AWS Certified Solutions Architect Associate (SAA02) - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 65 questions per test (similar to real AWS exam), 130 minutes, repeat tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

/25

10 votes, 4.5 avg

341

1 / 25

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing EC2 budget. They have asked you to identify strategies to reduce the EC2 spend by at least 25% before the next monthly billing cycle. How choices below could assist in accomplishing this? (Choose 3 answers)

Consolidate AWS accounts for billing.

Reduce or eliminate over-provisioned or unused instances.

Look for opportunities to use reserved or spot instances.

Look for opportunities to use dedicated instances.

Explanation

You can reduce EC2 spend by migrating to reserved/spot instances, eliminating/shrinking unused resources, or consolidating AWS accounts (to qualify for volume discounts). The paying account’s use of consolidated billing can benefit from volume pricing discounts gained thru aggregate account usage.

Explanation

2 / 25

Your business is slowly migrating to the AWS cloud, but must continue to support its on-premises servers and networks while extending to the cloud. As a result, you are looking for every possible way to optimize costs while ensuring resources remain secure. In order to provide an extra layer of security, you would like for your servers hosted within your VPCs to communicate with other AWS services without leaving your VPC network. You would also like your on-premises servers to be able to connect to these same AWS services through your VPC instead of sending and receiving requests over the public internet. Which AWS networking service or component would satisfy these requirements?

VPC Gateway Endpoints

VPC Virtual Private Gateways

VPC Interface Endpoints

VPC Peering Connections

Explanation

With VPC Interface Endpoints, it is possible to connect to a number of AWS services both from resources within your Amazon VPC and from resources in your on-premises environment. This is not possible with VPC Gateway Endpoints.

Explanation

3 / 25

Your client is using EBS volumes for storage. In general, things are working well but they’d like to increase the size if possible. It’s used for a critical application that has no tolerance for latency. What steps can you take to increase the size and avoid any latency? (Choose 2 answers)

Create a RAID 5 array to increase size and improve performance.

Create a snapshot of the volume add a new larger volume from the snapshot, then replace the original volume.

Scale the existing volume up to a larger size in the AWS console.

Initialize a volume from a snapshot by accessing all the blocks in the snapshot to avoid latency.

Explanation

You can use snapshots to increase the size of EBS volumes. Take a snapshot of the existing volume, create a new volume from the snapshot but with a larger size, then replace the original snapshot with the new volume. There is a performance hit with new volumes because, while the volume is created immediately, the data is lazy loaded. So there will be a first time performance hit when accessing each block on the volume. This problem can be resolved by initializing the volume and accessing each block one time before the volume is put into service.

Explanation

4 / 25

In Amazon EC2, if your EBS volume stays in the detaching state, you can force the detachment by clicking

Force Detach

AttachInstance

AttachVolume

Detach Instance

Explanation

If your volume stays in the detaching state, you can force the detachment by clicking Force Detach

Explanation

If your volume stays in the detaching state, you can force the detachment by clicking Force Detach

5 / 25

You have been assigned as a technical lead to a client that has their own development team. The team is relatively new to developing in the cloud. In a design meeting the developers begin discussing developing a messaging queue for data that does not need processed immediately. You begin telling them about the merits of Amazon SQS. What are the benefits of SQS over an in-house developed messaging queue? (Choose 3 answers)

SQS requires no administrative overhead and little configuration

SQS also provides extremely high message durability

You can scale the amount of traffic you send to Amazon SQS up or down without any configuration.

You can work with AWS in developing your SQS message queue

Explanation

SQS provides several advantages over building your own software for managing message queues that require significant up-front time for development and configuration. Homegrown solutions require ongoing hardware maintenance and system administration resources. The complexity of configuring and managing these systems is compounded by the need for redundant storage of messages that ensures messages are not lost if hardware fails. In contrast, Amazon SQS requires no administrative overhead and little configuration. SQS works on a massive scale, processing billions of messages per day. You can scale the amount of traffic you send to Amazon SQS up or down without any configuration. Amazon SQS also provides extremely high message durability.

Explanation

6 / 25

You are setting up your first Amazon Virtual Private Cloud (Amazon VPC) so you decide to use the VPC wizard in the AWS console to help make it easier for you. Which of the following statements is correct regarding instances that you launch into a default subnet via the VPC wizard?

Instances that you launch into a default subnet receive a public IP address and 10 private IP addresses.

Instances that you launch into a default subnet receive both a public IP address and a private IP address.

Instances that you launch into a default subnet receive a public IP address and 5 private IP addresses.

Instances that you launch into a default subnet don’t receive any ip addresses and you need to define them manually.

Explanation

Instances that you launch into a default subnet receive both a public IP address and a private IP address. Instances in a default subnet also receive both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don’t receive a public IP address or a DNS hostname. You can change your subnet’s default public IP addressing behavior

Explanation

7 / 25

A user has attached 1 EBS volume to a VPC instance. The user wants to achieve the best fault tolerance of data possible. Which of the below mentioned options can help achieve fault tolerance?

Attach one more volume with RAID 1 configuration

Use the EBS volume as a root device

Attach one more volume with RAID 0 configuration.

Connect multiple volumes and stripe them with RAID 6 configuration.

Explanation

The user can join multiple provisioned IOPS volumes together in a RAID 1 configuration to achieve better fault tolerance. RAID 1 does not provide a write performance improvement, it requires more bandwidth than non-RAID configurations since the data is written simultaneously to multiple volumes.

Explanation

8 / 25

You have 4 Direct Connect (DX) connections to your VPC from your Chicago, Boston, Houston, and Orlando offices. Your VPC’s address range is 10.20.0.0/16. You are using BGP routing. You would like to ensure AWS uses the Chicago connection to reach the IP addresses ranging from 10.20.30.0-10.20.30.127 on your network. The other three locations are currently advertising the following routes:

Boston: 10.20.0.0/16 AS 65000

Houston: 10.20.30.0/24 AS 65000 65000

Orlando: 10.20.30.254/32 AS 65000 65000 65000

Which of the following routes could you advertise from your Chicago connection to ensure AWS uses it to access IP addresses ranging from 10.20.30.0-10.20.30.127?

10.20.30.0/23 AS 65000 65000

10.20.30.0/25 AS 65000 65000 65000

10.20.30.128/26 AS 65000

10.20.128.0/17 AS 65000

Explanation

AWS will choose the most specific route first. If routes are equal after checking for the most specific routes, AWS will use AS path prepending to determine which route is preferred. In this example, 10.20.30.0/25 is more specific than 10.20.30.0/24 and 10.20.0.0/16, so AS path prepending will not matter. The other options are either outside of the address range in question (10.20.30.128/26 and 10.20.128.0/17) or less specific than the route advertised by Houston (10.20.30.0/23). The route advertised from Orlando, 10.20.30.254/32, identifies a single IPv4 address that is outside of the range in question

Explanation

9 / 25

You are developing a static website using S3 for your company’s clients. Your team is configuring the site and has granted public read access. What other steps must they take? (Choose 2 answers)

Specify a default index document

Enable server-side scripting

Enable static website hosting.

Create a website page hierarchy

Explanation

To configure a bucket for static website hosting, you add a website configuration to your bucket. The configuration includes an index document, error documents, redirects of all requests that are intended for the index page, and any conditional redirects. Amazon S3 does not support server-side scripting.

Explanation

10 / 25

Making use of a(n) ____ when creating instances in Amazon EC2 is your best solution for providing the lowest latency network communication between multiple instances in EC2.

virtual cluster

virtual private cloud

isolated network

cluster placement group

Explanation

A cluster placement group is a logical grouping of instances within a single AWS Availability Zone. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. To provide the lowest latency, and the highest packet-per-second network performance for your placement group, choose an instance type that supports enhanced networking.

Explanation

11 / 25

You run a stateless web application with the following components:

An Application Load Balancer (ALB)
A two-tier application with frontend instances processing user requests, and backend RDS MySQL instances
The MySQL RDS database offers a maximum of 3000 IOPS with Provisioned IOPS

You notice that the average response time for users is increasing. Looking at CloudWatch, you observe 85% CPU usage on the web and application servers and 20% CPU usage on the database. The average number of database disk operations varies between 1000 and 1500. How would you improve performance? (Choose 2 answers)

Use EC2 Auto Scaling to add additional frontend instances based on the CPU load threshold

Replace the backend RDS database instances with Aurora database engine

Use Amazon RDS Read Replicas to improve your throughput

Choose a different EC2 instance type for the frontend servers with a more appropriate CPU/Memory ratio

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

Explanation

Because of the 97% CPU usage on the Web/Application servers using larger instance types or using auto scaling to add more servers will alleviate this problem.

You have 3000 provisioned IOPS and the average number of database disk operations varies between 1000 and 1500 so you do not need to change your database at all.

12 / 25

A client has requested additional compute power for end-of-year transaction processing. You estimate that they will need an additional 10 servers during a three-day period. You begin creating the servers by specifying the instance type and selecting an AMI. What two key features do the instance type and AMI encapsulate? (Choose 2 answers)

The key pair for the instance

The number of virtual licenses for software provided

The amount of virtual hardware dedicated to the instance

The software loaded on the instance

Explanation

When creating an EC2 instance, by selecting the instance type and the Amazon Machine Image (AMI), you are selecting the the hardware type of the machine and the type of software you want on the machine, respectively. Various Linux types as well as Windows operating systems are available. In certain instances, you can also choose an AMI that comes with a database.

Explanation

13 / 25

You are working as a Solutions Architect for a civil engineering company. You’ve been tasked with creating a Virtual Private Cloud to support a hybrid cloud solution. The cloud environment will need to connect to an on-premises application that cannot be migrated to the VPC. Your requirements are to get the connection setup as quickly as possible. Which option can you use to connect the VPC to the on-premise environment as quickly as possible?

Virtual Private Gateway

NAT Gateway

AWS-managed VPN

Direct Connect

Explanation

You can connect your VPC to remote networks by using a VPN connection. You can create an IPsec, hardware VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints for automatic failover. You configure your customer gateway, which is the physical device or software application on the remote side of the VPN connection. A VPN connection is the fastest way to complete the connection between on-premises computing and your VPC. However, VPN is not as reliable or as fast as Direct Connect.

Explanation

14 / 25

You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

Amazon SQS is for single-threaded sending or receiving speeds.

Amazon SQS is a non-distributed queuing system.

Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

Explanation

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.

Explanation

15 / 25

A user has launched an EC2 instance into a VPC with several private and public subnets. The VPC and EC2 instance have the following configurations in place:

A database server is hosted on a Linux EC2 instance located in a private subnet.
A hardened bastion host is launched in a separate public subnet. You have enabled SSH-agent forwarding, and the bastion host’s security group has been configured to allows traffic via Port 22.
A custom security group has been added and associated with the Linux EC2 instance in the private subnet. The custom security group has not updated from its default settings.

With these configurations in place, the user is not able to access the database instance in the private subnet via the bastion host.

What can be the possible reason for this failure?

The EC2 instance needs an elastic IP address to communicate with the bastion host.

The security group of the database instance is not configured to allow incoming traffic.

The bastion host needs to be replaced with a NAT gateway.

The bastion host needs to be placed in the same subnet as the EC2 instance.

Explanation

For the SSH agent forwarding to be successful, both security groups need to allow connection via port 22. Custom security groups by default allow all outbound traffic, but deny all inbound traffic.

Explanation

For the SSH agent forwarding to be successful, both security groups need to allow connection via port 22. Custom security groups by default allow all outbound traffic, but deny all inbound traffic.

16 / 25

A user is planning to make a mobile game which can be played online over the internet with multiplayer functionality or played offline individually, this game will be hosted on EC2. The user wants to ensure that if someone breaks the highest score or they achieve some milestone they can inform all their colleagues through emails. Which of the below mentioned AWS services would be best suited to achieve this goal?

Amazon Cognito

AWS Simple Queue Service

AWS Simple Email Service.

AWS Simple Workflow Service

Explanation

Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. It integrates with other AWS services, making it easy to send emails from applications that are hosted on AWS

Explanation

17 / 25

When you force a failover of your DB instance in RDS, which of the following things does RDS do? (Choose 2 answers)

Automatically switches to a standby replica in another region

Allocates a new Elastic IP which points to the new replica

Updates the DNS record for the DB instance to point to the standby DB instance

Automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ

Explanation

When you force a failover of your DB instance, Amazon RDS automatically switches to a standby replica in another Availability Zone if you have enabled Multi-AZ. The time it takes for the failover to complete depends on the database activity and other conditions at the time the primary DB instance became unavailable. Failover times are typically 60-120 seconds. However, large transactions or a lengthy recovery process can increase failover time. When the failover is complete, it can take additional time for the RDS console UI to reflect the new Availability Zone.

The failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance. As a result, you will need to re-establish any existing connections to your DB instance.

Explanation

18 / 25

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

iSCSI

CIFS

Fibre

NFS

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway’s volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

19 / 25

A user needs to run a batch process which runs for 10 minutes. This will only be run once, or at maximum twice, in the next month, so the processes will be temporary only. The process needs 15 X-Large instances. The process downloads the code fromS3 on each instance when it is launched, and then generates a temporary log file. Once the instance is terminated, all the data will be lost. Which of the below mentioned pricing models should the user choose in this case?

Spot instance

EBS optimized instance

On-demand instance

Reserved instance

Explanation

In Amazon Web Services, the spot instance is useful when the user wants to run a process temporarily. The spot instance can terminate the instance if the other user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a good option to save money

Explanation

20 / 25

You are reviewing an application’s compute resources in an effort to optimize cost and performance. Your application’s compute layer currently general-purpose on-demand instances. Now you want are considering launching multiple instance types that use various purchase options, including On-Demand Instances, Reserved Instances, and Spot Instances.

What considerations regarding AWS EC2 Auto Scaling should you bear in mind while optimizing your compute layer?

Auto Scaling launch templates can deploy instances of the same instance type and purchase type.

Auto Scaling launch templates can deploy instances of multiple purchase types, but all instances must have the same instance type.

Auto Scaling launch templates can deploy instances of multiple instance types, but all instances must have the same purchase type.

Auto Scaling launch templates can deploy instances of multiple instance types and purchase types.

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

Explanation

The key benefit of launch templates is their capability to support multiple instance types and purchase types within the same template.

21 / 25

You are leading the design of your company’s AWS cloud environment. The majority of the traffic on the cloud network will be between virtual servers hosted on EC2 instances within each department. The key priorities are low network latency and high network throughput. What choices below are best-suited to the traffic patterns, and address the organizational requirements? (Choose 3 answers)

Using cluster placement groups

Use instances with enhanced networking capability

Only use instance types offering at least 10 GBPS network connectivity

Use spread placement groups

Explanation

A placement group is a logical grouping of instances within a single Availability Zone. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. To provide the lowest latency, and the highest packet-per-second network performance for your placement group, choose an instance type that supports enhanced networking

Explanation

22 / 25

You are placed in charge of a client’s existing AWS cloud environment. They have several web servers in a public subnet and three database servers in a private subnet. The database is an RDS solution using SQL Server. AWS limits the types of changes the customer can make to the underlying infrastructure. What change will you be responsible for when administering this RDS database?

Patching the database instance operating system

Performing daily database backups

Setting up database accounts and privileges for non-admin

Deploying virtual infrastructure

Explanation

Amazon RDS manages the work involved in setting up a relational database: from provisioning the infrastructure capacity you request to installing the database software. Once your database is up and running, Amazon RDS automates common administrative tasks such as performing backups and patching the software that powers your database. With optional multi-AZ deployments, Amazon RDS also manages synchronous data replication across Availability Zones with automatic failover.

Since Amazon RDS provides native database access, you interact with the relational database software as you normally would. This means you’re still responsible for managing the database settings that are specific to your application. You’ll need to build the relational schema that best fits your use case and are responsible for any performance tuning to optimize your database for your application’s workflow.

Explanation

23 / 25

You have started your own consulting business and have been contracted by a doctors office to help move their outdated scheduling and billing system to the cloud. One feature you have offered at low cost is a disaster recovery solution that will keep their offices operational with minimal downtime. You’ve configured a standby EC2 instance that can be spun up in minutes. What feature can be quickly attached to the standby EC2 instance in a failover situation, to get the standby operational as quickly as possible?

MAC address

Elastic Network Interface

IPv6 address

Elastic Load Balancer

Explanation

An elastic network interface is a virtual network interface that you can attach to an instance in a VPC. Network interfaces are available only for instances running in a VPC. If one of your instances serving a particular function fails, its network interface can be attached to a replacement or hot standby instance pre-configured for the same role to rapidly recover the service.

Explanation

24 / 25

A root account owner has created an S3 bucket named ‘testmycloud’. The account owner wants to allow separate AWS accounts to upload objects, and require the separate accounts to manage permissions for their uploaded objects.

Which choice is the easiest way to achieve this?

The root account should create an S3 Bucket Access Control List (ACL) for the bucket allowing separate AWS accounts to upload content to the bucket.

The root account owner should create an S3 bucket policy allowing other account owners to set the object permissions for that bucket.

The root account owner should create an S3 bucket policy allowing specified IAM users with separate AWS accounts to upload content to the bucket.

The root account should create the IAM users for separate AWS accounts, and provide them the permission to upload content to the bucket.

Explanation

Each Amazon S3 bucket and object has an ACL (Access Control List) associated with it. An ACL is a list of grants identifying the grantee and the permission granted. The user can use ACLs to grant basic read/write permissions to other AWS accounts. ACLs use an Amazon S3–specific XML schema. The user cannot grant permissions to other users in his account. ACLs are suitable for specific scenarios. For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using the object ACL by the AWS account that owns the object

Explanation

25 / 25

You are designing a AWS cloud environment for a client who has a contract with a federal government agency. The cloud environment will have multiple VPCs and be in multiple regions. The government agency wants to whitelist only a handful of instances in your organization. This will dictate that these instances have static IP addresses. Elastic ip addresses can be used to keep a fixed set of IP addresses. How can the Elastic IP addresses (EIP) be used in this environment?

EIPs can be moved from one instance to another within the same Availability Zone

EIPs can be moved from one instance to another in multiple VPCs within the same region

EIPs can be moved from one instance to another in multiple VPCs and multiple regions

EIPs are attached to an instance and exist only for the life of that instance

Explanation

An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource. A disassociated Elastic IP address remains allocated to your account until you explicitly release it. An Elastic IP address is for use in a specific region only.

Explanation

Your score is

The average score is 54%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Ready to take AWS Certified Solutions Architect Associate (SAA) – Exam mode ?

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

/65

5 votes, 4.8 avg

163

Click Start button to start exam !

Time Out !

1 / 65

True or False: In Amazon Route 53, you can create a hosted zone for a top-level domain (TLD).

False, Amazon Route 53 automatically creates it for you.

True, only if you send an XML document with a CreateHostedZoneRequest element for TL

FALSE

TRUE

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

2 / 65

You need to create a JSON-formatted text file for AWS CloudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?

Conditions

Mappings

Resources

Outputs

Explanation

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. A template is a JSON-formatted text file that describes your AWS infrastructure. Templates include several major sections. The Resources section is the only section that is required. The first character in the template must be an open brace ({), and the last character must be a closed brace (}). The following template fragment shows the template structure and sections

Explanation

3 / 65

You are in the process of planning your backup strategy between an on-premises data center and AWS cloud. You are considering Storage Gateway technology for backup and restore in your hybrid environment. What are the primary factors that affect Backup and Recovery times when using Storage Gateways? (Choose 2 answers)

Amount of data required for backup each day before on-premise data deduplication and compression

Net available bandwidth between on-premises and AWS over the public internet or Direct Connect line.

Amount of data required for backup each day after on-premise data deduplication and compression

Compute power of on-premises instances that need to be backed up

Explanation

Storage gateways interact with AWS over the public Internet or direct connect. You will need to know the amount of data per day that needs to be transferred to Amazon S3 and the net available bandwidth of your network connection. Storage Gateway is capable of running data compression, and comparison so only changed data is being backed up.

Explanation

4 / 65

You have recently configured an AWS VPC for a new client. The VPC consists of several EC2 instances in a public subnet. An IT administrator for one of your clients has called you about an inability to connect to an EC2 instance. He is trying to connect from a Windows laptop using Putty for Windows and the .pem file you provided him along with instructions for using PuTTY and PuTTYgen. What could be the problem?

The .pem file needs to be converted to a .ppk file

There is no Virtual Private Gateway

The RDP port is not open

The administrator’s access permissions are not configured in IAM

Explanation

If you use PuTTY to connect to your instances verify that your private key (.pem) file has been converted to the format recognized by PuTTY (.ppk). PuTTY does not natively support the private key format (.pem) generated by Amazon EC2. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into this format (.ppk) before attempting to connect to your instance using PuTTY.

Explanation

5 / 65

Amazon S3 allows you to set per-file permissions to grant read and/or write access. However, you have decided that you want an entire bucket with 100 files already in it to be accessible to the public. You don’t want to go through 100 files individually and set permissions. What would be the best way to do this?

Use Amazon EBS instead of S3

Move the bucket to a new region

Add a bucket policy to the bucket.

Move the files to a new bucket.

Explanation

Amazon S3 supports several mechanisms that give you flexibility to control who can access your data as well as how, when, and where they can access it. Amazon S3 provides four different access control mechanisms: AWS Identity and Access Management (IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication. IAM enables organizationsto create and manage multiple users under a single AWS account. With IAM policies, you can grant IAM users fine-grained control to your Amazon S3 bucket or objects. You can use ACLs to selectively add (grant) certain permissions on individual objects. Amazon S3 bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket. With Query string authentication, you have the ability to share Amazon S3 objects through URLs that are valid for a specified period of time.

Explanation

6 / 65

After monitoring your online sales application for the last two weeks of holiday sales, it is apparent that your database tier’s current architectural design is not sufficient. Your database is currently managed within Amazon RDS. The decision is made to scale your instance to a greater size based on database recommendations from the vendor. Your current database storage type is magnetic, and storage usage is currently at 70%.

Which modifications could potentially improve the performance of your database? (Choose 2 answers)

Decrease the currently allocated storage space

Change the storage type to general-purpose SSD.

Increase the currently allocated storage space

Increase the number of read replicas.

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

7 / 65

A user has launched an instance-store backed EC2 instance in the US-East-1a zone. The user then creates AMI-1 and copied it to the EU-West-1 region. The AMI copy in the EU-West-1 region is named AMI-1-West. Later, the user updates the application running on the instance in US-East-1a, and updates AMI-1 with this version of the instance. The updated version of AMI-1 is named AMI-1.1. Finally, the user attempts to launch a new instance from AMI-1-West in the EU-West-1 region. Which statement below is correct regarding this scenario?

The attempt to launch an instance based on AMI-1-West will fail because the copy is outdated

The new instance launches successfully and matches AMI-1, not AMI-1.1

The new instance will launch successfully and match AMI-1.1

EC2 will allow the user to select which AMI version should apply to this instance because AMI versioning is enabled by default for all AMI copies

Explanation

Within EC2, when the user copies an AMI, the new AMI is fully independent of the source AMI; there is no link to the original (source) AMI. The user can modify the source AMI without affecting the new AMI and vice versa. Therefore, in this case even if the source AMI is modified, the copied AMI of the EU region will not have the changes. The user needs to copy the new source AMI to the destination region to get those changes

Explanation

8 / 65

Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement?

Active-active failover

Active-passive failover

Active-active-passive and other mixed configurations

None. Route 53 can’t failover

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets.

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it’s unhealthy and stop including it when responding to queries.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets.

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it’s unhealthy and stop including it when responding to queries.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

9 / 65

What features of VPC security groups are correct? (Choose 2 answers)

Instances associated with the same security group can not talk to each other unless rules are added specifically allowing communication.

You can specify only deny rules, not allow rules.

You can change the security group that an instance is associated with after launch and the changes will take effect immediately.

Security Groups are stateless.

Explanation

Instances associated with a security group can’t talk to each other unless you add rules allowing it (exception: the default security group has these rules by default). By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic is allowed.

Explanation

10 / 65

You are configuring a new nondefault VPC for a client’s cloud migration project with the following components:

one public subnet
a default network access control list with no custom rules
an internet gateway
a main route table with a local route for your VPC

You then launch an instance to support the client’s migration which includes the following:

an AWS assigned DNS hostname
an AWS assigned private IP address
an AWS assigned public IP address
associated with a default security group with no custom rules.

You want to connect to the public internet through your instance, but cannot. What could you do to resolve this?

You should modify your NACL to allow all inbound and outbound traffic

Attach a secondary ENI to the instance and connect via the ENI.

Create a NAT instance, and forward all traffic to the NAT instance

Add a route with 0.0.0.0/0 as the destination and the internet gateway as the target.

Explanation

Default security groups and NACLs allow inbound and outbound traffic. All traffic should be routed via internet gateway, so a route should be created with 0.0.0.0/0 as a source, and with your Internet Gateway as the target.

Explanation

11 / 65

You are deploying a two-tiered web application with web servers in a public subnet of your VPC and your database isolated in a private subnet. Your requirements call for the web tier to be highly available. Which services listed will be needed to make the web-tier highly available? (Choose 3 answers)

Route 53

Cross-region replication

Elastic Load Balancer

Auto Scaling

Explanation

The key is that the requirement is for high availability at the web-tier. While multi-AZ deployments and cross-region replication can contribute to high availability, they are each at the storage tier. Route 53 with Health Checks and Failover, Elastic Load Balancer (with health checks and various forms of load balancing, and auto scaling groups create high availability at the web tier.

Explanation

12 / 65

A client has called you about an auto scaling group behind an Application Load Balancer your company had configured for them over a year ago. Their company is being featured on national news and they are expecting a very large spike to their website within several hours. What immediate steps can you take to prepare for this spike? (Choose 2 answers)

Enable slow start mode for your ALB.

Create a VPN for higher network throughput.

Add read replicas to your RDS.

Increase the maximum setting of your autoscaling group.

Explanation

By default, a target starts to receive its full share of requests as soon as it is registered with a target group and passes an initial health check. Using slow start mode gives targets time to warm up before the load balancer sends them a full share of requests.

Increasing the maximum threshold for your auto scaling group will allow you to process more requests.

Explanation

Increasing the maximum threshold for your auto scaling group will allow you to process more requests.

13 / 65

Your client is a major U.S. semi-professional sports league. Their website streams live sporting events in high definition and special feature videos which they distribute to free and premium customers alike. They want to improve the speed of content delivery and you recommend implementing AWS CloudFront. They would like to restrict access to a portion of this content to premium level subscription customers only. What technique can you use to limit access to premium content to approved customers?

third party geo-location

S3 Access Control Lists

geo restriction

signed urls

Explanation

Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can do the following:

Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

Explanation

Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

14 / 65

You have implemented multipart uploading in your company’s AWS cloud storage environment. The overall performance has been good but there is some concern about network utilization. Your CFO has also raised concerns about greater than expected storage costs. What steps can you take to address each of these issues with cost as a primary concern? (Choose 2 answers)

Use Direct Connect for greater throughput

Pause uploads during high traffic periods.

Compress data for faster upload times.

Abort incomplete uploads after a specified time with an object lifecycle policy.

Explanation

The ability to pause multipart uploads offers great flexibility in its usage. A pause could be initiated for a number of reasons but pausing to relieve network traffic is a prime use case. If a multipart upload aborts, it is good practice to have a lifecycle policy, which will delete incomplete uploads after a predetermined number of days. This will reduce storage costs.

Explanation

15 / 65

Your account has 3 VPCs deployed in the same region.

The IPv4 address ranges of the VPCs are:

VPC A 172.22.0.0/16

VPC B 10.3.0.0/16

VPC C 10.4.0.0/16

VPC B and VPC C are already connected through VPC peering connection (PCX) named pcx-abcxyz. VPC A has resources that VPC B and VPC C must access. Which of the options below best achieves the objective of allowing VPC B and VPC C to access VPC A?

Connect VPC A to pcx-abcxyz

Connect VPC A to VPC B using VPC Peering and allow VPC C to access VPC A through VPC B

Create separate VPC Peering connections between VPC A & VPC B and VPC A & VPC C

Add static routes to VPC A with Targets of 10.3.0.0/16 and 10.4.0.0/16 and a Destination of pcx-abcxyz

Explanation

Creating separate VPC Peering connections between each VPC is required for Peering 3 VPCs together. Transitive routing is not supported in VPC Peering so VPC C could not reach VPC A through VPC B. A new VPC Peering connection is required for connecting additional VPCs, so connecting VPC A to pcx-abcxyz is not a viable option. Adding a static route to VPC A that points to pcx-abcxyz would not work as pcx-abcxyz is not connected to VPC A.

Explanation

16 / 65

A major customer has asked you to set up his AWS infrastructure so that it will be easy to recover in the case of a disaster of some sort. Which of the following is important when thinking about being able to quickly launch resources in AWS to ensure business continuity in case of a disaster?

Create and maintain AMIs of key servers where fast recovery is required

All items listed here are important when thinking about disaster recovery.

Ensure that you have all supporting custom software packages available in AWS.

Regularly run your servers, test them, and apply any software updates and configuration changes.

Explanation

In the event of a disaster to your AWS infrastructure you should be able to quickly launch resources in Amazon Web Services (AWS) to ensure business continuity. The following are some key steps you should have in place for preparation: 1. Set up Amazon EC2 instances to replicate or mirror data. 2. Ensure that you have all supporting custom software packages available in AWS. 3. Create and maintain AMIs of key servers where fast recovery is required. 4. Regularly run these servers, test them, and apply any software updates and configuration changes. 5. Consider automating the provisioning of AWS resources.

Explanation

17 / 65

You have been chosen to lead the design of an AWS cloud environment for an accounting firm. The firm needs high availability and scalability and your team is considering a multi-AZ deployment. In addition, the firm expects to need Online Analytics processing (OLAP) for their Actuarial Department. What AWS service is best to meet the OLAP requirement?

Amazon Redshift

Amazon RDS with DynamoDB for caching

Amazon Elasticahe

Amazon RDS

Explanation

Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution.

Explanation

18 / 65

Amazon RDS provides high availability and failover support for DB instances using .

customized deployments

log events

Multi-AZ deployments

Appstream customizations

Explanation

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon technology, while SQL Server DB instances use SQL Server Mirroring.

Explanation

19 / 65

An organization has set up an application on AWS. The organization wants to achieve scalability and high availability for the application, which should scale up and down to address workload changes on the application.

Which configuration step is not required in this scenario?

Create an AMI of a running instance and configure that AMI with Auto Scaling

Set up a schedule to shut off the instance when the instance is not in use.

Set up an ELB load balancer with instances to distribute the load on the web server

Set up EC2 instance bootstrapping to start the web and DB servers on instance boot.

Explanation

Amazon EC2 allows the user to launch On-Demand instances. Auto Scaling offers automation which can scale up or down resources as per the configured policy.

To set up Auto Scaling, the organization must first create an AMI. The organization should set up bootstrapping for the AMI so that when the instance is launched, it will automatically start the app server and DB server.

The organization should also setup ELB with instances to distribute the incoming load. Auto Scaling should be configured to scale up and down based on the application load and not on a particular schedule.

Explanation

Amazon EC2 allows the user to launch On-Demand instances. Auto Scaling offers automation which can scale up or down resources as per the configured policy.

20 / 65

A national auto parts chain contracted your firm to design and implement their AWS environment. It is a very large-scale system that handles order processing, accounting, stocking, and logistics. This system spans multiple availability zones and requires a multi-AZ environment for high availability. The system has been implemented and you need to test the database failover mechanism. It is imperative that the failover occurs within the specified RTO. How can you consistently test database failover?

Backup then delete the primary database instance

Contact Amazon to conduct a failover test.

Amazon has thoroughly tested failover and customers can not test failover.

Reboot the primary database instance

Explanation

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. Multi-AZ deployments utilize synchronous replication, making database writes concurrently on both the primary and standby so that the standby will be up-to-date in the event a failover occurs.

Explanation

21 / 65

You are designing your company’s new RDS database environment. Your design include multi-AZ for high availability and you have intentions of reviewing scalability options. But first, you need to determine which storage option meets your performance and cost requirements. You expect to have a small database that could grow to medium sized over time. You also want to have burst performance to meet short term spikes. Which storage option is best for you?

Provisioned IOPS (SSD)

General Purpose (SSD)

Magnetic

Dual core processors

Explanation

Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database workload. General purpose is good for small to medium sized databases and has the burst to handle spikes.

Explanation

22 / 65

A user has set up the CloudWatch alarm on the CPU utilization metric at 50%, with a time interval of 5 minutes and 10 periods to monitor. What will be the state of the alarm at the end of 90 minutes, if the CPU utilization is constant at 80%?

ALERT

ALARM

INSUFFICIENT_DATA

Explanation

In this case the alarm watches a metric every 5 minutes for 10 intervals. Thus, it needs at least 50 minutes to come to the “OK” state. Till then it will be in the INSUFFUCIENT_DATA state. Since 90 minutes have passed and CPU utilization is at 80% constant, the state of alarm will be “ALARM”.

Explanation

23 / 65

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

Amazon SQS is a non-distributed queuing system.

Amazon SQS is for single-threaded sending or receiving speeds.

Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds

Explanation

24 / 65

Your company is migrating their environment to AWS. The legacy environment relied on Chef for automation, and your engineers are comfortable with that solution. In addition, your compliance officer has indicated that the new environment needs centralized, auditable configuration management for regulatory reasons. Which of the following AWS automation tools is most appropriate for this scenario?

OpsWorks stacks

Elastic Beanstalk

CloudFormation

OpsWorks for Chef Automate

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

25 / 65

You want to configure DNS failover in Route 53 so that all of your resources are available for the majority of the time. Which of the following failover configurations would be most suited for this?

Passive-passive failover

Disable failover

Enable failover

Active-active failover

Explanation

You can configure DNS Failover in Route 53 in the following failover configurations:

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

You can configure DNS Failover in Route 53 in the following failover configurations:

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

26 / 65

You are troubleshooting issues in an AWS Auto Scaling group. The Auto Scaling group is behind an application load balancer (ALB) and is not replacing a faulty instance.

What must you ensure that Auto Scaling is checking so that instances in your Auto Scaling group are properly marked as unhealthy? (Choose 2 answers)

Instance Status Check

ELB Health Check

Cloudtrail Logs

Event Viewer

Explanation

Auto Scaling uses EC2 status checks to detect hardware and software issues with the instances, but the load balancer performs health checks by sending a request to the instance and then waiting for a 200 response code, or by establishing a TCP connection (for a TCP-based health check) with the instance. Even if you’ve configured an Elastic Load Balancer, the autoscaler does not automatically check the ELBs health checks. You must add the ELB Health Check to your autoscaling policy.

Explanation

27 / 65

A user has enabled versioning on an S3 bucket. The user applies server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?

Amazon S3 does not allow the user to upload his own keys for server side encryption

It is possible to have different encryption keys for different versions of the same object

The SSE-C does not work when versioning is enabled

The user should use the same encryption key for all versions of the same object

Explanation

Amazon S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key, or the user can send the key along with each API call to supply his own encryption key (SSE-C). If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object’s version

Explanation

28 / 65

A company needs to maintain system access logs for a minimum of 2 years due to financial compliance policies. Logs are rarely accessed, and access must be requested at least 12 hours in advance. What is the most cost-effective method to store logs that satisfies the compliance requirement, and delivers logs as requested in a timely manner?

Store the logs in Amazon S3 in the S3 One Zone-IA storage class. Configure a lifecycle policy to delete the logs after 2 years.

Store the logs in CloudWatch logs and configure a 2 years retention period.

Store the logs in Amazon S3 in the Intelligent-Tiering storage class. Configure a lifecycle policy to delete the logs after 2 years.

Store the logs in Amazon S3 in the S3 Glacier Deep Archive storage class. Configure a lifecycle policy that deletes the logs after 2 years.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

The other options offer some cost savings compared to Amazon S3 Standard storage class, but Intelligent tiering would not cycle the files to an archive storage class for roughly 120 days, and the One Zone-IA storage class would provide some cost savings, but offers less durable storage, so the likelihood of losing logs is higher.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

29 / 65

Your company has decided to use cloud methods for disaster recovery. The company is most concerned with RTO and RPO and is willing to accept the extra cost of Warm Standby over Pilot Light. When a disaster occurs, your top priority is to increase the processing capacity of your scaled-down environment. Once that is accomplished, you can then increase the environment’s resilience and self-management capabilities.

What steps will help you accomplish your top priority when a disaster occurs? (Choose 2 answers)

Modify your Amazon RDS servers to a multi-AZ deployment

Extend your auto scaling group across multiple availability zones

Re-size the small capacity servers to run on larger EC2 instances

Explanation

The Warm Standby scenario uses a scaled-down version of a fully functional environment that is always running. Business-critical applications can always be running in the cloud. When a DR scenario comes about, the servers can be quickly scaled up, scaled out or both, but horizontal scaling is preferred over vertical scaling.

The two incorrect choices will increase your environment’s resilience by adding availability

Explanation

The two incorrect choices will increase your environment’s resilience by adding availability

30 / 65

A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which one of the following is the best way to terminate the instance automatically once the job is finished?

Configure an Auto Scaling scheduled activity to terminate the instance after seven days

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Configure a CloudWatch alarm to terminate the instance once it is idle.

Configure the EC2 instance with a stop instance to terminate it.

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action.

Explanation

31 / 65

You are designing an AWS cloud environment for a small company with limited budget. They have decided to go with a single-AZ database deployment to ensure the implementation remains within budget. You have convinced them of the benefits of doing automatic backups and saving incremental backups to Amazon S3. What would be the best time to perform these automatic backups?

Two hours before the work day starts

After midnight

During the daily low in write IOPS

Amazon will determine the best time

Explanation

It is best practice to enable automatic backups and set the backup window to occur during the daily low in write IOPS. Amazon RDS creates automated backups of your DB instance during the backup window of your DB instance. Amazon RDS saves the automated backups of your DB instance according to the backup retention period that you specify. If necessary, you can recover your database to any point in time during the backup retention period.

Explanation

32 / 65

A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB

The user should attach an IAM role with DynamoDB access to the EC2 instance

The user should create an IAM role, which has EC2 access so that it will allow deploying the application

The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials

Explanation

With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user’s credentials to the application or embed those credentials inside the application. Instead, the user should use roles for EC2 and give that role access to DynamoDB /S3. When the roles are attached to EC2, it will give temporary security credentials to the application hostedon that EC2, to connect with DynamoDB / S3.

Explanation

33 / 65

You are an administrator managing Windows File Servers in Amazon Web Services. You need to set up a fault-tolerant system to protect your shared files. You decide to use DFS Namespaces and DFS Replication.

Which of the following are prerequisites? (Choose 2 answers)

File servers running Windows Server 2008 R2

File servers running Windows Server 2012 R2

An Active Directory Schema of 2008 R2 or later

The File Server Resource Manager role installed by your domain controllers

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

34 / 65

AWS can be used as a disaster recovery solution for on-premises infrastructure, and AWS offerings can be deployed to meet a variety of disaster recovery requirements. When deploying disaster recovery in AWS, which strategy incorporates traditional off-site backups to AWS, but has the longest recovery time?

Pilot light

Active/active

Backup and restore

Multi-region

Explanation

Backup and restore, as defined in the “Using Amazon Web Services for Disaster Recovery” white paper, is most like traditional off-site backup replication. You can leverage services such as Amazon S3 or Amazon Storage Gateway to provide a backup replication target and Amazon EC2 can be used to restore access to your applications. This strategy for disaster recovery is the slowest of all AWS DR strategies.

Explanation

35 / 65

Which IAM role do you use to grant AWS Lambda permission to access a DynamoDB Stream?

Invocation role

Dynamic role

Execution role

Event Source role

Explanation

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the “execution role”.

Explanation

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the “execution role”.

36 / 65

You are the Lead Architect within an IT department of a company that has recently acquired several small start-up application development companies within the last year. In an effort to consolidate your resources, you are gradually migrating all digital files to your parent company AWS accounts, and storing a large number of files within an S3 bucket.

You are uploading millions of files, to save costs, but have not had the opportunity to review many of the files and documents to understand which files will be accessed frequently or infrequently.

What would be the best way to quickly upload the objects to S3 and ensure the best storage class from a cost perspective, without prior knowledge of the object or its access patterns throughout the financial year?

Upload all the files to Amazon S3 Standard-IA storage class and review costs for access frequency over time.

Upload all files to Amazon S3 Standard-IA storage class and immediately set up all objects to be processed with Storage Class Analysis.

Upload all files to Amazon S3 Standard storage class and immediately set up all objects to be processed with Storage Class Analysis.

Upload all files to Amazon S3 Intelligent_Tiering storage class and review costs related to access frequency over time.

Explanation

There are essentially three types of answers here – choices that use no automation, choices that use the incorrect type of automation given the situation, and a choice that uses the correct type of automation.

First, the choices that use little to no automation in this case would be the least recommended decision. Uploading millions of files to either Standard or Standard-IA and then waiting to review costs and access patterns could be very costly.

Second, the choice to use storage class analysis could work eventually, if you have the time to wait for analytics to be gathered (which could still be as costly as the choice above) and the time to then review the analytics, and then sift through the files to migrate them to the correct storage class. This is a better choice, but not the best choice.

Finally, the correct answer would be to use Intelligent_Tiering, which continuously monitors the access frequency and shifts the objects between a standard and infrequent-access tier depending on how access patterns may change. This happens automatically, and starts immediately, so it is the best choice of the options provided.

Explanation

37 / 65

Which choice below accurately describes the ‘warm standby’ disaster recovery method?

A complete duplicate of your entire system, to which all traffic can be directed in the event of a disaster.

A duplicate version of only your business-critical systems that is always running, in case you need to divert your workloads to them in the event of a disaster.

Storing critical systems as a template, from which resources can be scaled out in the event of a disaster.

Keeping data backed up to tape and sent offsite regularly, from which all data can be restored in the event of a disaster.

Explanation

Warm standby is essentially ready to go with all key services running in the most minimal possible way, essentially a smaller version of the production environment. In the event of a disaster, the standby environment will be scaled up for production load quickly and easily. DNS records will be changed to route all traffic to the AWS environment.

Explanation

38 / 65

You notice that your administrator has not created a security group. He created 3 EC2 instances and they were launched into the default security group. No changes were made to the default security group. What characteristics will the default security group provide? (Choose 3 answers)

No outbound traffic will be allowed from the EC2 instances

No inbound traffic will be allowed to the EC2 instances.

The EC2 instances will be able to communicate with each other.

All outbound traffic from the EC2 instances will be allowed.

Explanation

Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don’t specify a different security group when you launch the instance. The default security group disallows all inbound traffic and allows all outbound traffic. However, the rules for a default security group can be changed.

Explanation

39 / 65

Which choice is the easiest way to achieve this?

The root account owner should create an S3 bucket policy allowing other account owners to set the object permissions for that bucket.

The root account should create an S3 Bucket Access Control List (ACL) for the bucket allowing separate AWS accounts to upload content to the bucket.

The root account should create the IAM users for separate AWS accounts, and provide them the permission to upload content to the bucket.

The root account owner should create an S3 bucket policy allowing specified IAM users with separate AWS accounts to upload content to the bucket.

Explanation

40 / 65

Your throughput-optimized HDD (st1) EBS volumes do not seem to be performing as expected and your team leader has requested you look into improving their performance.

Which statement regarding the performance of your EBS volumes is incorrect?

General Purpose (SSD) and Provisioned IOPS (SSD) volumes throughput limit can go from 128 MB/s to 320 MB/s per volume.

Amazon Web Services provides performance metrics for EBS that you can analyze and view with Amazon CloudWatch.

Frequent snapshots provide a higher level of data durability and will not degrade the IOPS performance of your application while the snapshot is in progress.

You can benchmark your storage and compute configuration to make sure you achieve the level of performance you expect to see before taking your application live.

Explanation

When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behavior is specific to these volume types.

Explanation

41 / 65

You are managing a VPC environment that is spread across two Availability Zones, and contains EC2 instances in an auto scaling group. CloudWatch monitoring shows the following data on EC2 utilization.

Only two servers are needed during low-utilization off hours.
During normal business hours, four additional servers are needed.
During a five-day end of the year processing period, you may need for an additional 10 servers.

Which choices will best meet the needs of these three scenarios while providing high availability and cost control? (Choose 2 answers)

Launch two on-demand (convertible) instances for day-to-day processing.

Launch four reserved instances (standard) for the day to day processing

Modify your existing Auto scaling group to allow up to ten additional servers using Reserved instances (standard) for year-end processing.

Modify the existing Auto scaling group to allow of up to ten additional On-demand instances for year-end processing

Explanation

Reserved instances are the best and cheapest option when you are able to make a long-term commitment to use the instances. Typical contract lengths are one or three years. On-demand instances are best when you need instances for a short time period but their end of life needs to be decided by you. Spot instances are a good option when you can afford to lose an instance on very short notice. This happens when the current price of the spot instance exceeds the price you had bid on it. In the case of year-end processing over a short time period, it would not be advisable to use spot instances. A good example of using spot instances would be in mass producing bar codes where you can easily pick up where you left off in processing.

Explanation

42 / 65

A user is making a scalable web application with compartmentalization. The user wants the log module to be accessible by all the application functionalities in an asynchronous way. Each module of the application sends data to the log module, and based on the resource availability it will process the logs. Which AWS service helps achieving this functionality?

AWS Simple Queue Service.

AWS Simple Workflow Service.

AWS Simple Email Service.

AWS Simple Notification Service.

Explanation

Amazon Simple Queue Service (SQS) is a highly reliable distributed messaging system for storing messages as they travel between computers. By using Amazon SQS, developers can simply move data between distributed application components. It is used to achieve compartmentalization or loose coupling. In this case all the modules will send a message to the logger queue and the data will be processed by queue as per the resource availability.

Explanation

43 / 65

VPC Gateway Endpoints

VPC Interface Endpoints

VPC Virtual Private Gateways

VPC Peering Connections

Explanation

44 / 65

Regarding EC2 instances, when are users billed per-second rather than per-hour? (Choose 2 answers)

When you use Dedicated or Dedicated Host instances

When you use On-Demand or Spot instances

When your instance has a Windows operating system

When your instance has a Linux operating system

Explanation

You are billed per-second with a one-minute minimum for On-Demand, Spot and Reserved instances as long as your EC2 instance is in a running state, provided the instance is Linux (with some exceptions), and not a Windows operating system, in which case the instance would be billed per-hour.

Explanation

45 / 65

Your company allows technical personnel to manage their own S3 buckets. But there have been too many instances of users deleting important project related data. What additional steps can you take to prevent accidental deletion or overwriting of data? (Choose 3 answers)

Add cross-region replication

Add versioning

Add MFA Delete

Create read replicas.

Explanation

Amazon S3 storage offers very high durability, but it is still a best practice to protect against user level deletion or overwriting of data using versioning, cross-region replication, and MFA Delete.

Explanation

46 / 65

You’ve taken over management of your company’s AWS cloud environment. You know very little about the environment and have been provided very little documentation. You have been given access to the environment and begin a discovery and documentation process. You begin by looking at the route table. Without seeing the specific route table, what information do you know it contains about the subnets in the VPC? (Choose 2 answers)

Subnets that direct traffic to an Internet Gateway are public

Subnets that do not direct traffic to an Internet Gateway are private

The default mask of the subnet can be identified.

The subnets region is indicated

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table. When you add an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in your VPC, you must update the route table for any subnet that uses these gateways or connections.

Explanation

A route table contains a set of rules, called routes, that are used to determine where network traffic is directed.

47 / 65

Your client has a need to store data which could grow quickly but unpredictably. You recommend EBS as a storage solution. But they have voiced concerns about scalability. What features of EBS can you highlight to provide assurances of its elasticity and scalabilty? (Choose 3 answers)

An Elastic Load Balancer can scale EBS appropriately

You can resize an existing volume by creating a snapshot and launching a new (larger volume) from the snapshot

EBS volumes are redundantly replicated on different hardware within the same AZ.

You can quickly provision additional capacity by adding new EBS volumes

Explanation

AWS can be quickly provisioned for additional capacity by adding new EBS volumes. Existing volumes can be resized by creating a snapshot and launching a new (larger volume) from the snapshot. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS is designed for application workloads that benefit from fine tuning for performance, cost and capacity

Explanation

48 / 65

You need to measure the performance of your EBS volumes as they seem to be under performing. You have come up with a measurement of 1,024 KB I/O but your colleague tells you that EBS volume performance is measured in IOPS. How many IOPS is equal to 1,024 KB I/O?

256

Explanation

Several factors can affect the performance of Amazon EBS volumes, such as instance configuration, I/O characteristics, workload demand, and storage configuration. IOPS are input/output operations per second. Amazon EBS measures each I/O operation per second (that is 256 KB or smaller) as one IOPS. I/O operations that are larger than 256 KB are counted in 256 KB capacity units. For example, a 1,024 KB I/O operation would count as 4 IOPS. When you provision a 4,000 IOPS volume and attach it to an EBS-optimized instance that can provide the necessary bandwidth, you can transfer up to 4,000 chunks of data per second (provided that the I/O does not exceed the 128 MB/s per volume throughput limit of General Purpose (SSD) and Provisioned IOPS (SSD) volumes).

Explanation

49 / 65

A secured web application running on an EC2 instance needs to perform PUT and GET operations on objects within an S3 bucket. The EC2 instance and S3 bucket are owned by the same AWS account. Of the policies listed below, which two grant the necessary permissions for this web application? (Choose 2 answers)

An S3 Bucket Trust policy that allows the application (as a principal) to assume S3Admin role to PUT/GET objects to this bucket

An S3 Bucket policy that allows the application (as a principal) to perform PUT/GET operations on approved S3 resources within the bucket

An IAM role assigned to the application hosted on the EC2 instance which allows the application (as a service) to perform PUT/GET operations in Amazon S3.

A service-linked policy applied to the S3 bucket allowing access to the web application.

Explanation

For internal communication between S3 and an application running on EC2 instance, you need two policies:

An IAM trust policy that allows the EC2 instance to assume a role
An IAM policy or S3 bucket policy that allows the role to get/put objects to the specific bucket

So, the kind of policies that control access to S3 bucket are either an IAM Policy or S3 Bucket Policy. The IAM trust policy is required, but it doesn’t control access to S3.

Explanation

For internal communication between S3 and an application running on EC2 instance, you need two policies:

An IAM trust policy that allows the EC2 instance to assume a role
An IAM policy or S3 bucket policy that allows the role to get/put objects to the specific bucket

So, the kind of policies that control access to S3 bucket are either an IAM Policy or S3 Bucket Policy. The IAM trust policy is required, but it doesn’t control access to S3.

50 / 65

You are looking for a simple way to configure high availability for your EC2 instances. You need to create a plan for replacing unhealthy or failed instances. It is acceptable to have a short amount of downtime to keep costs down. Which process is appropriate for achieving this?

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Recover this instance.”

Create a custom AMI and use it to create an Auto Scaling Launch Configuration; then create a “Steady State” auto scaling policy using a minimum of 2 instances and a maximum of 2 instances.

Create a custom AMI of your EC2 instances. Use the custom AMI to create a new EC2 instance if there are issues with a current EC2 instance, and move the EIP to the new instance.

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Reboot this instance.”

Explanation

Creating a custom AMI of the instance for which you are trying to provide HA allows you to bring the instance online quickly with no build time. Moving the EIP from the instance, you are replacing to the new instance will send all traffic to the new instance without any change to DNS, which would take time to propagate. Using the AutoRecover option will not replace the unhealthy or failing instance. It will only try to restart it on another host. Creating a “Steady State” Auto Scaling Group would also be a good solution, although using two as a minimum would have a higher cost.

Explanation

51 / 65

In S3, how is storage class analysis intended to improve data lifecycle management?

Identify data that can be stored in Reduced Redundancy Storage instead of Standard

Identify data to transition from Standard Storage to Glacier storage class

Identify data in all storage classes that may benefit from increased redundancy

Identify data to transition from Standard Storage to Standard_IA storage class

Explanation

By using Amazon S3 analytics storage class analysis you can analyze storage access patterns to help you decide when to transition the right data to the right storage class. This new Amazon S3 analytics feature observes data access patterns to help you determine when to transition less frequently accessed STANDARD storage to the STANDARD_IA (IA, for infrequent access) storage class.

Explanation

52 / 65

Your on-premise bare-metal servers are over five years old. You’re considering moving to AWS. The offerings of virtual instances far surpass what you can access on-premises. Before you choose your test instance at AWS, what questions should you ask? (Choose 3 answers)

What is the average server utilization?

When peak load occurs, how much over-provisioning is required?

What is the cost of over-provisioning?

How much network bandwidth do you need?

Explanation

On-premises data centers have costs associated with the servers, storage, networking, power, cooling, physical space, and IT labor required to support applications and services running in the production environment. For servers, these questions are most applicable: What is your average server utilization? How much do you overprovision for peak load? What is the cost of over-provisioning?

Explanation

53 / 65

Which of the following statements is true of creating a launch configuration using an EC2 instance?

The launch configuration should be created manually from the AWS CLI.

The launch configuration can be created only using the Query APIs.

A user should manually create a launch configuration before creating an Auto Scaling group.

Auto Scaling automatically creates a launch configuration directly from an EC2 instance.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

54 / 65

An organization has launched five instances: two for production and three for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often be deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production, and testing will not change in the foreseeable future.

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Define the IAM policy that allows access based on the instance ID

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Launch the test and production instances in separate regions and allowing region wise access to the group

Explanation

AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parameters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.
"Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/InstanceType": "Production" } } } ]

Explanation

55 / 65

A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1-week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch?

The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse

The user can zoom a particular period by double clicking on that period with the mouse

The user can zoom a particular period by specifying the period in the Time Range

The user can zoom a particular period by specifying the aggregation data for that period

Explanation

Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. The AWS CloudWatch console provides the option to change the granularity of a graph and zoom in to see data over a shorter time period. To zoom, the user has to click in the graph details pane, drag on the graph area for selection, and then release the mouse button.

Explanation

56 / 65

What is one security benefit of utilizing the Elastic Load Balancer?

Providing encrypted data storage for use in application development

Blocking network traffic based on heuristic analysis

Providing TLS/SSL termination as well as centralized certificate management

Performing network address translation

Explanation

The Elastic Load Balancer can integrate with the AWS Certificate Manager to provide a central method of managing your TLS/SSL certificates. It allows you to renew, deploy and configure your TLS/SSL certificates for your application or website from a single location.

Explanation

57 / 65

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Use the AWS server migration service to migrate existing records

Export all database records to S3.

Fix all MySQL issues in the local data center.

Order an on-demand instance matching the on-premises architecture.

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

58 / 65

You are configuring your application’s compute layer using AWS EC2 Auto Scaling. When configuring the group’s capacity, you have set the auto scaling group’s minimum capacity to four, the desired capacity to 8, and the maximum capacity to 16. When you deploy your auto scaling group, and the instances have completely deployed, how many instances will there be within your group?

Explanation

You configure the size of your Auto Scaling group by setting the minimum, maximum, and desired capacity. The minimum and maximum capacity are required to create an Auto Scaling group, while the desired capacity is optional. If you do not define your desired capacity upfront, it defaults to your minimum capacity.

By default, the minimum, maximum, and desired capacity are set to one instance when you create an Auto Scaling group from the console. If you change the desired capacity, the capacity that you specify will be the total number of instances launched right after creating your Auto Scaling group.

An Auto Scaling group is elastic as long as it has different values for minimum and maximum capacity. All requests to change the Auto Scaling group’s desired capacity (either by manual scaling or automatic scaling) must fall within these limits.

If you choose to automatically scale your group, the maximum limit lets Amazon EC2 Auto Scaling scale out the number of instances as needed to handle an increase in demand. The minimum limit helps ensure that you always have a certain number of instances running at all times

Explanation

59 / 65

Performing daily database backups

Deploying virtual infrastructure

Patching the database instance operating system

Setting up database accounts and privileges for non-admin

Explanation

60 / 65

A gaming company comes to you and asks you to build infrastructure for their site. They are not sure how big they will be because, as with all startups, they have limited money and big ideas. What they do tell you is that if the game becomes successful, like one of their previous games, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. After considering all of this, you decide that they need a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability and persistent storage. Which of the following databases do you think would best fit their needs?

Amazon Aurora

Amazon DynamoDB

Amazon Redshift

Amazon Elasticache

Explanation

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS, so they don’t have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.

Today’s web-based applications generate and consume massive amounts of data. For example, an online game might start out with only a few thousand users and a light database workload consisting of 10 writes per second and 50 reads per second. However, if the game becomes successful, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. It may also create terabytes or more of data per day. Developing your applications against Amazon DynamoDB enables you to start small and simply dial-up your request capacity for a table as your requirements scale, without incurring downtime. You pay highly cost-efficient rates for the request capacity you provision, and let Amazon DynamoDB do the work over partitioning your data and traffic over sufficient server capacity to meet your needs. Amazon DynamoDB does the database management and administration, and you simply store and request your data. Automatic replication and failover provides built-in fault tolerance, high availability, and data durability. Amazon DynamoDB gives you the peace of mind that your database is fully managed and can grow with your application requirements.

Explanation

61 / 65

When launching an instance using the Launch Wizard, what happens when a user does not provide the security group?

The launch wizard is created and the instance with the default security group of EC2 is launched

The launch wizard creates one security group for that instance

The launch wizard gives an error and a security group is not created.

There is no security group attached to the instance.

Explanation

If a user does not select the security group while creating the instance launch configuration, the Launch wizard automatically defines the “launch-wizard-x” security group to allow the user to connect to the instance, which enables all IP addresses (0.0.0.0/0) to access the instance over the specified ports.

Explanation

62 / 65

A user has applied an S3 Bucket access control list (ACL) and a bucket policy to an S3 bucket. Then, the user enables cross-origin resource sharing (CORS) on the same bucket.

Which of the following statements is true in this context?

The ACLs and policies continue to apply when you enable CORS on the bucket.

With CORS, only an ACL can be applied.

It is not possible to have all three applied to the same bucket.

With CORS, only the policy can be applied.

Explanation

The CORS specification gives a user the ability to build web applications that make requests to domains other than the one which supplied the primary content. The ACLs and policies continue to apply when you enable CORS on the bucket.

Explanation

63 / 65

You are the DevOps engineer at a mid-sized technology firm, responsible for the automated disaster recovery of your company’s AWS infrastructure. Your supervisor has recently learned about the EC2 Auto Recovery feature, and she has asked you to evaluate whether or not it would be a good fit for your environment. She is particularly interested in the types of failures it can detect. Which conditions would be detectable by EC2 Auto Recovery? (Choose 3 answers)

Application errors or crashes

Software or hardware issues on the physical host (hypervisor)

Loss of system power

Loss of network connectivity

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

64 / 65

Which of the following are IAM best practices (Choose 3 answers)

Discontinue use of the root access key.

Create privileged users and enable multi-factor authentication.

Assign permissions to IAM groups instead of IAM users

Designate a backup administrator to use the root access key

Explanation

You use an access key (consisting of an access key ID and secret access key) to make programmatic requests to AWS. However, do not use your AWS account (root) access key. Create groups that relate to job functions so that you can make changes for everyone in a group in just one place.

Explanation

65 / 65

You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information stored in it. What are all the possible security groups that RDS uses?

VPC security groups, and EC2 security groups.

DB security groups, VPC security groups, and EC2 security groups.

EC2 security groups only

DB Security groups only

Explanation

A security group controls the access to a DB instance. It does so by allowing access to IP address ranges or Amazon EC2 instances that you specify. Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and can be used with a DB instance.

Explanation

Your score is

The average score is 41%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Need more practice ? take the AWS Certified Solutions Architect Associate (SAA) – Learning mode

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Associate (SAA02) – Free Practice Tests

AWS Certified Solutions Architect Associate (SAA) – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Associate (SAA) – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation