AWS Certified Solutions Architect Professional - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Professional
AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 75 questions per test (similar to real AWS exam), 180 minutes, repeat tests

AWS Certified Solutions Architect Professional – Learning Mode

/25

1 votes, 5 avg

AWS Certified Solutions Architect Professional - Learning Mode

1 / 25

Your company decided to create AWS Account and start moving some workloads to the cloud. The security team would like to utilize the existing identity and access management system which is based on Active Directory to manage access to the new AWS Account. For that reason you decided to use SAML federation to allow users in local identity and access management system access to AWS Services.

Which of the following are primary components in SAML Federation configuration for the new AWS account? (Choose 2 answers)

SAML-Based identity provider has to be available to be used with company's identity store (Active Directory)

IAM Roles matching Active Directory groups that you would like to allow access to AWS

IAM trust policy that allows external identity store like Active Directory to be used as the primary IDP for this AWS account

Direct Connect or VPN connectivity must be established between AWS and your company's data center

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

1- Inside your organization's network, you configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) like Windows Active Directory Federation Services

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

3- You also need to create roles that will map to allowed groups in company's identity store, members of these groups will be presented with set of roles that map to their group membership to choose which role they would like to assume while logging in to AWS console

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

2 / 25

You are developing a static website using S3 for your company’s clients. Your team is configuring the site and has granted public read access. What other steps must they take? (Choose 2 answers)

Enable server-side scripting

Enable static website hosting.

Specify a default index document

Create a website page hierarchy

Explanation

To configure a bucket for static website hosting, you add a website configuration to your bucket. The configuration includes an index document, error documents, redirects of all requests that are intended for the index page, and any conditional redirects. Amazon S3 does not support server-side scripting.

Explanation

3 / 25

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Export all database records to S3.

Order an on-demand instance matching the on-premises architecture.

Use the AWS server migration service to migrate existing records

Fix all MySQL issues in the local data center.

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

4 / 25

You have an application that is generating a log file every 5 minutes and you need to store these log files appropriately. The requirements for storing the log files are:

They should be quickly retrievable when needed, as they may be required only for verification in case of some major issue.
The logs will need to be accessed frequently, as all log data is retrieved and compiled from the files into a bi-monthly report.
The logs are essential to quarterly audits, so the storage solution must offer a high level of durability.
Cost should also be minimized for the storage service as much as possible.

Which of the storage options below is the best choice to meet these requirements?

Amazon S3 Glacier

Amazon S3 OneZone-IA

Amazon S3 Standard

Amazon S3 Standard - Infrequent Access (IA)

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Standard is for Amazon S3 and provides very high durability. Standard - Infrequent Access is designed for with a minimum data amount required and paid storage for at least 30 days. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files.

S3 OneZone IA is a variation of Standard-IA, which offers data archival at a reduced price, but also with less durability because the data within this class is stored within a single availability zone rather than spread throughout all availability zones within the S3 buckets region, as it is with S3 Standard storage.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

5 / 25

Your company is migrating into Amazon Web Services and has selected the US East region in which to operate. The majority of your work involves interfacing with government departments in the United States and Germany. Your company expects the deployment into the cloud to be up and running in a minimum of time. Before deploying any resources in the European region, what should be your first consideration?

Industry rules and standards

European privacy laws

The pre-warming storage and load balancers

The number of web servers to deploy

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

6 / 25

Due to compliance rules and regulations, your company's workload has to run on dedicated instances. How can you make sure that all EC2 instances created for your workload now and in the future are dedicated instances? (Choose 2 answers)

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Explanation

You can create a VPC with an instance tenancy of dedicated to ensure that all instances launched into the VPC are dedicated instances. Alternatively, you can specify the tenancy of the instance during launch

Explanation

7 / 25

Your developers have created a sales application that works in tandem with the no SQL database. To ensure the fastest response for the application in production, the developers wish to remove the need to wait for acknowledgments from the database to the application after data have been sent. The acknowledgments can be stored and accessed asynchronously. Which managed application would be the best choice for their design?

Simple Queue Service

AWS Config

CloudWatch Logs

Simple Workflow Service

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

8 / 25

Which statement regarding Elastic Load Balancing is incorrect?

ELB can distribute the requests to Amazon EC2 instances (servers) in multiple Availability Zones.

ELB supports the use of both the Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6).

ELB can associate the load balancer with your domain name

ELB is free as you only pay for EC2 instances.

Explanation

As with all Amazon Web Services, you pay only for what you use. For Elastic Load Balancing, you pay for each hour or portion of an hour that the service is running, and you pay for each gigabyte of data that is transferred through your load balancer.

Explanation

9 / 25

Your company wants to migrate an on-premises SQL Server DB to AWS RDS SQL Server. As the DBA, you have determined that your database can be offline while the backup is created, copied, and restored. You decide to use native backup and restore. Which steps are required during setup? (Choose 3 answers)

Create an AWS IAM role for access to the S3 bucket

Add the SQLSERVER_BACKUP_RESTORE option to an option group on your DB instance.

Create an Amazon S3 bucket for your backup files

Turn on compression for your backup files by running “exec rdsadmin..rds_set_configuration ‘S3 backup compression’, ‘true.’”

Explanation

There are three components you'll need to set up for native backup and restore: an Amazon S3 bucket to store your backup files; an AWS Identity and Access Management (IAM) role to access the bucket, and the SQLSERVER_BACKUP_RESTORE option added to an option group on your DB instance.

Explanation

10 / 25

One of your customers is a large multi-national company whose infrastructure on AWS has grown significantly over the past year. The CIO has come to you asking how the huge amount of data that is being generated can be accessed in real-time which would give them a significant edge over all of their competitors. You know that AWS can provide a range of analytics but which of the following would be best to try and accomplish this?

Amazon Kinesis

Amazon Elasticsearch

AWS Data Pipeline

Amazon EMR

Explanation

Amazon Kinesis is a fully managed service for real-time processing of streaming data at massive scale. Amazon Kinesis can continuously capture and store terabytes of data per hour from hundreds of thousands of sources such as website clickstreams, financial transactions, social media feeds, IT logs, and location-tracking events. With Amazon Kinesis Client Library (KCL), you can build Amazon Kinesis Applications and use streaming data to power real-time dashboards, generate alerts, implement dynamic pricing and advertising, and more.

Explanation

11 / 25

You are architecting for a hybrid cloud solution that will require continuous connectivity between on-premises servers and instances on AWS. You found that the connectivity between on-premises and AWS does not require high bandwidth for now so you decided to go with resilient VPN connectivity. Which of the following services are part of establishing a resilient VPN connection between on-premises networks and AWS? (Choose 3 answers)

Public VIFs

VPN connection

Customer gateway

Virtual private gateway

Explanation

A customer gateway CGW is the anchor on the customer side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway VGW. There are two lines between the customer gateway and virtual private gateway because the VPN connection consists of two tunnels in case of device failure. When you configure your customer gateway, it's important you configure both tunnels.

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

Explanation

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

12 / 25

Your new client is a federal agency utilizing a hybrid cloud environment. The agency distributes large amounts of sensitive data throughout the world. Your task is to ensure that the data is secure using various encryption techniques as well as security groups and access control lists.

One of the requirements is to distribute content utilizing CloudFront for optimal performance but to completely restrict access from within certain blacklisted countries. What service can you use with CloudFront to fulfill this requirement?

Server-side encryption

Geo-restriction

IAM roles

firewall rules

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

13 / 25

You have deployed an application hosted on both a primary instance and a secondary standby instance. The instances are in the same subnet within a VPC.

If the primary instance fails, you would like to failover to the secondary instance without having to reconfigure the application. How can you accomplish this? (Choose 3 answers)

Add a second private IP address to the primary instance's ENI that can be moved to the secondary instance's ENI.

Attach elastic network interfaces to the primary and secondary instances

Use load balancing to redirect traffic to the secondary instance

Use an additional elastic network interface for failover to another instance

Explanation

The ENI can only be attached to an instance hosted in a VPC. When you move a network interface from one instance to another, network traffic is redirected to the new instance. Some network and security appliances, such as load balancers, network address translation (NAT) servers, and proxy servers prefer to be configured with multiple network interfaces. You can create and attach secondary network interfaces to instances in a VPC that are running these types of applications and configure the additional interfaces with their own public and private IP addresses, security groups, and source/destination checking

Explanation

14 / 25

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs. The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours. What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

Backup the data using AWS Storage Gateway tape gateways

Store the data in Amazon S3 in the S3 Glacier storage class

Copy the data to AWS using AWS DataSync.

Store the data in Amazon S3 in the S3 Glacier Deep Archive storage class.

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

The company needs to back up roughly 200 TB of data to the cloud per month, and the speed of the backup is not a critical factor. The backups are rarely accessed, but when requested, they should be available in less than 6 hours.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper - compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue - the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

Explanation

Review the questions and consider the key points in bold:

A company stores its archival data backups on large storage volumes located at an on-premises data center, and now management wants to identify cloud solutions to minimize data archival costs.

What are the most cost-effective steps to archiving the data and meeting additional requirements? (Choose 2 answers)

So why is Storage Gateway the better option?

It is cheaper - compare uploading 200 TB per month on each service using the AWS Pricing Calculator. DataSync costs more than double what it does on Storage Gateway.
Speed is not an issue - the main advantage of DataSync is that it is faster, so if speed is not an issue, you do not need DataSync.

Why use S3 Glacier and not S3 Glacier Deep Archive?

You need to retrieve data from the tape gateway in less than 6 hours. This is possible with S3 Glacier storage, but not possible with S3 Glacier Deep Archive.

15 / 25

You are performing some testing of an application in development and wish to delete the parts of a multipart upload after a mistake is made with part numbering. Which command would you run to stop the upload and delete all the parts?

Remove multipart upload

Delete multipart upload

Abort multipart upload

Cancel multipart upload

Explanation

To delete the parts of a failed multipart upload so that you do not get charged for storage of those parts, you must use the command “Abort Multipart Upload” and provide the upload ID of upload you wish to abort. After aborting a multipart upload, you cannot upload any part using that upload ID again. All storage that any parts from the aborted multipart upload consumed is then freed.

Explanation

16 / 25

After reviewing the reports from AWS Trusted Advisor, your company has decided to enable multi-factor authentication for IAM users and the root account. Which of the following MFA options can be used for both account types? (Choose 2 answers)

A software-based Virtual MFA device

SNS Notification Service

AWS Security Token Service

Hardware MFA Device

Explanation

For increased security, AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services. This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS root account.

Explanation

17 / 25

You have configured an AWS cloud environment for an ecommerce company. This environment is heavily reliant upon being highly available as downtime will lose the company a great deal of money. You monitor this environment very closely with numerous CloudWatch alarms. Recently you are seeing 'InsufficientInstanceCapacity' errors during auto scaling attempts during peak hours from 4:00 - 9:00 pm EST. This is causing costly downtime. Which option will best handle this situation?

Scale up your RDS instance for more capacity

Purchase Scheduled Reserved Instances for peak hours

Increase the maximum size of you auto scaling group to add more capacity

Use spot instances in place of on-demand instances

Explanation

If you get an InsufficientInstanceCapacity error when you try to launch an instance or start a stopped instance, AWS does not currently have enough available capacity to service your request. In this situation, reserved instances offer the required reliability to avoid outages and loss of money. Reserved Instances are a long-term capacity reservation, and you will not have to rely on Amazon having enough on-demand capacity. Usually these capacity issues are short term, but due to the nature of the company even short outages can be very costly.

Explanation

18 / 25

You have been asked to create a new S3 Bucket that will be used by the financial auditing team to store and share some files. There are a lot of different permissions between listing only, read-only and read-write access. You have decided to use resource-based permissions for the flexibility of it. Which statements below are correct with regards to resource-based permissions on your S3 bucket? (Choose 2 answers)

Resource-based permissions are managed policies you can apply directly to your bucket

Resource-based permissions could be attached to a user, role or group

With resource-based permissions, you can define permissions for sub-directories of your bucket separately

An explicit deny in resource-based permissions will overwrite an allow permissions the user might have for the same resource

Explanation

Resource-based permissions are permissions you attach directly to a resource. Resource-level permissions refer to the ability to specify not just what actions users can perform, but which resources they're allowed to perform those actions on. Resource-based policies are inline only, not managed. You can specify resource-based permissions for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, Amazon SQS queues, and AWS Key Management Service encryption keys.

Explanation

19 / 25

Your company has decided to use cloud methods for disaster recovery. The company is most concerned with RTO and RPO and is willing to accept the extra cost of Warm Standby over Pilot Light. When a disaster occurs, your top priority is to increase the processing capacity of your scaled-down environment. Once that is accomplished, you can then increase the environment's resilience and self-management capabilities.

What steps will help you accomplish your top priority when a disaster occurs? (Choose 2 answers)

Re-size the small capacity servers to run on larger EC2 instances

Modify your Amazon RDS servers to a multi-AZ deployment

Extend your auto scaling group across multiple availability zones

Explanation

The Warm Standby scenario uses a scaled-down version of a fully functional environment that is always running. Business-critical applications can always be running in the cloud. When a DR scenario comes about, the servers can be quickly scaled up, scaled out or both, but horizontal scaling is preferred over vertical scaling.

The two incorrect choices will increase your environment's resilience by adding availability

Explanation

The two incorrect choices will increase your environment's resilience by adding availability

20 / 25

Your company uses an on-premise identity system such as Active Directory to authenticate users locally. You would like to grant the same users access into the AWS console without requiring them to authenticate again. What possible solution below can be used to provide this type of access:

If your company's identity system is compatible with OpenID Connect (OIDC), establish trust between your company's identity system and AWS

If your company's identity system is compatible with Kerberos, establish trust between your company's identity system and AWS

If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS

If your company's identity system is compatible with OAuth 2.0, establish trust between your company's identity system and AWS

Explanation

Answer “If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS” is correct. AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS API operations without you having to create an IAM user for everyone in your organization.

Explanation

21 / 25

Your organization is thinking of running parts of their workload on AWS while keeping the critical and sensitive servers on-premises with continuous connectivity between instances in AWS and corporate data center. In such a hybrid cloud environment what are the minimum requirements to maintain resilient continuous connectivity between AWS and corporate data center?

A primary direct connect line connected to at least two routers in the corporate data center

A primary direct connect line and a VPN connection for backup connected to the corporate primary router

A primary and a backup direct connect line and at least two routers in the corporate data center

A primary and a backup direct connect line connected to the primary router in the corporate data center

Explanation

In Hybrid cloud environment where connectivity between AWS and Corporate datacenter is critical, redundant active/active or active/passive configurations should be implemented for connectivity resources. redundancy has to be on both sides (AWS and On-premises) hence the minimum requirements to implement this architecture is two direct connect lines and two customer devices (ideally in two different data centers)

Explanation

22 / 25

You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images in one batch, with an average of 3 batches per day. These images are loaded into an Amazon S3 bucket you control for you in a batch, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket.

Which of these is the best system architectures for this system?

Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an always-on instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances

Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket. Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty.

Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application, and Environment. Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.

Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis. Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

23 / 25

To provide adequate computer resources for your company portal during busy sales cycles, you have your instances assigned to an EC2 auto scaling group associated with an application load balancer. You are now configuring the health checks for the auto scaling group.

What statement regarding health check configuration options for your auto scaling group is correct?

You can use either EC2 Instance Status Checks or ALB health checks for your auto scaling group., but not both simultaneously

You can use both EC2 Instance Status Checks and ALB health checks simultaneously for your auto scaling group

You can only use EC2 Instance Status Checks as a health check for your auto scaling group

You can only use ALB health checks as a health check for your auto scaling group

Explanation

Both instance status checks and health checks must be enabled before unhealthy instances will be terminated. It is critical that you test not only the saturation and breaking points but also the "normal" traffic profile you expect

Explanation

24 / 25

Which of the following accurately describes Elastic Load Balancing? (Choose 3 answers)

Elastic Load Balancing delivers your content through a worldwide network of edge locations.

Elastic Load Balancing works with Amazon Virtual Private Cloud (VPC) to provide robust networking and security features.

Elastic Load Balancing automatically scales its request handling capacity to meet the demands of application traffic.

Elastic Load Balancing ensures that only healthy Amazon EC2 instances receive traffic by detecting unhealthy instances and rerouting traffic across the remaining healthy instances.

Explanation

Elastic Load Balancing works with Amazon Virtual Private Cloud (VPC) to provide robust networking and security features. Elastic Load Balancing ensures that only healthy Amazon EC2 instances receive traffic by detecting unhealthy instances and rerouting traffic across the remaining healthy instances. Elastic Load Balancing automatically scales its request handling capacity to meet the demands of application traffic.

CloudFront delivers your content through a worldwide network of edge locations. Using Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications

Explanation

25 / 25

You are configuring a new nondefault VPC for a client's cloud migration project with the following components:

one public subnet
a default network access control list with no custom rules
an internet gateway
a main route table with a local route for your VPC

You then launch an instance to support the client's migration which includes the following:

an AWS assigned DNS hostname
an AWS assigned private IP address
an AWS assigned public IP address
associated with a default security group with no custom rules.

You want to connect to the public internet through your instance, but cannot. What could you do to resolve this?

Attach a secondary ENI to the instance and connect via the ENI.

Create a NAT instance, and forward all traffic to the NAT instance

You should modify your NACL to allow all inbound and outbound traffic

Add a route with 0.0.0.0/0 as the destination and the internet gateway as the target.

Explanation

Default security groups and NACLs allow inbound and outbound traffic. All traffic should be routed via internet gateway, so a route should be created with 0.0.0.0/0 as a source, and with your Internet Gateway as the target.

Explanation

Your score is

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

AWS Certified Solutions Architect Professional – Exam Mode

/75

0 votes, 0 avg

Click Start button to start exam !

Time Out !

1 / 75

You need to design secure administrative access to application servers residing in private subnets in multiple availability zones. You require a select group of administrators to have access from specific IP addresses. You also want the solution to be automated and repeatable. Which of the following options could achieve your goals? (Choose 2 answers)

Elastic Beanstalk

NAT Gateway

Cloud Formation

Quick Start

Explanation

Quick Start is a new solution that is worth checking out. You can use IAM with AWS CloudFormation to control what users can do with AWS CloudFormation. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. Elastic Beanstalk is primarily for web applications only

Explanation

2 / 75

You have recently configured an AWS VPC for a new client. The VPC consists of several EC2 instances in a public subnet. An IT administrator for one of your clients has called you about an inability to connect to an EC2 instance. He is trying to connect from a Windows laptop using Putty for Windows and the .pem file you provided him along with instructions for using PuTTY and PuTTYgen. What could be the problem?

The RDP port is not open

The administrator's access permissions are not configured in IAM

The .pem file needs to be converted to a .ppk file

There is no Virtual Private Gateway

Explanation

If you use PuTTY to connect to your instances verify that your private key (.pem) file has been converted to the format recognized by PuTTY (.ppk). PuTTY does not natively support the private key format (.pem) generated by Amazon EC2. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into this format (.ppk) before attempting to connect to your instance using PuTTY.

Explanation

3 / 75

Industry rules and standards

European privacy laws

The number of web servers to deploy

The pre-warming storage and load balancers

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

4 / 75

You are an AWS Solutions Architect helping a client plan a migration to the AWS cloud. The client is very cost-conscious and needs to understand the budget implications of any design decisions prior to signing off. Now that you’ve identified the resources that must be created in the AWS environment to support the migration, what tool could you use to help project future costs given this information?

Cost Explorer

Simple Monthly Calculator

Detailed Billing Reports

TCO Calculator

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

5 / 75

Your account has 3 VPCs deployed in the same region.

The IPv4 address ranges of the VPCs are:

VPC A 172.22.0.0/16

VPC B 10.3.0.0/16

VPC C 10.4.0.0/16

VPC B and VPC C are already connected through VPC peering connection (PCX) named pcx-abcxyz. VPC A has resources that VPC B and VPC C must access. Which of the options below best achieves the objective of allowing VPC B and VPC C to access VPC A?

Create separate VPC Peering connections between VPC A & VPC B and VPC A & VPC C

Connect VPC A to VPC B using VPC Peering and allow VPC C to access VPC A through VPC B

Connect VPC A to pcx-abcxyz

Add static routes to VPC A with Targets of 10.3.0.0/16 and 10.4.0.0/16 and a Destination of pcx-abcxyz

Explanation

Creating separate VPC Peering connections between each VPC is required for Peering 3 VPCs together. Transitive routing is not supported in VPC Peering so VPC C could not reach VPC A through VPC B. A new VPC Peering connection is required for connecting additional VPCs, so connecting VPC A to pcx-abcxyz is not a viable option. Adding a static route to VPC A that points to pcx-abcxyz would not work as pcx-abcxyz is not connected to VPC A.

Explanation

6 / 75

Your team is developing an application using Elastic Beanstalk and discussing the most appropriate environment for deployment. What two types of environments can be created when using Elastic Beanstalk? (Choose 2 answers)

Load-balancing and auto-scaling environment

Web worker environment

Single-instance environment

Multi-region, multiple-instance environment

Explanation

In Elastic Beanstalk, you can create a load-balancing, autoscaling environment or a single-instance environment. The type of environment that you require depends on the application that you deploy. For example, you can develop and test an application in a single-instance environment to save costs and then upgrade that environment to a load-balancing, autoscaling environment when the application is ready for production.

Explanation

7 / 75

A primary direct connect line and a VPN connection for backup connected to the corporate primary router

A primary and a backup direct connect line connected to the primary router in the corporate data center

A primary direct connect line connected to at least two routers in the corporate data center

A primary and a backup direct connect line and at least two routers in the corporate data center

Explanation

8 / 75

True or False: In Amazon Route 53, you can create a hosted zone for a top-level domain (TLD).

False, Amazon Route 53 automatically creates it for you.

FALSE

True, only if you send an XML document with a CreateHostedZoneRequest element for TL

TRUE

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

Explanation

In Amazon Route 53, you cannot create a hosted zone for a top-level domain (TLD).

9 / 75

You are asked to add an application to an EC2 instance within your company's VPC. Because it is a Windows 2012 instance, you will RDP into it. When you attempt to connect via RDP, you receive the following message: Error connecting to your instance: Connection timed out.

How could you fix this issue? (Choose 3 answers)

Add a route to your Internet gateway for the VPC

Add a security group rule to allow inbound traffic from your public IPv4 address on port 3389.

Make sure network ACLs allow inbound/outbound traffic from your local IP address on port 3389.

Disable the source/destination check on your Internet gateway.

Explanation

Check the network access control list (ACL) for the subnet. The network ACLs must allow inbound and outbound traffic from your local IP address on the proper port. The default network ACL allows all inbound and outbound traffic. To enable Internet access for the EC2 instances in a VPC, you must create an Internet Gateway as well as a route to it in the router table.

Explanation

10 / 75

Your organization is migrating applications to AWS. Your new security policy mandates that all user accounts be created and managed through IAM. Currently, your corporation is using Active Directory as their on-premise LDAP service. Once applications go live at AWS, all users must access applications using temporary access credentials, and all IAM users must have passwords that are rotated on a set schedule. Which of the following actions will allow you to enforce this security policy? (Choose 3 answers)

Create required IAM user accounts

Create and enforce a password expiration policy option for all IAM users.

Deploy federation services that support the Security Token Service

Disable the root account for your AWS account.

Explanation

STS is the “glue” that supports temporary access credentials for federation. If you are running code, AWS CLI, or Tools for Windows PowerShell commands inside an EC2 instance, you can take advantage of roles for Amazon EC2. Otherwise, you can call an AWS STS API to get the temporary credentials, and then use them explicitly to make calls to AWS services.

Explanation

11 / 75

You are designing your company's new RDS database environment. Your design include multi-AZ for high availability and you have intentions of reviewing scalability options. But first, you need to determine which storage option meets your performance and cost requirements. You expect to have a small database that could grow to medium sized over time. You also want to have burst performance to meet short term spikes. Which storage option is best for you?

Magnetic

Dual core processors

Provisioned IOPS (SSD)

General Purpose (SSD)

Explanation

Amazon RDS provides three storage types: magnetic, General Purpose (SSD), and Provisioned IOPS (input/output operations per second). They differ in performance characteristics and price, allowing you to tailor your storage performance and cost to the needs of your database workload. General purpose is good for small to medium sized databases and has the burst to handle spikes.

Explanation

12 / 75

A user wants to use an EBS-backed Amazon EC2 instance for a temporary job. Based on the input data, the job is most likely to finish within a week. Which one of the following is the best way to terminate the instance automatically once the job is finished?

Associate the EC2 instance with an ELB to terminate the instance when it remains idle

Configure the EC2 instance with a stop instance to terminate it.

Configure an Auto Scaling scheduled activity to terminate the instance after seven days.

Configure a CloudWatch alarm to terminate the instance once it is idle

Explanation

Auto Scaling can start and stop the instance at a pre-defined time. Here, the total running time is unknown. Thus, the user has to use the CloudWatch alarm, which monitors the CPU utilization. The user can create an alarm that is triggered when the average CPU utilization percentage has been lower than 10 percent for 24 hours, signaling that it is idle and no longer in use. When the utilization is below the threshold limit, it will terminate the instance as a part of the instance action

Explanation

13 / 75

Your database is very frequently receiving more read and write requests than it can handle. To process the higher loads more effectively you’ve decided to vertically scale your RDS database instance. You’ve confirmed that your licensing can handle the increased scale; next, you must determine when the changes will be applied. When can you apply the changes? (Choose 2 answers)

During the maintenance window for the database instances

Immediately, when choosing a larger instance size

When changing the database storage type

When using CloudFront metrics

Explanation

When scaling an RDS instance, changes can be applied immediately or during the maintenance window specified. It is also recommended that you before you scale, make sure you have the correct licensing in place for commercial engines (SQL Server, Oracle) especially if you Bring Your Own License (BYOL). One important thing to call out is that for commercial engines, you are restricted by the license, which is usually tied to the CPU sockets or cores.

Explanation

14 / 75

Your company has recently discovered a massive security leak in which several users' access credentials were compromised. As a response, the Senior IT Security Manager has requested you to prevent all high-risk data from being modified or deleted by any users, including the root user.

What if the most efficient way to implement this security measure?

Enable object locks for all existing buckets with high-risk data. Configure a retention mode of governance mode.

Migrate the high-risk data to new S3 buckets and enable object versioning. Enable MFA Delete for all buckets.

Enable object versioning for all existing buckets with high-risk data. Enable a default legal hold for the bucket

Migrate the high-risk data to new S3 buckets and enable object locks. Configure a retention mode of compliance mode.

Explanation

There are a few key points to this question:

Object locks can prevent objects from modification or deletion; objection versioning does not - it only maintains versions of an object until those versions are deleted.
Users can only enable Object locks can on new S3 buckets.
Object locks have two retention modes - governance mode and compliance mode. Compliance mode prevents objects from being deleted or updated by users, including the root user. Governance mode allows objects to be modified, but prevents objects from being deleted.

Explanation

There are a few key points to this question:

Object locks can prevent objects from modification or deletion; objection versioning does not - it only maintains versions of an object until those versions are deleted.
Users can only enable Object locks can on new S3 buckets.
Object locks have two retention modes - governance mode and compliance mode. Compliance mode prevents objects from being deleted or updated by users, including the root user. Governance mode allows objects to be modified, but prevents objects from being deleted.

15 / 75

Your company is considering migrating to AWS, but they are concerned about the initial and mid- to short-term costs due to the complexity of the migration cycle. To effectively calculate the total cost of ownership, certain costs must be understood and planned for.

What costs should be primary considerations? (Choose 3 answers)

The cost of outside consulting services

The cost of running duplicate environments

The cost of using a Direct Link connection

The cost of running migration tools

Explanation

Failing to accurately estimate your costs before migration and during the migration process is a recipe for disaster. To build a migration model for optimal efficiency, it is important to accurately understand the current costs of running on-premises applications, as well as the interim costs incurred during the transition

Explanation

16 / 75

With resource-based permissions, you can define permissions for sub-directories of your bucket separately

An explicit deny in resource-based permissions will overwrite an allow permissions the user might have for the same resource

Resource-based permissions could be attached to a user, role or group

Resource-based permissions are managed policies you can apply directly to your bucket

Explanation

17 / 75

You are an AWS Solutions Architect helping a client plan a migration to the AWS Cloud. The client has provided you with a detailed inventory of their current on-premises compute infrastructure, including metrics related to storage and bandwidth. What tool would you use to estimate the amount of money they will save by migrating to the AWS Cloud?

Cost Explorer

Detailed Billing Reports

TCO Calculator

Trusted Advisor

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

18 / 75

Which of these is the best system architectures for this system?

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

19 / 75

Your company is migrating their environment to AWS. The legacy environment relied on Chef for automation, and your engineers are comfortable with that solution. In addition, your compliance officer has indicated that the new environment needs centralized, auditable configuration management for regulatory reasons. Which of the following AWS automation tools is most appropriate for this scenario?

OpsWorks for Chef Automate

CloudFormation

Elastic Beanstalk

OpsWorks stacks

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

20 / 75

You are an administrator managing Windows File Servers in Amazon Web Services. You need to set up a fault-tolerant system to protect your shared files. You decide to use DFS Namespaces and DFS Replication.

Which of the following are prerequisites? (Choose 2 answers)

File servers running Windows Server 2012 R2

File servers running Windows Server 2008 R2

The File Server Resource Manager role installed by your domain controllers

An Active Directory Schema of 2008 R2 or later

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

21 / 75

What statement regarding health check configuration options for your auto scaling group is correct?

You can use either EC2 Instance Status Checks or ALB health checks for your auto scaling group., but not both simultaneously

You can only use EC2 Instance Status Checks as a health check for your auto scaling group

You can use both EC2 Instance Status Checks and ALB health checks simultaneously for your auto scaling group

You can only use ALB health checks as a health check for your auto scaling group

Explanation

22 / 75

You are responsible for maintaining an RDS database deployed in a Multi-AZ deployment architecture. What would be the downtime and/or failover cycle associated with maintenance events on your database? (Choose 2 answers)

Maintenance will be applied to the primary instance first

Maintenance will be applied to standby instance first.

Standby instance will become the new primary after maintenance

The old primary will be promoted back to the new primary after maintenance

Explanation

Running a DB Instance as a Multi-AZ deployment can further reduce the impact of a maintenance event because Amazon RDS will conduct maintenance by following these steps: Perform maintenance on the standby.

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

23 / 75

Your company is migrating its infrastructure to AWS. When considering the migration level effort required, you determine there are a select number of VMs that fall under the “very low effort” category. After considering third-party migration options, you decide to utilize available AWS tools. What tools are available for migrating VMs to the AWS cloud? (Choose 2 answers)

AWS Snowmobile

AWS S3 Import

AWS VM Import

AWS Snowball

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

24 / 75

Your on-premise bare-metal servers are over five years old. You’re considering moving to AWS. The offerings of virtual instances far surpass what you can access on-premises. Before you choose your test instance at AWS, what questions should you ask? (Choose 3 answers)

How much network bandwidth do you need?

What is the average server utilization?

When peak load occurs, how much over-provisioning is required?

What is the cost of over-provisioning?

Explanation

On-premises data centers have costs associated with the servers, storage, networking, power, cooling, physical space, and IT labor required to support applications and services running in the production environment. For servers, these questions are most applicable: What is your average server utilization? How much do you overprovision for peak load? What is the cost of over-provisioning?

Explanation

25 / 75

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

CIFS

NFS

iSCSI

Fibre

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway's volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

26 / 75

An organization is planning to implement a scalable web application with Amazon EC2. The organization is planning to achieve high availability with Multi-AZ features. A single deployment of your application requires 8 vCPUs and 16 GiB total memory. The application workload is very stable, and does not experience spikes in activity. It is possible to divide the workload across separate instances.

Which configuration is the best choice for high availability, disaster recovery, and cost-effectiveness in this scenario?

Launch four instances with 8 vCPUs and 16 GiB memory each. Associate all four instances with one auto scaling group, and deploy them into two separate availability zones. Finally, load balancer them with an elastic load balancer.

Launch four instances with 4 vCPUs and 8 GiB memory each. Associated all four instances with one auto scaling group, and deploy the instances into two separate availability zones, and then load balance them with an elastic load balancer

Launch two instances with 8 vCPUs and 16 GiB memory each. Associate both instances with one auto scaling group, and deploy them in separate availability zones. Finally, load balance them with an elastic load balancer

Launch eight instances with 4 vCPUs and 8 GiB memory each. Divide the instances into separate availability zones, and also divide the instances into two separate auto scaling groups across the two availability zones. Deploy a separate load balancer for each group of instances within an availability zone

Explanation

The organization can always launch multiple EC2 instances in the same region across multiple availability zones for high availability and disaster recovery. It is recommended that the application should be load balanced for better load distribution. When the organization must support a workload that could be met with a small number of large instances, it is recommended to distribute the load by creating four small instances across availability zones. The two large instances give only 50% redundancy while the four small instances give 75% redundancy. As for cost, both the scenarios are the same it is recommended to run four small instances across availability zones

Explanation

27 / 75

Increase the maximum size of you auto scaling group to add more capacity

Purchase Scheduled Reserved Instances for peak hours

Scale up your RDS instance for more capacity

Use spot instances in place of on-demand instances

Explanation

28 / 75

You have been put in charge of your company's AWS RDS environment. You have begun designing a highly available RDS database using MySQL. You've designed the failover solution using multi-AZ. Additionally, you would like to design a proactive environment that self corrects before a failover occurs. You are reviewing ways to increase the I/O capacity of a DB instance. Which method is not an appropriate way to increase I/O for a database?

Convert from standard storage to either General Purpose or Provisioned IOPS storage

Migrate to a DB instance class with High I/O capacity.

Convert the database from MySQL to MariaDB

If you are already using Provisioned IOPS storage, provision additional throughput capacity.

Explanation

If your database workload requires more I/O than you have provisioned, recovery after a failover or database failure will be slow. To increase the I/O capacity of a DB instance, do any or all of the following:

Migrate to a DB instance class with High I/O capacity.
Convert from standard storage to either General Purpose or Provisioned IOPS storage, depending on how much of an increase you need.
If you convert to Provisioned IOPS storage, make sure you also use a DB instance class that is optimized for Provisioned IOPS.
If you are already using Provisioned IOPS storage, provision additional throughput capacity.

Explanation

Migrate to a DB instance class with High I/O capacity.
Convert from standard storage to either General Purpose or Provisioned IOPS storage, depending on how much of an increase you need.
If you convert to Provisioned IOPS storage, make sure you also use a DB instance class that is optimized for Provisioned IOPS.
If you are already using Provisioned IOPS storage, provision additional throughput capacity.

29 / 75

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. The finance team has approached you, indicating their concern over the growing AWS budget, and has asked you to investigate ways to lower it. Since your firm has enterprise-level support, you decide to use the AWS Trusted Advisor tool for this effort. What are some of the cost optimization checks that Trusted Advisor will perform? (Choose 3 answers)

Underutilized Amazon EBS Volumes

EC2 Spot Instance Optimization

Idle Load Balancers

Underutilized Amazon Redshift Clusters

Explanation

Trusted Advisor checks for Amazon EC2 reserved instances optimization, low utilization of Amazon EC2 instances, idle Load Balancers, underutilized Amazon EBS Volumes, unassociated Elastic IP Addresses, Amazon RDS idle DB instances, Amazon Route 53 Latency Resource Record Sets, Amazon EC2 reserved instance lease expiration and underutilized Amazon Redshift Clusters

Explanation

30 / 75

As the lead architect managing the migration from an on-premises data center to the AWS cloud, you are currently considering the most effective network configuration to meet your requirements.

You want your application servers, which will be hosted within Amazon VPC on multiple EC2 instances in a private subnet, to be able to send read and write requests to specific DynamoDB tables without sending HTTP requests over the public internet or VPN.

How can you allow EC2 to connect with your DynamoDB tables given these requirements?

Create a dedicated network connection with Direct Connect

Create a VPC peering connection

Create a VPC Interface Endpoint

Create a VPC Gateway Endpoint

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

Explanation

You can create a VPC Gateway Endpoint to allow resources within a VPC to connect to DynamoDB without network communication extending outside your own VPC.

31 / 75

Order an on-demand instance matching the on-premises architecture.

Export all database records to S3.

Use the AWS server migration service to migrate existing records

Fix all MySQL issues in the local data center.

Explanation

32 / 75

You are looking for a simple way to configure high availability for your EC2 instances. You need to create a plan for replacing unhealthy or failed instances. It is acceptable to have a short amount of downtime to keep costs down. Which process is appropriate for achieving this?

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Reboot this instance.”

Create a custom AMI and use it to create an Auto Scaling Launch Configuration; then create a “Steady State” auto scaling policy using a minimum of 2 instances and a maximum of 2 instances.

Create a custom AMI of your EC2 instances. Use the custom AMI to create a new EC2 instance if there are issues with a current EC2 instance, and move the EIP to the new instance.

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Recover this instance.”

Explanation

Creating a custom AMI of the instance for which you are trying to provide HA allows you to bring the instance online quickly with no build time. Moving the EIP from the instance, you are replacing to the new instance will send all traffic to the new instance without any change to DNS, which would take time to propagate. Using the AutoRecover option will not replace the unhealthy or failing instance. It will only try to restart it on another host. Creating a “Steady State” Auto Scaling Group would also be a good solution, although using two as a minimum would have a higher cost.

Explanation

33 / 75

You are building a system to distribute confidential documents to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Explanation

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users' behalf. If your users try to access objects using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't.

Explanation

34 / 75

_____ is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend.

Consolidated Billing

AWS Budgets

AWS Cost Explorer

Cost Allocation Tags

Explanation

Cost Explorer, this is a useful and powerful tool within Billing and Cost Management. It allows you to view historical billing information in a graphical format giving you greater insight to your AWS spend. A valuable tool that can help to identify where you should be focusing your cost optimization efforts. It also can forecast your estimated spend up to two months ahead using existing data as a reference. If you can see that your estimated future bills are becoming too high, you have the time now to identify where you can make and initiate cost reduction mechanisms to help mitigate the risk.

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view - this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View - this covers the current and previous two months and is grouped by linked accounts
Daily Spend view - this covers the daily spend over the previous sixty days

Explanation

Cost Explorer comes configured with three pre-defined views which are commonly used to analyze spending across your account:

Monthly Spend by Service view - this covers the current and previous two months and is grouped by AWS services
Monthly Spend by Linked Account View - this covers the current and previous two months and is grouped by linked accounts
Daily Spend view - this covers the daily spend over the previous sixty days

35 / 75

You are configuring your application's compute layer using AWS EC2 Auto Scaling. When configuring the group's capacity, you have set the auto scaling group's minimum capacity to four, the desired capacity to 8, and the maximum capacity to 16. When you deploy your auto scaling group, and the instances have completely deployed, how many instances will there be within your group?

Explanation

You configure the size of your Auto Scaling group by setting the minimum, maximum, and desired capacity. The minimum and maximum capacity are required to create an Auto Scaling group, while the desired capacity is optional. If you do not define your desired capacity upfront, it defaults to your minimum capacity.

By default, the minimum, maximum, and desired capacity are set to one instance when you create an Auto Scaling group from the console. If you change the desired capacity, the capacity that you specify will be the total number of instances launched right after creating your Auto Scaling group.

An Auto Scaling group is elastic as long as it has different values for minimum and maximum capacity. All requests to change the Auto Scaling group's desired capacity (either by manual scaling or automatic scaling) must fall within these limits.

If you choose to automatically scale your group, the maximum limit lets Amazon EC2 Auto Scaling scale out the number of instances as needed to handle an increase in demand. The minimum limit helps ensure that you always have a certain number of instances running at all times

Explanation

36 / 75

Amazon Kinesis

Amazon Elasticsearch

AWS Data Pipeline

Amazon EMR

Explanation

37 / 75

You are creating a custom Virtual Private Cloud (VPC) which will host a mix of public and private instances. An EC2 instance has been deployed to one of the public subnets in this VPC. What are the configurations that have to be implemented to make this instance accessible from the internet? (Choose 3 answers)

Make sure the instance has a public IP address

Attach an Internet gateway to the VPC and add a default route to the IGW in public subnet's route table

Create a new record set and custom domain name for the new instance in Route 53

Edit security group to allow traffic to and from the internet on required ports

Explanation

Public and private subnets, except for the default VPC, do not automatically have Internet access enabled. To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance

Explanation

Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance

38 / 75

You are migrating your Oracle database using the AWS Database Migration Service. Due to a large amount of data being replicated, you need the replication process to be continuous. What must be changed on your replication instance to use ongoing replication?

Increase the number of tables that are cached in RAM.

Enable the Multi-AZ option on the replication instance.

Disable Multi-AZ on the target instance

Disable backups on the target instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

39 / 75

You've been assigned to a client that has an auto scaling group behind an Application Load Balancer. The autoscaling group is handling traffic spikes well, but the client is concerned about cost. After reviewing statistics, you find that a large number of instances are being launched for just a short time period (15 - 30 minutes) and you know that Amazon charges per second for the time these instances are running.

You're concerned that when these bursts occur, instances that scale out in a larger number than required and actually outlive the short bursts of increased workload.

What steps can you take to maintain performance but reduce costs? (Choose 2 answers)

Create scheduled scaling events instead of using your simply scaling policy.

Use Trusted Advisor to terminate instances immediately when no longer needed.

Create a cool down period for your auto scaling group

Create a step scaling policy for improved scale-out events

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you've selected.

Adjusting the cooldown period also minimizes the likelihood of scaling out again before the instances that were deployed in a previous scale out event have had time to warm up and handle requests to their full capability.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you've selected.

40 / 75

You are responsible for a web application where the web server instances are hosted in auto-scaling group. You discover the following after monitoring your application workload for the past year:

You need a minimum of nine EC2 instances to handle the lowest levels of activity during non-business hours.
During local business hours, you require between 12-16 instances.
Roughly 35 percent of non-business workload involves backend data processing and analysis.

With this information, what recommendations would you make to minimize operating costs while providing the required availability?

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 scheduled reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase spot instances to handle the data processing workload.

Purchase nine convertible reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during local business hours. Purchase spot instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 convertible reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase nine standard reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during non-business hours. Purchase spot instances to handle additional capacity needs

Explanation

The spot instances are ideal for the data processing workload during non-business hours, and deducting those instances from your minimum workload requirements leaves roughly six instances that are running all day. Purchase six standard reserved instances to meet this need with the greatest discount. You can then schedule reserved instances to run during business hours to meet the increase, and on-demand instances to scale as needed while providing necessary availability.

Explanation

41 / 75

You have been charged with investigating cloud security options for your company in light of recent suspected threats. You are aware that certain AWS services can help mitigate DDoS attacks, and you are specifically looking for a service that provides protection from counterfeit requests (Layer 7) or SYN floods (Layer 4). Which services provide this protection? (Choose 2 answers)

VPC Security Groups

CloudFront with AWS Shield

Route 53

Amazon API Gateway

Explanation

Amazon API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3). Additional reading is available here (https://aws.amazon.com/api-gateway/faqs/).

AWS Shield Advanced includes intelligent DDoS attack detection and mitigation for not only for the network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks.

NACLs do not provide DDoS mitigation. They are used to control ingress and egress into a subnet based on port and source IP range. Route 53 can protect against DNS based DDoS attacks but does not protect entire layers. Elastic Load Balancing can protect EC2 instances specifically, but not other AWS resources.

Explanation

42 / 75

firewall rules

IAM roles

Geo-restriction

Server-side encryption

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

43 / 75

The IAM administrator is trying to create IAM groups and IAM users for employees within numerous separate company departments. The owner has created groups for each department, but needs even further separation between department subgroups within IAM groups. For example, two users from different department subgroups should be identified separately and have separate permissions.

How can the IAM administrator configure this?

Create a nested IAM group

Use the paths to separate IAM users within the same IAM group

Create a hierarchy of separate IAM users based on their department

It is not possible to subdivide IAM users within an IAM group

Explanation

The path functionality within an IAM group and user allows them to delineate by further levels. In this case, the user needs to use the path with each user or group so that the ARN of the user will look similar to:

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user1
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user2

Explanation

arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user1
arn:aws:iam::123456789012:user/division_abc/subdivision_xyz/user2

44 / 75

While monitoring your application servers hosted behind an elastic load balancer, you discover that the servers always operate at between 75 and 80% of their capacity after five minutes of operation. Also, there is a constant number of servers being marked as unhealthy very early in their initial lifecycle. Upon further analysis, you also discover that your servers are taking between three and four minutes to become operational after launch. What two tasks should you complete as soon as possible? (Choose 2 answers)

Increase the length of your scaling cool down period

Increase the maximum number of instances in your auto-scaling group

Decrease the length of your scaling cool down period

Increase the size of instances in your launch configuration.

Explanation

A prolonged grace period and a larger number of instances will solve these issues. You can use scaling policies to increase or decrease the number of running EC2 instances in your group automatically to meet changing conditions. When the scaling policy is in effect, the Auto Scaling group adjusts the desired capacity of the group and launches or terminates the instances as needed. If you manually scale or scale on a schedule, you must adjust the desired capacity of the group for the changes to take effect.

Explanation

45 / 75

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. As the environment and number of active resources continue to grow, your finance team is having a difficult time attributing your AWS costs to the various business units. How can you help the finance team assign costs to the correct business units? (Choose 2 answers)

Give them access to TCO calculator.

Enable Cost and Usage reports.

Set up consolidated billing

Tag all resources with the appropriate business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

46 / 75

You’ve designed a public portal (with a MySQL database) featuring popular scientific journals. Due to its popularity, users are complaining it takes much longer to review selected journals than in the past. In addition, the popularity of your site is worldwide.

What are the first steps that you should take to resolve your performance issues? (Choose 2 answers)

Deploy ElasticSearch for faster searching of available scientific journals

Redesign your database as a Multi-AZ solution

Place additional read replicas in AWS regions closer to your users

Create a read replica of your master database

Explanation

Read replicas of your master database allow you to increase performance. Placing your read replicas in different AWS regions closer to your users will maximize performance and increase the availability of your database.

Explanation

47 / 75

You have an application that is generating a log file every 5 minutes and you need to store these log files appropriately. The requirements for storing the log files are:

They should be quickly retrievable when needed, as they may be required only for verification in case of some major issue.
The logs will need to be accessed frequently, as all log data is retrieved and compiled from the files into a bi-monthly report.
The logs are essential to quarterly audits, so the storage solution must offer a high level of durability.
Cost should also be minimized for the storage service as much as possible.

Which of the storage options below is the best choice to meet these requirements?

Amazon S3 Standard

Amazon S3 OneZone-IA

Amazon S3 Glacier

Amazon S3 Standard - Infrequent Access (IA)

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

48 / 75

A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?

In the security group, open port 22 for IP 10.20.30.40/0

In the security group, open port 22 for IP 10.20.30.40/24

In the security group, open port 22 for IP 10.20.30.40

In the security group, open port 22 for IP 10.20.30.40/32

Explanation

In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept and ask it in a CIDR format

Explanation

49 / 75

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it. You granted a database administrator access in IAM to the RDS database instance, who is now attempting to connect from a secure, company-managed on-premise IP address range. However, she is unable to connect to the RDS instance. You have reviewed IAM permissions for the administrator and AWS resources that need to connect to the database, and they appear correctly configured. All application instances are able to connect to the RDS instance, but other employees on the same approved IP address range cannot connect to the database. What steps is a recommended first step to troubleshoot the issue?

Enable multi-factor authentication for your database administrator.

Check the database security group's specific ingress and egress rules.

Create a key pair for your database administrator to log into the environment's EC2 instances

Configure single sign-on for your database administrator.

Explanation

When you are unable to connect to a new database, it is often because the DB instance creation is still in progress and is not available yet. A reasonable amount of time to wait (at most) is 20 to 30 minutes. Beyond that, there is likely a problem. A common pattern in DB implementation involves placing databases in private subnets for additional security. If you follow this practice, make sure that the Security Groups provide appropriate ingress and egress to the DB instance.

Explanation

50 / 75

You are working as a Solutions Architect for a healthcare company. You’ve been tasked with creating a Virtual Private Cloud to create a hybrid cloud solution. The cloud environment will need to connect to on-premises applications which can not be migrated to the VPC. Your requirements are to use the most reliable connection with the highest throughput possible. Which option can you use to get the hybrid environment operational to meet these requirements?

AWS Direct Connect

VPN

Internet Gateway

AWS Cloudfront

Explanation

Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. Network latency over the Internet can vary given that the Internet is constantly changing how data gets from point A to B. With AWS Direct Connect, you choose the data that utilizes the dedicated connection and how that data is routed which can provide a more consistent network experience over Internet-based connections

Explanation

51 / 75

VPN connection

Customer gateway

Public VIFs

Virtual private gateway

Explanation

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

Explanation

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

52 / 75

You are running a legacy application hosted in AWS on an Amazon EC2 instance. The legacy application has the EC2 instance's IP address hard-coded into its code. Which of the following scenarios would successfully provide a High Availability solution for the instance that is running the application? (Choose 2 answers)

Assign an elastic IP address to the EC2 instance and have a backup instance running. In the event of failure, move the Elastic IP from the primary instance to the backup instance.

Have a backup instance running with Elastic Load Balancing and configure Amazon Route 53 to check the health of your resources and respond to DNS queries using only the healthy resources

You don't need to do anything as it is hard-coded and hence will always be highly available.

Use spot instances to be allocated if the instance becomes unavailable

Explanation

Amazon Route 53 lets you configure DNS failover in active-active, active-passive, and mixed configurations to improve the availability of your application. When you have more than one resource performing the same function, you can configure Amazon Route 53 to check the health of your resources and respond to DNS queries using only the healthy resources.

Another solution would be to assign an elastic IP address to the EC2 instance and have a backup instance running. In the event of failure, move the Elastic IP from the primary instance to the backup instance.

Explanation

53 / 75

You have deployed an application hosted on both a primary instance and a secondary standby instance. The instances are in the same subnet within a VPC.

If the primary instance fails, you would like to failover to the secondary instance without having to reconfigure the application. How can you accomplish this? (Choose 3 answers)

Attach elastic network interfaces to the primary and secondary instances

Add a second private IP address to the primary instance's ENI that can be moved to the secondary instance's ENI.

Use load balancing to redirect traffic to the secondary instance

Use an additional elastic network interface for failover to another instance

Explanation

54 / 75

After setting up several database instances in Amazon Relational Database Service (Amazon RDS) you decide that you need to track the performance and health of your databases. How can you do this?

Use the free Amazon CloudWatch service to monitor the performance and health of a DB instance

All of the items listed will track the performance and health of a database

Subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB snapshot, DB parameter group, or DB security group

View, download, or watch database log files using the Amazon RDS console or Amazon RDS APIs. You can also query some database log files that are loaded into database tables.

Explanation

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizeable capacity for an industry-standard relational database and manages common database administration tasks. There are several ways you can track the performance and health of a database or a DB instance. You can: Use the free Amazon CloudWatch service to monitor the performance and health of a DB instance. Subscribe to Amazon RDS events to be notified when changes occur with a DB instance, DB snapshot, DB parameter group, or DB security group.View, download, or watch database log files using the Amazon RDS console or Amazon RDS APIs. You can also query some database log files that are loaded into database tables. Use the AWS CloudTrail service to record AWS calls made by your AWS account. The calls are recorded in log files and stored in an Amazon S3 bucket.

Explanation

55 / 75

You have been contracted to start building the latest and greatest mobile chat app. The schedule for this development and delivery is time critical. What correct mix of AWS services and components should you consider to ensure that your mobile chat app can be produced on time, ensuring that the mobile chat app can authenticate and authorize users?

Create an auto scaling group of EC2 instances with SAML 2.0 service endpoint, setup and install a custom LDAP directory, configure SSO within the mobile app to use the SAML 2.0 service endpoint to perform user authentication and authorization

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Explanation

Answer “Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization” is correct. The question highlights that the “development and delivery is time critical” - therefore the best approach time wise is to use the fit for purpose managed services provided by AWS - in this case, Amazon Cognito, IAM Roles and Policies, and the AWS Mobile SDK.

Explanation

56 / 75

Your team has found that a client's load balancer needs to be configured with support for SSL offload using the default security policy. When negotiating the SSL connections between the client and the load balancer, you want the load balancer to determine which cipher is used for the SSL connection. Which actions perform this process on the load balancer? (Choose 3 answers)

Enable SSL offload.

Choose the server order preference option

Select the default security policy.

Select a client configuration preference option

Explanation

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option.

Explanation

57 / 75

You are developing a static website using S3 for your company’s clients. Your team is configuring the site and has granted public read access. What other steps must they take? (Choose 2 answers)

Create a website page hierarchy

Enable static website hosting.

Enable server-side scripting

Specify a default index document

Explanation

58 / 75

SNS Notification Service

AWS Security Token Service

A software-based Virtual MFA device

Hardware MFA Device

Explanation

59 / 75

Your team is setting up DynamoDB for a client. You need to explain to them how DynamoDB tables are partitioned. Which calculations are used to determine the number of partitions that will be created? (Choose 2 answers)

The total table size divided by 10 GB

The total table size divided by 40 GB

The total RCU divided by 3000 + total WCU divided by 1000

The total RCU divided by 5000 + total WCU divided by 1000

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

60 / 75

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Explanation

61 / 75

A client has contacted you about designing their AWS cloud environment. They want to fully migrate their compute environment to the cloud. Their biggest requirement is that they need high availability at both the web and database tiers. Their current database is MySQL. How might you best design high availability for their environment with cost being a consideration as well?

Cross-region replication

Auto scaling

Read Replicas

Multi-AZ Deployment

Explanation

Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. Amazon RDS uses several different technologies to provide failover support. Multi-AZ deployments for Oracle, PostgreSQL, MySQL, and MariaDB DB instances use Amazon's failover technology. SQL Server DB instances use SQL Server Mirroring. Amazon Aurora instances stores copies of the data in a DB cluster across multiple Availability Zones in a single region, regardless of whether the instances in the DB cluster span multiple Availability Zones.

Explanation

62 / 75

Which of the following types of Amazon S3 metadata or subresources can be tracked by AWS Usage and Cost Reports?

User-defined object metadata

S3 Object tags

System-defined object metadata

S3 Bucket tags

Explanation

S3 Bucket tags are one of several AWS resources in numerous services that fall within the group of cost allocation tags. These tags can be tracked and included within AWS Usage and Billing Reports.

Explanation

S3 Bucket tags are one of several AWS resources in numerous services that fall within the group of cost allocation tags. These tags can be tracked and included within AWS Usage and Billing Reports.

63 / 75

You have begun your migration into Amazon Web Services using the AWS Database Migration Service. You are pleased that there are no errors; however, the migration tasks are running slowly. You review the resources that have been assigned to the AWS DMS replication instance, and they seem to be adequate. Which other task could you perform to help speed up the initial migration tasks?

Increase the IOPs on the replication instance.

Reduce the frequency of automatic backups.

Enable multi-availability zones on the target database instance.

Turn off all logging on the target database

Explanation

Turning off automatic backups or logging on the target database during the migration will help increase the speed of the initial migration load.

Explanation

Turning off automatic backups or logging on the target database during the migration will help increase the speed of the initial migration load.

64 / 75

You are configuring a new VPC for one of your clients for a cloud migration project, and only a public VPN will be in place. After you created your VPC, you created a new subnet, a new Internet gateway, and attached your internet gateway to your VPC. When you launched your first instance into your VPC, you realized that you aren't able to connect to the instance, even if it is configured with an elastic IP. What should be done to access the instance?

A route should be created as 0.0.0.0/0 and your internet gateway as target.

A NACL should be created that allows all outbound traffic

Attach another ENI to the instance and connect via new ENI.

A NAT instance should be created and all traffic should be forwarded to NAT instance

Explanation

All traffic should be routed via Internet Gateway. So, a route should be created with 0.0.0.0/0 as a source, and your Internet Gateway as your target.

Explanation

All traffic should be routed via Internet Gateway. So, a route should be created with 0.0.0.0/0 as a source, and your Internet Gateway as your target.

65 / 75

Create an AWS IAM role for access to the S3 bucket

Create an Amazon S3 bucket for your backup files

Turn on compression for your backup files by running “exec rdsadmin..rds_set_configuration ‘S3 backup compression’, ‘true.’”

Add the SQLSERVER_BACKUP_RESTORE option to an option group on your DB instance.

Explanation

66 / 75

Your engineers are concerned about application availability during in-place updates to a live Elastic Beanstalk stack. You advise them to consider a blue/green deployment and then list the necessary steps to carry out this deployment. Which steps are valid to include? (Choose 3 answers)

From the new environment’s dashboard, choose Restart Environment

Deploy the new version of the application

From the new environment’s dashboard, swap environmental URLs and click Swap

Clone your current environment

Explanation

Blue/green deployments resolve application unavailability during updates.

To perform a blue/green deployment:

Open the Elastic Beanstalk console.
Clone your current environment, or launch a new environment running the desired configuration.
Deploy the new application version to the new environment.
Test the new version in the new environment.
From the new environment's dashboard, choose Actions and then choose Swap Environment URLs.

Explanation

Blue/green deployments resolve application unavailability during updates.

To perform a blue/green deployment:

Open the Elastic Beanstalk console.
Clone your current environment, or launch a new environment running the desired configuration.
Deploy the new application version to the new environment.
Test the new version in the new environment.
From the new environment's dashboard, choose Actions and then choose Swap Environment URLs.

67 / 75

You have determined specific instances will need to be resized by either scaling the instance(s) up or down.

What basic rules apply when resizing EC2 instances? (Choose 2 answers

Instances need to be from the same AMI

Instances need to have the same virtualization type

You can only resize spot or on-demand instances but not reserved instances

Instances with limited storage compatibility require migration instead of resizing

Explanation

When you resize an instance, you must select an instance type that is compatible with the configuration of the instance. If the instance type that you want is not compatible with the instance configuration you have, then you must migrate your application to a new instance with the instance type that you need. As your needs change, you might find that your instance is over-utilized (the instance type is too small) or under-utilized (the instance type is too large). If this is the case, you can change the size of your instance. For example, if your t2.micro instance is too small for its workload, you can change it to an m3. medium instance

Explanation

68 / 75

A customer needs to migrate several hundred terabytes of data into AWS. You typically use Amazon Snowball for these types of requests. What method does AWS recommend regarding data upload to the Snowball appliance? (Choose 2 answers)

Use the latest Mac or Linux Snowball client.

When testing data transfer, avoid long test commands in favor of short ones

Use a single workstation to avoid redundant data transfers to the same Snowball appliance

Use multiple workstations to run the client software to expedite the transfer.

Explanation

Uploading data to the Snowball Appliance requires a client application. The upload is CPU, memory, and networking intensive. If you are uploading large amounts of data, Amazon recommends that you run the client software on multiple workstations to distribute the load and thereby shorten the time the upload will take.

Explanation

69 / 75

What is one security benefit of utilizing the Elastic Load Balancer?

Providing TLS/SSL termination as well as centralized certificate management

Providing encrypted data storage for use in application development

Blocking network traffic based on heuristic analysis

Performing network address translation

Explanation

The Elastic Load Balancer can integrate with the AWS Certificate Manager to provide a central method of managing your TLS/SSL certificates. It allows you to renew, deploy and configure your TLS/SSL certificates for your application or website from a single location.

Explanation

70 / 75

Which of the following statements is true of creating a launch configuration using an EC2 instance?

Auto Scaling automatically creates a launch configuration directly from an EC2 instance.

The launch configuration can be created only using the Query APIs.

A user should manually create a launch configuration before creating an Auto Scaling group.

The launch configuration should be created manually from the AWS CLI.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

Explanation

You can create an Auto Scaling group directly from an EC2 instance. When you use this feature, Auto Scaling automatically creates a launch configuration for you as well.

71 / 75

You have a client in the financial industry who is moving to AWS for their IT infrastructure and applications. They need to become PCI compliant to protect their client’s card information. Amazon has many processes in place for PCI compliance. What steps do you need to take to help them become compliant? (Choose 3 answers)

Monitor access with CloudTrail and VPC Flow Logs

Use server side encryption to protect card holder data.

Encrypt data in transit.

Secure private subnets with ACLs and Security Groups

Explanation

AWS provides customers with a PCI-compliant environment and the necessary tools to secure their environment. PCI compliance falls very much in line with the shared responsibility model. But ultimately, it is the customers responsibility to build and maintain a PCI-compliant environment.

Explanation

72 / 75

You need to change a deployed Elastic Beanstalk environment to provide additional performance for EC2 instances that a client is currently running on their application. To change your instance count for Elastic Beanstalk, select the necessary steps (in any order). (Choose 3 answers)

Choose Configuration and then choose Scaling.

Change the Minimum Instance Count and then Apply

Open a command prompt window and execute the command change-elastic-beanstock -env.

Open the Elastic Beanstalk console and navigate to the management page

Explanation

Elastic Beanstalk environments can be changed after creation. For example, if you have a compute-intensive application, you can change the type of Amazon EC2 instance that is running your application. To do this, you use the Scaling option in the management page of the Elastic Beanstalk console and change the minimum instance count.

Explanation

73 / 75

You receive a bill from AWS but are confused because you see you are incurring different costs for the exact same storage size in different regions on Amazon S3. You ask AWS why this is so. What response would you expect to receive from AWS?

We charge less in different time zones.

We charge less where our costs are less.

This will balance out next bill.

It must be a mistake

Explanation

Amazon S3 is storage for the Internet. It's a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs. AWS charges less where their costs are less. For example, their costs are lower in the US Standard Region than in the US West (Northern California) Region.

Explanation

74 / 75

After monitoring your online sales application for the last two weeks of holiday sales, it is apparent that your database tier’s current architectural design is not sufficient. Your database is currently managed within Amazon RDS. The decision is made to scale your instance to a greater size based on database recommendations from the vendor. Your current database storage type is magnetic, and storage usage is currently at 70%.

Which modifications could potentially improve the performance of your database? (Choose 2 answers)

Increase the number of read replicas.

Decrease the currently allocated storage space

Change the storage type to general-purpose SSD.

Increase the currently allocated storage space

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

75 / 75

What steps will help you accomplish your top priority when a disaster occurs? (Choose 2 answers)

Modify your Amazon RDS servers to a multi-AZ deployment

Extend your auto scaling group across multiple availability zones

Re-size the small capacity servers to run on larger EC2 instances

Explanation

The two incorrect choices will increase your environment's resilience by adding availability

Explanation

The two incorrect choices will increase your environment's resilience by adding availability

Your score is

The average score is 14%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Professional – Free Practice Tests

AWS Certified Solutions Architect Professional – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Professional – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation