AWS Certified Solutions Architect Associate (SAA02) - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 65 questions per test (similar to real AWS exam), 130 minutes, repeat tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

/25

10 votes, 4.5 avg

333

1 / 25

_____ is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend.

Consolidated Billing

AWS Cost Explorer

Cost Allocation Tags

AWS Budgets

Explanation

Cost Explorer, this is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend. A valuable tool that can help to identify where you should be focusing your cost optimization efforts. It also can forecast your estimated spend up to two months ahead using existing data as a reference. If you can see that your estimated future bills are becoming too high, you have the time now to identify where you can make and initiate cost reduction mechanisms to help mitigate the risk.

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

Explanation

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

2 / 25

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it.

You grant a database administrator access to the RDS database instance, but she is unable to connect to it.

What steps can you take to resolve the issue?

Create a key pair for your database administrator to log in

Use a different port for ingress.

Create a security group with specific ingress and egress rules for the DB instance

Configure single sign-on for your database administrator.

Explanation

When you are unable to connect to a new database, it is often because the DB instance creation is still in progress and is not available yet. A reasonable amount of time to wait (at most) is 20 to 30 minutes. Beyond that, there is likely a problem. A common pattern in DB implementation involves placing databases in private subnets for additional security. If you follow this practice, make sure that the Security Groups provide appropriate ingress and egress to the DB instance

Explanation

3 / 25

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Use the AWS server migration service to migrate existing records

Fix all MySQL issues in the local data center.

Order an on-demand instance matching the on-premises architecture.

Export all database records to S3.

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

4 / 25

You are helping a client design a static website which will potentially grow exponentially in the first few years of existence. You outline the benefits of using S3 to host this Website. What characteristics of S3 elasticity and scalability can you feature? (Choose 2 answers)

S3 bucket names can be replicated in multiple regions.

S3 supports an unlimited number of files in a bucket

S3 asynchronously replicates information to all availability zones within a region

S3 synchronously replicates information to all availability zones within a region

Explanation

With Amazon S3, you can store as much data as you want and access it when needed. S3 supports and unlimited number of files in a bucket so it is not necessary to know your storage needs up front or try to estimate. S3 can be scaled quickly and appropriately to meet the storage demands of your environment. S3 asynchronously replicates information to all availability zones within a region. Amazon S3 scales to support very high request rates. If your request rate grows steadily, Amazon S3 automatically partitions your buckets as needed to support higher request rates

Explanation

5 / 25

You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: security groups and network access control lists (ACLs). You have already looked into security groups and you are now trying to understand ACLs. Which statement below is incorrect in relation to ACLs?

Supports allow rules and deny rules.

Processes rules in number order when deciding whether to allow traffic.

Is stateful: Return traffic is automatically allowed, regardless of any rules.

Operates at the subnet level (second layer of defense).

Explanation

Amazon VPC provides two features that you can use to increase security for your VPC: Security groups–Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. Network access control lists (ACLs)–Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. Security groups are stateful: (Return traffic is automatically allowed, regardless of any rules) Network ACLs are stateless: (Return traffic must be explicitly allowed by rules)

Explanation

6 / 25

A company needs to maintain system access logs for a minimum of 2 years due to financial compliance policies. Logs are rarely accessed, and access must be requested at least 12 hours in advance. What is the most cost-effective method to store logs that satisfies the compliance requirement, and delivers logs as requested in a timely manner?

Store the logs in Amazon S3 in the S3 One Zone-IA storage class. Configure a lifecycle policy to delete the logs after 2 years.

Store the logs in CloudWatch logs and configure a 2 years retention period.

Store the logs in Amazon S3 in the Intelligent-Tiering storage class. Configure a lifecycle policy to delete the logs after 2 years.

Store the logs in Amazon S3 in the S3 Glacier Deep Archive storage class. Configure a lifecycle policy that deletes the logs after 2 years.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

The other options offer some cost savings compared to Amazon S3 Standard storage class, but Intelligent tiering would not cycle the files to an archive storage class for roughly 120 days, and the One Zone-IA storage class would provide some cost savings, but offers less durable storage, so the likelihood of losing logs is higher.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

7 / 25

You have been assigned to design a new AWS RDS database for a pharmaceutical company. Their most important requirement is high availability. You have proposed a multi-AZ configuration for high availability. The discussion has progressed to failover scenarios. Which scenario will not cause an automatic failover?

Long running resource intensive stored procedure

Loss of availability in primary Availability Zone

Compute unit failure on primary

Loss of network connectivity to primary

Explanation

Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following:

Loss of availability in primary Availability Zone
Loss of network connectivity to primary
Compute unit failure on primary
Storage failure on primary

Explanation

Loss of availability in primary Availability Zone
Loss of network connectivity to primary
Compute unit failure on primary
Storage failure on primary

8 / 25

A user wants to achieve High Availability with PostgreSQL DB. Which of the below mentioned functionalities helps achieve HA?

Read Replica

Multi AZ

Multi region

PostgreSQL does not support HA

The Multi AZ feature allows the user to achieve High Availability. For Multi AZ, Amazon RDS automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone.

9 / 25

Your client is using EBS volumes for storage. In general, things are working well but they’d like to increase the size if possible. It’s used for a critical application that has no tolerance for latency. What steps can you take to increase the size and avoid any latency? (Choose 2 answers)

Create a snapshot of the volume add a new larger volume from the snapshot, then replace the original volume.

Scale the existing volume up to a larger size in the AWS console.

Initialize a volume from a snapshot by accessing all the blocks in the snapshot to avoid latency.

Create a RAID 5 array to increase size and improve performance.

Explanation

You can use snapshots to increase the size of EBS volumes. Take a snapshot of the existing volume, create a new volume from the snapshot but with a larger size, then replace the original snapshot with the new volume. There is a performance hit with new volumes because, while the volume is created immediately, the data is lazy loaded. So there will be a first time performance hit when accessing each block on the volume. This problem can be resolved by initializing the volume and accessing each block one time before the volume is put into service.

Explanation

10 / 25

You have an application that is generating a log file every 5 minutes and you need to store these log files appropriately. The requirements for storing the log files are:

They should be quickly retrievable when needed, as they may be required only for verification in case of some major issue.
The logs will need to be accessed frequently, as all log data is retrieved and compiled from the files into a bi-monthly report.
The logs are essential to quarterly audits, so the storage solution must offer a high level of durability.
Cost should also be minimized for the storage service as much as possible.

Which of the storage options below is the best choice to meet these requirements?

Amazon S3 OneZone-IA

Amazon S3 Standard

Amazon S3 Glacier

Amazon S3 Standard – Infrequent Access (IA)

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard – Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Standard is for Amazon S3 and provides very high durability. Standard – Infrequent Access is designed for with a minimum data amount required and paid storage for at least 30 days. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files.

S3 OneZone IA is a variation of Standard-IA, which offers data archival at a reduced price, but also with less durability because the data within this class is stored within a single availability zone rather than spread throughout all availability zones within the S3 buckets region, as it is with S3 Standard storage.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard – Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

11 / 25

A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which one of the following is the best way to terminate the instance automatically once the job is finished?

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Configure a CloudWatch alarm to terminate the instance once it is idle

Configure an Auto Scaling scheduled activity to terminate the instance after seven days.

Configure the EC2 instance with a stop instance to terminate it.

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action

Explanation

12 / 25

Your client is a major U.S. semi-professional sports league. Their website streams live sporting events in high definition and special feature videos which they distribute to free and premium customers alike. They want to improve the speed of content delivery and you recommend implementing AWS CloudFront. They would like to restrict access to a portion of this content to premium level subscription customers only. What technique can you use to limit access to premium content to approved customers?

S3 Access Control Lists

signed urls

third party geo-location

geo restriction

Explanation

Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can do the following:

Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

Explanation

Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

13 / 25

Your client has a need to store data which could grow quickly but unpredictably. You recommend EBS as a storage solution. But they have voiced concerns about scalability. What features of EBS can you highlight to provide assurances of its elasticity and scalabilty? (Choose 3 answers)

EBS volumes are redundantly replicated on different hardware within the same AZ.

You can resize an existing volume by creating a snapshot and launching a new (larger volume) from the snapshot

An Elastic Load Balancer can scale EBS appropriately

You can quickly provision additional capacity by adding new EBS volumes

Explanation

AWS can be quickly provisioned for additional capacity by adding new EBS volumes. Existing volumes can be resized by creating a snapshot and launching a new (larger volume) from the snapshot. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS is designed for application workloads that benefit from fine tuning for performance, cost and capacity

Explanation

14 / 25

You have been assigned to a client with an existing AWS cloud environment. They have a VPC with multiple web servers in a public subnet and database servers in a private subnet. They purchased reserved Linux instances up-front but are finding they underestimated their workload and would like to scale now. What can you do with these instances to scale them without violating the term agreement of these instances?

Change to a larger instance within the same instance family.

Change to a larger instance of any type.

Change to On-Demand instances of a larger type.

Change to Spot instances of a larger type.

Explanation

A Reserved Instance (RI) is an EC2 offering that provides you with a significant discount on EC2 usage when you commit to a one-year or three-year term. You can modify the Availability Zone of the RI, change the scope of the RI from Availability Zone to region (and vice-versa), change the network platform from EC2-VPC to EC2-Classic (and vice versa) or modify instance sizes within the same instance family (on the Linux/Unix platform).

Explanation

15 / 25

You are designing a AWS cloud environment for a client who has a contract with a federal government agency. The cloud environment will have multiple VPCs and be in multiple regions. The government agency wants to whitelist only a handful of instances in your organization. This will dictate that these instances have static IP addresses. Elastic ip addresses can be used to keep a fixed set of IP addresses. How can the Elastic IP addresses (EIP) be used in this environment?

EIPs can be moved from one instance to another in multiple VPCs and multiple regions

EIPs can be moved from one instance to another in multiple VPCs within the same region

EIPs can be moved from one instance to another within the same Availability Zone

EIPs are attached to an instance and exist only for the life of that instance

Explanation

An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource. A disassociated Elastic IP address remains allocated to your account until you explicitly release it. An Elastic IP address is for use in a specific region only.

Explanation

16 / 25

In which circumstance would a bucket owner pay for the data transfers instead of the Requester Pays bucket?

When the request is anonymous

When the request is a known request

When the request is 202 Accepted

When the request is a HTTP request

Explanation

The charge for successful Requester Pays requests is straightforward: the requester pays for the data transfer and the request; the bucket owner pays for the data storage. However, the bucket owner is charged for the anonymous request.

Explanation

17 / 25

An accountant asks you to design a small VPC network for him and, due to the nature of his business, just needs something where the workload on the network will be low, and dynamic data will be accessed infrequently. Being an accountant, low cost is also a major factor. Which EBS volume type would best suit his requirements?

Magnetic or Provisioned IOPS (SSD)

Any, as they all perform the same and cost the same

Magnetic

General Purpose (SSD)

Explanation

You can choose between three EBS volume types to best meet the needs of their workloads: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. General Purpose (SSD) is the new, SSD-backed, general purpose EBS volume type that we recommend as the default choice for customers. General Purpose (SSD) volumes are suitable for a broad range of workloads, including small to medium sized databases, development and test environments, and boot volumes. Provisioned IOPS (SSD) volumes offer storage with consistent and low-latency performance, and are designed for I/O intensive applications such as large relational or NoSQL databases. Magnetic volumes provide the lowest cost per gigabyte of all EBS volume types. Magnetic volumes are ideal for workloads where data is accessed infrequently, and applications where the lowest storage cost is important

Explanation

18 / 25

Your client has submitted a change request to improve security on their S3 buckets. You have decided to allow two administrators to manage the buckets, and are setting up an IAM role for the admins. Your client approves of the two admins having some access, but does not want them to be able to review potentially valuable business information stored within the files. Which operations would you allow this admin role to perform? (Choose 3 answers)

Create and delete a bucket

Delete an object

List keys in a bucket

Get an object

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

19 / 25

An organization has launched five instances: two for production and three for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often be deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production, and testing will not change in the foreseeable future.

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Define the IAM policy that allows access based on the instance ID

Launch the test and production instances in separate regions and allowing region wise access to the group

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Explanation

AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parameters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.
"Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/InstanceType": "Production" } } } ]

Explanation

20 / 25

A legacy application in your company has been deployed in a single availability zone. It is used only sporadically but must be available nevertheless. Due to your heavy administrative workload, you wish to automate a process that will rebuild the application automatically if it fails. What action should you take?

Monitor the server availability using Cloud Watch metrics to receive alerts of health check failures.

Add an additional availability zone and a load balancer.

Configure the server in an auto scaling group with a minimum and maximum size of one

Perform snapshots of EBS volumes on a set schedule.

Explanation

Auto scaling provides redundancy for a single server with the option of launching a configuration using the attributes from a running instance. When you use this option, auto scaling copies the attributes from the specified instance into a template from which you can launch one or more auto scaling groups.

Note that if the specified instance has properties that are not currently supported by auto scaling, instances launched by auto scaling using the launch configuration created from the identified instance might not be identical to the identified instance.

Explanation

21 / 25

You are designing an Amazon RDS database solution for a new medical supply company. This is a brand new company and they do not have an existing on-premises database. They would like to use Oracle for their new database. With a brand new database, which licensing model will you use for Oracle?

Pay per core licensing

Optional licensing

License included

Bring your own license

Explanation

You can run Amazon RDS for Oracle under two different licensing models – “License Included” and “Bring-Your-Own-License (BYOL)”. In the “License Included” service model, you do not need separately purchased Oracle licenses; the Oracle Database software has been licensed by AWS.

Explanation

22 / 25

Which statements regarding VPC subnets are correct? (Choose 2 answers)

A route to a virtual private gateway means that the subnet is public

No route to an internet gateway or virtual private gateway indicates a private subnet.

A route to a NAT instance indicates VPN communication with on-premises servers

A route to an internet gateway means the subnet is public

Explanation

Your VPC has an implicit router and a main route table that you can modify. Each subnet you create must be associated with a route table. Adding an internet gateway and adding a route to that IGW facilitates traffic out to the Internet for a public subnet. NAT instance and NAT gateways are provided to allow instances in private subnets to gain internet access

Explanation

23 / 25

A user is currently building a website which will require a large number of instances in six months, when a demonstration of the new site will be given upon launch. Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the demonstration?

Procure all the instances as reserved instances beforehand.

Pre-warm all the instances one month prior to ensure resource availability.

Launch all the instances as part of the cluster group to ensure resource availability.

Ask AWS now to procure the dedicated instances in 6 months.

Explanation

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Explanation

24 / 25

A user needs to run a batch process which runs for 10 minutes. This will only be run once, or at maximum twice, in the next month, so the processes will be temporary only. The process needs 15 X-Large instances. The process downloads the code fromS3 on each instance when it is launched, and then generates a temporary log file. Once the instance is terminated, all the data will be lost. Which of the below mentioned pricing models should the user choose in this case?

Reserved instance

Spot instance

On-demand instance

EBS optimized instance

Explanation

In Amazon Web Services, the spot instance is useful when the user wants to run a process temporarily. The spot instance can terminate the instance if the other user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a good option to save money

Explanation

25 / 25

You have been contracted to start building the latest and greatest mobile chat app. The schedule for this development and delivery is time critical. What correct mix of AWS services and components should you consider to ensure that your mobile chat app can be produced on time, ensuring that the mobile chat app can authenticate and authorize users?

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Create an auto scaling group of EC2 instances with SAML 2.0 service endpoint, setup and install a custom LDAP directory, configure SSO within the mobile app to use the SAML 2.0 service endpoint to perform user authentication and authorization

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Explanation

Answer “Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization” is correct. The question highlights that the “development and delivery is time critical” – therefore the best approach time wise is to use the fit for purpose managed services provided by AWS – in this case, Amazon Cognito, IAM Roles and Policies, and the AWS Mobile SDK.

Explanation

Your score is

The average score is 54%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Ready to take AWS Certified Solutions Architect Associate (SAA) – Exam mode ?

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

/65

5 votes, 4.8 avg

149

Click Start button to start exam !

Time Out !

1 / 65

A user has applied an S3 Bucket access control list (ACL) and a bucket policy to an S3 bucket. Then, the user enables cross-origin resource sharing (CORS) on the same bucket.

Which of the following statements is true in this context?

The ACLs and policies continue to apply when you enable CORS on the bucket.

With CORS, only an ACL can be applied.

It is not possible to have all three applied to the same bucket.

With CORS, only the policy can be applied.

Explanation

The CORS specification gives a user the ability to build web applications that make requests to domains other than the one which supplied the primary content. The ACLs and policies continue to apply when you enable CORS on the bucket.

Explanation

2 / 65

Can we attach an EBS volume to more than one EC2 instance at the same time?

Yes, all types of EBS volumes can attach to multiple instances

Yes, but only one type of EBS volume can be attached to multiple instances

Yes, all but one type of EBS volumes can attach to multiple instances

Explanation

With the new EBS multi-attach feature for Provisioned IOPS volumes, you can attach EBS volumes (of this type only) to more than one EC2 instance. So, yes it is possible, but not for all EBS volume types.

Explanation

3 / 65

A user has applied an S3 Bucket access control list (ACL) and a bucket policy to an S3 bucket. Then, the user enables cross-origin resource sharing (CORS) on the same bucket.

Which of the following statements is true in this context?

With CORS, only an ACL can be applied

It is not possible to have all three applied to the same bucket.

The ACLs and policies continue to apply when you enable CORS on the bucket

With CORS, only the policy can be applied

Explanation

4 / 65

You have been put in charge of your company’s Virtual Private Cloud (VPC). The environment lacks sufficient documentation. You are investigating the VPC in an effort to document the environment. Your review includes the route tables. What relationships between route tables and subnets can you count on being present in the environment? (Choose 2 answers)

Each subnet must be associated with a route table

All subnets must be associated with the default route table

Subnets are not related to route tables

If a route table is not associated with a subnet, the subnet will be associated with the main route table

Explanation

Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table. A route in the route table to an Internet Gateway marks the subnet as a public subnet and no route to an Internet Gateway marks the subnet as private.

Explanation

5 / 65

A client of yours has a huge amount of data stored on Amazon S3, but is concerned about someone stealing it while it is in transit. You know that all data is encrypted in transit on AWS, but which of the following is wrong when describing server-side encryption on AWS?

In server-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools.

Server-side encryption is about data encryption at rest–that is, Amazon S3 encrypts your data as it writes it to disks.

Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data

Amazon S3 server-side encryption employs strong multi-factor encryption.

Explanation

Amazon S3 encrypts your object before saving it on disks in its data centers and decrypts it when you download the objects. You have two options depending on how you choose to manage the encryption keys: Server-side encryption and client-side encryption. Server-side encryption is about data encryption at rest–that is, Amazon S3 encrypts your data as it writes it to disks inits data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects. In client-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools. Server-side encryption is an alternative to client-side encryption in which Amazon S3 manages the encryption of your data, freeing you from thetasks of managing encryption and encryption keys. Amazon S3 server-side encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a masterkey that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256- bit Advanced Encryption Standard (AES-256), to encrypt your data

Explanation

6 / 65

The average traffic to your online business has quadrupled since you expanded your targeted marketing campaigns. Your web servers are handling the traffic, but you are closely monitoring your database layer, which consists of multiple Amazon RDS MySQL Databases.

You are monitoring key custom metrics related to read and write throughput and latency using Amazon CloudWatch. You have configured CloudWatch alarms to monitor these custom metrics against optimal performance thresholds, but want to ensure these alarms based on these specific metrics are as responsive as possible.

How can you increase the responsiveness of CloudWatch alarms for the specific custom metrics you have already implemented for your RDS MySQL databases? (Choose 2 answers)

Enable RDS Performance Insights

Enable Detailed Monitoring on CloudWatch

Configure Route 53 CloudWatch Alarm health checks

Enable RDS Enhanced Monitoring

Explanation

Most of these choices improve the responsiveness of CloudWatch in some way, but the aspect of this question is improving the responsiveness of CloudWatch alarms you have already implemented. This means you are not interested in additional metric information outside of the custom metrics you’ve already created in CloudWatch, and any features that increase responsiveness to metrics other than what you want will not be beneficial.

So, creating CloudWatch Log metric filters for default RDS metrics will not help, even though this can provide 1-second granularity, it is unlikely the logs will indicate overall latency and throughput of reads and writes, as these performance metrics are not related to specific API calls, but rather general database performance.

Performance Insights allow you to review and analyze your RDS database performance overall, but is not ideal for identifying a performance issue in real-time.

Enabling Enhanced monitoring does provide increased insight into RDS database performance, and with the increased granularity of 5 seconds instead of 60 seconds, or potentially even 1-second granularity through CloudWatch Log Streams. However, Enhanced Monitoring provides specific operating system metrics and other performance metrics, and would not apply to the custom metric you have created using CloudWatch.

Enabling Detailed Monitoring will increase the delivery of average metrics from every 5 minutes to every minute, and this will apply to your custom metrics as well.

In addition, creating a Route 53 CloudWatch Alarm Health Check will monitor the transmission of data to CloudWatch, and can effectively alert you before the CloudWatch alarm is even triggered.

Explanation

Performance Insights allow you to review and analyze your RDS database performance overall, but is not ideal for identifying a performance issue in real-time.

Enabling Detailed Monitoring will increase the delivery of average metrics from every 5 minutes to every minute, and this will apply to your custom metrics as well.

In addition, creating a Route 53 CloudWatch Alarm Health Check will monitor the transmission of data to CloudWatch, and can effectively alert you before the CloudWatch alarm is even triggered.

7 / 65

Your developers have created a sales application that works in tandem with the no SQL database. To ensure the fastest response for the application in production, the developers wish to remove the need to wait for acknowledgments from the database to the application after data have been sent. The acknowledgments can be stored and accessed asynchronously. Which managed application would be the best choice for their design?

Simple Queue Service

CloudWatch Logs

AWS Config

Simple Workflow Service

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

8 / 65

You are performing some testing of an application in development and wish to delete the parts of a multipart upload after a mistake is made with part numbering. Which command would you run to stop the upload and delete all the parts?

Delete multipart upload

Remove multipart upload

Abort multipart upload

Cancel multipart upload

Explanation

To delete the parts of a failed multipart upload so that you do not get charged for storage of those parts, you must use the command “Abort Multipart Upload” and provide the upload ID of upload you wish to abort. After aborting a multipart upload, you cannot upload any part using that upload ID again. All storage that any parts from the aborted multipart upload consumed is then freed.

Explanation

9 / 65

You must configure a number of CloudWatch alarms to terminate and/or recover EC2 instances based on their performance metrics, and to receive an alert when such an action is triggered. Which of the following services will you need to integrate with CloudWatch to configure the alarms and alerts? (Choose 2 answers)

AWS Config

Amazon Simple Notification Service (Amazon SNS)

AWS Identity and Access Management (IAM)

Amazon EC2 System Manager

Explanation

You will need to ensure the correct permissions have been assigned to the CloudWatch service, which means working with IAM permissions. You will also need to configure a notification via SNS.

Explanation

You will need to ensure the correct permissions have been assigned to the CloudWatch service, which means working with IAM permissions. You will also need to configure a notification via SNS.

10 / 65

You are contracted to manage cloud storage for a multi-national media company. During your informational analysis, you note a few crucial requirements: the need to upload very large files (greater than 5 GB), concerns about latency across continents, and a compliance requirement about storing backup data 1000 miles from the source.

Which Amazon S3 features will handle these requirements? (Choose 2 answers)

Multi-part upload

Pre-signed URLs

Cross-region replication

Read replicas

Explanation

Multipart uploads must be used for files greater than 5 GB. Cross-region replication is used to reduce latency by placing objects closer to users. This would address the issue of having users in different continents. Another use case for cross-region replication is to meet compliance requirements of storing backup data a certain distance from their origin.

Explanation

11 / 65

Which of the four storage options on Amazon S3 and Amazon Glacier charges per GB retrieval fees? (Choose 2 answers)

Amazon S3 Standard-Infrequent Access Storage

Amazon S3 Standard Storage

Amazon S3 Reduced Redundancy Storage

Amazon Glacier Storage

Explanation

Amazon Glacier and S3 Standard-IA are both designed for storing infrequently accessed data. This is why the data storage fees are roughly one-half to one-sixth the cost of Standard Storage. Retrieval fees will quickly add up if the data is retrieved too often, so planning or correctly setting your object lifecycle based on how often you or your company will need the data is important.

Explanation

12 / 65

You notice that your administrator has not created a security group. He created 3 EC2 instances and they were launched into the default security group. No changes were made to the default security group. What characteristics will the default security group provide? (Choose 3 answers)

No inbound traffic will be allowed to the EC2 instances.

All outbound traffic from the EC2 instances will be allowed.

No outbound traffic will be allowed from the EC2 instances

The EC2 instances will be able to communicate with each other.

Explanation

Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don’t specify a different security group when you launch the instance. The default security group disallows all inbound traffic and allows all outbound traffic. However, the rules for a default security group can be changed.

Explanation

13 / 65

When launching an instance using the Launch Wizard, what happens when a user does not provide the security group?

The launch wizard gives an error and a security group is not created.

The launch wizard creates one security group for that instance

The launch wizard is created and the instance with the default security group of EC2 is launched

There is no security group attached to the instance.

Explanation

If a user does not select the security group while creating the instance launch configuration, the Launch wizard automatically defines the “launch-wizard-x” security group to allow the user to connect to the instance, which enables all IP addresses (0.0.0.0/0) to access the instance over the specified ports.

Explanation

14 / 65

To provide adequate computer resources for your company portal during busy sales cycles, you have your instances assigned to an EC2 auto scaling group associated with an application load balancer. You are now configuring the health checks for the auto scaling group.

What statement regarding health check configuration options for your auto scaling group is correct?

You can use both EC2 Instance Status Checks and ALB health checks simultaneously for your auto scaling group

You can use either EC2 Instance Status Checks or ALB health checks for your auto scaling group., but not both simultaneously

You can only use EC2 Instance Status Checks as a health check for your auto scaling group

You can only use ALB health checks as a health check for your auto scaling group

Explanation

Both instance status checks and health checks must be enabled before unhealthy instances will be terminated. It is critical that you test not only the saturation and breaking points but also the “normal” traffic profile you expect

Explanation

15 / 65

You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images in one batch, with an average of 3 batches per day. These images are loaded into an Amazon S3 bucket you control for you in a batch, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket.

Which of these is the best system architectures for this system?

Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis. Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events

Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket. Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty.

Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application, and Environment. Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.

Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an always-on instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

16 / 65

Get an object

Delete an object

List keys in a bucket

Create and delete a bucket

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

17 / 65

You’ve taken over management of your company’s AWS cloud environment. You know very little about the environment and have been provided very little documentation. You have been given access to the environment and begin a discovery and documentation process. You begin by looking at the route table. Without seeing the specific route table, what information do you know it contains about the subnets in the VPC? (Choose 2 answers)

Subnets that direct traffic to an Internet Gateway are public

The subnets region is indicated

The default mask of the subnet can be identified.

Subnets that do not direct traffic to an Internet Gateway are private

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. When you add an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in your VPC, you must update the route table for any subnet that uses these gateways or connections.

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

18 / 65

Which choice correctly describes the differences between security groups and Network Access Control Lists (NACLs)? (Choose 2 answers)

Security Groups operate at the instance level and support allow rules only.

NACLs operate at the subnet level and support allow and deny rules

NACLs operate at the subnet level and support deny rules only.

Security Groups operate at the subnet level, and they support allow rules only

Explanation

You can secure your VPC instances using only security groups; however, you can add NACLs as a second layer of defense. Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level . Network access control lists (NACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level . Security Groups supports allow rules only while Network Access Control Lists support allow and deny rules.

Explanation

19 / 65

Your company is concerned with EBS volume backup on Amazon EC2 and wants to ensure they have proper backups that are scheduled once a day and that the data is durable. Which of the following options would be best for this? (Choose 2 answers)

Use the AWS Console to stop the instance, copy it to AWS Glacier and then start the instance again.

Write a Lambda function to take a snapshot of production EBS volumes

Write a cronjob and implement it via CloudWatch Events to take a snapshot of production EBS volumes

Use the AWS Console to take a snapshot of production EBS volumes

Explanation

The data is durable because EBS snapshots are stored on the Amazon S3 standard storage class.
You cannot schedule snaphots in the AWS Console.

Explanation

The data is durable because EBS snapshots are stored on the Amazon S3 standard storage class.
You cannot schedule snaphots in the AWS Console.

20 / 65

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs. The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours. What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

Copy the data to AWS using AWS DataSync.

Backup the data using AWS Storage Gateway tape gateways

Store the data in Amazon S3 in the S3 Glacier Deep Archive storage class.

Store the data in Amazon S3 in the S3 Glacier storage class

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper – compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue – the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper – compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue – the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

21 / 65

A bucket owner from Account Red allows Account Blue’s IAM users to upload and access objects in his bucket.

One of Account Blue’s IAM users tries to access an object in the bucket. The object is owned by an IAM user from Account Red who is not the bucket owner.

How will Amazon S3 process this request?

Amazon S3 only verifies permissions granted by the object owne

Amazon S3 only verifies permissions granted by the bucket owner and object owner

Amazon S3 only verifies permissions granted by the bucket owner

Amazon S3 verifies permissions granted by Account Blue’s IAM administrator, by the bucket owner, and by the object owner.

Explanation

If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

Explanation

22 / 65

A client contacts you to troubleshoot an issue with their company’s VPC. An initial review of an architectural diagram appears to call for an Internet-facing load balancer, and two auto scaling groups within a VPC. After logging in, you recognize that health checks are not reaching the EC2 instances launched in the VPC because the front-end connection (client to load balancer) has timed out.

What series of AWS recommended troubleshooting steps would likely resolve this issue? (Choose 3 answers)

Adjust response timeouts in your load balancer health check configuration.

Verify the issue by connecting directly with the instance.

Adjust the health check interval settings.

Ensure that the load balancer is configured for ingress traffic.

Explanation

It is critical before making any major changes to your health checks to verify whether you can connect manually to the EC2 instances in question. Once you’ve verified you can connect to them manually, you can begin altering the health check settings.

Explanation

23 / 65

A user is planning to make a mobile game which can be played online over the internet with multiplayer functionality or played offline individually, this game will be hosted on EC2. The user wants to ensure that if someone breaks the highest score or they achieve some milestone they can inform all their colleagues through emails. Which of the below mentioned AWS services would be best suited to achieve this goal?

AWS Simple Email Service.

AWS Simple Queue Service

AWS Simple Workflow Service

Amazon Cognito

Explanation

Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. It integrates with other AWS services, making it easy to send emails from applications that are hosted on AWS

Explanation

24 / 65

You are designing a cloud solution for a new client. They have a multi-tier application and would like high availability at both the Web and Database tiers. The database will be MySQL and will be a highly available, multi-AZ configuration. You describe the failover process to the client including how the failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. What additional step must you discuss with the clients technical team?

asynchronously replicating the primary database to the standby database

converting read replicas to multi-AZ standbys

transferring MySQL license to the standby server

re-establishing connections to the DB instance

Explanation

In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. Failover times are typically 60-120 seconds. The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. As a result, you will need to re-establish any existing connections to your DB instance.

Explanation

25 / 65

Which type of IAM role is pre-defined, and can only be edited in a limited number of cases?

Cross-Account Access Roles

AWS Service-Linked Roles

AWS Service Roles

Identity Provider Access Roles

Explanation

The method that you use to edit a service-linked role depends on the service. Some services might allow you to edit the permissions for a service-linked role from the service console, API, or CLI. However, after you create a service-linked role, you cannot change the name of the role because various entities might reference the role. You can edit the description of any role from the IAM console, API, or CLI.

For information about which services support using service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. To learn whether the service supports editing the service-linked role, choose the Yes link to view the service-linked role documentation for that service.

Explanation

26 / 65

A national auto parts chain contracted your firm to design and implement their AWS environment. It is a very large-scale system that handles order processing, accounting, stocking, and logistics. This system spans multiple availability zones and requires a multi-AZ environment for high availability. The system has been implemented and you need to test the database failover mechanism. It is imperative that the failover occurs within the specified RTO. How can you consistently test database failover?

Contact Amazon to conduct a failover test.

Reboot the primary database instance

Backup then delete the primary database instance

Amazon has thoroughly tested failover and customers can not test failover.

Explanation

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. Multi-AZ deployments utilize synchronous replication, making database writes concurrently on both the primary and standby so that the standby will be up-to-date in the event a failover occurs.

Explanation

27 / 65

You are developing a new application in which you need to transfer files over long distances between client-side storage and an S3 bucket. You decide to try sending data to the S3 bucket using S3 Transfer Acceleration. What must you do to achieve this? (Choose 2 answers)

Turn on S3 Transfer Acceleration for the bucket.

Use the SDK S3 accelerate upload commands

Use the CLI S3 accelerate upload commands.

Use the new accelerate endpoints to transfer your data to S3.

Explanation

After you turn on S3 Transfer Acceleration for a bucket, two new endpoints are created for the bucket: one for IPv4 and one for IPv6. You can use either the accelerate endpoints or the standard endpoints if you choose not to use the accelerate feature.

Explanation

28 / 65

You are leading a design meeting for a new client that is migrating their compute environment to the cloud. One of the first design meetings involves Identity and Access Management (IAM). You are giving them an explanation of concept of principals, which is an entity that is allowed to interact with AWS resources. Which is not a type of principal?

Roles/temporary security tokens

Root users

IAM users

Encryption keys

Explanation

A principal is an IAM entity that is allowed to interact with AWS resources. The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. The Principal element is relevant only in a bucket policy; you don’t specify it in a user policy because you attach user policy directly to a specific user.

Explanation

29 / 65

What features of VPC security groups are correct? (Choose 2 answers)

You can specify only deny rules, not allow rules.

Security Groups are stateless.

You can change the security group that an instance is associated with after launch and the changes will take effect immediately.

Instances associated with the same security group can not talk to each other unless rules are added specifically allowing communication.

Explanation

Instances associated with a security group can’t talk to each other unless you add rules allowing it (exception: the default security group has these rules by default). By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.

Explanation

30 / 65

Your throughput-optimized HDD (st1) EBS volumes do not seem to be performing as expected and your team leader has requested you look into improving their performance.

Which statement regarding the performance of your EBS volumes is incorrect?

Frequent snapshots provide a higher level of data durability and will not degrade the IOPS performance of your application while the snapshot is in progress.

General Purpose (SSD) and Provisioned IOPS (SSD) volumes throughput limit can go from 128 MB/s to 320 MB/s per volume.

Amazon Web Services provides performance metrics for EBS that you can analyze and view with Amazon CloudWatch.

You can benchmark your storage and compute configuration to make sure you achieve the level of performance you expect to see before taking your application live.

Explanation

When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behavior is specific to these volume types.

Explanation

31 / 65

You run a stateless web application with the following components:

An Application Load Balancer (ALB)
A two-tier application with frontend instances processing user requests, and backend RDS MySQL instances
The MySQL RDS database offers a maximum of 3000 IOPS with Provisioned IOPS

You notice that the average response time for users is increasing. Looking at CloudWatch, you observe 85% CPU usage on the web and application servers and 20% CPU usage on the database. The average number of database disk operations varies between 1000 and 1500. How would you improve performance? (Choose 2 answers)

Use EC2 Auto Scaling to add additional frontend instances based on the CPU load threshold

Use Amazon RDS Read Replicas to improve your throughput

Choose a different EC2 instance type for the frontend servers with a more appropriate CPU/Memory ratio

Replace the backend RDS database instances with Aurora database engine

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

32 / 65

You are building a system to distribute confidential documents to employees across the world. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy.

Explanation

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users’ behalf. If your users try to access objects using Amazon S3 URLs, they’re denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don’t.

Explanation

33 / 65

Regarding EC2 instances, when are users billed per-second rather than per-hour? (Choose 2 answers)

When your instance has a Windows operating system

When your instance has a Linux operating system

When you use On-Demand or Spot instances

When you use Dedicated or Dedicated Host instances

Explanation

You are billed per-second with a one-minute minimum for On-Demand, Spot and Reserved instances as long as your EC2 instance is in a running state, provided the instance is Linux (with some exceptions), and not a Windows operating system, in which case the instance would be billed per-hour.

Explanation

34 / 65

You are asked by your manager to design a VPC and then deploy web servers in the VPC with high availability. The web servers must have Internet accessibility. Due to previous issues with downtime and disaster recovery considerations, it is of utmost importance to have an architecture with high availability. Which options will provide high availability? (Choose 2 answers)

Use DNS failover and health checks, and then assign Elastic IP addresses to the web servers, Configure a Route 53 record set with all EIPs.

Create an Elastic Load Balancer and place your web servers behind the ELB. Then configure a Route 53 CNAME and point it to the DNS name of the ELB

Create a Bastion host to provide connectivity to your private subnet and to act as a proxy for web requests.

Use dual NAT instances for high availability and create a route to a Virtual Private Gateway for Internet access.

Explanation

If you have multiple resources that perform the same function, for example, web servers or email servers, and you want Amazon Route 53 to route traffic only to the resources that are healthy, you can configure DNS failover by associating health checks with your resource record sets. If a health check determines that the underlying resource is unhealthy, Amazon Route 53 routes traffic away from the associated resource record set.

Explanation

35 / 65

You are an AWS Solutions Architect helping a client plan a migration to the AWS Cloud. The client has provided you with a detailed inventory of their current on-premises compute infrastructure, including metrics related to storage and bandwidth. What tool would you use to estimate the amount of money they will save by migrating to the AWS Cloud?

Cost Explorer

TCO Calculator

Detailed Billing Reports

Trusted Advisor

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

36 / 65

If you determine that the resources on a launched Amazon EC2 instance are insufficient to handle the workload of an application, you can resize the instance without performing any migration as long as your root device is a(n) ____________.

EBS volume

instance store

EFS filesystem

S3 bucket

Explanation

As your needs change, you might find that your instance is over-utilized (the instance type is too small) or under-utilized (the instance type is too large). If the root device for your instance is an Elastic Block Store (EBS) volume, you can change the size of the instance simply by changing its instance type, which is known as resizing it. If the root device for your instance is an instance store volume, you must migrate your application to a new instance with the instance type that you want

Explanation

37 / 65

You are placed in charge of a client’s existing AWS cloud environment. They have several web servers in a public subnet and three database servers in a private subnet. The database is an RDS solution using SQL Server. AWS limits the types of changes the customer can make to the underlying infrastructure. What change will you be responsible for when administering this RDS database?

Setting up database accounts and privileges for non-admin

Deploying virtual infrastructure

Performing daily database backups

Patching the database instance operating system

Explanation

Amazon RDS manages the work involved in setting up a relational database: from provisioning the infrastructure capacity you request to installing the database software. Once your database is up and running, Amazon RDS automates common administrative tasks such as performing backups and patching the software that powers your database. With optional multi-AZ deployments, Amazon RDS also manages synchronous data replication across Availability Zones with automatic failover.

Since Amazon RDS provides native database access, you interact with the relational database software as you normally would. This means you’re still responsible for managing the database settings that are specific to your application. You’ll need to build the relational schema that best fits your use case and are responsible for any performance tuning to optimize your database for your application’s workflow.

Explanation

38 / 65

What is the default maximum number of Access Keys per user?

The default maximum number of Access Keys per user is 2

39 / 65

In Amazon Route 53, which of the following failover configurations should be used when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable?

Active-active-passive failover

Passive-passive failover

Active-passive failover

Active-active failover

Explanation

In Amazon Route 53, you can use the active-passive failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.

Explanation

40 / 65

A user manages a running MySQL RDS instance that will not be used for the next three months. What is the most effective way to avoid costs for the database, and allow it to be used in three months time? (Choose 2 answers)

Delete the DB instance

Stop the RDS instance

Save the most recent snapshot from RDS automated backup

Create a manual snapshot of the DB instance

Explanation

Because the user needs to stop the instance for 3 months, the most cost-effective option is to create a manual snapshot of the RDS instance to launch later, and terminate the current RDS instance. Stopping the instance is not ideal in this case because the instance will be restarted automatically by Amazon after seven days. Amazon will also charge for provisioned and backup storage.

The best option is to create a manual snapshot of the instance, which can be stored for any length of time, and will not be deleted if the original instance is deleted. Note an automatic snapshot has a limited retention period, and will be deleted if the original instance is deleted. The user will only be charged for storage in this case if the user exceeds his/her default storage space

Explanation

41 / 65

Your organization is migrating applications to AWS. Your new security policy mandates that all user accounts be created and managed through IAM. Currently, your corporation is using Active Directory as their on-premise LDAP service. Once applications go live at AWS, all users must access applications using temporary access credentials, and all IAM users must have passwords that are rotated on a set schedule. Which of the following actions will allow you to enforce this security policy? (Choose 3 answers)

Create required IAM user accounts

Create and enforce a password expiration policy option for all IAM users.

Deploy federation services that support the Security Token Service

Disable the root account for your AWS account.

Explanation

STS is the “glue” that supports temporary access credentials for federation. If you are running code, AWS CLI, or Tools for Windows PowerShell commands inside an EC2 instance, you can take advantage of roles for Amazon EC2. Otherwise, you can call an AWS STS API to get the temporary credentials, and then use them explicitly to make calls to AWS services.

Explanation

42 / 65

You’ve been assigned to a client that has an auto scaling group behind an Application Load Balancer. The autoscaling group is handling traffic spikes well, but the client is concerned about cost. After reviewing statistics, you find that a large number of instances are being launched for just a short time period (15 – 30 minutes) and you know that Amazon charges per second for the time these instances are running.

You’re concerned that when these bursts occur, instances that scale out in a larger number than required and actually outlive the short bursts of increased workload.

What steps can you take to maintain performance but reduce costs? (Choose 2 answers)

Create scheduled scaling events instead of using your simply scaling policy.

Create a step scaling policy for improved scale-out events

Use Trusted Advisor to terminate instances immediately when no longer needed.

Create a cool down period for your auto scaling group

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

Adjusting the cooldown period also minimizes the likelihood of scaling out again before the instances that were deployed in a previous scale out event have had time to warm up and handle requests to their full capability.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

43 / 65

You have been contracted by a company to design and implement their AWS cloud environment. The company has a very tight budget and would like to maximize savings wherever possible. They’ve gotten a 5-year government contract and the workload is expected to remain steady throughout the length of the contract. What type of instance will best meet their computing needs while providing maximum savings?

Convertible reserved instances, one-year commitment, no upfront

Convertible reserved instances, three-year term commitment, all upfront

Standard reserved instances, one-year commitment, no upfront

Standard reserved instances, three-year term commitment, all upfront

Explanation

When you purchase a Reserved Instance, choose a payment option, term, and an offering class that suits your needs. Generally speaking, you can save more money choosing Reserved Instances with a higher upfront payment. There are three payment options (No Upfront, Partial Upfront, All Upfront), two-term lengths (one-year or three-years), and two offering classes (Convertible and Standard). Convertible RIs offer up to a 55% discount, while Standard offers up to a 75% discount. No Upfront and Partial Upfront Reserved Instances are billed for usage on an hourly basis, regardless of whether they are being used. All Upfront Reserved Instances have no additional hourly charges.

Explanation

44 / 65

You have a lot of data stored in the AWS Storage Gateway and your manager has come to you asking about how the billing is calculated, specifically the Virtual Tape Shelf usage. What would be a correct response to this?

You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon S3 and are billed for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon Glacier and are billed for the size of the virtual tape

You are billed for the virtual tape data you store in Amazon S3 and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

Explanation

The AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure. AWS Storage Gateway billing is as follows. Volume storage usage (per GB per month): You are billed for the Cached volume data you store in Amazon S3. You are only billed for volume capacity you use, not for the size of the volume you create. Snapshot Storage usage (per GB per month): You are billed for the snapshots your gateway stores in Amazon S3. These snapshots are stored and billed as Amazon EBS snapshots. Snapshots are incremental backups, reducing your storage charges. When taking a new snapshot, only the data that has changed since your last snapshot is stored. Virtual Tape Library usage (per GB per month): You are billed for the virtual tape data you store in Amazon S3. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape. Virtual Tape Shelf usage (per GB per month): You are billed for the virtual tape data you store in Amazon Glacier. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape

Explanation

45 / 65

S3 supports an unlimited number of files in a bucket

S3 synchronously replicates information to all availability zones within a region

S3 asynchronously replicates information to all availability zones within a region

S3 bucket names can be replicated in multiple regions.

Explanation

46 / 65

Which of the following accurately describes Elastic Load Balancing? (Choose 3 answers)

Elastic Load Balancing automatically scales its request handling capacity to meet the demands of application traffic.

Elastic Load Balancing works with Amazon Virtual Private Cloud (VPC) to provide robust networking and security features.

Elastic Load Balancing ensures that only healthy Amazon EC2 instances receive traffic by detecting unhealthy instances and rerouting traffic across the remaining healthy instances.

Elastic Load Balancing delivers your content through a worldwide network of edge locations.

Explanation

Elastic Load Balancing works with Amazon Virtual Private Cloud (VPC) to provide robust networking and security features. Elastic Load Balancing ensures that only healthy Amazon EC2 instances receive traffic by detecting unhealthy instances and rerouting traffic across the remaining healthy instances. Elastic Load Balancing automatically scales its request handling capacity to meet the demands of application traffic.

CloudFront delivers your content through a worldwide network of edge locations. Using Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications

Explanation

47 / 65

You’ve been assigned to assist a client in the creation of their AWS Virtual Private Cloud (VPC). You are shadowing their IT admin to allow the admin to create the VPC, learn, and benefit from your guidance. Which VPC components come automatically upon creation of a default VPC? (Choose 3 answers)

a default elastic IP address (EIP)

a default VPC security group

a default subnet

a main route table

Explanation

When you create a default VPC, the following components are created with it:

default subnet in each Availability Zone.
main route table
default security group
default network access control list (ACL)
Associate the default DHCP options set for your AWS account with your default VPC.

Explanation

When you create a default VPC, the following components are created with it:

default subnet in each Availability Zone.
main route table
default security group
default network access control list (ACL)
Associate the default DHCP options set for your AWS account with your default VPC.

48 / 65

You are designing your company’s new RDS database environment. Your design include multi-AZ for high availability and you have intentions of reviewing scalability options. But first, you need to determine which storage option meets your performance and cost requirements. You expect to have a small database that could grow to medium sized over time. You also want to have burst performance to meet short term spikes. Which storage option is best for you?

Dual core processors

General Purpose (SSD)

Magnetic

Provisioned IOPS (SSD)

Explanation

Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database workload. General purpose is good for small to medium sized databases and has the burst to handle spikes.

Explanation

49 / 65

A user is currently building a website that will require a large number of instances in six months, when a demonstration of the new site will be given upon launch.
Which of the choices below allows the user to obtain the resources beforehand, and not worry about infrastructure availability during the demonstration?

Schedule all the instances beforehand as a queued reserved instances to be available in 6 months.

Ask AWS now to create the dedicated instances in 6 months

Pre-warm all the instances one month prior to ensure resource availability.

Launch all the instances as part of the cluster group to ensure resource availability.

Explanation

By default, when you purchase a Reserved Instance, it is executed immediately. Alternatively, you can queue your purchases for a future date and time. For example, you can queue a purchase for around the time that an existing Reserved Instance expires. This can help you ensure that you have uninterrupted coverage.

You can queue purchases for regional Reserved Instances, but not zonal Reserved Instances or Reserved Instances from other sellers. You can queue a purchase up to three years in advance. On the scheduled date and time, the purchase is executed using the default payment method. After the payment is successful, the billing benefit is applied.

Explanation

50 / 65

What is one security benefit of utilizing the Elastic Load Balancer?

Providing TLS/SSL termination as well as centralized certificate management

Blocking network traffic based on heuristic analysis

Providing encrypted data storage for use in application development

Performing network address translation

Explanation

The Elastic Load Balancer can integrate with the AWS Certificate Manager to provide a central method of managing your TLS/SSL certificates. It allows you to renew, deploy and configure your TLS/SSL certificates for your application or website from a single location.

Explanation

51 / 65

A client has contacted you about designing their AWS cloud environment. They want to fully migrate their compute environment to the cloud. Their biggest requirement is that they need high availability at both the web and database tiers. Their current database is MySQL. How might you best design high availability for their environment with cost being a consideration as well?

Auto scaling

Read Replicas

Cross-region replication

Multi-AZ Deployment

Explanation

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon’s failover technology. SQL Server DB instances use SQL Server Mirroring. Amazon Aurora instances stores copies of the data in a DB cluster across multiple Availability Zones in a single region, regardless of whether the instances in the DB cluster span multiple Availability Zones.

Explanation

52 / 65

You are working for a rapidly growing company that is using EC2 instances to process customer requests. There have been many instances of latency related to the high demand for specific EC2 instances. You are designing changes to the environment, including an Application Load Balancer to manage traffic demands. What ELB characteristics and best practices should you keep in mind? (Choose 2 answers)

It is recommended to reference an ELB by its DNS name instead of its IP address

Note that ELB in a VPC supports both IPv4 and IPv6.

For instances behind an ELB, do not bind an application to the instances IP address

It is recommended to reference an ELB by its MAC address instead of its DNS address.

Explanation

The IP address for a load balancer can frequently change as the service scales up and down in a process managed by the service. What this means is that the IP address you reference may change as the service scales – the hardware technically behind the load balancing service may have been reallocated. By using the DNS name, ELB can reference and translate that to the current load balancer’s IP address.

The same goes for the binding the application to an instance’s IP address – the actual instances handling requests can change at a moment’s notice in the cloud, so rather than tying requests to a specific IP address, reference a DNS name and this will be translated to the current instance IP address.

Explanation

53 / 65

Your account has 3 VPCs deployed in the same region.

The IPv4 address ranges of the VPCs are:

VPC A 172.22.0.0/16

VPC B 10.3.0.0/16

VPC C 10.4.0.0/16

VPC B and VPC C are already connected through VPC peering connection (PCX) named pcx-abcxyz. VPC A has resources that VPC B and VPC C must access. Which of the options below best achieves the objective of allowing VPC B and VPC C to access VPC A?

Create separate VPC Peering connections between VPC A & VPC B and VPC A & VPC C

Add static routes to VPC A with Targets of 10.3.0.0/16 and 10.4.0.0/16 and a Destination of pcx-abcxyz

Connect VPC A to pcx-abcxyz

Connect VPC A to VPC B using VPC Peering and allow VPC C to access VPC A through VPC B

Explanation

Creating separate VPC Peering connections between each VPC is required for Peering 3 VPCs together. Transitive routing is not supported in VPC Peering so VPC C could not reach VPC A through VPC B. A new VPC Peering connection is required for connecting additional VPCs, so connecting VPC A to pcx-abcxyz is not a viable option. Adding a static route to VPC A that points to pcx-abcxyz would not work as pcx-abcxyz is not connected to VPC A.

Explanation

54 / 65

Which of the following are IAM best practices (Choose 3 answers)

Discontinue use of the root access key.

Create privileged users and enable multi-factor authentication.

Assign permissions to IAM groups instead of IAM users

Designate a backup administrator to use the root access key

Explanation

You use an access key (consisting of an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account (root) access key. Create groups that relate to job functions so that you can make changes for everyone in a group in just one place.

Explanation

55 / 65

Magnetic

Magnetic or Provisioned IOPS (SSD)

Any, as they all perform the same and cost the same

General Purpose (SSD)

Explanation

56 / 65

A user has set up the CloudWatch alarm on the CPU utilization metric at 50%, with a time interval of 5 minutes and 10 periods to monitor. What will be the state of the alarm at the end of 90 minutes, if the CPU utilization is constant at 80%?

ALARM

ALERT

INSUFFICIENT_DATA

Explanation

In this case the alarm watches a metric every 5 minutes for 10 intervals. Thus, it needs at least 50 minutes to come to the “OK” state. Till then it will be in the INSUFFUCIENT_DATA state. Since 90 minutes have passed and CPU utilization is at 80% constant, the state of alarm will be “ALARM”.

Explanation

57 / 65

You receive a bill from AWS but are confused because you see you are incurring different costs for the exact same storage size in different regions on Amazon S3. You ask AWS why this is so. What response would you expect to receive from AWS?

We charge less in different time zones.

This will balance out next bill.

We charge less where our costs are less.

It must be a mistake

Explanation

Amazon S3 is storage for the Internet. It’s a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs. AWS charges less where their costs are less. For example, their costs are lower in the US Standard Region than in the US West (Northern California) Region.

Explanation

58 / 65

You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure?

Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

Your database will not resume operation without manual administrative intervention.

Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

Explanation

Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks, freeing you up to focus on your applications and business. When you create or modify your DB Instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure. During certain types of planned maintenance, or in the unlikely event of DB Instance failure or Availability Zone failure, Amazon RDS will automatically failover to the standby so that you can resume database writes and reads as soon as the standby is promoted. Since the name record for your DB Instance remains the same, your application can resume database operation without the need for manual administrative intervention. With Multi-AZ deployments, replication is transparent: you do not interact directly with the standby, and it cannot be used to serve read traffic. If you are using Amazon RDS for MySQL and are looking to scale read traffic beyond the capacity constraints of a single DB Instance, you can deploy one or more Read Replicas

Explanation

59 / 65

You have implemented multipart uploading in your company’s AWS cloud storage environment. The overall performance has been good but there is some concern about network utilization. Your CFO has also raised concerns about greater than expected storage costs. What steps can you take to address each of these issues with cost as a primary concern? (Choose 2 answers)

Compress data for faster upload times.

Abort incomplete uploads after a specified time with an object lifecycle policy

Use Direct Connect for greater throughput

Pause uploads during high traffic periods.

Explanation

The ability to pause multipart uploads offers great flexibility in its usage. A pause could be initiated for a number of reasons but pausing to relieve network traffic is a prime use case. If a multipart upload aborts, it is good practice to have a lifecycle policy, which will delete incomplete uploads after a predetermined number of days. This will reduce storage costs.

Explanation

60 / 65

You are designing a cloud implementation for a client. They have requested a database that will serve data to a website as well as perform some complex reporting in a Data Warehouse. They are also looking for a durable location to store session state. Which design choices would meet the client’s requirements? (Choose 3 answers)

MySQL database to serve data to the website

DynamoDB for session state

Amazon Glacier for Data Warehousing/Reporting

Amazon Redshift for Data Warehousing/Reporting

Explanation

An RDS database such as MySQL is a good choice as the back end for a web server. Amazon Redshift is often paired with RDS to offload Data Warehousing/Reporting traffic. DynamoDB is a good choice for managing session state, shopping cart data, or time-series data.

Explanation

61 / 65

You need to design secure administrative access to application servers residing in private subnets in multiple availability zones. You require a select group of administrators to have access from specific IP addresses. You also want the solution to be automated and repeatable. Which of the following options could achieve your goals? (Choose 2 answers)

Elastic Beanstalk

Cloud Formation

NAT Gateway

Quick Start

Explanation

Quick Start is a new solution that is worth checking out. You can use IAM with AWS CloudFormation to control what users can do with AWS CloudFormation. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. Elastic Beanstalk is primarily for web applications only

Explanation

62 / 65

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it.

You grant a database administrator access to the RDS database instance, but she is unable to connect to it.

What steps can you take to resolve the issue?

Create a key pair for your database administrator to log in

Create a security group with specific ingress and egress rules for the DB instance

Use a different port for ingress.

Configure single sign-on for your database administrator.

Explanation

63 / 65

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it. You granted a database administrator access in IAM to the RDS database instance, who is now attempting to connect from a secure, company-managed on-premise IP address range. However, she is unable to connect to the RDS instance. You have reviewed IAM permissions for the administrator and AWS resources that need to connect to the database, and they appear correctly configured. All application instances are able to connect to the RDS instance, but other employees on the same approved IP address range cannot connect to the database. What steps is a recommended first step to troubleshoot the issue?

Check the database security group’s specific ingress and egress rules.

Configure single sign-on for your database administrator.

Create a key pair for your database administrator to log into the environment’s EC2 instances

Enable multi-factor authentication for your database administrator.

Explanation

64 / 65

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

iSCSI

NFS

Fibre

CIFS

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway’s volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

65 / 65

In which circumstance would a bucket owner pay for the data transfers instead of the Requester Pays bucket?

When the request is a HTTP request

When the request is a known request

When the request is anonymous

When the request is 202 Accepted

Explanation

Your score is

The average score is 44%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Need more practice ? take the AWS Certified Solutions Architect Associate (SAA) – Learning mode

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation