AWS Certified Solutions Architect Professional - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Professional
AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 75 questions per test (similar to real AWS exam), 180 minutes, repeat tests

AWS Certified Solutions Architect Professional – Learning Mode

/25

1 votes, 5 avg

AWS Certified Solutions Architect Professional - Learning Mode

1 / 25

You are in the process of planning your backup strategy between an on-premises data center and AWS cloud. You are considering Storage Gateway technology for backup and restore in your hybrid environment. What are the primary factors that affect Backup and Recovery times when using Storage Gateways? (Choose 2 answers)

Amount of data required for backup each day after on-premise data deduplication and compression

Amount of data required for backup each day before on-premise data deduplication and compression

Net available bandwidth between on-premises and AWS over the public internet or Direct Connect line.

Compute power of on-premises instances that need to be backed up

Explanation

Storage gateways interact with AWS over the public Internet or direct connect. You will need to know the amount of data per day that needs to be transferred to Amazon S3 and the net available bandwidth of your network connection. Storage Gateway is capable of running data compression, and comparison so only changed data is being backed up.

Explanation

2 / 25

Which choice correctly describes the differences between security groups and Network Access Control Lists (NACLs)? (Choose 2 answers)

Security Groups operate at the instance level and support allow rules only.

NACLs operate at the subnet level and support deny rules only.

Security Groups operate at the subnet level, and they support allow rules only

NACLs operate at the subnet level and support allow and deny rules

Explanation

You can secure your VPC instances using only security groups; however, you can add NACLs as a second layer of defense. Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level . Network access control lists (NACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level . Security Groups supports allow rules only while Network Access Control Lists support allow and deny rules.

Explanation

3 / 25

You have been assigned to a client who has an existing AWS cloud environment. They are already using CloudFormation to deploy web dev, test, and production environments. You immediately recognize that they are using the same CloudFormation template for dev and production. The Project Plan calls for major performance testing at the end of the project and the client wants to cut cost wherever possible. You recommend using smaller EC2 instances for the Developers dev environments. What section of a CloudFormation template can you use to deploy variable sized instances depending on the environment?

Mappings

Metadata

Conditions

Transform

Explanation

The conditions section of a CloudFormation template defines conditions that control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update. For example, you could conditionally create a resource that depends on whether the stack is for a production or test environment

Explanation

4 / 25

What is one security benefit of utilizing the Elastic Load Balancer?

Providing TLS/SSL termination as well as centralized certificate management

Providing encrypted data storage for use in application development

Blocking network traffic based on heuristic analysis

Performing network address translation

Explanation

The Elastic Load Balancer can integrate with the AWS Certificate Manager to provide a central method of managing your TLS/SSL certificates. It allows you to renew, deploy and configure your TLS/SSL certificates for your application or website from a single location.

Explanation

5 / 25

You are an AWS Solutions Architect helping a client plan a migration to the AWS cloud. The client is very cost-conscious and needs to understand the budget implications of any design decisions prior to signing off. Now that you’ve identified the resources that must be created in the AWS environment to support the migration, what tool could you use to help project future costs given this information?

Detailed Billing Reports

TCO Calculator

Cost Explorer

Simple Monthly Calculator

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

6 / 25

You are responsible for maintaining an RDS database deployed in a Multi-AZ deployment architecture. What would be the downtime and/or failover cycle associated with maintenance events on your database? (Choose 2 answers)

Maintenance will be applied to the primary instance first

The old primary will be promoted back to the new primary after maintenance

Standby instance will become the new primary after maintenance

Maintenance will be applied to standby instance first.

Explanation

Running a DB Instance as a Multi-AZ deployment can further reduce the impact of a maintenance event because Amazon RDS will conduct maintenance by following these steps: Perform maintenance on the standby.

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

7 / 25

You are designing monitoring and operation management for your environment on AWS and in the process of deciding which metrics to start with for your monitoring. Which of the following metrics should be included in your initial monitoring plan at a minimum? (Choose 3 answers)

Volume Queue Length

Disk Performance (Read and Write OPS)

CPU Utilization

Memory Utilization

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

8 / 25

You have determined specific instances will need to be resized by either scaling the instance(s) up or down.

What basic rules apply when resizing EC2 instances? (Choose 2 answers

Instances with limited storage compatibility require migration instead of resizing

You can only resize spot or on-demand instances but not reserved instances

Instances need to have the same virtualization type

Instances need to be from the same AMI

Explanation

When you resize an instance, you must select an instance type that is compatible with the configuration of the instance. If the instance type that you want is not compatible with the instance configuration you have, then you must migrate your application to a new instance with the instance type that you need. As your needs change, you might find that your instance is over-utilized (the instance type is too small) or under-utilized (the instance type is too large). If this is the case, you can change the size of your instance. For example, if your t2.micro instance is too small for its workload, you can change it to an m3. medium instance

Explanation

9 / 25

You have deployed an application hosted on both a primary instance and a secondary standby instance. The instances are in the same subnet within a VPC.

If the primary instance fails, you would like to failover to the secondary instance without having to reconfigure the application. How can you accomplish this? (Choose 3 answers)

Add a second private IP address to the primary instance's ENI that can be moved to the secondary instance's ENI.

Use an additional elastic network interface for failover to another instance

Use load balancing to redirect traffic to the secondary instance

Attach elastic network interfaces to the primary and secondary instances

Explanation

The ENI can only be attached to an instance hosted in a VPC. When you move a network interface from one instance to another, network traffic is redirected to the new instance. Some network and security appliances, such as load balancers, network address translation (NAT) servers, and proxy servers prefer to be configured with multiple network interfaces. You can create and attach secondary network interfaces to instances in a VPC that are running these types of applications and configure the additional interfaces with their own public and private IP addresses, security groups, and source/destination checking

Explanation

10 / 25

To provide adequate computer resources for your company portal during busy sales cycles, you have your instances assigned to an EC2 auto scaling group associated with an application load balancer. You are now configuring the health checks for the auto scaling group.

What statement regarding health check configuration options for your auto scaling group is correct?

You can use both EC2 Instance Status Checks and ALB health checks simultaneously for your auto scaling group

You can use either EC2 Instance Status Checks or ALB health checks for your auto scaling group., but not both simultaneously

You can only use ALB health checks as a health check for your auto scaling group

You can only use EC2 Instance Status Checks as a health check for your auto scaling group

Explanation

Both instance status checks and health checks must be enabled before unhealthy instances will be terminated. It is critical that you test not only the saturation and breaking points but also the "normal" traffic profile you expect

Explanation

11 / 25

After reviewing the reports from AWS Trusted Advisor, your company has decided to enable multi-factor authentication for IAM users and the root account. Which of the following MFA options can be used for both account types? (Choose 2 answers)

AWS Security Token Service

SNS Notification Service

A software-based Virtual MFA device

Hardware MFA Device

Explanation

For increased security, AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services. This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS root account.

Explanation

12 / 25

You have started your own consulting business and have been contracted by a doctors office to help move their outdated scheduling and billing system to the cloud. One feature you have offered at low cost is a disaster recovery solution that will keep their offices operational with minimal downtime. You've configured a standby EC2 instance that can be spun up in minutes. What feature can be quickly attached to the standby EC2 instance in a failover situation, to get the standby operational as quickly as possible?

Elastic Load Balancer

IPv6 address

MAC address

Elastic Network Interface

Explanation

An elastic network interface is a virtual network interface that you can attach to an instance in a VPC. Network interfaces are available only for instances running in a VPC. If one of your instances serving a particular function fails, its network interface can be attached to a replacement or hot standby instance pre-configured for the same role to rapidly recover the service.

Explanation

13 / 25

After monitoring your online sales application for the last two weeks of holiday sales, it is apparent that your database tier’s current architectural design is not sufficient. Your database is currently managed within Amazon RDS. The decision is made to scale your instance to a greater size based on database recommendations from the vendor. Your current database storage type is magnetic, and storage usage is currently at 70%.

Which modifications could potentially improve the performance of your database? (Choose 2 answers)

Increase the number of read replicas.

Change the storage type to general-purpose SSD.

Decrease the currently allocated storage space

Increase the currently allocated storage space

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

14 / 25

You are responsible for a web application where the web server instances are hosted in auto-scaling group. You discover the following after monitoring your application workload for the past year:

You need a minimum of nine EC2 instances to handle the lowest levels of activity during non-business hours.
During local business hours, you require between 12-16 instances.
Roughly 35 percent of non-business workload involves backend data processing and analysis.

With this information, what recommendations would you make to minimize operating costs while providing the required availability?

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 scheduled reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase spot instances to handle the data processing workload.

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 convertible reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase nine convertible reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during local business hours. Purchase spot instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase nine standard reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during non-business hours. Purchase spot instances to handle additional capacity needs

Explanation

The spot instances are ideal for the data processing workload during non-business hours, and deducting those instances from your minimum workload requirements leaves roughly six instances that are running all day. Purchase six standard reserved instances to meet this need with the greatest discount. You can then schedule reserved instances to run during business hours to meet the increase, and on-demand instances to scale as needed while providing necessary availability.

Explanation

15 / 25

A customer needs to migrate several hundred terabytes of data into AWS. You typically use Amazon Snowball for these types of requests. What method does AWS recommend regarding data upload to the Snowball appliance? (Choose 2 answers)

Use multiple workstations to run the client software to expedite the transfer.

Use a single workstation to avoid redundant data transfers to the same Snowball appliance

When testing data transfer, avoid long test commands in favor of short ones

Use the latest Mac or Linux Snowball client.

Explanation

Uploading data to the Snowball Appliance requires a client application. The upload is CPU, memory, and networking intensive. If you are uploading large amounts of data, Amazon recommends that you run the client software on multiple workstations to distribute the load and thereby shorten the time the upload will take.

Explanation

16 / 25

Your team has found that a client's load balancer needs to be configured with support for SSL offload using the default security policy. When negotiating the SSL connections between the client and the load balancer, you want the load balancer to determine which cipher is used for the SSL connection. Which actions perform this process on the load balancer? (Choose 3 answers)

Choose the server order preference option

Enable SSL offload.

Select a client configuration preference option

Select the default security policy.

Explanation

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option.

Explanation

17 / 25

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing EC2 budget. They have asked you to identify strategies to reduce the EC2 spend by at least 25% before the next monthly billing cycle. How choices below could assist in accomplishing this? (Choose 3 answers)

Look for opportunities to use reserved or spot instances.

Reduce or eliminate over-provisioned or unused instances.

Look for opportunities to use dedicated instances.

Consolidate AWS accounts for billing.

Explanation

You can reduce EC2 spend by migrating to reserved/spot instances, eliminating/shrinking unused resources, or consolidating AWS accounts (to qualify for volume discounts). The paying account's use of consolidated billing can benefit from volume pricing discounts gained thru aggregate account usage.

Explanation

18 / 25

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. The finance team has approached you, indicating their concern over the growing AWS budget, and has asked you to investigate ways to lower it. Since your firm has enterprise-level support, you decide to use the AWS Trusted Advisor tool for this effort. What are some of the cost optimization checks that Trusted Advisor will perform? (Choose 3 answers)

Underutilized Amazon EBS Volumes

Underutilized Amazon Redshift Clusters

EC2 Spot Instance Optimization

Idle Load Balancers

Explanation

Trusted Advisor checks for Amazon EC2 reserved instances optimization, low utilization of Amazon EC2 instances, idle Load Balancers, underutilized Amazon EBS Volumes, unassociated Elastic IP Addresses, Amazon RDS idle DB instances, Amazon Route 53 Latency Resource Record Sets, Amazon EC2 reserved instance lease expiration and underutilized Amazon Redshift Clusters

Explanation

19 / 25

Which of the following is NOT a characteristic of Amazon Elastic Compute Cloud (Amazon EC2)?

It increases the need to forecast traffic by providing dynamic IP addresses for static cloud computing.

It eliminates your need to invest in hardware up front, so you can develop and deploy applications faster.

It offers scalable computing capacity in the Amazon Web Services (AWS) cloud.

It can be used to launch as many or as few virtual servers as you need.

Explanation

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic

Explanation

20 / 25

Your database is very frequently receiving more read and write requests than it can handle. To process the higher loads more effectively you’ve decided to vertically scale your RDS database instance. You’ve confirmed that your licensing can handle the increased scale; next, you must determine when the changes will be applied. When can you apply the changes? (Choose 2 answers)

When using CloudFront metrics

During the maintenance window for the database instances

Immediately, when choosing a larger instance size

When changing the database storage type

Explanation

When scaling an RDS instance, changes can be applied immediately or during the maintenance window specified. It is also recommended that you before you scale, make sure you have the correct licensing in place for commercial engines (SQL Server, Oracle) especially if you Bring Your Own License (BYOL). One important thing to call out is that for commercial engines, you are restricted by the license, which is usually tied to the CPU sockets or cores.

Explanation

21 / 25

Your team is setting up DynamoDB for a client. You need to explain to them how DynamoDB tables are partitioned. Which calculations are used to determine the number of partitions that will be created? (Choose 2 answers)

The total table size divided by 10 GB

The total RCU divided by 3000 + total WCU divided by 1000

The total RCU divided by 5000 + total WCU divided by 1000

The total table size divided by 40 GB

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

22 / 25

Due to compliance rules and regulations, your company's workload has to run on dedicated instances. How can you make sure that all EC2 instances created for your workload now and in the future are dedicated instances? (Choose 2 answers)

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Explanation

You can create a VPC with an instance tenancy of dedicated to ensure that all instances launched into the VPC are dedicated instances. Alternatively, you can specify the tenancy of the instance during launch

Explanation

23 / 25

You are configuring Amazon Route 53 to route traffic destined for yourwebsite.com to an Application Load Balancer that is configured to distribute traffic in two availability zones in the same AWS region. Which record set should you edit to point traffic for yourwebsite.com to your Application Load Balancer? Select the answer that is the most cost-effective and scalable.

Alias

CNAME

Explanation

yourwebsite.com is a zone apex. Alias record sets can be used to set a zone apex, but CNAME records cannot. Additionally, queries to Alias records that are mapped to an ELB are free. A records are used to map IPv4 addresses to FQDNs, the IP address of the ELB may change. MX records are used for email servers.

Explanation

24 / 25

You have taken on a client that has been configured for AWS cloud and is fully operational. Your investigation of the environment reveals that your predecessor was a highly skilled AWS Architect. You view one instance that handles Internet traffic but also handles back end database traffic in a private subnet. This one instance is configured as a full management network attached to both a public subnet and a private subnet. What AWS device will enable such a configuration for a single instance?

Elastic ip address

Elastic Network Interface

Auto scaling group

Elastic Load Balancer

Explanation

You can create a management network using network interfaces. In this scenario, the secondary network interface on the instance handles public-facing traffic and the primary network interface handles back-end management traffic and is connected to a separate subnet in your VPC that has more restrictive access controls. The public-facing interface, which may or may not be behind a load balancer, has an associated security group that allows access to the server from the Internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the Internet, a private subnet within the VPC or a virtual private gateway.

Explanation

25 / 25

You are helping a client design a static website which will potentially grow exponentially in the first few years of existence. In addition, the website will serve end users in multiple regions throughout the world. You propose using S3 to house this website. What benefits of S3 can you outline in handling a fast growing load as well as multi-region clients? (Choose 2 answers)

S3 can utilize cross-region replication to serve content.

S3 can be integrated with CloudTrail to deliver content throughout the world

S3 can be integrated with CloudFront to deliver content throughout the world

S3 can scale to handle virtually any load given

Explanation

You can store your content in an Amazon S3 bucket and use CloudFront to distribute the content.

If you store your objects in an Amazon S3 bucket, you can either have your users get your objects directly from S3, or you can configure CloudFront to get your objects from S3 and distribute them to your users.

Using CloudFront can be more cost effective if your users access your objects frequently because, at higher usage, the price for CloudFront data transfer is lower than the price for Amazon S3 data transfer. In addition, downloads are faster with CloudFront than with Amazon S3 alone because your objects are stored closer to your users.

Explanation

You can store your content in an Amazon S3 bucket and use CloudFront to distribute the content.

Your score is

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

AWS Certified Solutions Architect Professional – Exam Mode

/75

0 votes, 0 avg

Click Start button to start exam !

Time Out !

1 / 75

You have created an S3 bucket where project managers can upload their projects' files. Project files change frequently, so retaining multiple copies of files when changes occur is essential. Each project is also considered confidential, each project file must be encrypted at rest when stored in S3.

How could you meet these requirements for your bucket and contents?

Server-side encryption should be enabled on the S3 bucket

Delete all prior versions after a certain timestamp alert is met

Enable versioning for the S3 bucket, and encrypt project files using client-side or server-side encryption

Each PM should compress project files and assign a password for compressed files, and encryption needs to be enabled on the bucket

Explanation

Versioning provides redundancy as it keeps multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures.

Explanation

2 / 75

Your company is migrating into Amazon Web Services and has selected the US East region in which to operate. The majority of your work involves interfacing with government departments in the United States and Germany. Your company expects the deployment into the cloud to be up and running in a minimum of time. Before deploying any resources in the European region, what should be your first consideration?

Industry rules and standards

The pre-warming storage and load balancers

European privacy laws

The number of web servers to deploy

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

3 / 75

You have been charged with investigating cloud security options for your company in light of recent suspected threats. You are aware that certain AWS services can help mitigate DDoS attacks, and you are specifically looking for a service that provides protection from counterfeit requests (Layer 7) or SYN floods (Layer 4). Which services provide this protection? (Choose 2 answers)

CloudFront with AWS Shield

VPC Security Groups

Route 53

Amazon API Gateway

Explanation

Amazon API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3). Additional reading is available here (https://aws.amazon.com/api-gateway/faqs/).

AWS Shield Advanced includes intelligent DDoS attack detection and mitigation for not only for the network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks.

NACLs do not provide DDoS mitigation. They are used to control ingress and egress into a subnet based on port and source IP range. Route 53 can protect against DNS based DDoS attacks but does not protect entire layers. Elastic Load Balancing can protect EC2 instances specifically, but not other AWS resources.

Explanation

4 / 75

A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?

In the security group, open port 22 for IP 10.20.30.40

In the security group, open port 22 for IP 10.20.30.40/32

In the security group, open port 22 for IP 10.20.30.40/0

In the security group, open port 22 for IP 10.20.30.40/24

Explanation

In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept and ask it in a CIDR format

Explanation

5 / 75

You are migrating your Oracle database using the AWS Database Migration Service. Due to a large amount of data being replicated, you need the replication process to be continuous. What must be changed on your replication instance to use ongoing replication?

Disable Multi-AZ on the target instance

Increase the number of tables that are cached in RAM.

Enable the Multi-AZ option on the replication instance.

Disable backups on the target instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

6 / 75

An existing client comes to you and says that he has heard that launching instances into a VPC (virtual private cloud) is a better strategy than launching instances into a EC2-classic which he knows is what you currently do. You suspect that he is correct and he has asked you to do some research about this and get back to him. Which of the following statements is true in regards to what ability launching your instances into a VPC instead of EC2-Classic gives you?

Define network interfaces, and attach one or more network interfaces to your instances

All of the things listed here

Change security group membership for your instances while they're running

Assign static private IP addresses to your instances that persist across starts and stops

Explanation

By launching your instances into a VPC instead of EC2-Classic, you gain the ability to: Assign static private IP addresses to your instances that persist across starts andstops Assign multiple IP addresses to your instances. Define network interfaces, and attach one or more network interfaces to your instances Change security group membership for your instances while they're running Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering). Add an additional layer of access control to your instances in the form of network access control lists (ACL). Run your instances on single-tenant hardware

Explanation

7 / 75

Your account has 3 VPCs deployed in the same region.

The IPv4 address ranges of the VPCs are:

VPC A 172.22.0.0/16

VPC B 10.3.0.0/16

VPC C 10.4.0.0/16

VPC B and VPC C are already connected through VPC peering connection (PCX) named pcx-abcxyz. VPC A has resources that VPC B and VPC C must access. Which of the options below best achieves the objective of allowing VPC B and VPC C to access VPC A?

Create separate VPC Peering connections between VPC A & VPC B and VPC A & VPC C

Add static routes to VPC A with Targets of 10.3.0.0/16 and 10.4.0.0/16 and a Destination of pcx-abcxyz

Connect VPC A to pcx-abcxyz

Connect VPC A to VPC B using VPC Peering and allow VPC C to access VPC A through VPC B

Explanation

Creating separate VPC Peering connections between each VPC is required for Peering 3 VPCs together. Transitive routing is not supported in VPC Peering so VPC C could not reach VPC A through VPC B. A new VPC Peering connection is required for connecting additional VPCs, so connecting VPC A to pcx-abcxyz is not a viable option. Adding a static route to VPC A that points to pcx-abcxyz would not work as pcx-abcxyz is not connected to VPC A.

Explanation

8 / 75

You are very concerned about security on your network because you have multiple programmers testing APIs and SDKs and you have no idea what is happening. You think CloudTrail may help but are not sure what it does. Which of the following statements best describes the AWS service CloudTrail?

With AWS CloudTrail you can get a history of S3 logfiles for your account.

With AWS CloudTrail you can get a history of IAM users for your account.

With AWS CloudTrail you can get a history of CloudFormation JSON scripts used for your account.

With AWS CloudTrail you can get a history of AWS API calls and related events for your account.

Explanation

With AWS CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services. You can also identify which users and accounts called AWS APIs for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can identify which users and accounts called AWS for services that support CloudTrail, the source IP address the calls were made from, and when the calls occurred. You can integrate CloudTrail into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CloudTrail logging on and off.

Explanation

9 / 75

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. As the environment and number of active resources continue to grow, your finance team is having a difficult time attributing your AWS costs to the various business units. How can you help the finance team assign costs to the correct business units? (Choose 2 answers)

Give them access to TCO calculator.

Enable Cost and Usage reports.

Set up consolidated billing

Tag all resources with the appropriate business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

10 / 75

You have been contracted to start building the latest and greatest mobile chat app. The schedule for this development and delivery is time critical. What correct mix of AWS services and components should you consider to ensure that your mobile chat app can be produced on time, ensuring that the mobile chat app can authenticate and authorize users?

Create an auto scaling group of EC2 instances with SAML 2.0 service endpoint, setup and install a custom LDAP directory, configure SSO within the mobile app to use the SAML 2.0 service endpoint to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Explanation

Answer “Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization” is correct. The question highlights that the “development and delivery is time critical” - therefore the best approach time wise is to use the fit for purpose managed services provided by AWS - in this case, Amazon Cognito, IAM Roles and Policies, and the AWS Mobile SDK.

Explanation

11 / 75

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing S3 budget. They have asked you to identify strategies to reduce the S3 spend by at least 25% before the next monthly billing cycle.

How could you accomplish this? (Choose 2 answers)

Utilize Infrequent Access storage for objects that are not requested so frequently

Use Snowball for large data objects to avoid data transfer rates

Implement lifecycle to archive older objects to Glacier

Enable object compression to reduce object sizes

Explanation

You can use the infrequent access to reduce the cost of certain classes of objects, as well as send older objects to Glacier for archiving at a much lower cost.

Note that data transfer into S3 is always free. So if you want to reduce your cost, using Snowball might speed up moving large data sets however it will not reduce your cost

Explanation

You can use the infrequent access to reduce the cost of certain classes of objects, as well as send older objects to Glacier for archiving at a much lower cost.

Note that data transfer into S3 is always free. So if you want to reduce your cost, using Snowball might speed up moving large data sets however it will not reduce your cost

12 / 75

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

iSCSI

NFS

Fibre

CIFS

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway's volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

13 / 75

Which modifications could potentially improve the performance of your database? (Choose 2 answers)

Increase the currently allocated storage space

Increase the number of read replicas.

Change the storage type to general-purpose SSD.

Decrease the currently allocated storage space

Explanation

14 / 75

Maintenance will be applied to standby instance first.

Standby instance will become the new primary after maintenance

The old primary will be promoted back to the new primary after maintenance

Maintenance will be applied to the primary instance first

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

15 / 75

Your company is planning to deploy a hybrid environment linking their on-premise database to an application hosted at AWS. When considering performance rather than security, what are key concerns when designing a network between AWS and the on-site database? (Choose 2 answers)

Network latency

Private network access

Control of data resources

Network bandwidth

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

16 / 75

You are an administrator managing Windows File Servers in Amazon Web Services. You need to set up a fault-tolerant system to protect your shared files. You decide to use DFS Namespaces and DFS Replication.

Which of the following are prerequisites? (Choose 2 answers)

An Active Directory Schema of 2008 R2 or later

File servers running Windows Server 2008 R2

File servers running Windows Server 2012 R2

The File Server Resource Manager role installed by your domain controllers

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

Explanation

The technical requirements are file servers running Windows Server 2012 R2 and an Active Directory Schema of at least Server 2008 R2.

17 / 75

A legacy application in your company has been deployed in a single availability zone. It is used only sporadically but must be available nevertheless. Due to your heavy administrative workload, you wish to automate a process that will rebuild the application automatically if it fails. What action should you take?

Configure the server in an auto scaling group with a minimum and maximum size of one

Add an additional availability zone and a load balancer.

Perform snapshots of EBS volumes on a set schedule.

Monitor the server availability using Cloud Watch metrics to receive alerts of health check failures.

Explanation

Auto scaling provides redundancy for a single server with the option of launching a configuration using the attributes from a running instance. When you use this option, auto scaling copies the attributes from the specified instance into a template from which you can launch one or more auto scaling groups.

Note that if the specified instance has properties that are not currently supported by auto scaling, instances launched by auto scaling using the launch configuration created from the identified instance might not be identical to the identified instance.

Explanation

18 / 75

Your company has recently discovered a massive security leak in which several users' access credentials were compromised. As a response, the Senior IT Security Manager has requested you to prevent all high-risk data from being modified or deleted by any users, including the root user.

What if the most efficient way to implement this security measure?

Migrate the high-risk data to new S3 buckets and enable object locks. Configure a retention mode of compliance mode.

Enable object locks for all existing buckets with high-risk data. Configure a retention mode of governance mode.

Migrate the high-risk data to new S3 buckets and enable object versioning. Enable MFA Delete for all buckets.

Enable object versioning for all existing buckets with high-risk data. Enable a default legal hold for the bucket

Explanation

There are a few key points to this question:

Object locks can prevent objects from modification or deletion; objection versioning does not - it only maintains versions of an object until those versions are deleted.
Users can only enable Object locks can on new S3 buckets.
Object locks have two retention modes - governance mode and compliance mode. Compliance mode prevents objects from being deleted or updated by users, including the root user. Governance mode allows objects to be modified, but prevents objects from being deleted.

Explanation

There are a few key points to this question:

Object locks can prevent objects from modification or deletion; objection versioning does not - it only maintains versions of an object until those versions are deleted.
Users can only enable Object locks can on new S3 buckets.
Object locks have two retention modes - governance mode and compliance mode. Compliance mode prevents objects from being deleted or updated by users, including the root user. Governance mode allows objects to be modified, but prevents objects from being deleted.

19 / 75

You wish to perform detailed monitoring on servers that are marked as unhealthy before they are terminated. After researching the issue, you find that lifecycle hooks can be deployed as necessary. Which strategies could you use to perform detailed monitoring? (Choose 2 answers)

Define a notification target for the lifecycle hook

Use a CloudWatch event to invoke a Lambda function

Query 160.254.169.254 when instances are first marked as unhealthy

Create a longer cooldown period in the launch configuration

Explanation

Lifecycle hooks allow customization of existing auto-scaling groups

Explanation

Lifecycle hooks allow customization of existing auto-scaling groups

20 / 75

Your developers have created a sales application that works in tandem with the no SQL database. To ensure the fastest response for the application in production, the developers wish to remove the need to wait for acknowledgments from the database to the application after data have been sent. The acknowledgments can be stored and accessed asynchronously. Which managed application would be the best choice for their design?

Simple Workflow Service

AWS Config

Simple Queue Service

CloudWatch Logs

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

21 / 75

You’ve been contracted by a client to improve the resiliency of their VPC in preparation for increased Disaster Recovery requirements with shorter RTO and RPOs. One thing you’d like to improve upon is resource and application monitoring. Which services used together will allow for the monitoring of application logs on EC2, notification of users managing the services, and the overall health of AWS resources? (Choose 2 answers)

Trusted Advisor

CloudFront

SNS

Cloudwatch

Explanation

Amazon SNS and CloudWatch are integrated so you can collect, view, and analyze metrics for every active Amazon SNS notification. By configuring CloudWatch for Amazon SNS, you can gain better insight into the performance of your Amazon SNS topics, push notifications, and SMS deliveries.

Explanation

22 / 75

Your company is migrating their environment to AWS. The legacy environment relied on Chef for automation, and your engineers are comfortable with that solution. In addition, your compliance officer has indicated that the new environment needs centralized, auditable configuration management for regulatory reasons. Which of the following AWS automation tools is most appropriate for this scenario?

OpsWorks for Chef Automate

Elastic Beanstalk

CloudFormation

OpsWorks stacks

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

23 / 75

As the Senior Architect assigned to your team, you must decide how to best maintain your application's availability and ensure optimum service as the level of customer activity changes. As your business has grown an increasing international presence, the previous methods for tracking activity are no longer working. However, reviewing performance logs for the past several days, you've noticed that users experience connectivity issues once the CPU utilization rate increases beyond 70 percent. You would like to maintain optimum performance, you need to ensure CPU utilization remains at 50 percent.

What choice below will best address the issue and help maintain optimum performance? (Choose 2 answers)

Create a CloudWatch Event to trigger a scaling activity once CPU utilization passes 50 percent

Enable CloudWatch monitoring for your EC2 auto scaling group with detailed monitoring

Create a Target Tracking policy using AWS EC2 Auto Scaling

Enable CloudWatch monitoring for your EC2 auto scaling group with basic monitoring

Explanation

With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value. The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the target value, a target tracking scaling policy also adjusts to the changes in the metric due to a changing load pattern.

Explanation

24 / 75

Your team is developing an application using Elastic Beanstalk and discussing the most appropriate environment for deployment. What two types of environments can be created when using Elastic Beanstalk? (Choose 2 answers)

Single-instance environment

Multi-region, multiple-instance environment

Web worker environment

Load-balancing and auto-scaling environment

Explanation

In Elastic Beanstalk, you can create a load-balancing, autoscaling environment or a single-instance environment. The type of environment that you require depends on the application that you deploy. For example, you can develop and test an application in a single-instance environment to save costs and then upgrade that environment to a load-balancing, autoscaling environment when the application is ready for production.

Explanation

25 / 75

You’ve designed a public portal (with a MySQL database) featuring popular scientific journals. Due to its popularity, users are complaining it takes much longer to review selected journals than in the past. In addition, the popularity of your site is worldwide.

What are the first steps that you should take to resolve your performance issues? (Choose 2 answers)

Place additional read replicas in AWS regions closer to your users

Redesign your database as a Multi-AZ solution

Create a read replica of your master database

Deploy ElasticSearch for faster searching of available scientific journals

Explanation

Read replicas of your master database allow you to increase performance. Placing your read replicas in different AWS regions closer to your users will maximize performance and increase the availability of your database.

Explanation

26 / 75

A client of yours has a huge amount of data stored on Amazon S3, but is concerned about someone stealing it while it is in transit. You know that all data is encrypted in transit on AWS, but which of the following is wrong when describing server-side encryption on AWS?

In server-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools.

Amazon S3 server-side encryption employs strong multi-factor encryption.

Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data

Server-side encryption is about data encryption at rest--that is, Amazon S3 encrypts your data as it writes it to disks.

Explanation

Amazon S3 encrypts your object before saving it on disks in its data centers and decrypts it when you download the objects. You have two options depending on how you choose to manage the encryption keys: Server-side encryption and client-side encryption. Server-side encryption is about data encryption at rest--that is, Amazon S3 encrypts your data as it writes it to disks inits data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects. In client-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools. Server-side encryption is an alternative to client-side encryption in which Amazon S3 manages the encryption of your data, freeing you from thetasks of managing encryption and encryption keys. Amazon S3 server-side encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a masterkey that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256- bit Advanced Encryption Standard (AES-256), to encrypt your data

Explanation

27 / 75

Idle Load Balancers

Underutilized Amazon EBS Volumes

Underutilized Amazon Redshift Clusters

EC2 Spot Instance Optimization

Explanation

28 / 75

You have an application that is generating a log file every 5 minutes and you need to store these log files appropriately. The requirements for storing the log files are:

They should be quickly retrievable when needed, as they may be required only for verification in case of some major issue.
The logs will need to be accessed frequently, as all log data is retrieved and compiled from the files into a bi-monthly report.
The logs are essential to quarterly audits, so the storage solution must offer a high level of durability.
Cost should also be minimized for the storage service as much as possible.

Which of the storage options below is the best choice to meet these requirements?

Amazon S3 OneZone-IA

Amazon S3 Glacier

Amazon S3 Standard - Infrequent Access (IA)

Amazon S3 Standard

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Standard is for Amazon S3 and provides very high durability. Standard - Infrequent Access is designed for with a minimum data amount required and paid storage for at least 30 days. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files.

S3 OneZone IA is a variation of Standard-IA, which offers data archival at a reduced price, but also with less durability because the data within this class is stored within a single availability zone rather than spread throughout all availability zones within the S3 buckets region, as it is with S3 Standard storage.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

29 / 75

Your company is migrating its infrastructure to AWS. When considering the migration level effort required, you determine there are a select number of VMs that fall under the “very low effort” category. After considering third-party migration options, you decide to utilize available AWS tools. What tools are available for migrating VMs to the AWS cloud? (Choose 2 answers)

AWS Snowball

AWS Snowmobile

AWS VM Import

AWS S3 Import

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

30 / 75

When changing the database storage type

When using CloudFront metrics

During the maintenance window for the database instances

Immediately, when choosing a larger instance size

Explanation

31 / 75

You are creating an application that stores extremely sensitive financial information. All information in the system must be encrypted at rest and in transit. Which of these is a violation of this policy?

ELB Using Proxy Protocol v1

CloudFront Viewer Protocol Policy set to HTTPS redirection

Elastic Load Balancer SSL termination.

Telling S3 to use AES-256 encryption on the server-side

Explanation

Terminating SSL terminates the security of a connection over HTTP, removing the S for "Secure" in HTTPS. This violates the "encryption in transit" requirement in the scenario.

Explanation

Terminating SSL terminates the security of a connection over HTTP, removing the S for "Secure" in HTTPS. This violates the "encryption in transit" requirement in the scenario.

32 / 75

In Elastic Load Balancing, what parameters determine the cost for the Application Load Balancer (ALB)? (Choose 2 answers)

Load Capacity Units (LCUs) used per hour

GB of data transferred

Only hours that an ELB is running and the amount of storage the instance takes

Each hour or partial hour that an ELB is running

Explanation

Application Load Balancer
You are charged for each hour or partial hour that an Application Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used per hour.

Network Load Balancer
You are charged for each hour or partial hour that a Network Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used by Network Load Balancer per hour.

Classic Load Balancer
You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.

Explanation

Application Load Balancer
You are charged for each hour or partial hour that an Application Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used per hour.

Classic Load Balancer
You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.

33 / 75

You are performing some testing of an application in development and wish to delete the parts of a multipart upload after a mistake is made with part numbering. Which command would you run to stop the upload and delete all the parts?

Remove multipart upload

Cancel multipart upload

Delete multipart upload

Abort multipart upload

Explanation

To delete the parts of a failed multipart upload so that you do not get charged for storage of those parts, you must use the command “Abort Multipart Upload” and provide the upload ID of upload you wish to abort. After aborting a multipart upload, you cannot upload any part using that upload ID again. All storage that any parts from the aborted multipart upload consumed is then freed.

Explanation

34 / 75

Your company decided to create AWS Account and start moving some workloads to the cloud. The security team would like to utilize the existing identity and access management system which is based on Active Directory to manage access to the new AWS Account. For that reason you decided to use SAML federation to allow users in local identity and access management system access to AWS Services.

Which of the following are primary components in SAML Federation configuration for the new AWS account? (Choose 2 answers)

IAM Roles matching Active Directory groups that you would like to allow access to AWS

SAML-Based identity provider has to be available to be used with company's identity store (Active Directory)

Direct Connect or VPN connectivity must be established between AWS and your company's data center

IAM trust policy that allows external identity store like Active Directory to be used as the primary IDP for this AWS account

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

1- Inside your organization's network, you configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) like Windows Active Directory Federation Services

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

3- You also need to create roles that will map to allowed groups in company's identity store, members of these groups will be presented with set of roles that map to their group membership to choose which role they would like to assume while logging in to AWS console

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

35 / 75

What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

5 Gigabit

Very High but variable

10 Gigabit

20 Gigabit

Explanation

Networking performance offered by the c4.8xlarge instance is 10 Gigabit

Explanation

Networking performance offered by the c4.8xlarge instance is 10 Gigabit

36 / 75

Amount of data required for backup each day after on-premise data deduplication and compression

Amount of data required for backup each day before on-premise data deduplication and compression

Compute power of on-premises instances that need to be backed up

Net available bandwidth between on-premises and AWS over the public internet or Direct Connect line.

Explanation

37 / 75

Select the default security policy.

Enable SSL offload.

Select a client configuration preference option

Choose the server order preference option

Explanation

38 / 75

You are developing a new application in which you need to transfer files over long distances between client-side storage and an S3 bucket. You decide to try sending data to the S3 bucket using S3 Transfer Acceleration. What must you do to achieve this? (Choose 2 answers)

Use the CLI S3 accelerate upload commands.

Use the SDK S3 accelerate upload commands

Use the new accelerate endpoints to transfer your data to S3.

Turn on S3 Transfer Acceleration for the bucket.

Explanation

After you turn on S3 Transfer Acceleration for a bucket, two new endpoints are created for the bucket: one for IPv4 and one for IPv6. You can use either the accelerate endpoints or the standard endpoints if you choose not to use the accelerate feature.

Explanation

39 / 75

You have determined specific instances will need to be resized by either scaling the instance(s) up or down.

What basic rules apply when resizing EC2 instances? (Choose 2 answers

Instances need to have the same virtualization type

Instances with limited storage compatibility require migration instead of resizing

You can only resize spot or on-demand instances but not reserved instances

Instances need to be from the same AMI

Explanation

40 / 75

You are architecting for a hybrid cloud solution that will require continuous connectivity between on-premises servers and instances on AWS. You found that the connectivity between on-premises and AWS does not require high bandwidth for now so you decided to go with resilient VPN connectivity. Which of the following services are part of establishing a resilient VPN connection between on-premises networks and AWS? (Choose 3 answers)

Customer gateway

Public VIFs

Virtual private gateway

VPN connection

Explanation

A customer gateway CGW is the anchor on the customer side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway VGW. There are two lines between the customer gateway and virtual private gateway because the VPN connection consists of two tunnels in case of device failure. When you configure your customer gateway, it's important you configure both tunnels.

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

Explanation

The VPN connection will connect VGW attached to certain VPC and CGW on AWS.

Public and Private Virtual Interfaces VIFs are part of configuring a Direct Connect between on-premises and AWS

41 / 75

Your organization is migrating applications to AWS. Your new security policy mandates that all user accounts be created and managed through IAM. Currently, your corporation is using Active Directory as their on-premise LDAP service. Once applications go live at AWS, all users must access applications using temporary access credentials, and all IAM users must have passwords that are rotated on a set schedule. Which of the following actions will allow you to enforce this security policy? (Choose 3 answers)

Create required IAM user accounts

Disable the root account for your AWS account.

Create and enforce a password expiration policy option for all IAM users.

Deploy federation services that support the Security Token Service

Explanation

STS is the “glue” that supports temporary access credentials for federation. If you are running code, AWS CLI, or Tools for Windows PowerShell commands inside an EC2 instance, you can take advantage of roles for Amazon EC2. Otherwise, you can call an AWS STS API to get the temporary credentials, and then use them explicitly to make calls to AWS services.

Explanation

42 / 75

An organization has launched five instances: two for production and three for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often be deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production, and testing will not change in the foreseeable future.

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Define the IAM policy that allows access based on the instance ID

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Launch the test and production instances in separate regions and allowing region wise access to the group

Explanation

AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parameters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.
"Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/InstanceType": "Production" } } } ]

Explanation

43 / 75

You configured a VPC with web servers hosted on EC2 instances in an EC2 Auto Scaling group in a public subnet. You then create a private subnet and deploy your Amazon RDS database servers in it.

You grant a database administrator access to the RDS database instance, but she is unable to connect to it.

What steps can you take to resolve the issue?

Use a different port for ingress.

Create a key pair for your database administrator to log in

Configure single sign-on for your database administrator.

Create a security group with specific ingress and egress rules for the DB instance

Explanation

When you are unable to connect to a new database, it is often because the DB instance creation is still in progress and is not available yet. A reasonable amount of time to wait (at most) is 20 to 30 minutes. Beyond that, there is likely a problem. A common pattern in DB implementation involves placing databases in private subnets for additional security. If you follow this practice, make sure that the Security Groups provide appropriate ingress and egress to the DB instance

Explanation

44 / 75

Which of the following is NOT a characteristic of Amazon Elastic Compute Cloud (Amazon EC2)?

It eliminates your need to invest in hardware up front, so you can develop and deploy applications faster.

It can be used to launch as many or as few virtual servers as you need.

It increases the need to forecast traffic by providing dynamic IP addresses for static cloud computing.

It offers scalable computing capacity in the Amazon Web Services (AWS) cloud.

Explanation

45 / 75

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Explanation

46 / 75

You are a DBA at a rapidly growing company and you want to shorten failover time for your Amazon RDS SQL Server database. Which strategies will shorten failover time? (Choose 2 answers)

Use larger transactions.

Configure the health check using shorter intervals.

Use smaller transactions

Ensure you have provisioned sufficient IOPS.

Explanation

Recovery takes IOPS; therefore, insufficient IOPS will slow down failover time. Database recovery relies on transactions; therefore, smaller transactions will shorten failover time.

Explanation

Recovery takes IOPS; therefore, insufficient IOPS will slow down failover time. Database recovery relies on transactions; therefore, smaller transactions will shorten failover time.

47 / 75

You are configuring your application's compute layer using AWS EC2 Auto Scaling. When configuring the group's capacity, you have set the auto scaling group's minimum capacity to four, the desired capacity to 8, and the maximum capacity to 16. When you deploy your auto scaling group, and the instances have completely deployed, how many instances will there be within your group?

Explanation

You configure the size of your Auto Scaling group by setting the minimum, maximum, and desired capacity. The minimum and maximum capacity are required to create an Auto Scaling group, while the desired capacity is optional. If you do not define your desired capacity upfront, it defaults to your minimum capacity.

By default, the minimum, maximum, and desired capacity are set to one instance when you create an Auto Scaling group from the console. If you change the desired capacity, the capacity that you specify will be the total number of instances launched right after creating your Auto Scaling group.

An Auto Scaling group is elastic as long as it has different values for minimum and maximum capacity. All requests to change the Auto Scaling group's desired capacity (either by manual scaling or automatic scaling) must fall within these limits.

If you choose to automatically scale your group, the maximum limit lets Amazon EC2 Auto Scaling scale out the number of instances as needed to handle an increase in demand. The minimum limit helps ensure that you always have a certain number of instances running at all times

Explanation

48 / 75

Your company wants to migrate an on-premises SQL Server DB to AWS RDS SQL Server. As the DBA, you have determined that your database can be offline while the backup is created, copied, and restored. You decide to use native backup and restore. Which steps are required during setup? (Choose 3 answers)

Create an AWS IAM role for access to the S3 bucket

Add the SQLSERVER_BACKUP_RESTORE option to an option group on your DB instance.

Turn on compression for your backup files by running “exec rdsadmin..rds_set_configuration ‘S3 backup compression’, ‘true.’”

Create an Amazon S3 bucket for your backup files

Explanation

There are three components you'll need to set up for native backup and restore: an Amazon S3 bucket to store your backup files; an AWS Identity and Access Management (IAM) role to access the bucket, and the SQLSERVER_BACKUP_RESTORE option added to an option group on your DB instance.

Explanation

49 / 75

Elastic Load Balancer

Elastic Network Interface

IPv6 address

MAC address

Explanation

50 / 75

Hardware MFA Device

SNS Notification Service

A software-based Virtual MFA device

AWS Security Token Service

Explanation

51 / 75

You have 4 Direct Connect (DX) connections to your VPC from your Chicago, Boston, Houston, and Orlando offices. Your VPC’s address range is 10.20.0.0/16. You are using BGP routing. You would like to ensure AWS uses the Chicago connection to reach the IP addresses ranging from 10.20.30.0-10.20.30.127 on your network. The other three locations are currently advertising the following routes:

Boston: 10.20.0.0/16 AS 65000

Houston: 10.20.30.0/24 AS 65000 65000

Orlando: 10.20.30.254/32 AS 65000 65000 65000

Which of the following routes could you advertise from your Chicago connection to ensure AWS uses it to access IP addresses ranging from 10.20.30.0-10.20.30.127?

10.20.128.0/17 AS 65000

10.20.30.0/25 AS 65000 65000 65000

10.20.30.0/23 AS 65000 65000

10.20.30.128/26 AS 65000

Explanation

AWS will choose the most specific route first. If routes are equal after checking for the most specific routes, AWS will use AS path prepending to determine which route is preferred. In this example, 10.20.30.0/25 is more specific than 10.20.30.0/24 and 10.20.0.0/16, so AS path prepending will not matter. The other options are either outside of the address range in question (10.20.30.128/26 and 10.20.128.0/17) or less specific than the route advertised by Houston (10.20.30.0/23). The route advertised from Orlando, 10.20.30.254/32, identifies a single IPv4 address that is outside of the range in question

Explanation

52 / 75

Mappings

Conditions

Transform

Metadata

Explanation

53 / 75

Your organization is thinking of running parts of their workload on AWS while keeping the critical and sensitive servers on-premises with continuous connectivity between instances in AWS and corporate data center. In such a hybrid cloud environment what are the minimum requirements to maintain resilient continuous connectivity between AWS and corporate data center?

A primary and a backup direct connect line connected to the primary router in the corporate data center

A primary direct connect line connected to at least two routers in the corporate data center

A primary direct connect line and a VPN connection for backup connected to the corporate primary router

A primary and a backup direct connect line and at least two routers in the corporate data center

Explanation

In Hybrid cloud environment where connectivity between AWS and Corporate datacenter is critical, redundant active/active or active/passive configurations should be implemented for connectivity resources. redundancy has to be on both sides (AWS and On-premises) hence the minimum requirements to implement this architecture is two direct connect lines and two customer devices (ideally in two different data centers)

Explanation

54 / 75

Your on-premise bare-metal servers are over five years old. You’re considering moving to AWS. The offerings of virtual instances far surpass what you can access on-premises. Before you choose your test instance at AWS, what questions should you ask? (Choose 3 answers)

How much network bandwidth do you need?

What is the average server utilization?

What is the cost of over-provisioning?

When peak load occurs, how much over-provisioning is required?

Explanation

On-premises data centers have costs associated with the servers, storage, networking, power, cooling, physical space, and IT labor required to support applications and services running in the production environment. For servers, these questions are most applicable: What is your average server utilization? How much do you overprovision for peak load? What is the cost of over-provisioning?

Explanation

55 / 75

You are looking for a simple way to configure high availability for your EC2 instances. You need to create a plan for replacing unhealthy or failed instances. It is acceptable to have a short amount of downtime to keep costs down. Which process is appropriate for achieving this?

Create a custom AMI of your EC2 instances. Use the custom AMI to create a new EC2 instance if there are issues with a current EC2 instance, and move the EIP to the new instance.

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Recover this instance.”

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Reboot this instance.”

Create a custom AMI and use it to create an Auto Scaling Launch Configuration; then create a “Steady State” auto scaling policy using a minimum of 2 instances and a maximum of 2 instances.

Explanation

Creating a custom AMI of the instance for which you are trying to provide HA allows you to bring the instance online quickly with no build time. Moving the EIP from the instance, you are replacing to the new instance will send all traffic to the new instance without any change to DNS, which would take time to propagate. Using the AutoRecover option will not replace the unhealthy or failing instance. It will only try to restart it on another host. Creating a “Steady State” Auto Scaling Group would also be a good solution, although using two as a minimum would have a higher cost.

Explanation

56 / 75

You are responsible for a web application where the web server instances are hosted in auto-scaling group. You discover the following after monitoring your application workload for the past year:

You need a minimum of nine EC2 instances to handle the lowest levels of activity during non-business hours.
During local business hours, you require between 12-16 instances.
Roughly 35 percent of non-business workload involves backend data processing and analysis.

With this information, what recommendations would you make to minimize operating costs while providing the required availability?

Explanation

57 / 75

A bucket owner from Account Red allows Account Blue's IAM users to upload and access objects in his bucket.

One of Account Blue's IAM users tries to access an object in the bucket. The object is owned by an IAM user from Account Red who is not the bucket owner.

How will Amazon S3 process this request?

Amazon S3 verifies permissions granted by Account Blue's IAM administrator, by the bucket owner, and by the object owner.

Amazon S3 only verifies permissions granted by the bucket owner

Amazon S3 only verifies permissions granted by the bucket owner and object owner

Amazon S3 only verifies permissions granted by the object owne

Explanation

If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

Explanation

58 / 75

You are creating a custom Virtual Private Cloud (VPC) which will host a mix of public and private instances. An EC2 instance has been deployed to one of the public subnets in this VPC. What are the configurations that have to be implemented to make this instance accessible from the internet? (Choose 3 answers)

Create a new record set and custom domain name for the new instance in Route 53

Edit security group to allow traffic to and from the internet on required ports

Make sure the instance has a public IP address

Attach an Internet gateway to the VPC and add a default route to the IGW in public subnet's route table

Explanation

Public and private subnets, except for the default VPC, do not automatically have Internet access enabled. To enable access to or from the Internet for instances in a VPC subnet, you must do the following:

Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance

Explanation

Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance

59 / 75

A web application hosted on 40 EC2 instances allows traffic on port 80. The 40 EC2 instances are assigned to the same security group, and located in different subnets within the same VPC. The organization is planning to use one of these 40 instances for testing an application running on port 8080. You have created a new security group that allows inbound and outbound traffic on port 8080.

What additional steps can allow you to test the new application with minimal additional cost or disruption to your current infrastructure? (Choose 2 answers)

Attach an ENI with port 8080 opened to an existing instance.

Assign the new security group to the newly attached ENI.

Assign the instance's primary network interface to the new security group.

Launch an instance in a new subnet.

Explanation

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.

The ENI allows the user to change the security group of a running instance. Thus, in the present scenario when the organization wants to have a separate security group for one of the instances, it should change the security group of that ENI. This avoids the cost and time of deploying a new instance or configuring a new subnet, or changing the configuration of an existing security group.

Explanation

60 / 75

Your new client is a federal agency utilizing a hybrid cloud environment. The agency distributes large amounts of sensitive data throughout the world. Your task is to ensure that the data is secure using various encryption techniques as well as security groups and access control lists.

One of the requirements is to distribute content utilizing CloudFront for optimal performance but to completely restrict access from within certain blacklisted countries. What service can you use with CloudFront to fulfill this requirement?

Server-side encryption

firewall rules

IAM roles

Geo-restriction

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

61 / 75

Simple Monthly Calculator

TCO Calculator

Cost Explorer

Detailed Billing Reports

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

62 / 75

Amazon S3 allows you to set per-file permissions to grant read and/or write access. However, you have decided that you want an entire bucket with 100 files already in it to be accessible to the public. You don't want to go through 100 files individually and set permissions. What would be the best way to do this?

Use Amazon EBS instead of S3

Move the files to a new bucket.

Add a bucket policy to the bucket.

Move the bucket to a new region

Explanation

Amazon S3 supports several mechanisms that give you flexibility to control who can access your data as well as how, when, and where they can access it. Amazon S3 provides four different access control mechanisms: AWS Identity and Access Management (IAM) policies, Access Control Lists (ACLs), bucket policies, and query string authentication. IAM enables organizationsto create and manage multiple users under a single AWS account. With IAM policies, you can grant IAM users fine-grained control to your Amazon S3 bucket or objects. You can use ACLs to selectively add (grant) certain permissions on individual objects. Amazon S3 bucket policies can be used to add or deny permissions across some or all of the objects within a single bucket. With Query string authentication, you have the ability to share Amazon S3 objects through URLs that are valid for a specified period of time.

Explanation

63 / 75

Use multiple workstations to run the client software to expedite the transfer.

Use the latest Mac or Linux Snowball client.

When testing data transfer, avoid long test commands in favor of short ones

Use a single workstation to avoid redundant data transfers to the same Snowball appliance

Explanation

64 / 75

You are managing cloud storage for your company, which wants the technical staff to have some latitude in managing the buckets under your supervision. In an effort to increase visibility and accountability on bucket management, you'd like to know who is accessing the buckets and to be notified of delete actions.

What features can provide this information for S3 buckets? (Choose 2 answers)

View the S3 event logs

Enable S3 Server Access Logs on the buckets

Turn on S3 Event Notifications for delete actions

Enable CloudWatch Logs

Explanation

S3 Event Notifications can be set up on objects stored in S3. An event could be set up to notify when a delete is performed. Logging is turned off by default but can be enabled. When enabled, they can track requests to your S3 bucket.

S3 Server Access Logging tracks detailed information not currently available with CloudWatch metrics or CloudTrail logs. To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Explanation

65 / 75

You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

Amazon SQS is for single-threaded sending or receiving speeds.

Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds

Amazon SQS is a non-distributed queuing system.

Explanation

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.

Explanation

66 / 75

You have begun your migration into Amazon Web Services using the AWS Database Migration Service. You are pleased that there are no errors; however, the migration tasks are running slowly. You review the resources that have been assigned to the AWS DMS replication instance, and they seem to be adequate. Which other task could you perform to help speed up the initial migration tasks?

Enable multi-availability zones on the target database instance.

Increase the IOPs on the replication instance.

Turn off all logging on the target database

Reduce the frequency of automatic backups.

Explanation

Turning off automatic backups or logging on the target database during the migration will help increase the speed of the initial migration load.

Explanation

Turning off automatic backups or logging on the target database during the migration will help increase the speed of the initial migration load.

67 / 75

You are the DevOps engineer at a mid-sized technology firm, responsible for the automated disaster recovery of your company’s AWS infrastructure. Your supervisor has recently learned about the EC2 Auto Recovery feature, and she has asked you to evaluate whether or not it would be a good fit for your environment. She is particularly interested in the types of failures it can detect. Which conditions would be detectable by EC2 Auto Recovery? (Choose 3 answers)

Loss of network connectivity

Software or hardware issues on the physical host (hypervisor)

Application errors or crashes

Loss of system power

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

Explanation

EC2 Auto Recovery can detect any condition that will cause a system status check to fail, including hypervisor problems or loss of power/network connectivity.

68 / 75

Your company is considering migrating to AWS, but they are concerned about the initial and mid- to short-term costs due to the complexity of the migration cycle. To effectively calculate the total cost of ownership, certain costs must be understood and planned for.

What costs should be primary considerations? (Choose 3 answers)

The cost of running duplicate environments

The cost of using a Direct Link connection

The cost of outside consulting services

The cost of running migration tools

Explanation

Failing to accurately estimate your costs before migration and during the migration process is a recipe for disaster. To build a migration model for optimal efficiency, it is important to accurately understand the current costs of running on-premises applications, as well as the interim costs incurred during the transition

Explanation

69 / 75

You are placed in charge of a client's existing AWS cloud environment. They have several web servers in a public subnet and three database servers in a private subnet. The database is an RDS solution using SQL Server. AWS limits the types of changes the customer can make to the underlying infrastructure. What change will you be responsible for when administering this RDS database?

Setting up database accounts and privileges for non-admin

Patching the database instance operating system

Performing daily database backups

Deploying virtual infrastructure

Explanation

Amazon RDS manages the work involved in setting up a relational database: from provisioning the infrastructure capacity you request to installing the database software. Once your database is up and running, Amazon RDS automates common administrative tasks such as performing backups and patching the software that powers your database. With optional multi-AZ deployments, Amazon RDS also manages synchronous data replication across Availability Zones with automatic failover.

Since Amazon RDS provides native database access, you interact with the relational database software as you normally would. This means you're still responsible for managing the database settings that are specific to your application. You'll need to build the relational schema that best fits your use case and are responsible for any performance tuning to optimize your database for your application’s workflow.

Explanation

70 / 75

A non-root EC2 instance store volume is added to an EBS-backed EC2 instance. Then the instance is somehow accidentally terminated or failed. What happened to the data on the non-root EC2 instance store volume?

The data is automatically copied to another instance store volume

The volume data is saved in S3

The data is deleted

The data persists.

Explanation

EC2 instance store volumes can be added as additional volumes to certain EBS-backed EC2 Instance types. Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues).

Explanation

71 / 75

A user is currently building a website which will require a large number of instances in six months, when a demonstration of the new site will be given upon launch. Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the demonstration?

Procure all the instances as reserved instances beforehand.

Ask AWS now to procure the dedicated instances in 6 months.

Pre-warm all the instances one month prior to ensure resource availability.

Launch all the instances as part of the cluster group to ensure resource availability.

Explanation

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Explanation

72 / 75

A national auto parts chain contracted your firm to design and implement their AWS environment. It is a very large-scale system that handles order processing, accounting, stocking, and logistics. This system spans multiple availability zones and requires a multi-AZ environment for high availability. The system has been implemented and you need to test the database failover mechanism. It is imperative that the failover occurs within the specified RTO. How can you consistently test database failover?

Contact Amazon to conduct a failover test.

Amazon has thoroughly tested failover and customers can not test failover.

Backup then delete the primary database instance

Reboot the primary database instance

Explanation

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. Multi-AZ deployments utilize synchronous replication, making database writes concurrently on both the primary and standby so that the standby will be up-to-date in the event a failover occurs.

Explanation

73 / 75

Your company uses an on-premise identity system such as Active Directory to authenticate users locally. You would like to grant the same users access into the AWS console without requiring them to authenticate again. What possible solution below can be used to provide this type of access:

If your company's identity system is compatible with OpenID Connect (OIDC), establish trust between your company's identity system and AWS

If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS

If your company's identity system is compatible with OAuth 2.0, establish trust between your company's identity system and AWS

If your company's identity system is compatible with Kerberos, establish trust between your company's identity system and AWS

Explanation

Answer “If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS” is correct. AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS API operations without you having to create an IAM user for everyone in your organization.

Explanation

74 / 75

What does Amazon DynamoDB provide?

A fast, highly scalable managed NoSQL database service

A standalone Cassandra database, managed by Amazon Web Services

A predictable and scalable MySQL database

A fast and reliable PL/SQL database cluster

Explanation

Amazon DynamoDB is a managed NoSQL database service offered by Amazon. It automatically manages tasks like scalability for you while it provides high availability and durability for your data, allowing you to concentrate in other aspects of your application

Explanation

75 / 75

Volume Queue Length

Disk Performance (Read and Write OPS)

Memory Utilization

CPU Utilization

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

Your score is

The average score is 16%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Professional – Free Practice Tests

AWS Certified Solutions Architect Professional – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Professional – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation