from any IP address and deny all outbound traffic. What changes need to be made
to allow SSH access to the instance?
B. Both the outbound security group and outbound network ACL need to be modified to
allow outbound traffic.
You are currently hosting multiple applications in a VPC and have logged numerous port
scans coming in from a specific IP address block. Your security team has requested that all
access from the offending IP address block be denied for the next 24 hours. Which of the
following is the best method to quickly and temporarily deny access from the specified IP
address block?
A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny
access from the IP address block
B. Modify the Network ACLs associated with all public subnets in the VPC to deny access
from the IP address block
C. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your
organization uses in that VPC to deny access from the IP address block
D. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block
You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC)
in the same Availability Zone (AZ) but in different subnets. One instance is running a
database and the other instance an application that will interface with the database. You want
to confirm that they can talk to each other for your application to work properly. Which two
things do we need to confirm in the VPC settings so that these EC2 instances can
communicate inside the VPC? Choose 2 answers
A. That the default route is set to a NAT instance or Internet Gateway (IGW) for them to
communicate.
B. Both instances are the same instance class and using the same Key-pair.
D. Security groups are set to allow the application host to talk to the database on the right
port/protocol
When you put objects in Amazon S3, what is the indication that an object was successfully
stored?
B. Each S3 account has a special bucket nameds3logs. Success codes are written to this
bucket with a timestamp and checksum.
D. A HTTP 200 result code and MD5 checksum, taken together, indicate that the operation
was successful.
A company is storing data on Amazon Simple Storage Service (S3). The company’s security
policy mandates that data is encrypted at rest. Which of the following methods can achieve
this?
Choose 3 answers
A. Use Amazon S3 server-side encryption with AWS Key Management Service managed
keys
F. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master
key
When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the
data on the root volume?
A. Data is automatically deleted
In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
A customer is hosting their company website on a cluster of web servers that are behind a
public-facing load balancer. The customer also uses Amazon Route 53 to manage their public
DNS. How should the customer configure the DNS zone apex record to point to the load
balancer?
For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2
an appropriate solution? Choose 2 answers
A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet
of sensors
F. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes
G. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4.
Resume disk I/O
I. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O
A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only
private subnets, and VPC-2 contains only public subnets. The company uses a single AWS
Direct Connect connection and private virtual interface to connect their on-premises network
with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1?
Choose 2 answers
A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network.
(Peered VPC does not support Edge to Edge Routing)
B. Establish a hardware VPN over the internet between VPC-1 and the on-premises
network
C. Establish a new AWS Direct Connect connection and private virtual interface in the same
region as VPC-2 (Peered VPC does not support Edge to Edge Routing)
D. Establish a new AWS Direct Connect connection and private virtual interface in a different
AWS region than VPC-1 (need to be in the same region as VPC-1)
E. Establish a new AWS Direct Connect connection and private virtual interface in the
same AWS region as VPC-1