AWS Certified Solutions Architect Associate (SAA02) - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 65 questions per test (similar to real AWS exam), 130 minutes, repeat tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

/25

10 votes, 4.5 avg

332

1 / 25

Your company is planning to deploy a hybrid environment linking their on-premise database to an application hosted at AWS. When considering performance rather than security, what are key concerns when designing a network between AWS and the on-site database? (Choose 2 answers)

Network bandwidth

Control of data resources

Network latency

Private network access

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

2 / 25

If you determine that the resources on a launched Amazon EC2 instance are insufficient to handle the workload of an application, you can resize the instance without performing any migration as long as your root device is a(n) ____________.

EBS volume

instance store

S3 bucket

EFS filesystem

Explanation

As your needs change, you might find that your instance is over-utilized (the instance type is too small) or under-utilized (the instance type is too large). If the root device for your instance is an Elastic Block Store (EBS) volume, you can change the size of the instance simply by changing its instance type, which is known as resizing it. If the root device for your instance is an instance store volume, you must migrate your application to a new instance with the instance type that you want

Explanation

3 / 25

You have been contracted to start building the latest and greatest mobile chat app. The schedule for this development and delivery is time critical. What correct mix of AWS services and components should you consider to ensure that your mobile chat app can be produced on time, ensuring that the mobile chat app can authenticate and authorize users?

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Create an auto scaling group of EC2 instances with SAML 2.0 service endpoint, setup and install a custom LDAP directory, configure SSO within the mobile app to use the SAML 2.0 service endpoint to perform user authentication and authorization

Explanation

Answer “Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization” is correct. The question highlights that the “development and delivery is time critical” – therefore the best approach time wise is to use the fit for purpose managed services provided by AWS – in this case, Amazon Cognito, IAM Roles and Policies, and the AWS Mobile SDK.

Explanation

4 / 25

You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information stored in it. What are all the possible security groups that RDS uses?

EC2 security groups only

DB security groups, VPC security groups, and EC2 security groups.

VPC security groups, and EC2 security groups.

DB Security groups only

Explanation

A security group controls the access to a DB instance. It does so by allowing access to IP address ranges or Amazon EC2 instances that you specify. Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and can be used with a DB instance.

Explanation

5 / 25

You are the technical lead on a project to implement a large scale message queue system. You’ve presented Amazon SQS and its many benefits as a solution. Your management is impressed but asks about cost. What can you tell them about SQS pricing? (Choose 2 answers)

You pay only for what you use, and there is no minimum fee.

You are charged a set price for using the service no matter then number of messages transferred.

SQS is completely free. It acts as a link between billed services.

The Amazon SQS Free Tier provides you with 1 million requests per month at no charge.

Explanation

The pricing of SQS is as follows: You pay only for what you use, and there is no minimum fee. The cost of Amazon SQS is calculated per request, plus data transfer charges for data transferred out of Amazon SQS. The Amazon SQS Free Tier provides you with 1 million requests per month at no charge. Many small-scale applications are able to operate entirely within the limits of the Free Tier. However, data transfer charges might still apply.

Explanation

6 / 25

You are designing a cloud implementation for a client. They have requested a database that will serve data to a website as well as perform some complex reporting in a Data Warehouse. They are also looking for a durable location to store session state. Which design choices would meet the client’s requirements? (Choose 3 answers)

DynamoDB for session state

MySQL database to serve data to the website

Amazon Glacier for Data Warehousing/Reporting

Amazon Redshift for Data Warehousing/Reporting

Explanation

An RDS database such as MySQL is a good choice as the back end for a web server. Amazon Redshift is often paired with RDS to offload Data Warehousing/Reporting traffic. DynamoDB is a good choice for managing session state, shopping cart data, or time-series data.

Explanation

7 / 25

In a design meeting with your Senior AWS Architect you are asked to create a dual homed network. The client has been using AWS cloud for a few years and has staff who are fairly well versed in AWS technology. They have offered a preliminary design, which calls for dual homed web servers attached to an application server. This setup is also dual homed to connect to a backend database server. Which AWS device will enable such a dual homed scenario?

Elastic Network Interface

Elastic IP Address

Dual Channel VPN

Elastic Load Balancer

Explanation

You can place a network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a back-end network (subnet) where the database server resides. Instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end, initiates a connection to the back end, and then sends requests to the servers on the back-end network.

Explanation

8 / 25

A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1-week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch?

The user can zoom a particular period by specifying the period in the Time Range

The user can zoom a particular period by specifying the aggregation data for that period

The user can zoom a particular period by double clicking on that period with the mouse

The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse

Explanation

Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. The AWS CloudWatch console provides the option to change the granularity of a graph and zoom in to see data over a shorter time period. To zoom, the user has to click in the graph details pane, drag on the graph area for selection, and then release the mouse button.

Explanation

9 / 25

As the lead architect managing the migration from an on-premises data center to the AWS cloud, you are currently considering the most effective network configuration to meet your requirements.

You want your application servers, which will be hosted within Amazon VPC on multiple EC2 instances in a private subnet, to be able to send read and write requests to specific DynamoDB tables without sending HTTP requests over the public internet or VPN.

How can you allow EC2 to connect with your DynamoDB tables given these requirements?

Create a dedicated network connection with Direct Connect

Create a VPC Gateway Endpoint

Create a VPC peering connection

Create a VPC Interface Endpoint

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

10 / 25

When you force a failover of your DB instance in RDS, which of the following things does RDS do? (Choose 2 answers)

Automatically switches to a standby replica in another region

Allocates a new Elastic IP which points to the new replica

Updates the DNS record for the DB instance to point to the standby DB instance

Automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ

Explanation

When you force a failover of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. The time it takes for the failover to complete depends on the database activity and other conditions at the time the primary DB instance became unavailable. Failover times are typically 60-120 seconds. However, large transactions or a lengthy recovery process can increase failover time. When the failover is complete, it can take additional time for the RDS console UI to reflect the new Availability Zone.

The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. As a result, you will need to re-establish any existing connections to your DB instance.

Explanation

11 / 25

You are assisting an IT administrator for a client company over the phone. The administrator has created a public subnet and had added two EC2 instances to this subnet. But he is unable to access the Internet from these new EC2 instances and is asking for your assistance. What general checks can he make to ensure proper configuration and Internet access? (Choose 3 answers)

He should check to ensure Network ACLs and Security Groups allow ingress and egress.

He should check that the EC2 instances have either a public IP address or an Elastic IP address.

He should check that an Virtual Private Gateway is configured and that the route table routes internet traffic to the Internet gateway.

He should check that an Internet Gateway is configured and that the route table routes Internet traffic to the Internet gateway.

Explanation

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Attach an Internet gateway to your VPC.
Ensure that your subnet’s route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

Explanation

To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Attach an Internet gateway to your VPC.
Ensure that your subnet’s route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

12 / 25

You are setting up your company’s Virtual Private Cloud (VPC). It is time to select the virtual hardware and the software to be provisioned for the instances you will launch within the VPC. You will do this by selecting the Instance Types and Amazon Machine Images (AMI). Which item is not defined by the AMI?

Operating system

Application or System Software

The initial state of any patches

Virtual CPUs

Explanation

An Amazon Machine Image (AMI) is a template that contains a software configuration (for example, an operating system, an application server, and applications). The AMI includes the operating system, initial state of any patches, and any application software. For example, you can select an AMI that has SQL Server. The virtual CPUs are not part of the AMI but are defined by the instance type.

Explanation

13 / 25

Which choice below accurately describes the ‘warm standby’ disaster recovery method?

A complete duplicate of your entire system, to which all traffic can be directed in the event of a disaster.

Keeping data backed up to tape and sent offsite regularly, from which all data can be restored in the event of a disaster.

A duplicate version of only your business-critical systems that is always running, in case you need to divert your workloads to them in the event of a disaster.

Storing critical systems as a template, from which resources can be scaled out in the event of a disaster.

Explanation

Warm standby is essentially ready to go with all key services running in the most minimal possible way, essentially a smaller version of the production environment. In the event of a disaster, the standby environment will be scaled up for production load quickly and easily. DNS records will be changed to route all traffic to the AWS environment.

Explanation

14 / 25

Your database is very frequently receiving more read and write requests than it can handle. To process the higher loads more effectively you’ve decided to vertically scale your RDS database instance. You’ve confirmed that your licensing can handle the increased scale; next, you must determine when the changes will be applied. When can you apply the changes? (Choose 2 answers)

During the maintenance window for the database instances

When changing the database storage type

Immediately, when choosing a larger instance size

When using CloudFront metrics

Explanation

When scaling an RDS instance, changes can be applied immediately or during the maintenance window specified. It is also recommended that you before you scale, make sure you have the correct licensing in place for commercial engines (SQL Server, Oracle) especially if you Bring Your Own License (BYOL). One important thing to call out is that for commercial engines, you are restricted by the license, which is usually tied to the CPU sockets or cores.

Explanation

15 / 25

A user has applied an S3 Bucket access control list (ACL) and a bucket policy to an S3 bucket. Then, the user enables cross-origin resource sharing (CORS) on the same bucket.

Which of the following statements is true in this context?

With CORS, only the policy can be applied

It is not possible to have all three applied to the same bucket.

With CORS, only an ACL can be applied

The ACLs and policies continue to apply when you enable CORS on the bucket

Explanation

The CORS specification gives a user the ability to build web applications that make requests to domains other than the one which supplied the primary content. The ACLs and policies continue to apply when you enable CORS on the bucket.

Explanation

16 / 25

You have been contracted by a company to design and implement their AWS cloud environment. The company has a very tight budget and would like to maximize savings wherever possible. They’ve gotten a 5-year government contract and the workload is expected to remain steady throughout the length of the contract. What type of instance will best meet their computing needs while providing maximum savings?

Standard reserved instances, three-year term commitment, all upfront

Convertible reserved instances, one-year commitment, no upfront

Convertible reserved instances, three-year term commitment, all upfront

Standard reserved instances, one-year commitment, no upfront

Explanation

When you purchase a Reserved Instance, choose a payment option, term, and an offering class that suits your needs. Generally speaking, you can save more money choosing Reserved Instances with a higher upfront payment. There are three payment options (No Upfront, Partial Upfront, All Upfront), two-term lengths (one-year or three-years), and two offering classes (Convertible and Standard). Convertible RIs offer up to a 55% discount, while Standard offers up to a 75% discount. No Upfront and Partial Upfront Reserved Instances are billed for usage on an hourly basis, regardless of whether they are being used. All Upfront Reserved Instances have no additional hourly charges

Explanation

17 / 25

You are the DevOps engineer at a mid-sized technology firm, responsible for the automated disaster recovery of your company’s AWS infrastructure. Your supervisor has recently learned about the EC2 Auto Recovery feature, and she has asked you to evaluate whether or not it would be a good fit for your environment. She is particularly interested in the types of failures it can detect. Which conditions would be detectable by EC2 Auto Recovery? (Choose 3 answers)

Loss of network connectivity

Software or hardware issues on the physical host (hypervisor)

Loss of system power

Application errors or crashes

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

18 / 25

An organization has launched five instances: two for production and three for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often be deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production, and testing will not change in the foreseeable future.

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Define the IAM policy that allows access based on the instance ID

Launch the test and production instances in separate regions and allowing region wise access to the group

Explanation

AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parameters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.
"Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/InstanceType": "Production" } } } ]

Explanation

19 / 25

You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds

Amazon SQS is a non-distributed queuing system.

Amazon SQS is for single-threaded sending or receiving speeds.

Explanation

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.

Explanation

20 / 25

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it.

You grant a database administrator access to the RDS database instance, but she is unable to connect to it.

What steps can you take to resolve the issue?

Use a different port for ingress.

Create a key pair for your database administrator to log in

Create a security group with specific ingress and egress rules for the DB instance

Configure single sign-on for your database administrator.

Explanation

When you are unable to connect to a new database, it is often because the DB instance creation is still in progress and is not available yet. A reasonable amount of time to wait (at most) is 20 to 30 minutes. Beyond that, there is likely a problem. A common pattern in DB implementation involves placing databases in private subnets for additional security. If you follow this practice, make sure that the Security Groups provide appropriate ingress and egress to the DB instance

Explanation

21 / 25

You are designing a VPC for a small legal firm. The firm only has 6 users who will need instances, and the firm does not expect any growth. When creating the VPC, you will need to specify an IPv4 address range by choosing a CIDR block. What is the smallest size CIDR block that could be used for this network?

/16

/28

/24

Explanation

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. AWS reserves the first four addresses and the last address in a CIDR block, so be sure to subtract five to give the number of addresses in a CIDR block available for use

Explanation

22 / 25

You have a lot of data stored in the AWS Storage Gateway and your manager has come to you asking about how the billing is calculated, specifically the Virtual Tape Shelf usage. What would be a correct response to this?

You are billed for the virtual tape data you store in Amazon S3 and are billed for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon S3 and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon Glacier and are billed for the size of the virtual tape

Explanation

The AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure. AWS Storage Gateway billing is as follows. Volume storage usage (per GB per month): You are billed for the Cached volume data you store in Amazon S3. You are only billed for volume capacity you use, not for the size of the volume you create. Snapshot Storage usage (per GB per month): You are billed for the snapshots your gateway stores in Amazon S3. These snapshots are stored and billed as Amazon EBS snapshots. Snapshots are incremental backups, reducing your storage charges. When taking a new snapshot, only the data that has changed since your last snapshot is stored. Virtual Tape Library usage (per GB per month): You are billed for the virtual tape data you store in Amazon S3. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape. Virtual Tape Shelf usage (per GB per month): You are billed for the virtual tape data you store in Amazon Glacier. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape

Explanation

23 / 25

Which of the following types of Amazon S3 metadata or subresources can be tracked by AWS Usage and Cost Reports?

User-defined object metadata

System-defined object metadata

S3 Object tags

S3 Bucket tags

Explanation

S3 Bucket tags are one of several AWS resources in numerous services that fall within the group of cost allocation tags. These tags can be tracked and included within AWS Usage and Billing Reports.

Explanation

S3 Bucket tags are one of several AWS resources in numerous services that fall within the group of cost allocation tags. These tags can be tracked and included within AWS Usage and Billing Reports.

24 / 25

One of your developers is creating an application that must upload large files to an S3 bucket. You suggest that they use the multipart upload feature. Which actions are required from the developer to complete a multipart upload? (Choose 2 answers)

Construct the final object from the parts.

Upload each part with an upload ID and a part number.

Send a request to initiate a multipart upload

Create ordered ETag values to label each part.

Explanation

When you send a request to initiate a multipart upload, Amazon S3 returns a response with an upload ID, which is a unique identifier for your multipart upload. You must include this upload ID whenever you upload parts, list the parts, complete an upload, or abort an upload. When uploading a part, in addition to the upload ID, you must specify a part number that uniquely identifies a part and its position in the object you are uploading. Amazon S3 returns an ETag header in its response. For each part upload, you must record the part number and the ETag value for use in each subsequent request.

Explanation

25 / 25

You are migrating on-premise legal files to the AWS Cloud in Amazon S3 buckets. The corporate audit team will review all legal files within the next year, but until that review is completed, you need to ensure that the legal files are neither updated or deleted in the next 18 months. What steps will ensure the files can be uploaded efficiently but have the required protection for the specific time period of 18 months? (Choose 2 answers)

Set a default legal hold on all related S3 buckets

Set a retention period of 18 months on all relevant object versions via a batch operation

Enable object locks on all relevant S3 buckets with a retention mode of compliance mode.

Set a default retention period of 18 months on all related S3 buckets.

Explanation

The key points of this question are:

the difference between compliance mode and governance mode – compliance prevents objects from being updated or deleted, governance only prevents deletion.
Default Retention periods can be set at bucket level and then applied to all objects uploaded into the bucket. Otherwise they have to set at an object version level.
Legal holds have no specific time frame associated with them, and cannot be configured at a bucket level. They must be configured at an object version level.
Object lock setting cannot be configured via batch operations.

Explanation

The key points of this question are:

the difference between compliance mode and governance mode – compliance prevents objects from being updated or deleted, governance only prevents deletion.
Default Retention periods can be set at bucket level and then applied to all objects uploaded into the bucket. Otherwise they have to set at an object version level.
Legal holds have no specific time frame associated with them, and cannot be configured at a bucket level. They must be configured at an object version level.
Object lock setting cannot be configured via batch operations.

Your score is

The average score is 55%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Ready to take AWS Certified Solutions Architect Associate (SAA) – Exam mode ?

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

/65

5 votes, 4.8 avg

146

Click Start button to start exam !

Time Out !

1 / 65

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing S3 budget. They have asked you to identify strategies to reduce the S3 spend by at least 25% before the next monthly billing cycle.

How could you accomplish this? (Choose 2 answers)

Implement lifecycle to archive older objects to Glacier

Enable object compression to reduce object sizes

Use Snowball for large data objects to avoid data transfer rates

Utilize Infrequent Access storage for objects that are not requested so frequently

Explanation

You can use the infrequent access to reduce the cost of certain classes of objects, as well as send older objects to Glacier for archiving at a much lower cost.

Note that data transfer into S3 is always free. So if you want to reduce your cost, using Snowball might speed up moving large data sets however it will not reduce your cost

Explanation

You can use the infrequent access to reduce the cost of certain classes of objects, as well as send older objects to Glacier for archiving at a much lower cost.

Note that data transfer into S3 is always free. So if you want to reduce your cost, using Snowball might speed up moving large data sets however it will not reduce your cost

2 / 65

A legacy application in your company has been deployed in a single availability zone. It is used only sporadically but must be available nevertheless. Due to your heavy administrative workload, you wish to automate a process that will rebuild the application automatically if it fails. What action should you take?

Add an additional availability zone and a load balancer.

Configure the server in an auto scaling group with a minimum and maximum size of one

Monitor the server availability using Cloud Watch metrics to receive alerts of health check failures.

Perform snapshots of EBS volumes on a set schedule.

Explanation

Auto scaling provides redundancy for a single server with the option of launching a configuration using the attributes from a running instance. When you use this option, auto scaling copies the attributes from the specified instance into a template from which you can launch one or more auto scaling groups.

Note that if the specified instance has properties that are not currently supported by auto scaling, instances launched by auto scaling using the launch configuration created from the identified instance might not be identical to the identified instance.

Explanation

3 / 65

What features of VPC security groups are correct? (Choose 2 answers)

Security Groups are stateless.

Instances associated with the same security group can not talk to each other unless rules are added specifically allowing communication.

You can specify only deny rules, not allow rules.

You can change the security group that an instance is associated with after launch and the changes will take effect immediately.

Explanation

Instances associated with a security group can’t talk to each other unless you add rules allowing it (exception: the default security group has these rules by default). By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.

Explanation

4 / 65

Set a default legal hold on all related S3 buckets

Set a retention period of 18 months on all relevant object versions via a batch operation

Set a default retention period of 18 months on all related S3 buckets.

Enable object locks on all relevant S3 buckets with a retention mode of compliance mode.

Explanation

The key points of this question are:

the difference between compliance mode and governance mode – compliance prevents objects from being updated or deleted, governance only prevents deletion.
Default Retention periods can be set at bucket level and then applied to all objects uploaded into the bucket. Otherwise they have to set at an object version level.
Legal holds have no specific time frame associated with them, and cannot be configured at a bucket level. They must be configured at an object version level.
Object lock setting cannot be configured via batch operations.

Explanation

The key points of this question are:

the difference between compliance mode and governance mode – compliance prevents objects from being updated or deleted, governance only prevents deletion.
Default Retention periods can be set at bucket level and then applied to all objects uploaded into the bucket. Otherwise they have to set at an object version level.
Legal holds have no specific time frame associated with them, and cannot be configured at a bucket level. They must be configured at an object version level.
Object lock setting cannot be configured via batch operations.

5 / 65

You have configured an AWS cloud environment for an ecommerce company. This environment is heavily reliant upon being highly available as downtime will lose the company a great deal of money. You monitor this environment very closely with numerous CloudWatch alarms. Recently you are seeing ‘InsufficientInstanceCapacity’ errors during auto scaling attempts during peak hours from 4:00 – 9:00 pm EST. This is causing costly downtime. Which option will best handle this situation?

Purchase Scheduled Reserved Instances for peak hours

Use spot instances in place of on-demand instances

Increase the maximum size of you auto scaling group to add more capacity

Scale up your RDS instance for more capacity

Explanation

If you get an InsufficientInstanceCapacity error when you try to launch an instance or start a stopped instance, AWS does not currently have enough available capacity to service your request. In this situation, reserved instances offer the required reliability to avoid outages and loss of money. Reserved Instances are a long-term capacity reservation, and you will not have to rely on Amazon having enough on-demand capacity. Usually these capacity issues are short term, but due to the nature of the company even short outages can be very costly.

Explanation

6 / 65

A user has launched an EC2 instance into a VPC with several private and public subnets. The VPC and EC2 instance have the following configurations in place:

A database server is hosted on a Linux EC2 instance located in a private subnet.
A hardened bastion host is launched in a separate public subnet. You have enabled SSH-agent forwarding, and the bastion host’s security group has been configured to allows traffic via Port 22.
A custom security group has been added and associated with the Linux EC2 instance in the private subnet. The custom security group has not updated from its default settings.

With these configurations in place, the user is not able to access the database instance in the private subnet via the bastion host.

What can be the possible reason for this failure?

The bastion host needs to be replaced with a NAT gateway.

The EC2 instance needs an elastic IP address to communicate with the bastion host.

The security group of the database instance is not configured to allow incoming traffic.

The bastion host needs to be placed in the same subnet as the EC2 instance.

Explanation

For the SSH agent forwarding to be successful, both security groups need to allow connection via port 22. Custom security groups by default allow all outbound traffic, but deny all inbound traffic.

Explanation

For the SSH agent forwarding to be successful, both security groups need to allow connection via port 22. Custom security groups by default allow all outbound traffic, but deny all inbound traffic.

7 / 65

Do you need to shutdown your EC2 instance when you create a snapshot of EBS volumes that serve as root devices?

No, the snapshot would turn off your instance automatically

No, you only need to shutdown an instance before deleting it

Yes

Explanation

Yes, to create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.

Explanation

Yes, to create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.

8 / 65

You are contracted to manage cloud storage for a multi-national media company. During your informational analysis, you note a few crucial requirements: the need to upload very large files (greater than 5 GB), concerns about latency across continents, and a compliance requirement about storing backup data 1000 miles from the source.

Which Amazon S3 features will handle these requirements? (Choose 2 answers)

Read replicas

Cross-region replication

Multi-part upload

Pre-signed URLs

Explanation

Multipart uploads must be used for files greater than 5 GB. Cross-region replication is used to reduce latency by placing objects closer to users. This would address the issue of having users in different continents. Another use case for cross-region replication is to meet compliance requirements of storing backup data a certain distance from their origin.

Explanation

9 / 65

You run a stateless web application with the following components:

An Application Load Balancer (ALB)
A two-tier application with frontend instances processing user requests, and backend RDS MySQL instances
The MySQL RDS database offers a maximum of 3000 IOPS with Provisioned IOPS

You notice that the average response time for users is increasing. Looking at CloudWatch, you observe 85% CPU usage on the web and application servers and 20% CPU usage on the database. The average number of database disk operations varies between 1000 and 1500. How would you improve performance? (Choose 2 answers)

Use EC2 Auto Scaling to add additional frontend instances based on the CPU load threshold

Choose a different EC2 instance type for the frontend servers with a more appropriate CPU/Memory ratio

Replace the backend RDS database instances with Aurora database engine

Use Amazon RDS Read Replicas to improve your throughput

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

10 / 65

You are signed in as root user on your account but there is an Amazon S3 bucket under your account that you cannot access. What is a possible reason for this?

The S3 bucket has reached the maximum number of objects allowed

The S3 bucket is full.

You are in the wrong availability zone

An IAM user assigned a bucket policy to an Amazon S3 bucket and didn’t specify the root user as a principal

Explanation

With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access. In some cases, you might have an IAM user with full access to IAM and Amazon S3. If the IAM user assigns a bucket policy to an Amazon S3 bucket and doesn’t specify the root user as a principal, the root user is denied access to that bucket. However, as the root user, you can still access the bucket by modifying the bucket policy to allow root user access.

Explanation

11 / 65

HTML-formatted document

XML-formatted document

JSON-formatted document

CSS-formatted document

Explanation

You can write an AWS CloudFormation template (a JSON-formatted document) in a text editor or pick an existing template. The template describes the resources you want and their settings. For example, suppose you want to create an Amazon EC2. Your template can declare an instance Amazon EC2 and describe its properties

Explanation

12 / 65

DB security groups, VPC security groups, and EC2 security groups.

VPC security groups, and EC2 security groups.

DB Security groups only

EC2 security groups only

Explanation

13 / 65

A user has applied an S3 Bucket access control list (ACL) and a bucket policy to an S3 bucket. Then, the user enables cross-origin resource sharing (CORS) on the same bucket.

Which of the following statements is true in this context?

With CORS, only the policy can be applied

The ACLs and policies continue to apply when you enable CORS on the bucket

With CORS, only an ACL can be applied

It is not possible to have all three applied to the same bucket.

Explanation

14 / 65

You are running an Amazon EC2 EBS-backed instance with a Windows operating system. The hourly instance charge for your instance is $14. You’ve asked your team to stop the instance when they aren’t using it in an effort to save money. However, when the bill comes, you’re surprised to realize that there was an hour where you were charged $42 for the instance. How could this be?

Too many people attempted to access that instance in that particular hour, resulting in a higher bill.

That instance was stopped and never started again, resulting in a premature termination fee.

No one ever stopped the instance like they were supposed to when they weren’t using it.

That instance was stopped and restarted twice within that hour.

Explanation

When an Amazon EBS-backed instance is stopped, you’re not charged for instance usage; however, you’re still charged for volume storage. Amazon charges a full instance hour for every transition from a stopped state to a running state, even if you transition the instance multiple times within a single hour. In this scenario, the charge was $42, which is three times more than $14. This suggests that you stopped and restarted that instance twice during that hour (the initial $14, plus 2 x $14 for each restart).

Although some instances now have per-second billing available, this new billing structure does not apply to Windows instances at this point.

Explanation

Although some instances now have per-second billing available, this new billing structure does not apply to Windows instances at this point.

15 / 65

Can we attach an EBS volume to more than one EC2 instance at the same time?

Yes, all types of EBS volumes can attach to multiple instances

Yes, but only one type of EBS volume can be attached to multiple instances

Yes, all but one type of EBS volumes can attach to multiple instances

Explanation

With the new EBS multi-attach feature for Provisioned IOPS volumes, you can attach EBS volumes (of this type only) to more than one EC2 instance. So, yes it is possible, but not for all EBS volume types.

Explanation

16 / 65

You are reviewing an application’s compute resources in an effort to optimize cost and performance. Your application’s compute layer currently general-purpose on-demand instances. Now you want are considering launching multiple instance types that use various purchase options, including On-Demand Instances, Reserved Instances, and Spot Instances.

What considerations regarding AWS EC2 Auto Scaling should you bear in mind while optimizing your compute layer?

Auto Scaling launch templates can deploy instances of multiple purchase types, but all instances must have the same instance type.

Auto Scaling launch templates can deploy instances of multiple instance types, but all instances must have the same purchase type.

Auto Scaling launch templates can deploy instances of multiple instance types and purchase types.

Auto Scaling launch templates can deploy instances of the same instance type and purchase type.

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

17 / 65

Your supervisor asks you to set up a NAT gateway so that your private subnets can communicate with the Internet. Which of the following are the things that you will need to do to ensure this works successfully? (Choose 3 answers)

Open port 80 to all incoming traffic

Specify the public subnet in which the NAT gateway will reside.

Update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway

Specify an Elastic IP address to associate with the NAT gateway when you create it

Explanation

To create a NAT gateway, you must specify the public subnet in which the NAT gateway will reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the Internet.

Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. You have a limit on the number of NAT gateways you can create in an Availability Zone.

Explanation

Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone. You have a limit on the number of NAT gateways you can create in an Availability Zone.

18 / 65

You are creating an application that stores extremely sensitive financial information. All information in the system must be encrypted at rest and in transit. Which of these is a violation of this policy?

CloudFront Viewer Protocol Policy set to HTTPS redirection

Telling S3 to use AES-256 encryption on the server-side

ELB Using Proxy Protocol v1

Elastic Load Balancer SSL termination.

Explanation

Terminating SSL terminates the security of a connection over HTTP, removing the S for “Secure” in HTTPS. This violates the “encryption in transit” requirement in the scenario.

Explanation

Terminating SSL terminates the security of a connection over HTTP, removing the S for “Secure” in HTTPS. This violates the “encryption in transit” requirement in the scenario.

19 / 65

You are billed for the virtual tape data you store in Amazon S3 and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon Glacier and are billed for the size of the virtual tape

You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

You are billed for the virtual tape data you store in Amazon S3 and are billed for the size of the virtual tape.

Explanation

20 / 65

A user is implementing resources for a group of separate batch processes to be completed during non-business hours. The process is predicted to take 6 hours to complete. This group of batch processing will require a compute-optimized instance, which is a different instance family than any deployed within your production environment. Which option is the right instance type and purchase option in this case, assuming the user performs the same task for the next twelve months?

An instance on a compute savings plan

An instance on an EC2 instance savings plan

A spot instance

A convertible reserved instance

Explanation

A spot instance is not the right instance type for this scenario. Spot instances would very likely be interrupted before a 6 hour job would be complete.

A convertible instance and a compute savings plan both offer up to 66 percent off, but an EC2 instance savings plan offers up to 72 percent discount.

Explanation

A spot instance is not the right instance type for this scenario. Spot instances would very likely be interrupted before a 6 hour job would be complete.

A convertible instance and a compute savings plan both offer up to 66 percent off, but an EC2 instance savings plan offers up to 72 percent discount.

21 / 65

Your developers have created a sales application that works in tandem with the no SQL database. To ensure the fastest response for the application in production, the developers wish to remove the need to wait for acknowledgments from the database to the application after data have been sent. The acknowledgments can be stored and accessed asynchronously. Which managed application would be the best choice for their design?

CloudWatch Logs

Simple Queue Service

AWS Config

Simple Workflow Service

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

22 / 65

You are helping a client design a static website which will potentially grow exponentially in the first few years of existence. You outline the benefits of using S3 to host this Website. What characteristics of S3 elasticity and scalability can you feature? (Choose 2 answers)

S3 bucket names can be replicated in multiple regions.

S3 asynchronously replicates information to all availability zones within a region

S3 synchronously replicates information to all availability zones within a region

S3 supports an unlimited number of files in a bucket

Explanation

With Amazon S3, you can store as much data as you want and access it when needed. S3 supports and unlimited number of files in a bucket so it is not necessary to know your storage needs up front or try to estimate. S3 can be scaled quickly and appropriately to meet the storage demands of your environment. S3 asynchronously replicates information to all availability zones within a region. Amazon S3 scales to support very high request rates. If your request rate grows steadily, Amazon S3 automatically partitions your buckets as needed to support higher request rates

Explanation

23 / 65

As the Senior Architect assigned to your team, you must decide how to best maintain your application’s availability and ensure optimum service as the level of customer activity changes. As your business has grown an increasing international presence, the previous methods for tracking activity are no longer working. However, reviewing performance logs for the past several days, you’ve noticed that users experience connectivity issues once the CPU utilization rate increases beyond 70 percent. You would like to maintain optimum performance, you need to ensure CPU utilization remains at 50 percent.

What choice below will best address the issue and help maintain optimum performance? (Choose 2 answers)

Create a Target Tracking policy using AWS EC2 Auto Scaling

Create a CloudWatch Event to trigger a scaling activity once CPU utilization passes 50 percent

Enable CloudWatch monitoring for your EC2 auto scaling group with detailed monitoring

Enable CloudWatch monitoring for your EC2 auto scaling group with basic monitoring

Explanation

With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the target value, a target tracking scaling policy also adjusts to the changes in the metric due to a changing load pattern.

Explanation

24 / 65

You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?

Outputs

Resources

Conditions

Mappings

Explanation

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. A template is a JSON-formatted text file that describes your AWS infrastructure. Templates include several major sections. The Resources section is the only section that is required. The first character in the template must be an open brace ({), and the last character must be a closed brace (}). The following template fragment shows the template structure and sections

Explanation

25 / 65

A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which one of the following is the best way to terminate the instance automatically once the job is finished?

Configure the EC2 instance with a stop instance to terminate it.

Configure an Auto Scaling scheduled activity to terminate the instance after seven days.

Configure a CloudWatch alarm to terminate the instance once it is idle

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action

Explanation

26 / 65

When you force a failover of your DB instance in RDS, which of the following things does RDS do? (Choose 2 answers)

Automatically switches to a standby replica in another region

Allocates a new Elastic IP which points to the new replica

Automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ

Updates the DNS record for the DB instance to point to the standby DB instance

Explanation

27 / 65

When changing the database storage type

During the maintenance window for the database instances

When using CloudFront metrics

Immediately, when choosing a larger instance size

Explanation

28 / 65

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs. The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours. What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

Copy the data to AWS using AWS DataSync.

Store the data in Amazon S3 in the S3 Glacier Deep Archive storage class.

Store the data in Amazon S3 in the S3 Glacier storage class

Backup the data using AWS Storage Gateway tape gateways

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper – compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue – the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper – compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue – the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

29 / 65

You have 4 Direct Connect (DX) connections to your VPC from your Chicago, Boston, Houston, and Orlando offices. Your VPC’s address range is 10.20.0.0/16. You are using BGP routing. You would like to ensure AWS uses the Chicago connection to reach the IP addresses ranging from 10.20.30.0-10.20.30.127 on your network. The other three locations are currently advertising the following routes:

Boston: 10.20.0.0/16 AS 65000

Houston: 10.20.30.0/24 AS 65000 65000

Orlando: 10.20.30.254/32 AS 65000 65000 65000

Which of the following routes could you advertise from your Chicago connection to ensure AWS uses it to access IP addresses ranging from 10.20.30.0-10.20.30.127?

10.20.30.0/25 AS 65000 65000 65000

10.20.128.0/17 AS 65000

10.20.30.128/26 AS 65000

10.20.30.0/23 AS 65000 65000

Explanation

AWS will choose the most specific route first. If routes are equal after checking for the most specific routes, AWS will use AS path prepending to determine which route is preferred. In this example, 10.20.30.0/25 is more specific than 10.20.30.0/24 and 10.20.0.0/16, so AS path prepending will not matter. The other options are either outside of the address range in question (10.20.30.128/26 and 10.20.128.0/17) or less specific than the route advertised by Houston (10.20.30.0/23). The route advertised from Orlando, 10.20.30.254/32, identifies a single IPv4 address that is outside of the range in question

Explanation

30 / 65

Your company is migrating its infrastructure to AWS. When considering the migration level effort required, you determine there are a select number of VMs that fall under the “very low effort” category. After considering third-party migration options, you decide to utilize available AWS tools. What tools are available for migrating VMs to the AWS cloud? (Choose 2 answers)

AWS VM Import

AWS Snowmobile

AWS S3 Import

AWS Snowball

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

31 / 65

You are configuring a new nondefault VPC for a client’s cloud migration project with the following components:

one public subnet
a default network access control list with no custom rules
an internet gateway
a main route table with a local route for your VPC

You then launch an instance to support the client’s migration which includes the following:

an AWS assigned DNS hostname
an AWS assigned private IP address
an AWS assigned public IP address
associated with a default security group with no custom rules.

You want to connect to the public internet through your instance, but cannot. What could you do to resolve this?

Attach a secondary ENI to the instance and connect via the ENI.

Add a route with 0.0.0.0/0 as the destination and the internet gateway as the target.

Create a NAT instance, and forward all traffic to the NAT instance

You should modify your NACL to allow all inbound and outbound traffic

Explanation

Default security groups and NACLs allow inbound and outbound traffic. All traffic should be routed via internet gateway, so a route should be created with 0.0.0.0/0 as a source, and with your Internet Gateway as the target.

Explanation

32 / 65

When launching an instance using the Launch Wizard, what happens when a user does not provide the security group?

The launch wizard gives an error and a security group is not created.

The launch wizard creates one security group for that instance

The launch wizard is created and the instance with the default security group of EC2 is launched

There is no security group attached to the instance.

Explanation

If a user does not select the security group while creating the instance launch configuration, the Launch wizard automatically defines the “launch-wizard-x” security group to allow the user to connect to the instance, which enables all IP addresses (0.0.0.0/0) to access the instance over the specified ports.

Explanation

33 / 65

You are contacted by a client to troubleshoot an issue with their instances in a VPC. An initial review of an architectural diagram calls for an Internet-facing application load balancer (ALB) and two EC2 Auto Scaling groups within a VPC.

After logging in, you verify the health checks for the instances are acceptable. However, the instances are not receiving traffic from the ALB.

What steps should you take to resolve this issue? (Choose 2 answers)

Edit the load balancer’s security group to allow traffic to subnets and EC2 instances

Create an Access Control List (ACL) for your ALB

Attach an Elastic Network Interface (ENI) to the ALB

Explanation

These types of issues can be investigated in a checklist type manner. First, it’s important to verify manually that the EC2 instances are properly functioning. If so, it becomes a network issue. Are the Security Groups configured properly? Are the ACLs configured properly? Once the instances are verified, it is most likely that a Security Group or ACL is not configured properly.

Explanation

34 / 65

Select a true statement about Amazon EC2 Security Groups (EC2-Classic).

After you launch an instance in EC2-Classic, you can only add rules to a security group.

After you launch an instance in EC2-Classic, you can’t change its security groups.

After you launch an instance in EC2-Classic, you can change its security groups only once.

After you launch an instance in EC2-Classic, you cannot add or remove rules from a security group.

Explanation

After you launch an instance in EC2-Classic, you can’t change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group

Explanation

35 / 65

You are very concerned about security on your network because you have multiple programmers testing APIs and SDKs and you have no idea what is happening. You think CloudTrail may help but are not sure what it does. Which of the following statements best describes the AWS service CloudTrail?

With AWS CloudTrail you can get a history of CloudFormation JSON scripts used for your account.

With AWS CloudTrail you can get a history of AWS API calls and related events for your account.

With AWS CloudTrail you can get a history of S3 logfiles for your account.

With AWS CloudTrail you can get a history of IAM users for your account.

Explanation

With AWS CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

Explanation

36 / 65

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Order an on-demand instance matching the on-premises architecture.

Export all database records to S3.

Fix all MySQL issues in the local data center.

Use the AWS server migration service to migrate existing records

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

37 / 65

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions and if you have more than one Amazon EC2 instance in one or more regions, you can use _______ to route traffic to the correct region for fastest response and then use ________to route traffic to instances within the region, based on weights that you specify.

weighted-based routing; weighted resource record sets

latency-based routing; alias resource record sets

weighted-based routing; alias resource record sets

latency-based routing; weighted resource record sets

Explanation

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify

Explanation

38 / 65

You are designing your company’s new RDS database environment. Your design include multi-AZ for high availability and you have intentions of reviewing scalability options. But first, you need to determine which storage option meets your performance and cost requirements. You expect to have a small database that could grow to medium sized over time. You also want to have burst performance to meet short term spikes. Which storage option is best for you?

General Purpose (SSD)

Dual core processors

Magnetic

Provisioned IOPS (SSD)

Explanation

Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database workload. General purpose is good for small to medium sized databases and has the burst to handle spikes.

Explanation

39 / 65

A client has contracted you to design and implement their Amazon Virtual Private Cloud (VPC). The design called for several web servers in an auto scaling group behind an Application Load Balancer (ALB) in a public subnet. The database tier is in a private subnet. The client has sensitive data and would like to have it encrypted. You’ve decided to configure a public key on the ALB to handle SSL encryption but the public key authentication is failing. What is a possible cause?

The route table needs to contain a reference path to the SSL certificate

The auto scaling policy needs to contain an SSL certificate

Each EC2 instance must be configured for SSL not the ELB

Update the SSL certificate and re-install it on your load balancer

Explanation

An application load balancer configured to use the HTTPS or SSL protocol with back-end authentication enabled fails public key authentication it’s probable that the public key on the SSL certificate does not match the public key configured on the load balancer. You might need to update your SSL certificate. If your SSL certificate is current, try re-installing it on your load balancer.

Explanation

40 / 65

The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse

The user can zoom a particular period by double clicking on that period with the mouse

The user can zoom a particular period by specifying the aggregation data for that period

The user can zoom a particular period by specifying the period in the Time Range

Explanation

41 / 65

In Amazon Route 53, _______ lets you use DNS to route end-user requests to the EC2 region that will give your users the fastest response

simple-based routing

latency-based routing

failover-based routing

weighted-based routing

Explanation

In Amazon Route 53, if your application is hosted on Amazon EC2 instances in multiple EC2 regions, you can reduce latency for your end users by serving their requests from the Amazon EC2 region for which network latency is lowest. Amazon Route 53 latency-based routing lets you use DNS to route user requests to the Amazon EC2 region that will give your users the fastest response

Explanation

42 / 65

If your AWS data must meet specific regulations such as the EU Data protection laws, what must you do?

Move your data somewhere else so you don’t have to worry about extra security

Keep that data on-premise and do not move it to the cloud under any circumstance

Be aware that they exist and comply with them when and if you have time to do so

Architect your environment to meet these security requirements

Explanation

Some laws require specific security controls, retention requirements, etc, dependent on the data being stored. Other legislations exist where certain data may have to remain within a specific region and can not be transferred out of those boundaries. You need to architect your environment to meet these security requirement and mitigate the risk of data being stored in a geographic location that’s restricted. Breaches to this legislation could have a legal impact and lead to additional risks against your organization, so it’s fundamental that you are aware of your data privacy and storage location laws and regulations.

Explanation

43 / 65

What is the default maximum number of Access Keys per user?

The default maximum number of Access Keys per user is 2

44 / 65

A user has launched one EC2 instance in the US East region and one in the US West region. The user has launched an RDS instance in the US East region. ow can the user configure access from both the EC2 instances to RDS?

Configure the US West region’s security group to allow a request from the US East region’s instance and configure the RDS security group’s ingress rule for the US East EC2 group

It is not possible to access RDS of the US East region from the US West region

Configure the security group of both instances in the ingress rule of the RDS security group

Configure the security group of the US East region to allow traffic from the US West region’s instance and configure the RDS security group’s ingress rule for the US East EC2 group

Explanation

The user cannot authorize an Amazon EC2 security group if it is in a different AWS Region than the RDS DB instance. The user can authorize an IP range or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. In this case allow IP of US West inside US East’s security group and open the RDS security group for US East region.

Explanation

45 / 65

Which of the following strategies can be used to control access to your Amazon EC2 instances?

None of the above

IAM Policies

EC2 security groups

DB security groups

Explanation

IAM policies allow you to specify what actions your IAM users are allowed to perform against your EC2 Instances. However, when it comes to access control, security groups are what you need in order to define and control the way you want your instances to be accessed, and whether or not certain kind of communications are allowed or not.

Explanation

46 / 65

A non-root EC2 instance store volume is added to an EBS-backed EC2 instance. Then the instance is somehow accidentally terminated or failed. What happened to the data on the non-root EC2 instance store volume?

The volume data is saved in S3

The data persists.

The data is deleted

The data is automatically copied to another instance store volume

Explanation

EC2 instance store volumes can be added as additional volumes to certain EBS-backed EC2 Instance types. Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues).

Explanation

47 / 65

Your company has a VPC with one public and one private subnet. The EC2 instances in the private subnet are configured to access the internet via a network access translation (NAT) instance.

However, the EC2 instances in the private subnet are currently unable to connect to the internet, and you need to troubleshoot the issue.

First, you verify that the security groups are configured correctly, and that the EC2 instances in the public subnet can connect to destinations on the Internet via the VPC’s internet gateway. It also appears that the NAT instance can access the Internet. The access control list (ACL) for the public subnet has one line allowing inbound HTTP traffic.

What steps can you take to enable the private EC2 instances to access the Internet? (Choose 2 answers)

Add an ACL rule allowing outbound HTTP traffic

Enable Source/Destination checks on the NAT instance.

Disable Source/Destination checks on the NAT instance.

Disable Source/Destination checks on the EC2 instances.

Explanation

There are some issues that could cause EC2 instances in a VPC to be unable to reach the Internet, including the following. An Internet Gateway must be attached to the VPC for a public subnet. Ingress and egress for Security Groups and Access Control Lists must be correct. EC2 instances in a private subnet need a NAT instance or a NAT Gateway, and for a NAT instance’s source/destination checks must be turned off. EC2 instances in a public subnet must have a route to the Internet Gateway in the route table

Explanation

48 / 65

A user is planning to launch a scalable web application. Which of the below mentioned options will not affect the latency of the application?

Instance size.

Availability Zone.

Region.

Provisioned IOPS.

Explanation

In AWS, the instance size decides the I/O characteristics. The provisioned IOPS ensures higher throughput, and lower latency. The region does affect the latency, latency will always be less when the instance is near to the end user. Within a region the user uses any AZ and this does not affect the latency. The AZ is mainly for fault toleration or HA

Explanation

49 / 65

You are building a system to distribute confidential documents to employees across the world. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Add the CloudFront account security group “amazon-cf/amazon-cf-sg” to the appropriate S3 bucket policy.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Explanation

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users’ behalf. If your users try to access objects using Amazon S3 URLs, they’re denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don’t.

Explanation

50 / 65

You are managing a group of EC2 instances in your company’s VPC. Your VPC has been experiencing much higher network traffic than expected and it is not expected to subside. You are considering using EC2 instances with enhanced networking capability. What benefits can enhanced networking instances provide? (Choose 3 answers)

Less jitter

Lower latency

Enhanced network security

More packets per second

Explanation

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces. Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies.

Explanation

51 / 65

A user has enabled static website hosting on an S3 bucket, and configured and uploaded an index document.

An S3 bucket configured for static website hosting provides what additional capabilities?

The user can directly access the website using the region-specific endpoint

None. The user can always access index.html without enabling static website hosting

It reduces costs related to I/O charges.

None. The website hosting feature only enables the user to point to the specific index file

Explanation

To host a static website, the user needs to configure an Amazon S3 bucket for website hosting and then upload the website contents to the bucket. The website is then available at the region-specific website endpoint of the bucket.

If the user has an index.html object as part of the bucket, the user can always host it without the website hosting feature. However, it will require an absolute URL of the object. In this case the user can access the whole bucket as a website and need not refer individual objects separately.

Explanation

52 / 65

/16

/24

/28

Explanation

53 / 65

A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following is important when thinking about being able to quickly launch resources in AWS to ensure business continuity in case of a disaster?

All items listed here are important when thinking about disaster recovery.

Ensure that you have all supporting custom software packages available in AWS.

Regularly run your servers, test them, and apply any software updates and configuration changes.

Create and maintain AMIs of key servers where fast recovery is required

Explanation

In the event of a disaster to your AWS infrastructure you should be able to quickly launch resources in Amazon Web Services (AWS) to ensure business continuity. The following are some key steps you should have in place for preparation: 1. Set up Amazon EC2 instances to replicate or mirror data. 2. Ensure that you have all supporting custom software packages available in AWS. 3. Create and maintain AMIs of key servers where fast recovery is required. 4. Regularly run these servers, test them, and apply any software updates and configuration changes. 5. Consider automating the provisioning of AWS resources.

Explanation

54 / 65

You are deploying over 50 EC2 in separate regions to support your new mobile photo editing app. All have implemented health checks for all Application Load Balancers, as well as CloudWatch alarms for key performance metrics. You have also created Route 53 endpoint health checks for each individual instance. You are growing concerned about the number of SNS notifications you will receive for each of these health checks.

Your ELB health checks can monitor individual instances, but how can you quickly determine whether enough instances in your production environment are unhealthy that it will negatively impact your application’s availability?

Monitor instance health using CloudWatch and set a CloudWatch alarm based on the number of unhealthy instances

Integrate with Amazon QuickSight, to display overall Route 53 Health Check status in a dashboard

Implement a Route 53 Calculated Health Check for your EC2 instance endpoints and create an SNS notification

Create a CloudTrail trail related to Route 53 health checks to a CloudWatch Logs log group, and create an alarm based on a threshold of unhealthy health check results.

Explanation

Implementing a Route 53 Calculated Health Check is the best solution in this case because it aggregates all of the individual health checks. Integrating QuickSight and CloudTrail will create an effective dashboard, but this is not an automated solution because someone has to continuously check the dashboard.

You can also create a CloudWatch Log log alarm, but this would be overly complex compared to the Calculated Health Checks.

For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.For example, let’s say you have deployed 15 EC2 instances, and created 15 separate Route 53 health checks to monitor each one. While you are concerned about each instance’s performance, you essentially need 10 of the 15 instances to be healthy for your system to run properly. Rather than setting up SNS notifications for each individual health check, you can create a calculated health check that collects the results of each health check into a single count between 0-15, and compares that count to a threshold you’ve set. In this case, the threshold could be 10. Now, if 10 instances are healthy, the calculated health check comes back healthy. If less than 10 instances are healthy, the health check comes back unhealthy.

Explanation

You can also create a CloudWatch Log log alarm, but this would be overly complex compared to the Calculated Health Checks.

55 / 65

Your team has found that a client’s load balancer needs to be configured with support for SSL offload using the default security policy. When negotiating the SSL connections between the client and the load balancer, you want the load balancer to determine which cipher is used for the SSL connection. Which actions perform this process on the load balancer? (Choose 3 answers)

Select a client configuration preference option

Enable SSL offload.

Choose the server order preference option

Select the default security policy.

Explanation

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option.

Explanation

56 / 65

You are designing an AWS cloud environment for a small company with limited budget. They have decided to go with a single-AZ database deployment to ensure the implementation remains within budget. You have convinced them of the benefits of doing automatic backups and saving incremental backups to Amazon S3. What would be the best time to perform these automatic backups?

During the daily low in write IOPS

Amazon will determine the best time

After midnight

Two hours before the work day starts

Explanation

It is best practice to enable automatic backups and set the backup window to occur during the daily low in write IOPS. Amazon RDS creates automated backups of your DB instance during the backup window of your DB instance. Amazon RDS saves the automated backups of your DB instance according to the backup retention period that you specify. If necessary, you can recover your database to any point in time during the backup retention period.

Explanation

57 / 65

The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants .

to read or modify any codecommit key of the table directly, without a middle-tier service

to check if an IAM policy requires the hash keys of the tables directly

to change the hash keys of the table directly

to read or modify the table directly, without a middle-tier service

Explanation

FGAC can benefit any application that tracks information in a DynamoDB table, where the end user (or application client acting on behalf of an end user) wants to read or modify the table directly, without a middle-tier service. For instance, a developer of a mobile app named Acme can use FGAC to track the top score of every Acme user in a DynamoDB table. FGAC allows the application client to modify only the top score for the user that is currently running the application

Explanation

58 / 65

An accountant asks you to design a small VPC network for him and, due to the nature of his business, just needs something where the workload on the network will be low, and dynamic data will be accessed infrequently. Being an accountant, low cost is also a major factor. Which EBS volume type would best suit his requirements?

Magnetic

General Purpose (SSD)

Any, as they all perform the same and cost the same

Magnetic or Provisioned IOPS (SSD)

Explanation

You can choose between three EBS volume types to best meet the needs of their workloads: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. General Purpose (SSD) is the new, SSD-backed, general purpose EBS volume type that we recommend as the default choice for customers. General Purpose (SSD) volumes are suitable for a broad range of workloads, including small to medium sized databases, development and test environments, and boot volumes. Provisioned IOPS (SSD) volumes offer storage with consistent and low-latency performance, and are designed for I/O intensive applications such as large relational or NoSQL databases. Magnetic volumes provide the lowest cost per gigabyte of all EBS volume types. Magnetic volumes are ideal for workloads where data is accessed infrequently, and applications where the lowest storage cost is important

Explanation

59 / 65

S3 bucket

EBS volume

instance store

EFS filesystem

Explanation

60 / 65

You are preparing a proposal for a prospective new client. They would like their cloud application environment to be highly scalable. Your proposal includes the benefits of scalability on AWS. Which statements regarding scaling are correct? (Choose 2 answers)

Dynamic scaling is always the best option.

The environment becomes more cost effective as it grows

More EC2 instances will ultimately pay for themselves in performance.

Increasing resources will have a proportional increase in performance.

Explanation

Dynamic scaling can provide a very robust scaling option. But it is not the only option and not always the best option in all scenarios. Manual scaling and scheduled scaling also have use cases where they may be a better choice than dynamic scaling. Increasing resources to improve performance is certainly the most common use case for scaling. However, it is important also to be aware of the effects of scaling on cost. Utilizing auto scaling in conjunction with Cloudwatch monitoring can help insure that resources are scaled in and out appropriately and that money is not wasted on idle or underused resources

Explanation

61 / 65

Your team is developing an application using Elastic Beanstalk and discussing the most appropriate environment for deployment. What two types of environments can be created when using Elastic Beanstalk? (Choose 2 answers)

Load-balancing and auto-scaling environment

Single-instance environment

Web worker environment

Multi-region, multiple-instance environment

Explanation

In Elastic Beanstalk, you can create a load-balancing, autoscaling environment or a single-instance environment. The type of environment that you require depends on the application that you deploy. For example, you can develop and test an application in a single-instance environment to save costs and then upgrade that environment to a load-balancing, autoscaling environment when the application is ready for production.

Explanation

62 / 65

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. As the environment and number of active resources continue to grow, your finance team is having a difficult time attributing your AWS costs to the various business units. How can you help the finance team assign costs to the correct business units? (Choose 2 answers)

Enable Cost and Usage reports.

Tag all resources with the appropriate business unit.

Set up consolidated billing

Give them access to TCO calculator.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

63 / 65

You’ve been contracted by a client to improve the resiliency of their VPC in preparation for increased Disaster Recovery requirements with shorter RTO and RPOs. One thing you’d like to improve upon is resource and application monitoring. Which services used together will allow for the monitoring of application logs on EC2, notification of users managing the services, and the overall health of AWS resources? (Choose 2 answers)

Cloudwatch

CloudFront

SNS

Trusted Advisor

Explanation

Amazon SNS and CloudWatch are integrated so you can collect, view, and analyze metrics for every active Amazon SNS notification. By configuring CloudWatch for Amazon SNS, you can gain better insight into the performance of your Amazon SNS topics, push notifications, and SMS deliveries.

Explanation

64 / 65

Your company uses multiple Amazon VPCs and is setting up a new office. The company is deciding on the best way to connect this new, remote office network with the company’s Amazon VPC environment. Due to the fact it is a new office, no VPN equipment or internet connections exist yet, so this office can design any network connection type it desires. The highest priorities are: A predictable network performance A private connection avoiding the public internet Reduced bandwidth costs Minimal administration required to maintain the high availability of network endpoints Which VPC connection option best fits your requirements to connect your new office to one of your VPCs?

Configure a VPN connection with a software VPN.

Use a hub-and-spoke model with AWS VPN CloudHub

Configure a VPN connection with a hardware VPN.

Connect via AWS Direct Connect

Explanation

Establish a private connection from your new office’s network to your Amazon VPC using AWS Direct Connect is the most suitable option in this case. This option provides predictable network performance, reduces bandwidth costs, and doesn’t require that customers be responsible for implementing high availability solutions for all VPN endpoints. The downside of this option (possible requiring additional telecom and hosting provider relationships) is mitigated in this instance because the office is new and would need to provision a whole new network anyway

Explanation

65 / 65

General Purpose SSD volumes smaller than 1 TB provide the ability to burst to __________ IOPS per volume, independent of volume size, to meet the performance needs of most applications.

3000

10000

5000

2500

Explanation

Amazon EBS provides three volume types: General Purpose SSD, Provisioned IOPS SSD, and Magnetic.

General Purpose SSD volumes are the default EBS volume type for Amazon EC2 instances.

GP2 volumes smaller than 1 TB can burst up to 3,000 IOPS. I/O is included in the price of gp2, so you pay only for each GB of storage you provision. GP2 is designed to deliver the provisioned performance 99% of the time. If you need a greater number of IOPS than gp2 can provide, or if you have a workload where low latency is critical or you need better performance consistency, we recommend that you use io1.

Explanation

Amazon EBS provides three volume types: General Purpose SSD, Provisioned IOPS SSD, and Magnetic.

General Purpose SSD volumes are the default EBS volume type for Amazon EC2 instances.

Your score is

The average score is 44%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Need more practice ? take the AWS Certified Solutions Architect Associate (SAA) – Learning mode

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation