AWS Certified Solutions Architect Associate (SAA02) - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 65 questions per test (similar to real AWS exam), 130 minutes, repeat tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

/25

10 votes, 4.5 avg

337

1 / 25

A non-root EC2 instance store volume is added to an EBS-backed EC2 instance. Then the instance is somehow accidentally terminated or failed. What happened to the data on the non-root EC2 instance store volume?

The data is automatically copied to another instance store volume

The data is deleted

The volume data is saved in S3

The data persists.

Explanation

EC2 instance store volumes can be added as additional volumes to certain EBS-backed EC2 Instance types. Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues).

Explanation

2 / 25

Which of the four storage options on Amazon S3 and Amazon Glacier charges per GB retrieval fees? (Choose 2 answers)

Amazon S3 Standard Storage

Amazon S3 Standard-Infrequent Access Storage

Amazon S3 Reduced Redundancy Storage

Amazon Glacier Storage

Explanation

Amazon Glacier and S3 Standard-IA are both designed for storing infrequently accessed data. This is why the data storage fees are roughly one-half to one-sixth the cost of Standard Storage. Retrieval fees will quickly add up if the data is retrieved too often, so planning or correctly setting your object lifecycle based on how often you or your company will need the data is important.

Explanation

3 / 25

You are tasked with configuring Route 53 for use with EC2 instances across multiple regions that are used for a customer’s website. The customer would like to route traffic based upon the location of the website’s visitors so visitors from specific regions can be presented with specific content. Which of the following would be best suited to meet the requirement?

EDNS0

DynDNS

A region based routing policy

A geolocation routing policy

Explanation

A Geolocation routing policy would allow Route 53 to route queries based upon the location of users. DynDNS is used to automatically update DNS records. EDNS0 can be used to improve the accuracy of geolocation routing, but is not a routing policy in and of itself. Region based is not a valid Route 53 routing policy type.

Explanation

4 / 25

What is the default maximum number of Access Keys per user?

The default maximum number of Access Keys per user is 2

5 / 25

Which choice correctly describes the differences between security groups and Network Access Control Lists (NACLs)? (Choose 2 answers)

NACLs operate at the subnet level and support deny rules only.

Security Groups operate at the subnet level, and they support allow rules only

Security Groups operate at the instance level and support allow rules only.

NACLs operate at the subnet level and support allow and deny rules

Explanation

You can secure your VPC instances using only security groups; however, you can add NACLs as a second layer of defense. Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level . Network access control lists (NACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level . Security Groups supports allow rules only while Network Access Control Lists support allow and deny rules.

Explanation

6 / 25

You are developing a new application in which you need to transfer files over long distances between client-side storage and an S3 bucket. You decide to try sending data to the S3 bucket using S3 Transfer Acceleration. What must you do to achieve this? (Choose 2 answers)

Turn on S3 Transfer Acceleration for the bucket.

Use the CLI S3 accelerate upload commands.

Use the new accelerate endpoints to transfer your data to S3.

Use the SDK S3 accelerate upload commands

Explanation

After you turn on S3 Transfer Acceleration for a bucket, two new endpoints are created for the bucket: one for IPv4 and one for IPv6. You can use either the accelerate endpoints or the standard endpoints if you choose not to use the accelerate feature.

Explanation

7 / 25

Your client’s AWS environment contains several EBS-backed EC2 instances for a project that needs to be postponed.

What choices below will allow you to avoid charges for these on-demand instances, but retain data currently stored within these instances? (Choose 2 answers)

Terminate all the instances.

Take a snapshot of all the instances and then terminate all the instances.

Stop all the instances

Terminate all the instances and then make an image of all the instances.

Explanation

If you stop the instances you will not be charged and the data will still be kept. If you terminate the instances you will lose all your data. If you take a snapshot of all the instances and then terminate all the instances you will not be charged but will still have all your data in the snapshot which can be restored later.

Explanation

8 / 25

You’ve taken over management of your company’s AWS cloud environment. You know very little about the environment and have been provided very little documentation. You have been given access to the environment and begin a discovery and documentation process. You begin by looking at the route table. Without seeing the specific route table, what information do you know it contains about the subnets in the VPC? (Choose 2 answers)

Subnets that do not direct traffic to an Internet Gateway are private

Subnets that direct traffic to an Internet Gateway are public

The subnets region is indicated

The default mask of the subnet can be identified.

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. When you add an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in your VPC, you must update the route table for any subnet that uses these gateways or connections.

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

9 / 25

A user has enabled static website hosting on an S3 bucket, and configured and uploaded an index document.

An S3 bucket configured for static website hosting provides what additional capabilities?

It reduces costs related to I/O charges.

None. The website hosting feature only enables the user to point to the specific index file

None. The user can always access index.html without enabling static website hosting

The user can directly access the website using the region-specific endpoint

Explanation

To host a static website, the user needs to configure an Amazon S3 bucket for website hosting and then upload the website contents to the bucket. The website is then available at the region-specific website endpoint of the bucket.

If the user has an index.html object as part of the bucket, the user can always host it without the website hosting feature. However, it will require an absolute URL of the object. In this case the user can access the whole bucket as a website and need not refer individual objects separately.

Explanation

10 / 25

You are contracted to manage cloud storage for a multi-national media company. During your informational analysis, you note a few crucial requirements: the need to upload very large files (greater than 5 GB), concerns about latency across continents, and a compliance requirement about storing backup data 1000 miles from the source.

Which Amazon S3 features will handle these requirements? (Choose 2 answers)

Read replicas

Pre-signed URLs

Cross-region replication

Multi-part upload

Explanation

Multipart uploads must be used for files greater than 5 GB. Cross-region replication is used to reduce latency by placing objects closer to users. This would address the issue of having users in different continents. Another use case for cross-region replication is to meet compliance requirements of storing backup data a certain distance from their origin.

Explanation

11 / 25

A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?

In the security group, open port 22 for IP 10.20.30.40/32

In the security group, open port 22 for IP 10.20.30.40/0

In the security group, open port 22 for IP 10.20.30.40

In the security group, open port 22 for IP 10.20.30.40/24

Explanation

In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept and ask it in a CIDR format

Explanation

12 / 25

A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following is important when thinking about being able to quickly launch resources in AWS to ensure business continuity in case of a disaster?

Create and maintain AMIs of key servers where fast recovery is required

All items listed here are important when thinking about disaster recovery.

Regularly run your servers, test them, and apply any software updates and configuration changes.

Ensure that you have all supporting custom software packages available in AWS.

Explanation

In the event of a disaster to your AWS infrastructure you should be able to quickly launch resources in Amazon Web Services (AWS) to ensure business continuity. The following are some key steps you should have in place for preparation: 1. Set up Amazon EC2 instances to replicate or mirror data. 2. Ensure that you have all supporting custom software packages available in AWS. 3. Create and maintain AMIs of key servers where fast recovery is required. 4. Regularly run these servers, test them, and apply any software updates and configuration changes. 5. Consider automating the provisioning of AWS resources.

Explanation

13 / 25

A user is making a scalable web application with compartmentalization. The user wants the log module to be accessible by all the application functionalities in an asynchronous way. Each module of the application sends data to the log module, and based on the resource availability it will process the logs. Which AWS service helps achieving this functionality?

AWS Simple Notification Service.

AWS Simple Workflow Service.

AWS Simple Queue Service.

AWS Simple Email Service.

Explanation

Amazon Simple Queue Service (SQS) is a highly reliable distributed messaging system for storing messages as they travel between computers. By using Amazon SQS, developers can simply move data between distributed application components. It is used to achieve compartmentalization or loose coupling. In this case all the modules will send a message to the logger queue and the data will be processed by queue as per the resource availability.

Explanation

14 / 25

A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which one of the following is the best way to terminate the instance automatically once the job is finished?

Configure an Auto Scaling scheduled activity to terminate the instance after seven days.

Configure the EC2 instance with a stop instance to terminate it.

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Configure a CloudWatch alarm to terminate the instance once it is idle

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action

Explanation

15 / 25

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Fix all MySQL issues in the local data center.

Export all database records to S3.

Order an on-demand instance matching the on-premises architecture.

Use the AWS server migration service to migrate existing records

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

16 / 25

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing EC2 budget. They have asked you to identify strategies to reduce the EC2 spend by at least 25% before the next monthly billing cycle. How choices below could assist in accomplishing this? (Choose 3 answers)

Consolidate AWS accounts for billing.

Look for opportunities to use dedicated instances.

Look for opportunities to use reserved or spot instances.

Reduce or eliminate over-provisioned or unused instances.

Explanation

You can reduce EC2 spend by migrating to reserved/spot instances, eliminating/shrinking unused resources, or consolidating AWS accounts (to qualify for volume discounts). The paying account’s use of consolidated billing can benefit from volume pricing discounts gained thru aggregate account usage.

Explanation

17 / 25

Which type of IAM role is pre-defined, and can only be edited in a limited number of cases?

AWS Service Roles

Identity Provider Access Roles

Cross-Account Access Roles

AWS Service-Linked Roles

Explanation

The method that you use to edit a service-linked role depends on the service. Some services might allow you to edit the permissions for a service-linked role from the service console, API, or CLI. However, after you create a service-linked role, you cannot change the name of the role because various entities might reference the role. You can edit the description of any role from the IAM console, API, or CLI.

For information about which services support using service-linked roles, see AWS Services That Work with IAM and look for the services that have Yes in the Service-Linked Role column. To learn whether the service supports editing the service-linked role, choose the Yes link to view the service-linked role documentation for that service.

Explanation

18 / 25

You have been assigned to design a new AWS RDS database for a pharmaceutical company. Their most important requirement is high availability. You have proposed a multi-AZ configuration for high availability. The discussion has progressed to failover scenarios. Which scenario will not cause an automatic failover?

Loss of network connectivity to primary

Loss of availability in primary Availability Zone

Long running resource intensive stored procedure

Compute unit failure on primary

Explanation

Amazon RDS detects and automatically recovers from the most common failure scenarios for Multi-AZ deployments so that you can resume database operations as quickly as possible without administrative intervention. Amazon RDS automatically performs a failover in the event of any of the following:

Loss of availability in primary Availability Zone
Loss of network connectivity to primary
Compute unit failure on primary
Storage failure on primary

Explanation

Loss of availability in primary Availability Zone
Loss of network connectivity to primary
Compute unit failure on primary
Storage failure on primary

19 / 25

After setting up an EC2 security group with a cluster of 20 EC2 instances, you find an error in the security group settings. You quickly make changes to the security group settings. When will the changes to the settings be effective?

The settings will be effective only for the new instances added to the security group.

The settings will be effective immediately for all the instances in the security group.

The settings will be effective only when all the instances are restarted

The settings will be effective for all the instances only after 30 minutes

Explanation

Amazon Redshift applies changes to a cluster security group immediately. So if you have associated the cluster security group with a cluster, inbound cluster access rules in the updated cluster security group apply immediately.

Explanation

20 / 25

You are designing a VPC for a small legal firm. The firm only has 6 users who will need instances, and the firm does not expect any growth. When creating the VPC, you will need to specify an IPv4 address range by choosing a CIDR block. What is the smallest size CIDR block that could be used for this network?

/28

/16

/24

Explanation

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. AWS reserves the first four addresses and the last address in a CIDR block, so be sure to subtract five to give the number of addresses in a CIDR block available for use

Explanation

21 / 25

Your company is migrating its infrastructure to AWS. When considering the migration level effort required, you determine there are a select number of VMs that fall under the “very low effort” category. After considering third-party migration options, you decide to utilize available AWS tools. What tools are available for migrating VMs to the AWS cloud? (Choose 2 answers)

AWS VM Import

AWS Snowmobile

AWS Snowball

AWS S3 Import

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

22 / 25

_____ is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend.

Cost Allocation Tags

AWS Budgets

Consolidated Billing

AWS Cost Explorer

Explanation

Cost Explorer, this is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend. A valuable tool that can help to identify where you should be focusing your cost optimization efforts. It also can forecast your estimated spend up to two months ahead using existing data as a reference. If you can see that your estimated future bills are becoming too high, you have the time now to identify where you can make and initiate cost reduction mechanisms to help mitigate the risk.

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

Explanation

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

23 / 25

You have been placed in charge of your company’s existing AWS cloud environment. Your company is very large and you have a team of 5 engineers. You are managing IAM with one of your team members as a backup. You will assign two team members to manage the RDS databases and will need two team members managing the VPC and the EC2 instances within it. How can you give your team members the ability to administer the EC2 instances? (Choose 2 answers)

Create a role with permissions that grant EC2:* actions on all resources.

Create a login key pair for the EC2 instances and provide this to your team.

Create cross-account access to the VPC which houses the EC2 instances.

Ensure permissions are in place to allow the intended team members to assume the role.

Explanation

Using IAM, you apply permissions to IAM users, groups, and roles by creating policies. You can create two types of IAM policies: Managed Policies and Inline Policies. Managed policies are standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies apply only to identities (users, groups, and roles) – not resources. Inline policies are policies that you create and manage, and that are embedded directly into a single user, group, or role.

Explanation

24 / 25

Your engineers are concerned about application availability during in-place updates to a live Elastic Beanstalk stack. You advise them to consider a blue/green deployment and then list the necessary steps to carry out this deployment. Which steps are valid to include? (Choose 3 answers)

From the new environment’s dashboard, swap environmental URLs and click Swap

Clone your current environment

Deploy the new version of the application

From the new environment’s dashboard, choose Restart Environment

Explanation

Blue/green deployments resolve application unavailability during updates.

To perform a blue/green deployment:

Open the Elastic Beanstalk console.
Clone your current environment, or launch a new environment running the desired configuration.
Deploy the new application version to the new environment.
Test the new version in the new environment.
From the new environment’s dashboard, choose Actions and then choose Swap Environment URLs.

Explanation

Blue/green deployments resolve application unavailability during updates.

To perform a blue/green deployment:

Open the Elastic Beanstalk console.
Clone your current environment, or launch a new environment running the desired configuration.
Deploy the new application version to the new environment.
Test the new version in the new environment.
From the new environment’s dashboard, choose Actions and then choose Swap Environment URLs.

25 / 25

You have a client in the financial industry who is moving to AWS for their IT infrastructure and applications. They need to become PCI compliant to protect their client’s card information. Amazon has many processes in place for PCI compliance. What steps do you need to take to help them become compliant? (Choose 3 answers)

Encrypt data in transit.

Monitor access with CloudTrail and VPC Flow Logs

Use server side encryption to protect card holder data.

Secure private subnets with ACLs and Security Groups

Explanation

AWS provides customers with a PCI-compliant environment and the necessary tools to secure their environment. PCI compliance falls very much in line with the shared responsibility model. But ultimately, it is the customers responsibility to build and maintain a PCI-compliant environment.

Explanation

Your score is

The average score is 54%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Ready to take AWS Certified Solutions Architect Associate (SAA) – Exam mode ?

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

/65

5 votes, 4.8 avg

154

Click Start button to start exam !

Time Out !

1 / 65

Create a login key pair for the EC2 instances and provide this to your team.

Ensure permissions are in place to allow the intended team members to assume the role.

Create cross-account access to the VPC which houses the EC2 instances.

Create a role with permissions that grant EC2:* actions on all resources.

Explanation

2 / 65

Under the shared responsibility model, which aspects of security in the AWS cloud are the responsibility of the user rather than AWS? (Choose 3 answers)

Data encryption

Network hardware maintenance

EC2 instance security

Installation of EC2 security patches

Explanation

AWS is responsible for the security of the cloud in general, in areas such data security and protection against IP spoofing. The customer is responsible for security in the cloud in areas such as data encryption, installing security patches on EC2 instances, and IAM best practices. It is very important to understand this concept to avoid any lapses in your security measures.

Explanation

3 / 65

Your on-premise bare-metal servers are over five years old. You’re considering moving to AWS. The offerings of virtual instances far surpass what you can access on-premises. Before you choose your test instance at AWS, what questions should you ask? (Choose 3 answers)

What is the cost of over-provisioning?

How much network bandwidth do you need?

What is the average server utilization?

When peak load occurs, how much over-provisioning is required?

Explanation

On-premises data centers have costs associated with the servers, storage, networking, power, cooling, physical space, and IT labor required to support applications and services running in the production environment. For servers, these questions are most applicable: What is your average server utilization? How much do you overprovision for peak load? What is the cost of over-provisioning?

Explanation

4 / 65

You are designing a cloud implementation for a client. They have requested a database that will serve data to a website as well as perform some complex reporting in a Data Warehouse. They are also looking for a durable location to store session state. Which design choices would meet the client’s requirements? (Choose 3 answers)

MySQL database to serve data to the website

DynamoDB for session state

Amazon Glacier for Data Warehousing/Reporting

Amazon Redshift for Data Warehousing/Reporting

Explanation

An RDS database such as MySQL is a good choice as the back end for a web server. Amazon Redshift is often paired with RDS to offload Data Warehousing/Reporting traffic. DynamoDB is a good choice for managing session state, shopping cart data, or time-series data.

Explanation

5 / 65

While monitoring your application servers hosted behind an elastic load balancer, you discover that the servers always operate at between 75 and 80% of their capacity after five minutes of operation. Also, there is a constant number of servers being marked as unhealthy very early in their initial lifecycle. Upon further analysis, you also discover that your servers are taking between three and four minutes to become operational after launch. What two tasks should you complete as soon as possible? (Choose 2 answers)

Increase the maximum number of instances in your auto-scaling group

Increase the size of instances in your launch configuration.

Decrease the length of your scaling cool down period

Increase the length of your scaling cool down period

Explanation

A prolonged grace period and a larger number of instances will solve these issues. You can use scaling policies to increase or decrease the number of running EC2 instances in your group automatically to meet changing conditions. When the scaling policy is in effect, the Auto Scaling group adjusts the desired capacity of the group and launches or terminates the instances as needed. If you manually scale or scale on a schedule, you must adjust the desired capacity of the group for the changes to take effect.

Explanation

6 / 65

You have been assigned to work with a manufacturing company that wants to migrate to a Virtual Private Cloud. Their technical lead is very proactive and and would like to use EC2 Spot instances wherever possible for cost efficiency. He also wants to use Instance Stored volumes where possible. You need to educate the technical lead about EBS backed volumes versus Instance Stored volumes. What are some of the advantages of EBS volumes? (Choose 3 answers)

EBS instances boot faster

If the instance is terminated, your data is not lost.

EBS volumes are more cost-effective

EBS based instances can be stopped and restarted.

Explanation

An EBS volume is off-instance storage that can persist independently from the life of an instance. You continue to pay for the volume usage as long as the data persists. EBS instances can be stopped and re-started. And EBS volumes boot faster than instance store volumes often by an order of magnitude

Explanation

7 / 65

Due to compliance rules and regulations, your company’s workload has to run on dedicated instances. How can you make sure that all EC2 instances created for your workload now and in the future are dedicated instances? (Choose 2 answers)

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Explanation

You can create a VPC with an instance tenancy of dedicated to ensure that all instances launched into the VPC are dedicated instances. Alternatively, you can specify the tenancy of the instance during launch

Explanation

8 / 65

A user has suspended the Auto Scaling process and updates the desired capacity of the Auto Scaling group. Which statements below is correct regarding this update?

The desired capacity will not get updated as scaling is frozen

The Auto Scaling will not allow modification of the desired capacity during the suspended process state

The scaling activity will happen as this is manual scaling

The desired capacity will get updated, but the scaling activity will not happen

Explanation

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can suspend one or more scaling processes at any time. When the process is suspended and the user changes the desired capacity, the changes will take effect, but Auto Scaling will not be executed. Thus, the scaling activity will not happen even though there is a difference between the desired capacity and the current capacity.

Explanation

9 / 65

A user is planning to make a mobile game which can be played online or offline and will be hosted on EC2. The user wants to ensure that if someone breaks the highest score or they achieve some milestone they can inform all their colleagues through email. Which of the below mentioned AWS services helps achieve this goal?

Amazon Cognito

AWS Simple Email Service.

AWS Simple Queue Service.

AWS Simple Workflow Service.

Explanation

Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. It integrates with other AWS services, making it easy to send emails from applications that are hosted on AWS.

Explanation

10 / 65

You are an AWS Solutions Architect helping a client plan a migration to the AWS Cloud. The client has provided you with a detailed inventory of their current on-premises compute infrastructure, including metrics related to storage and bandwidth. What tool would you use to estimate the amount of money they will save by migrating to the AWS Cloud?

TCO Calculator

Trusted Advisor

Detailed Billing Reports

Cost Explorer

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

11 / 65

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

Fibre

NFS

iSCSI

CIFS

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway’s volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

12 / 65

Which IAM role do you use to grant AWS Lambda permission to access a DynamoDB Stream?

Execution role

Event Source role

Dynamic role

Invocation role

Explanation

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the “execution role”.

Explanation

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the “execution role”.

13 / 65

Your company has a VPC with one public and one private subnet. The EC2 instances in the private subnet are configured to access the internet via a network access translation (NAT) instance.

However, the EC2 instances in the private subnet are currently unable to connect to the internet, and you need to troubleshoot the issue.

First, you verify that the security groups are configured correctly, and that the EC2 instances in the public subnet can connect to destinations on the Internet via the VPC’s internet gateway. It also appears that the NAT instance can access the Internet. The access control list (ACL) for the public subnet has one line allowing inbound HTTP traffic.

What steps can you take to enable the private EC2 instances to access the Internet? (Choose 2 answers)

Enable Source/Destination checks on the NAT instance.

Disable Source/Destination checks on the NAT instance.

Disable Source/Destination checks on the EC2 instances.

Add an ACL rule allowing outbound HTTP traffic

Explanation

There are some issues that could cause EC2 instances in a VPC to be unable to reach the Internet, including the following. An Internet Gateway must be attached to the VPC for a public subnet. Ingress and egress for Security Groups and Access Control Lists must be correct. EC2 instances in a private subnet need a NAT instance or a NAT Gateway, and for a NAT instance’s source/destination checks must be turned off. EC2 instances in a public subnet must have a route to the Internet Gateway in the route table

Explanation

14 / 65

Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement?

Active-active failover.

None. Route 53 can’t failover.

Active-passive failover

Active-active-passive and other mixed configurations.

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets. Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it’s unhealthy and stop including it when responding to queries. Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If allof the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries. Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

15 / 65

You are designing an AWS cloud environment for a small company with limited budget. They have decided to go with a single-AZ database deployment to ensure the implementation remains within budget. You have convinced them of the benefits of doing automatic backups and saving incremental backups to Amazon S3. What would be the best time to perform these automatic backups?

Two hours before the work day starts

After midnight

Amazon will determine the best time

During the daily low in write IOPS

Explanation

It is best practice to enable automatic backups and set the backup window to occur during the daily low in write IOPS. Amazon RDS creates automated backups of your DB instance during the backup window of your DB instance. Amazon RDS saves the automated backups of your DB instance according to the backup retention period that you specify. If necessary, you can recover your database to any point in time during the backup retention period.

Explanation

16 / 65

An accountant asks you to design a small VPC network for him and, due to the nature of his business, just needs something where the workload on the network will be low, and dynamic data will be accessed infrequently. Being an accountant, low cost is also a major factor. Which EBS volume type would best suit his requirements?

Magnetic

Magnetic or Provisioned IOPS (SSD)

General Purpose (SSD)

Any, as they all perform the same and cost the same

Explanation

You can choose between three EBS volume types to best meet the needs of their workloads: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. General Purpose (SSD) is the new, SSD-backed, general purpose EBS volume type that we recommend as the default choice for customers. General Purpose (SSD) volumes are suitable for a broad range of workloads, including small to medium sized databases, development and test environments, and boot volumes. Provisioned IOPS (SSD) volumes offer storage with consistent and low-latency performance, and are designed for I/O intensive applications such as large relational or NoSQL databases. Magnetic volumes provide the lowest cost per gigabyte of all EBS volume types. Magnetic volumes are ideal for workloads where data is accessed infrequently, and applications where the lowest storage cost is important

Explanation

17 / 65

A user has enabled a CloudWatch alarm. The alarm has a $50 threshold for total AWS charges in the US East (N. Virginia) region. When does CloudWatch trigger the alarm for this threshold?

When the total AWS charges reach $49

When the total AWS charges exceed $50

When the total charges for the US East (N. Virginia) region exceeds $50

When the total charges for the US East (N. Virginia) region reach $49

Explanation

You can choose to receive alerts by email when charges have exceeded a certain threshold. These alerts are triggered by CloudWatch and messages are sent using Amazon Simple Notification Service (Amazon SNS). In this case, when the usage exceeds $50, CloudWatch triggers the alarm.

The metric isn’t specific to US East (N. Virginia) because billing is a worldwide metric, not specific to any region.

Explanation

The metric isn’t specific to US East (N. Virginia) because billing is a worldwide metric, not specific to any region.

18 / 65

You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

Amazon SQS is for single-threaded sending or receiving speeds.

Amazon SQS is a non-distributed queuing system.

Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

Explanation

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.

Explanation

19 / 65

AWS can be used as a disaster recovery solution for on-premises infrastructure, and AWS offerings can be deployed to meet a variety of disaster recovery requirements. When deploying disaster recovery in AWS, which strategy incorporates traditional off-site backups to AWS, but has the longest recovery time?

Pilot light

Multi-region

Backup and restore

Active/active

Explanation

Backup and restore, as defined in the “Using Amazon Web Services for Disaster Recovery” white paper, is most like traditional off-site backup replication. You can leverage services such as Amazon S3 or Amazon Storage Gateway to provide a backup replication target and Amazon EC2 can be used to restore access to your applications. This strategy for disaster recovery is the slowest of all AWS DR strategies.

Explanation

20 / 65

You are signed in as root user on your account but there is an Amazon S3 bucket under your account that you cannot access. What is a possible reason for this?

The S3 bucket is full.

You are in the wrong availability zone

An IAM user assigned a bucket policy to an Amazon S3 bucket and didn’t specify the root user as a principal

The S3 bucket has reached the maximum number of objects allowed

Explanation

With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access. In some cases, you might have an IAM user with full access to IAM and Amazon S3. If the IAM user assigns a bucket policy to an Amazon S3 bucket and doesn’t specify the root user as a principal, the root user is denied access to that bucket. However, as the root user, you can still access the bucket by modifying the bucket policy to allow root user access.

Explanation

21 / 65

You are designing an Amazon RDS database solution for a new medical supply company. This is a brand new company and they do not have an existing on-premises database. They would like to use Oracle for their new database. With a brand new database, which licensing model will you use for Oracle?

Optional licensing

License included

Bring your own license

Pay per core licensing

Explanation

You can run Amazon RDS for Oracle under two different licensing models – “License Included” and “Bring-Your-Own-License (BYOL)”. In the “License Included” service model, you do not need separately purchased Oracle licenses; the Oracle Database software has been licensed by AWS.

Explanation

22 / 65

An international web journal hosted on AWS handles requests for technical publications. The front-end tier is hosted in a VPC with multiple availability zones, auto-scaling groups, and cross zone load-balancing. RDS hosts the application database responsible for indexing and searching the content, and technical journals are served from S3 buckets. At certain times, specific professional journals became quite popular, causing viewing delays. Which additional components could be utilized in your architecture to help improve performance? (Choose 2 answers)

Utilize ElasticCache with Lazy Loading to cache popular searches and indexes

Deploy CloudFront to help with content delivery to users in remote geographic locations

Add cross-region replication to S3 buckets hosting your journals

Utilize the SQS service to speed up response to requests

Explanation

Lazy loading keeps the cache up to date based only on requests, which avoids filling up the cache needlessly, but if data is only written to the cache when there is a cache miss, data in the cache can become stale since there are no updates to the cache when data is changed in the database. This issue is addressed by using lazy loading in conjunction with write through, which adds data or updates data in the cache whenever data is written to the database. You may also use CloudFront to optimize your caching. By default, CloudFront doesn’t consider headers when caching your objects in edge locations. If your origin returns two objects and they differ only by the values in the request headers, CloudFront caches only one version of the object

Explanation

23 / 65

Your client has contacted you about an existing AWS cloud environment that they have. They have a large number of T2 large instances in a VPC but have statistics indicating they may need larger instances soon. Another consideration is the company’s limited budget to add new instances and/or upgrade its current instances. However, they need to do something and are relying on you to provide a solution. This company has used its existing instances for over 3 years and expects a similar lifespan for any new solution.

What changes would best address the issues with their compute resources? (Choose 2 answers)

Use spot instances to supplement the existing instances.

Upgrade to Enhanced Networking instances.

Upgrade to standard reserved instances

Replace T2 large instances with large general purpose instances.

Explanation

T2 instances are Burstable Performance Instances that provide a baseline level of CPU performance with the ability to burst above the baseline. The baseline performance and ability to burst are governed by CPU Credits. M4 instances are the latest generation of General Purpose Instances. This family provides a balance of compute, memory, and network resources, and it is a good choice for many applications. In this instance, the only option which provides for growth while keeping costs in check is to upgrade to reserved M4 instances on a long term 3 year contract.

Explanation

24 / 65

In which of the following scenarios will data be deleted from an EC2 instance store? (Choose 2 answers)

Network failure

The instance stops

The instance reboots

Disk drive failure

Explanation

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content, or for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers.

Data in the instance store is lost under the following circumstances:

The underlying disk drive fails
The instance stops
The instance terminates

If the instance reboots (either intentionally or unintentionally) the data persists.

Explanation

Data in the instance store is lost under the following circumstances:

The underlying disk drive fails
The instance stops
The instance terminates

If the instance reboots (either intentionally or unintentionally) the data persists.

25 / 65

A user has deployed an application on his private cloud. The user is using his own monitoring tool. He wants to configure it so that whenever there is an error, the monitoring tool will notify him via SMS. Which of the below mentioned AWS services will help in this scenario?

AWS SNS

AWS SES

None because the user infrastructure is in the private cloud.

AWS SMS

Explanation

Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, and fully managed push messaging service. Amazon SNS can be used to make push notifications to mobile devices. Amazon SNS can deliver notifications by SMS text message or email to the Amazon Simple Queue Service (SQS) queues or to any HTTP endpoint. In this case user can use the SNS apis to send SMS.

Explanation

26 / 65

A secured web application running on an EC2 instance needs to perform PUT and GET operations on objects within an S3 bucket. The EC2 instance and S3 bucket are owned by the same AWS account. Of the policies listed below, which two grant the necessary permissions for this web application? (Choose 2 answers)

A service-linked policy applied to the S3 bucket allowing access to the web application.

An IAM role assigned to the application hosted on the EC2 instance which allows the application (as a service) to perform PUT/GET operations in Amazon S3.

An S3 Bucket policy that allows the application (as a principal) to perform PUT/GET operations on approved S3 resources within the bucket

An S3 Bucket Trust policy that allows the application (as a principal) to assume S3Admin role to PUT/GET objects to this bucket

Explanation

For internal communication between S3 and an application running on EC2 instance, you need two policies:

An IAM trust policy that allows the EC2 instance to assume a role
An IAM policy or S3 bucket policy that allows the role to get/put objects to the specific bucket

So, the kind of policies that control access to S3 bucket are either an IAM Policy or S3 Bucket Policy. The IAM trust policy is required, but it doesn’t control access to S3.

Explanation

For internal communication between S3 and an application running on EC2 instance, you need two policies:

An IAM trust policy that allows the EC2 instance to assume a role
An IAM policy or S3 bucket policy that allows the role to get/put objects to the specific bucket

So, the kind of policies that control access to S3 bucket are either an IAM Policy or S3 Bucket Policy. The IAM trust policy is required, but it doesn’t control access to S3.

27 / 65

A user is aware that a huge download is occurring on his instance. He has already set the Auto Scaling policy to increase the instance count when the network I/O increases beyond a certain limit. How can the user ensure that this temporary event does not result in scaling?

The policy cannot be set on the network I/O

Suspend scaling

There is no way the user can stop scaling as it is already configured

The network I/O are not affected during data download

Explanation

28 / 65

You are designing a cloud solution for a new client. They have a multi-tier application and would like high availability at both the Web and Database tiers. The database will be MySQL and will be a highly available, multi-AZ configuration. You describe the failover process to the client including how the failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. What additional step must you discuss with the clients technical team?

asynchronously replicating the primary database to the standby database

converting read replicas to multi-AZ standbys

transferring MySQL license to the standby server

re-establishing connections to the DB instance

Explanation

In the event of a planned or unplanned outage of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. Failover times are typically 60-120 seconds. The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. As a result, you will need to re-establish any existing connections to your DB instance.

Explanation

29 / 65

You have been storing massive amounts of data on Amazon Glacier for the past 2 years and now start to wonder if there are any limitations on this. What is the correct answer to your question?

The total volume of data is limited but the number of archives you can store are unlimited.

The total volume of data is unlimited but the number of archives you can store are limited

The total volume of data is limited and the number of archives you can store are limited.

The total volume of data and number of archives you can store are unlimited.

Explanation

An archive is a durably stored block of information. You store your data in Amazon Glacier as archives. You may upload a single file as an archive, but your costs will be lower if you aggregate your data. TAR and ZIP are common formats that customers use to aggregate multiple files into a single file before uploading to Amazon Glacier. The total volume of data and number of archives you can store are unlimited. Individual Amazon Glacier archives can range in size from 1 byte to 40 terabytes. The largest archive that can be uploaded in a single upload request is 4 gigabytes. For items larger than 100 megabytes, customers should consider using the Multipart upload capability. Archives stored in Amazon Glacier are immutable, i.e. archives can be uploaded and deleted but cannot be edited or overwritten.

Explanation

30 / 65

If you determine that the resources on a launched Amazon EC2 instance are insufficient to handle the workload of an application, you can resize the instance without performing any migration as long as your root device is a(n) ____________.

S3 bucket

EBS volume

instance store

EFS filesystem

Explanation

As your needs change, you might find that your instance is over-utilized (the instance type is too small) or under-utilized (the instance type is too large). If the root device for your instance is an Elastic Block Store (EBS) volume, you can change the size of the instance simply by changing its instance type, which is known as resizing it. If the root device for your instance is an instance store volume, you must migrate your application to a new instance with the instance type that you want

Explanation

31 / 65

Your client has submitted a change request to improve security on their S3 buckets. You have decided to allow two administrators to manage the buckets, and are setting up an IAM role for the admins. Your client approves of the two admins having some access, but does not want them to be able to review potentially valuable business information stored within the files. Which operations would you allow this admin role to perform? (Choose 3 answers)

Get an object

List keys in a bucket

Create and delete a bucket

Delete an object

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

Explanation

The Amazon S3 API is intentionally simple with only a handful of common operations. They include: create/delete a bucket, write an object, read an object, delete an object, and list keys in a bucket.

32 / 65

You are managing a static blog site on a MySQL database hosted on an EC2 instance. When an article goes viral, the increased traffic strains your DB server. What is the simplest and most cost-effective way to resolve this issue and make the blog post infinitely scaleable?

Migrate your blog site to DynamoDB to increase scalability to match the increased traffic.

Use spot EC2 instances to increase your capacity.

Enable and configure static web hosting for your blog on Amazon S3. Use Route 53 to point the DNS to the static S3 bucket.

Migrate your blog site to an Amazon RDS instance. Create a database read replica and route read queries from your primary DB instance to the read replica

Explanation

You can host a static website on Amazon S3. On a static website, individual web pages include static content. They may also contain client-side scripts. Because your storage on Amazon S3 is virtually unlimited you can scale infinitely. You also do not need to service dynamic content so a database is not needed.

Using spot instances would not necessarily work because of how spot instance pricing affects the instance availability. As soon as your the instance cost exceeds your bid price, the instances will be terminated and the traffic will once again exceed your MySQL database’s capabilities.

The other options would fix the problem – you can host the site on RDS or DynamoDB. However, they would not be as cost effective as Amazon S3.

Explanation

The other options would fix the problem – you can host the site on RDS or DynamoDB. However, they would not be as cost effective as Amazon S3.

33 / 65

What is the default maximum number of Access Keys per user?

The default maximum number of Access Keys per user is 2

34 / 65

You are responsible for a web application where the web server instances are hosted in auto-scaling group. You discover the following after monitoring your application workload for the past year:

You need a minimum of nine EC2 instances to handle the lowest levels of activity during non-business hours.
During local business hours, you require between 12-16 instances.
Roughly 35 percent of non-business workload involves backend data processing and analysis.

With this information, what recommendations would you make to minimize operating costs while providing the required availability?

Purchase nine standard reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during non-business hours. Purchase spot instances to handle additional capacity needs

Purchase nine convertible reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during local business hours. Purchase spot instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 scheduled reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase spot instances to handle the data processing workload.

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 convertible reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Explanation

The spot instances are ideal for the data processing workload during non-business hours, and deducting those instances from your minimum workload requirements leaves roughly six instances that are running all day. Purchase six standard reserved instances to meet this need with the greatest discount. You can then schedule reserved instances to run during business hours to meet the increase, and on-demand instances to scale as needed while providing necessary availability.

Explanation

35 / 65

A user has set up the CloudWatch alarm on the CPU utilization metric at 50%, with a time interval of 5 minutes and 10 periods to monitor. What will be the state of the alarm at the end of 90 minutes, if the CPU utilization is constant at 80%?

INSUFFICIENT_DATA

ALERT

ALARM

Explanation

In this case the alarm watches a metric every 5 minutes for 10 intervals. Thus, it needs at least 50 minutes to come to the “OK” state. Till then it will be in the INSUFFUCIENT_DATA state. Since 90 minutes have passed and CPU utilization is at 80% constant, the state of alarm will be “ALARM”.

Explanation

36 / 65

Your web-based application has been launched publicly. Your design has implemented auto scaling and classic load balancing and your design is responding to the changes in demand as expected. Over the next few months, during the holiday season, demand is expected to be quite robust. You estimate that 100 EC2 instances will be required to meet your customers’ demand. How should you plan properly for growth? (Choose 2 answers)

Contact Amazon to pre-warm your elastic load balancer to match the expected demands.

Change your auto scaling configuration, setting a desired maximum capacity of 100 instances. Verify your limits allow for this capacity

Use AWS Trusted Advisor to analyze your workload requirements

Add a second load balancer for additional redundancy

Explanation

In certain scenarios, such as when flash traffic is expected, or in the case where a load test cannot be configured to gradually increase traffic, AWS recommends that you have your load balancer “pre-warmed”. They will configure the load balancer to have the appropriate level of capacity based on the traffic that you expect. They also need to know the start and end dates of your tests or expected flash traffic, the expected request rate per second and the total size of the typical request/response that you will be testing

Explanation

37 / 65

You are deploying a two-tiered web application with web servers in a public subnet of your VPC and your database isolated in a private subnet. Your requirements call for the web tier to be highly available. Which services listed will be needed to make the web-tier highly available? (Choose 3 answers)

Route 53

Elastic Load Balancer

Cross-region replication

Auto Scaling

Explanation

The key is that the requirement is for high availability at the web-tier. While multi-AZ deployments and cross-region replication can contribute to high availability, they are each at the storage tier. Route 53 with Health Checks and Failover, Elastic Load Balancer (with health checks and various forms of load balancing, and auto scaling groups create high availability at the web tier.

Explanation

38 / 65

You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: security groups and network access control lists (ACLs). You have already looked into security groups and you are now trying to understand ACLs. Which statement below is incorrect in relation to ACLs?

Is stateful: Return traffic is automatically allowed, regardless of any rules.

Supports allow rules and deny rules.

Processes rules in number order when deciding whether to allow traffic.

Operates at the subnet level (second layer of defense).

Explanation

Amazon VPC provides two features that you can use to increase security for your VPC: Security groups–Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. Network access control lists (ACLs)–Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. Security groups are stateful: (Return traffic is automatically allowed, regardless of any rules) Network ACLs are stateless: (Return traffic must be explicitly allowed by rules)

Explanation

39 / 65

You’ve been assigned to a client that has an auto scaling group behind an Application Load Balancer. The autoscaling group is handling traffic spikes well, but the client is concerned about cost. After reviewing statistics, you find that a large number of instances are being launched for just a short time period (15 – 30 minutes) and you know that Amazon charges per second for the time these instances are running.

You’re concerned that when these bursts occur, instances that scale out in a larger number than required and actually outlive the short bursts of increased workload.

What steps can you take to maintain performance but reduce costs? (Choose 2 answers)

Create a cool down period for your auto scaling group

Create a step scaling policy for improved scale-out events

Create scheduled scaling events instead of using your simply scaling policy.

Use Trusted Advisor to terminate instances immediately when no longer needed.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

Adjusting the cooldown period also minimizes the likelihood of scaling out again before the instances that were deployed in a previous scale out event have had time to warm up and handle requests to their full capability.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

40 / 65

As the Senior Architect assigned to your team, you must decide how to best maintain your application’s availability and ensure optimum service as the level of customer activity changes. As your business has grown an increasing international presence, the previous methods for tracking activity are no longer working. However, reviewing performance logs for the past several days, you’ve noticed that users experience connectivity issues once the CPU utilization rate increases beyond 70 percent. You would like to maintain optimum performance, you need to ensure CPU utilization remains at 50 percent.

What choice below will best address the issue and help maintain optimum performance? (Choose 2 answers)

Enable CloudWatch monitoring for your EC2 auto scaling group with detailed monitoring

Create a Target Tracking policy using AWS EC2 Auto Scaling

Create a CloudWatch Event to trigger a scaling activity once CPU utilization passes 50 percent

Enable CloudWatch monitoring for your EC2 auto scaling group with basic monitoring

Explanation

With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the target value, a target tracking scaling policy also adjusts to the changes in the metric due to a changing load pattern.

Explanation

41 / 65

An organization has a statutory requirement to protect the data at rest for data stored in EBS volumes. Which of the below mentioned options can the organization use to achieve data protection?

Data encryption.

Data replication.

All the options listed here.

Data snapshot.

Explanation

For protecting the Amazon EBS data at REST, the user can use options, such as Data Encryption (Windows / Linux / third party based), Data Replication (AWS internally replicates data for redundancy), and Data Snapshot (for point in time backup). Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

Explanation

42 / 65

Which of the following statements is true of creating a launch configuration using an EC2 instance?

Auto Scaling automatically creates a launch configuration directly from an EC2 instance.

The launch configuration should be created manually from the AWS CLI.

A user should manually create a launch configuration before creating an Auto Scaling group.

The launch configuration can be created only using the Query APIs.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

43 / 65

You need to create an Amazon Machine Image (AMI) for a customer for an application which does not appear to be part of the standard AWS AMI template that you can see in the AWS console. What are the alternative possibilities for creating an AMI on AWS ?

You can purchase an AMIs from a third party but cannot create your own AMI

You can purchase an AMIs from a third party or can create your own AMI.

Only AWS can create AMIs and you need to wait till it becomes available.

Only AWS can create AMIs and you need to request them to create one for you.

Explanation

You can purchase an AMIs from a third party, including AMIs that come with service contracts from organizations such as Red Hat. You can also create an AMI and sell it to other Amazon EC2 users. After you create an AMI, you can keep it private so that only you can use it, or you can share it with a specified list of AWS accounts. You can also make your custom AMI public so that the community can use it. Building a safe, secure, usable AMI for public consumption is a fairly straightforward process, if you follow a few simple guidelines.

Explanation

44 / 65

Configure an Auto Scaling scheduled activity to terminate the instance after seven days

Configure a CloudWatch alarm to terminate the instance once it is idle.

Configure the EC2 instance with a stop instance to terminate it.

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Explanation

45 / 65

Which statements below correctly describe how a security group functions in the AWS cloud? (Choose 2 answers)

Security groups are stateless

Every instance must have at least one assigned security group.

If there are multiple security groups, the most restrictive one is used

Security groups control traffic at the instance level

Explanation

Security Groups are essentially stateful firewalls at the instance level. Security Groups are associated with instances at launch time, and restrict or allow traffic based on port, protocol, and source/destination.

Explanation

46 / 65

You are building a system to distribute confidential documents to employees across the world. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?

Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Explanation

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users’ behalf. If your users try to access objects using Amazon S3 URLs, they’re denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don’t.

Explanation

47 / 65

You are designing monitoring and operation management for your environment on AWS and in the process of deciding which metrics to start with for your monitoring. Which of the following metrics should be included in your initial monitoring plan at a minimum? (Choose 3 answers)

Volume Queue Length

Memory Utilization

CPU Utilization

Disk Performance (Read and Write OPS)

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

48 / 65

As the lead architect managing the migration from an on-premises data center to the AWS cloud, you are currently considering the most effective network configuration to meet your requirements.

You want your application servers, which will be hosted within Amazon VPC on multiple EC2 instances in a private subnet, to be able to send read and write requests to specific DynamoDB tables without sending HTTP requests over the public internet or VPN.

How can you allow EC2 to connect with your DynamoDB tables given these requirements?

Create a VPC Interface Endpoint

Create a VPC Gateway Endpoint

Create a VPC peering connection

Create a dedicated network connection with Direct Connect

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

49 / 65

EDNS0

A region based routing policy

A geolocation routing policy

DynDNS

Explanation

50 / 65

You decide that you need to create a number of Auto Scaling groups to try and save some money as you have noticed that at certain times most of your EC2 instances are not being used. By default, what is the maximum number of Auto Scaling groups that AWS will allow you to create?

Unlimited

Explanation

Auto Scaling is an AWS service that allows you to increase or decrease the number of EC2 instances within your application’s architecture. With Auto Scaling, you create collections of EC2 instances, called Auto Scaling groups. You can create these groups from scratch, or from existing EC2 instances that are already in production

Explanation

51 / 65

True or False: In Amazon Route 53, you can create a hosted zone for a top-level domain (TLD).

FALSE

TRUE

True, only if you send an XML document with a CreateHostedZoneRequest element for TL

False, Amazon Route 53 automatically creates it for you.

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

52 / 65

You’ve been contracted by a client to improve the resiliency of their VPC in preparation for increased Disaster Recovery requirements with shorter RTO and RPOs. One thing you’d like to improve upon is resource and application monitoring. Which services used together will allow for the monitoring of application logs on EC2, notification of users managing the services, and the overall health of AWS resources? (Choose 2 answers)

SNS

CloudFront

Trusted Advisor

Cloudwatch

Explanation

Amazon SNS and CloudWatch are integrated so you can collect, view, and analyze metrics for every active Amazon SNS notification. By configuring CloudWatch for Amazon SNS, you can gain better insight into the performance of your Amazon SNS topics, push notifications, and SMS deliveries.

Explanation

53 / 65

You are running an Amazon EC2 EBS-backed instance with a Windows operating system. The hourly instance charge for your instance is $14. You’ve asked your team to stop the instance when they aren’t using it in an effort to save money. However, when the bill comes, you’re surprised to realize that there was an hour where you were charged $42 for the instance. How could this be?

Too many people attempted to access that instance in that particular hour, resulting in a higher bill.

No one ever stopped the instance like they were supposed to when they weren’t using it.

That instance was stopped and restarted twice within that hour.

That instance was stopped and never started again, resulting in a premature termination fee.

Explanation

When an Amazon EBS-backed instance is stopped, you’re not charged for instance usage; however, you’re still charged for volume storage. Amazon charges a full instance hour for every transition from a stopped state to a running state, even if you transition the instance multiple times within a single hour. In this scenario, the charge was $42, which is three times more than $14. This suggests that you stopped and restarted that instance twice during that hour (the initial $14, plus 2 x $14 for each restart).

Although some instances now have per-second billing available, this new billing structure does not apply to Windows instances at this point.

Explanation

Although some instances now have per-second billing available, this new billing structure does not apply to Windows instances at this point.

54 / 65

You have taken on a client that has been configured for AWS cloud and is fully operational. Your investigation of the environment reveals that your predecessor was a highly skilled AWS Architect. You view one instance that handles Internet traffic but also handles back end database traffic in a private subnet. This one instance is configured as a full management network attached to both a public subnet and a private subnet. What AWS device will enable such a configuration for a single instance?

Auto scaling group

Elastic Load Balancer

Elastic Network Interface

Elastic ip address

Explanation

You can create a management network using network interfaces. In this scenario, the secondary network interface on the instance handles public-facing traffic and the primary network interface handles back-end management traffic and is connected to a separate subnet in your VPC that has more restrictive access controls. The public-facing interface, which may or may not be behind a load balancer, has an associated security group that allows access to the server from the Internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the Internet, a private subnet within the VPC or a virtual private gateway.

Explanation

55 / 65

_____ is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend.

Consolidated Billing

AWS Budgets

Cost Allocation Tags

AWS Cost Explorer

Explanation

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

Explanation

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view – this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View – this covers the current and previous two months and is grouped by linked accounts
Daily Spend view – this covers the daily spend over the previous sixty days

56 / 65

You are pulled in on a redesign of a client’s AWS VPC. The client was an early adopter of AWS but wants to improve their overall security in the VPC. The budget allocated for this redesign is very limited and you need to optimize your time. You’ve created new security groups for the VPC. What’s the most expedient way to associate these new security groups with the instances in the VPC?

Associate the instances with the new security groups while the instances are running.

Create a snapshot of the instance, launch new instances from the snapshot, which are attached to the new security groups.

Shutdown the instances and attach to the new security groups then re-start the instances.

Delete the instances, create new instances, attach to the security groups, then launch the instances.

Explanation

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don’t specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC. If an instance is running in an Amazon VPC you can change which security groups are associated with an instance while the instance is running.

Explanation

57 / 65

Which one of the following answers is not a possible state of Amazon CloudWatch Alarm?

STATUS_CHECK_FAILED

ALARM

INSUFFICIENT_DATA

Explanation

Amazon CloudWatch Alarms have three possible states: OK: The metric is within the defined threshold ALARM: The metric is outside of the defined threshold INSUFFICIENT_DATA: The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state

Explanation

58 / 65

You have designed an application that does the following:

It runs hourly checks for new items in an S3 bucket.
If new items exist, a message is added to an SQS queue.
It has several EC2 instances which retrieve messages from the SQS queue, parse the file, and send you an email containing the relevant information from the file.

You upload a test file to the bucket, wait a couple of hours and find that you have hundreds of emails from the application.
Which of the following is the most likely cause for this volume of email? (Choose 2 answers)

Messages are not being deleted following processing.

You are being spammed

You should be checking for messages every 10 minutes.

To keep multiple instances from processing the same SQS message, your application must delete the SQS message after processing it.

Explanation

Many instances can poll a single queue, but to keep multiple instances from processing the same SQS message, your application must delete the SQS message after processing it. While SQS does not guarantee a message will be processed only once, the same message being processed many times is probably an indication that the message is not being deleted following processing.

Explanation

59 / 65

You’ve been assigned to assist a client in the creation of their AWS Virtual Private Cloud (VPC). You are shadowing their IT admin to allow the admin to create the VPC, learn, and benefit from your guidance. Which VPC components are optional and should be created at the discretion of the customer? (Choose 3 answers)

Internet Gateways

NAT Gateways

Route Tables

Virtual Private Gateways

Explanation

The optional components of a VPC are available for situational use in the VPC. An internet gateway needs to be created to give instances within the VPC internet access. By creating the Internet Gateway and creating a route in the route table to the Internet Gateway the instances will be able to access the internet. NAT Gateway perform a similar function to Internet Gateways but they are used for instances within private subnets. Virtual Private Gateways facilitate connectivity between the VPC and an on-premises network.

Explanation

60 / 65

An EC2 instance has one additional EBS volume attached to it. How can a user attach the same volume to another running instance in the same availability zone?

Terminate the first instance and only then attach it to the new instance

Detach the volume first and attach it to new instance

Attach the volume as read-only to the second instance

No need to detach. Just select the volume and attach it to the new instance, it will take care of mapping internally.

Explanation

If an EBS volume is attached to a running EC2 instance, the user needs to detach the volume from the original instance and then attach it to a new running instance. The user doesn’t need to stop or terminate the original instance.

Explanation

61 / 65

A national auto parts chain contracted your firm to design and implement their AWS environment. It is a very large-scale system that handles order processing, accounting, stocking, and logistics. This system spans multiple availability zones and requires a multi-AZ environment for high availability. The system has been implemented and you need to test the database failover mechanism. It is imperative that the failover occurs within the specified RTO. How can you consistently test database failover?

Amazon has thoroughly tested failover and customers can not test failover.

Backup then delete the primary database instance

Contact Amazon to conduct a failover test.

Reboot the primary database instance

Explanation

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. Multi-AZ deployments utilize synchronous replication, making database writes concurrently on both the primary and standby so that the standby will be up-to-date in the event a failover occurs.

Explanation

62 / 65

A gaming company comes to you and asks you to build infrastructure for their site. They are not sure how big they will be because, as with all startups, they have limited money and big ideas. What they do tell you is that if the game becomes successful, like one of their previous games, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. After considering all of this, you decide that they need a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability and persistent storage. Which of the following databases do you think would best fit their needs?

Amazon Elasticache

Amazon DynamoDB

Amazon Redshift

Amazon Aurora

Explanation

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS, so they don’t have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.

Today’s web-based applications generate and consume massive amounts of data. For example, an online game might start out with only a few thousand users and a light database workload consisting of 10 writes per second and 50 reads per second. However, if the game becomes successful, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. It may also create terabytes or more of data per day. Developing your applications against Amazon DynamoDB enables you to start small and simply dial-up your request capacity for a table as your requirements scale, without incurring downtime. You pay highly cost-efficient rates for the request capacity you provision, and let Amazon DynamoDB do the work over partitioning your data and traffic over sufficient server capacity to meet your needs. Amazon DynamoDB does the database management and administration, and you simply store and request your data. Automatic replication and failover provides built-in fault tolerance, high availability, and data durability. Amazon DynamoDB gives you the peace of mind that your database is fully managed and can grow with your application requirements.

Explanation

63 / 65

Which of the following strategies can be used to control access to your Amazon EC2 instances?

IAM Policies

DB security groups

None of the above

EC2 security groups

Explanation

IAM policies allow you to specify what actions your IAM users are allowed to perform against your EC2 Instances. However, when it comes to access control, security groups are what you need in order to define and control the way you want your instances to be accessed, and whether or not certain kind of communications are allowed or not.

Explanation

64 / 65

You are the technical lead on a project to implement a large scale message queue system. You’ve presented Amazon SQS and its many benefits as a solution. Your management is impressed but asks about cost. What can you tell them about SQS pricing? (Choose 2 answers)

You pay only for what you use, and there is no minimum fee.

You are charged a set price for using the service no matter then number of messages transferred.

The Amazon SQS Free Tier provides you with 1 million requests per month at no charge.

SQS is completely free. It acts as a link between billed services.

Explanation

The pricing of SQS is as follows: You pay only for what you use, and there is no minimum fee. The cost of Amazon SQS is calculated per request, plus data transfer charges for data transferred out of Amazon SQS. The Amazon SQS Free Tier provides you with 1 million requests per month at no charge. Many small-scale applications are able to operate entirely within the limits of the Free Tier. However, data transfer charges might still apply.

Explanation

65 / 65

Your business is slowly migrating to the AWS cloud, but must continue to support its on-premises servers and networks while extending to the cloud. As a result, you are looking for every possible way to optimize costs while ensuring resources remain secure. In order to provide an extra layer of security, you would like for your servers hosted within your VPCs to communicate with other AWS services without leaving your VPC network. You would also like your on-premises servers to be able to connect to these same AWS services through your VPC instead of sending and receiving requests over the public internet. Which AWS networking service or component would satisfy these requirements?

VPC Virtual Private Gateways

VPC Gateway Endpoints

VPC Interface Endpoints

VPC Peering Connections

Explanation

With VPC Interface Endpoints, it is possible to connect to a number of AWS services both from resources within your Amazon VPC and from resources in your on-premises environment. This is not possible with VPC Gateway Endpoints.

Explanation

Your score is

The average score is 43%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Need more practice ? take the AWS Certified Solutions Architect Associate (SAA) – Learning mode

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation