AWS Certified Solutions Architect Professional - Free Practice Tests

This AWS practice test helps you to pass the following AWS exams and can also helps you to revise the AWS concepts if you are preparing for AWS interviews.

AWS Certified Solutions Architect Professional
AWS Certified Solutions Architect Associate
AWS Certified Cloud Practitioner

Below AWS practice tests has two different Modes

Learning Mode: 25 questions per test with answers and explanation, no time limit, repeat tests
Exam Mode: 75 questions per test (similar to real AWS exam), 180 minutes, repeat tests

AWS Certified Solutions Architect Professional – Learning Mode

/25

1 votes, 5 avg

AWS Certified Solutions Architect Professional - Learning Mode

1 / 25

An organization has launched five instances: two for production and three for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often be deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production, and testing will not change in the foreseeable future.

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Define the IAM policy that allows access based on the instance ID

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Launch the test and production instances in separate regions and allowing region wise access to the group

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Explanation

AWS Identity and Access Management is a web service that allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on various parameters. If the organization wants the user to access only specific instances, he should define proper tags and add to the IAM policy condition. The sample policy is shown below.
"Statement": [ { "Action": "ec2:*", "Effect": "Allow", "Resource": "*", "Condition": { "StringEquals": { "ec2:ResourceTag/InstanceType": "Production" } } } ]

Explanation

2 / 25

Your company has decided to use cloud methods for disaster recovery. The company is most concerned with RTO and RPO and is willing to accept the extra cost of Warm Standby over Pilot Light. When a disaster occurs, your top priority is to increase the processing capacity of your scaled-down environment. Once that is accomplished, you can then increase the environment's resilience and self-management capabilities.

What steps will help you accomplish your top priority when a disaster occurs? (Choose 2 answers)

Re-size the small capacity servers to run on larger EC2 instances

Modify your Amazon RDS servers to a multi-AZ deployment

Extend your auto scaling group across multiple availability zones

Explanation

The Warm Standby scenario uses a scaled-down version of a fully functional environment that is always running. Business-critical applications can always be running in the cloud. When a DR scenario comes about, the servers can be quickly scaled up, scaled out or both, but horizontal scaling is preferred over vertical scaling.

The two incorrect choices will increase your environment's resilience by adding availability

Explanation

The two incorrect choices will increase your environment's resilience by adding availability

3 / 25

A company needs to maintain system access logs for a minimum of 2 years due to financial compliance policies. Logs are rarely accessed, and access must be requested at least 12 hours in advance. What is the most cost-effective method to store logs that satisfies the compliance requirement, and delivers logs as requested in a timely manner?

Store the logs in Amazon S3 in the Intelligent-Tiering storage class. Configure a lifecycle policy to delete the logs after 2 years.

Store the logs in CloudWatch logs and configure a 2 years retention period.

Store the logs in Amazon S3 in the S3 Glacier Deep Archive storage class. Configure a lifecycle policy that deletes the logs after 2 years.

Store the logs in Amazon S3 in the S3 One Zone-IA storage class. Configure a lifecycle policy to delete the logs after 2 years.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

The other options offer some cost savings compared to Amazon S3 Standard storage class, but Intelligent tiering would not cycle the files to an archive storage class for roughly 120 days, and the One Zone-IA storage class would provide some cost savings, but offers less durable storage, so the likelihood of losing logs is higher.

Explanation

Amazon S3 Glacier Deep Archive storage class is the cheapest storage class in AWS, and the information can be retrieved within 12 hours.

4 / 25

You are asked to add an application to an EC2 instance within your company's VPC. Because it is a Windows 2012 instance, you will RDP into it. When you attempt to connect via RDP, you receive the following message: Error connecting to your instance: Connection timed out.

How could you fix this issue? (Choose 3 answers)

Add a security group rule to allow inbound traffic from your public IPv4 address on port 3389.

Make sure network ACLs allow inbound/outbound traffic from your local IP address on port 3389.

Add a route to your Internet gateway for the VPC

Disable the source/destination check on your Internet gateway.

Explanation

Check the network access control list (ACL) for the subnet. The network ACLs must allow inbound and outbound traffic from your local IP address on the proper port. The default network ACL allows all inbound and outbound traffic. To enable Internet access for the EC2 instances in a VPC, you must create an Internet Gateway as well as a route to it in the router table.

Explanation

5 / 25

You are developing a static website using S3 for your company’s clients. Your team is configuring the site and has granted public read access. What other steps must they take? (Choose 2 answers)

Enable static website hosting.

Specify a default index document

Create a website page hierarchy

Enable server-side scripting

Explanation

To configure a bucket for static website hosting, you add a website configuration to your bucket. The configuration includes an index document, error documents, redirects of all requests that are intended for the index page, and any conditional redirects. Amazon S3 does not support server-side scripting.

Explanation

6 / 25

You are responsible for maintaining an RDS database deployed in a Multi-AZ deployment architecture. What would be the downtime and/or failover cycle associated with maintenance events on your database? (Choose 2 answers)

Standby instance will become the new primary after maintenance

Maintenance will be applied to the primary instance first

The old primary will be promoted back to the new primary after maintenance

Maintenance will be applied to standby instance first.

Explanation

Running a DB Instance as a Multi-AZ deployment can further reduce the impact of a maintenance event because Amazon RDS will conduct maintenance by following these steps: Perform maintenance on the standby.

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

7 / 25

You are configuring Amazon Route 53 to route traffic destined for yourwebsite.com to an Application Load Balancer that is configured to distribute traffic in two availability zones in the same AWS region. Which record set should you edit to point traffic for yourwebsite.com to your Application Load Balancer? Select the answer that is the most cost-effective and scalable.

Alias

CNAME

Explanation

yourwebsite.com is a zone apex. Alias record sets can be used to set a zone apex, but CNAME records cannot. Additionally, queries to Alias records that are mapped to an ELB are free. A records are used to map IPv4 addresses to FQDNs, the IP address of the ELB may change. MX records are used for email servers.

Explanation

8 / 25

You have been contracted to start building the latest and greatest mobile chat app. The schedule for this development and delivery is time critical. What correct mix of AWS services and components should you consider to ensure that your mobile chat app can be produced on time, ensuring that the mobile chat app can authenticate and authorize users?

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Create an auto scaling group of EC2 instances with SAML 2.0 service endpoint, setup and install a custom LDAP directory, configure SSO within the mobile app to use the SAML 2.0 service endpoint to perform user authentication and authorization

Explanation

Answer “Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization” is correct. The question highlights that the “development and delivery is time critical” - therefore the best approach time wise is to use the fit for purpose managed services provided by AWS - in this case, Amazon Cognito, IAM Roles and Policies, and the AWS Mobile SDK.

Explanation

9 / 25

Your database is very frequently receiving more read and write requests than it can handle. To process the higher loads more effectively you’ve decided to vertically scale your RDS database instance. You’ve confirmed that your licensing can handle the increased scale; next, you must determine when the changes will be applied. When can you apply the changes? (Choose 2 answers)

Immediately, when choosing a larger instance size

During the maintenance window for the database instances

When changing the database storage type

When using CloudFront metrics

Explanation

When scaling an RDS instance, changes can be applied immediately or during the maintenance window specified. It is also recommended that you before you scale, make sure you have the correct licensing in place for commercial engines (SQL Server, Oracle) especially if you Bring Your Own License (BYOL). One important thing to call out is that for commercial engines, you are restricted by the license, which is usually tied to the CPU sockets or cores.

Explanation

10 / 25

Your company is planning to deploy a hybrid environment linking their on-premise database to an application hosted at AWS. When considering performance rather than security, what are key concerns when designing a network between AWS and the on-site database? (Choose 2 answers)

Control of data resources

Private network access

Network bandwidth

Network latency

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

11 / 25

You work for a company that automatically tags photographs using artificial neural networks (ANNs), which run on GPUs using C++. You receive millions of images in one batch, with an average of 3 batches per day. These images are loaded into an Amazon S3 bucket you control for you in a batch, and then the customer publishes a JSON-formatted manifest into another S3 bucket you control as well. Each image takes 10 milliseconds to process using a full GPU. Your neural network software requires 5 minutes to bootstrap. Image tags are JSON objects, and you must publish them to an S3 bucket.

Which of these is the best system architectures for this system?

Create an OpsWorks Stack with two Layers. The first contains lifecycle scripts for launching and bootstrapping an HTTP API on G2 instances for ANN image processing, and the second has an always-on instance which monitors the S3 manifest bucket for new files. When a new file is detected, request instances to boot on the ANN layer. When the instances are booted and the HTTP APIs are up, submit processing requests to individual instances

Deploy your ANN code to AWS Lambda as a bundled binary for the C++ extension. Make an S3 notification configuration on the manifest, which publishes to another AWS Lambda running controller code. This controller code publishes all the images in the manifest to AWS Kinesis. Your ANN code Lambda Function uses the Kinesis as an Event Source. The system automatically scales when the stream contains image events

Create an Auto Scaling, Load Balanced Elastic Beanstalk worker tier Application, and Environment. Deploy the ANN code to G2 instances in this tier. Set the desired capacity to 1. Make the code periodically check S3 for new manifests. When a new manifest is detected, push all of the images in the manifest into the SQS queue associated with the Elastic Beanstalk worker tier.

Make an S3 notification configuration which publishes to AWS Lambda on the manifest bucket. Make the Lambda create a CloudFormation Stack which contains the logic to construct an autoscaling worker tier of EC2 G2 instances with the ANN code on each instance. Create an SQS queue of the images in the manifest. Tear the stack down when the queue is empty.

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

Explanation

The Elastic Beanstalk option is incorrect because it requires a constantly-polling instance, which may break and costs money.

The Lambda fleet option is incorrect because AWS Lambda does not support GPU usage.

The OpsWorks stack option both requires a constantly-polling instance, and also requires complex timing and capacity planning logic.

The CloudFormation option requires no polling, has no always-on instances, and allows arbitrarily fast processing by simply setting the instance count as high as needed.

12 / 25

You have created an S3 bucket where project managers can upload their projects' files. Project files change frequently, so retaining multiple copies of files when changes occur is essential. Each project is also considered confidential, each project file must be encrypted at rest when stored in S3.

How could you meet these requirements for your bucket and contents?

Enable versioning for the S3 bucket, and encrypt project files using client-side or server-side encryption

Delete all prior versions after a certain timestamp alert is met

Server-side encryption should be enabled on the S3 bucket

Each PM should compress project files and assign a password for compressed files, and encryption needs to be enabled on the bucket

Explanation

Versioning provides redundancy as it keeps multiple variants of an object in the same bucket. You can use versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With versioning, you can easily recover from both unintended user actions and application failures.

Explanation

13 / 25

Your team is setting up DynamoDB for a client. You need to explain to them how DynamoDB tables are partitioned. Which calculations are used to determine the number of partitions that will be created? (Choose 2 answers)

The total table size divided by 10 GB

The total RCU divided by 3000 + total WCU divided by 1000

The total table size divided by 40 GB

The total RCU divided by 5000 + total WCU divided by 1000

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results

14 / 25

You have 4 Direct Connect (DX) connections to your VPC from your Chicago, Boston, Houston, and Orlando offices. Your VPC’s address range is 10.20.0.0/16. You are using BGP routing. You would like to ensure AWS uses the Chicago connection to reach the IP addresses ranging from 10.20.30.0-10.20.30.127 on your network. The other three locations are currently advertising the following routes:

Boston: 10.20.0.0/16 AS 65000

Houston: 10.20.30.0/24 AS 65000 65000

Orlando: 10.20.30.254/32 AS 65000 65000 65000

Which of the following routes could you advertise from your Chicago connection to ensure AWS uses it to access IP addresses ranging from 10.20.30.0-10.20.30.127?

10.20.30.0/25 AS 65000 65000 65000

10.20.30.128/26 AS 65000

10.20.128.0/17 AS 65000

10.20.30.0/23 AS 65000 65000

Explanation

AWS will choose the most specific route first. If routes are equal after checking for the most specific routes, AWS will use AS path prepending to determine which route is preferred. In this example, 10.20.30.0/25 is more specific than 10.20.30.0/24 and 10.20.0.0/16, so AS path prepending will not matter. The other options are either outside of the address range in question (10.20.30.128/26 and 10.20.128.0/17) or less specific than the route advertised by Houston (10.20.30.0/23). The route advertised from Orlando, 10.20.30.254/32, identifies a single IPv4 address that is outside of the range in question

Explanation

15 / 25

You are an AWS Solutions Architect helping a client plan a migration to the AWS Cloud. The client has provided you with a detailed inventory of their current on-premises compute infrastructure, including metrics related to storage and bandwidth. What tool would you use to estimate the amount of money they will save by migrating to the AWS Cloud?

Trusted Advisor

Cost Explorer

Detailed Billing Reports

TCO Calculator

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

16 / 25

Which choice correctly describes the differences between security groups and Network Access Control Lists (NACLs)? (Choose 2 answers)

Security Groups operate at the subnet level, and they support allow rules only

Security Groups operate at the instance level and support allow rules only.

NACLs operate at the subnet level and support allow and deny rules

NACLs operate at the subnet level and support deny rules only.

Explanation

You can secure your VPC instances using only security groups; however, you can add NACLs as a second layer of defense. Security groups — Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level . Network access control lists (NACLs) — Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level . Security Groups supports allow rules only while Network Access Control Lists support allow and deny rules.

Explanation

17 / 25

You are managing cloud storage for your company, which wants the technical staff to have some latitude in managing the buckets under your supervision. In an effort to increase visibility and accountability on bucket management, you'd like to know who is accessing the buckets and to be notified of delete actions.

What features can provide this information for S3 buckets? (Choose 2 answers)

View the S3 event logs

Enable CloudWatch Logs

Enable S3 Server Access Logs on the buckets

Turn on S3 Event Notifications for delete actions

Explanation

S3 Event Notifications can be set up on objects stored in S3. An event could be set up to notify when a delete is performed. Logging is turned off by default but can be enabled. When enabled, they can track requests to your S3 bucket.

S3 Server Access Logging tracks detailed information not currently available with CloudWatch metrics or CloudTrail logs. To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

Explanation

18 / 25

A web application hosted on 40 EC2 instances allows traffic on port 80. The 40 EC2 instances are assigned to the same security group, and located in different subnets within the same VPC. The organization is planning to use one of these 40 instances for testing an application running on port 8080. You have created a new security group that allows inbound and outbound traffic on port 8080.

What additional steps can allow you to test the new application with minimal additional cost or disruption to your current infrastructure? (Choose 2 answers)

Attach an ENI with port 8080 opened to an existing instance.

Assign the instance's primary network interface to the new security group.

Launch an instance in a new subnet.

Assign the new security group to the newly attached ENI.

Explanation

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.

The ENI allows the user to change the security group of a running instance. Thus, in the present scenario when the organization wants to have a separate security group for one of the instances, it should change the security group of that ENI. This avoids the cost and time of deploying a new instance or configuring a new subnet, or changing the configuration of an existing security group.

Explanation

19 / 25

The total RCU divided by 3000 + total WCU divided by 1000

The total table size divided by 10 GB

The total table size divided by 40 GB

The total RCU divided by 5000 + total WCU divided by 1000

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

20 / 25

While monitoring your application servers hosted behind an elastic load balancer, you discover that the servers always operate at between 75 and 80% of their capacity after five minutes of operation. Also, there is a constant number of servers being marked as unhealthy very early in their initial lifecycle. Upon further analysis, you also discover that your servers are taking between three and four minutes to become operational after launch. What two tasks should you complete as soon as possible? (Choose 2 answers)

Decrease the length of your scaling cool down period

Increase the maximum number of instances in your auto-scaling group

Increase the length of your scaling cool down period

Increase the size of instances in your launch configuration.

Explanation

A prolonged grace period and a larger number of instances will solve these issues. You can use scaling policies to increase or decrease the number of running EC2 instances in your group automatically to meet changing conditions. When the scaling policy is in effect, the Auto Scaling group adjusts the desired capacity of the group and launches or terminates the instances as needed. If you manually scale or scale on a schedule, you must adjust the desired capacity of the group for the changes to take effect.

Explanation

21 / 25

You are an AWS Solutions Architect helping a client plan a migration to the AWS cloud. The client is very cost-conscious and needs to understand the budget implications of any design decisions prior to signing off. Now that you’ve identified the resources that must be created in the AWS environment to support the migration, what tool could you use to help project future costs given this information?

TCO Calculator

Cost Explorer

Simple Monthly Calculator

Detailed Billing Reports

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

22 / 25

You have an application that is generating a log file every 5 minutes and you need to store these log files appropriately. The requirements for storing the log files are:

They should be quickly retrievable when needed, as they may be required only for verification in case of some major issue.
The logs will need to be accessed frequently, as all log data is retrieved and compiled from the files into a bi-monthly report.
The logs are essential to quarterly audits, so the storage solution must offer a high level of durability.
Cost should also be minimized for the storage service as much as possible.

Which of the storage options below is the best choice to meet these requirements?

Amazon S3 Standard

Amazon S3 OneZone-IA

Amazon S3 Standard - Infrequent Access (IA)

Amazon S3 Glacier

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

Standard is for Amazon S3 and provides very high durability. Standard - Infrequent Access is designed for with a minimum data amount required and paid storage for at least 30 days. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files.

S3 OneZone IA is a variation of Standard-IA, which offers data archival at a reduced price, but also with less durability because the data within this class is stored within a single availability zone rather than spread throughout all availability zones within the S3 buckets region, as it is with S3 Standard storage.

Explanation

Amazon S3 stores objects according to their storage class. There are technically four major storage classes: Standard, Standard - Infrequent Access, Reduced Redundancy Storage (RRS) and Glacier.

23 / 25

A user is planning to launch a scalable web application. Which of the below mentioned options will not affect the latency of the application?

Availability Zone.

Provisioned IOPS.

Instance size.

Region.

Explanation

In AWS, the instance size decides the I/O characteristics. The provisioned IOPS ensures higher throughput, and lower latency. The region does affect the latency, latency will always be less when the instance is near to the end user. Within a region the user uses any AZ and this does not affect the latency. The AZ is mainly for fault toleration or HA

Explanation

24 / 25

An organization is planning to implement a scalable web application with Amazon EC2. The organization is planning to achieve high availability with Multi-AZ features. A single deployment of your application requires 8 vCPUs and 16 GiB total memory. The application workload is very stable, and does not experience spikes in activity. It is possible to divide the workload across separate instances.

Which configuration is the best choice for high availability, disaster recovery, and cost-effectiveness in this scenario?

Launch four instances with 8 vCPUs and 16 GiB memory each. Associate all four instances with one auto scaling group, and deploy them into two separate availability zones. Finally, load balancer them with an elastic load balancer.

Launch eight instances with 4 vCPUs and 8 GiB memory each. Divide the instances into separate availability zones, and also divide the instances into two separate auto scaling groups across the two availability zones. Deploy a separate load balancer for each group of instances within an availability zone

Launch four instances with 4 vCPUs and 8 GiB memory each. Associated all four instances with one auto scaling group, and deploy the instances into two separate availability zones, and then load balance them with an elastic load balancer

Launch two instances with 8 vCPUs and 16 GiB memory each. Associate both instances with one auto scaling group, and deploy them in separate availability zones. Finally, load balance them with an elastic load balancer

Explanation

The organization can always launch multiple EC2 instances in the same region across multiple availability zones for high availability and disaster recovery. It is recommended that the application should be load balanced for better load distribution. When the organization must support a workload that could be met with a small number of large instances, it is recommended to distribute the load by creating four small instances across availability zones. The two large instances give only 50% redundancy while the four small instances give 75% redundancy. As for cost, both the scenarios are the same it is recommended to run four small instances across availability zones

Explanation

25 / 25

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. As the environment and number of active resources continue to grow, your finance team is having a difficult time attributing your AWS costs to the various business units. How can you help the finance team assign costs to the correct business units? (Choose 2 answers)

Give them access to TCO calculator.

Tag all resources with the appropriate business unit.

Set up consolidated billing

Enable Cost and Usage reports.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Your score is

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

AWS Certified Solutions Architect Professional – Exam Mode

/75

0 votes, 0 avg

Click Start button to start exam !

Time Out !

1 / 75

Under the shared responsibility model, which aspects of security in the AWS cloud are the responsibility of the user rather than AWS? (Choose 3 answers)

Data encryption

Installation of EC2 security patches

EC2 instance security

Network hardware maintenance

Explanation

AWS is responsible for the security of the cloud in general, in areas such data security and protection against IP spoofing. The customer is responsible for security in the cloud in areas such as data encryption, installing security patches on EC2 instances, and IAM best practices. It is very important to understand this concept to avoid any lapses in your security measures.

Explanation

2 / 75

You are developing a new application in which you need to transfer files over long distances between client-side storage and an S3 bucket. You decide to try sending data to the S3 bucket using S3 Transfer Acceleration. What must you do to achieve this? (Choose 2 answers)

Turn on S3 Transfer Acceleration for the bucket.

Use the new accelerate endpoints to transfer your data to S3.

Use the SDK S3 accelerate upload commands

Use the CLI S3 accelerate upload commands.

Explanation

After you turn on S3 Transfer Acceleration for a bucket, two new endpoints are created for the bucket: one for IPv4 and one for IPv6. You can use either the accelerate endpoints or the standard endpoints if you choose not to use the accelerate feature.

Explanation

3 / 75

You are performing some testing of an application in development and wish to delete the parts of a multipart upload after a mistake is made with part numbering. Which command would you run to stop the upload and delete all the parts?

Remove multipart upload

Delete multipart upload

Abort multipart upload

Cancel multipart upload

Explanation

To delete the parts of a failed multipart upload so that you do not get charged for storage of those parts, you must use the command “Abort Multipart Upload” and provide the upload ID of upload you wish to abort. After aborting a multipart upload, you cannot upload any part using that upload ID again. All storage that any parts from the aborted multipart upload consumed is then freed.

Explanation

4 / 75

You have been charged with investigating cloud security options for your company in light of recent suspected threats. You are aware that certain AWS services can help mitigate DDoS attacks, and you are specifically looking for a service that provides protection from counterfeit requests (Layer 7) or SYN floods (Layer 4). Which services provide this protection? (Choose 2 answers)

Route 53

VPC Security Groups

Amazon API Gateway

CloudFront with AWS Shield

Explanation

Amazon API Gateway automatically protects your backend systems from distributed denial-of-service (DDoS) attacks, whether attacked with counterfeit requests (Layer 7) or SYN floods (Layer 3). Additional reading is available here (https://aws.amazon.com/api-gateway/faqs/).

AWS Shield Advanced includes intelligent DDoS attack detection and mitigation for not only for the network layer (layer 3) and transport layer (layer 4) attacks but also for application layer (layer 7) attacks.

NACLs do not provide DDoS mitigation. They are used to control ingress and egress into a subnet based on port and source IP range. Route 53 can protect against DNS based DDoS attacks but does not protect entire layers. Elastic Load Balancing can protect EC2 instances specifically, but not other AWS resources.

Explanation

5 / 75

You are developing a static website using S3 for your company’s clients. Your team is configuring the site and has granted public read access. What other steps must they take? (Choose 2 answers)

Specify a default index document

Enable static website hosting.

Enable server-side scripting

Create a website page hierarchy

Explanation

6 / 75

You are designing monitoring and operation management for your environment on AWS and in the process of deciding which metrics to start with for your monitoring. Which of the following metrics should be included in your initial monitoring plan at a minimum? (Choose 3 answers)

CPU Utilization

Memory Utilization

Disk Performance (Read and Write OPS)

Volume Queue Length

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

Explanation

To establish a baseline you should, at a minimum, monitor the following items:

CPU Utilization
Memory Utilization
Network Utilization
Disk Performance
Disk Space.

7 / 75

A user is currently building a website which will require a large number of instances in six months, when a demonstration of the new site will be given upon launch. Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the demonstration?

Pre-warm all the instances one month prior to ensure resource availability.

Ask AWS now to procure the dedicated instances in 6 months.

Procure all the instances as reserved instances beforehand.

Launch all the instances as part of the cluster group to ensure resource availability.

Explanation

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Explanation

8 / 75

To provide adequate computer resources for your company portal during busy sales cycles, you have your instances assigned to an EC2 auto scaling group associated with an application load balancer. You are now configuring the health checks for the auto scaling group.

What statement regarding health check configuration options for your auto scaling group is correct?

You can only use EC2 Instance Status Checks as a health check for your auto scaling group

You can only use ALB health checks as a health check for your auto scaling group

You can use both EC2 Instance Status Checks and ALB health checks simultaneously for your auto scaling group

You can use either EC2 Instance Status Checks or ALB health checks for your auto scaling group., but not both simultaneously

Explanation

Both instance status checks and health checks must be enabled before unhealthy instances will be terminated. It is critical that you test not only the saturation and breaking points but also the "normal" traffic profile you expect

Explanation

9 / 75

Your on-premise bare-metal servers are over five years old. You’re considering moving to AWS. The offerings of virtual instances far surpass what you can access on-premises. Before you choose your test instance at AWS, what questions should you ask? (Choose 3 answers)

When peak load occurs, how much over-provisioning is required?

What is the average server utilization?

What is the cost of over-provisioning?

How much network bandwidth do you need?

Explanation

On-premises data centers have costs associated with the servers, storage, networking, power, cooling, physical space, and IT labor required to support applications and services running in the production environment. For servers, these questions are most applicable: What is your average server utilization? How much do you overprovision for peak load? What is the cost of over-provisioning?

Explanation

10 / 75

You are in the process of planning your backup strategy between an on-premises data center and AWS cloud. You are considering Storage Gateway technology for backup and restore in your hybrid environment. What are the primary factors that affect Backup and Recovery times when using Storage Gateways? (Choose 2 answers)

Net available bandwidth between on-premises and AWS over the public internet or Direct Connect line.

Amount of data required for backup each day before on-premise data deduplication and compression

Compute power of on-premises instances that need to be backed up

Amount of data required for backup each day after on-premise data deduplication and compression

Explanation

Storage gateways interact with AWS over the public Internet or direct connect. You will need to know the amount of data per day that needs to be transferred to Amazon S3 and the net available bandwidth of your network connection. Storage Gateway is capable of running data compression, and comparison so only changed data is being backed up.

Explanation

11 / 75

After monitoring your online sales application for the last two weeks of holiday sales, it is apparent that your database tier’s current architectural design is not sufficient. Your database is currently managed within Amazon RDS. The decision is made to scale your instance to a greater size based on database recommendations from the vendor. Your current database storage type is magnetic, and storage usage is currently at 70%.

Which modifications could potentially improve the performance of your database? (Choose 2 answers)

Decrease the currently allocated storage space

Change the storage type to general-purpose SSD.

Increase the number of read replicas.

Increase the currently allocated storage space

Explanation

When scaling a database, you can increase the storage capacity of a DB Instance up to a maximum of 64 terabytes (TiB). Please note that scaling the storage allocation with Amazon RDS does not incur a database outage. The performance will be increased as well.

Explanation

12 / 75

Your company is migrating into Amazon Web Services and has selected the US East region in which to operate. The majority of your work involves interfacing with government departments in the United States and Germany. Your company expects the deployment into the cloud to be up and running in a minimum of time. Before deploying any resources in the European region, what should be your first consideration?

Industry rules and standards

The pre-warming storage and load balancers

European privacy laws

The number of web servers to deploy

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

Explanation

Privacy laws in foreign countries will dictate compliance rules and regulations. AWS customers remain responsible for complying with applicable compliance laws and regulations.

13 / 75

TCO Calculator

Detailed Billing Reports

Simple Monthly Calculator

Cost Explorer

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

Explanation

The Simple Monthly Calculator is used to calculate projected costs, assuming you know what AWS resources you’ll be consuming.

14 / 75

Due to compliance rules and regulations, your company's workload has to run on dedicated instances. How can you make sure that all EC2 instances created for your workload now and in the future are dedicated instances? (Choose 2 answers)

Create a golden AMI of the dedicated instance and enforce this AMI as the base for any new instance in your environment. This guarantees that all instances created based on the AMI will be dedicated

Create a dedicated Placement Group and associate all new instances with this placement group at launch time. All instances launched in a dedicated placement group will be dedicated

Create a CloudFormation template that has the EC2 Instance Tenancy attribute as dedicated and always use it to launch any new instance

Create your VPCs with instance tenancy of dedicated. This will ensure that all instances launched in VPC are dedicated

Explanation

You can create a VPC with an instance tenancy of dedicated to ensure that all instances launched into the VPC are dedicated instances. Alternatively, you can specify the tenancy of the instance during launch

Explanation

15 / 75

Your account has 3 VPCs deployed in the same region.

The IPv4 address ranges of the VPCs are:

VPC A 172.22.0.0/16

VPC B 10.3.0.0/16

VPC C 10.4.0.0/16

VPC B and VPC C are already connected through VPC peering connection (PCX) named pcx-abcxyz. VPC A has resources that VPC B and VPC C must access. Which of the options below best achieves the objective of allowing VPC B and VPC C to access VPC A?

Connect VPC A to VPC B using VPC Peering and allow VPC C to access VPC A through VPC B

Connect VPC A to pcx-abcxyz

Create separate VPC Peering connections between VPC A & VPC B and VPC A & VPC C

Add static routes to VPC A with Targets of 10.3.0.0/16 and 10.4.0.0/16 and a Destination of pcx-abcxyz

Explanation

Creating separate VPC Peering connections between each VPC is required for Peering 3 VPCs together. Transitive routing is not supported in VPC Peering so VPC C could not reach VPC A through VPC B. A new VPC Peering connection is required for connecting additional VPCs, so connecting VPC A to pcx-abcxyz is not a viable option. Adding a static route to VPC A that points to pcx-abcxyz would not work as pcx-abcxyz is not connected to VPC A.

Explanation

16 / 75

Immediately, when choosing a larger instance size

During the maintenance window for the database instances

When changing the database storage type

When using CloudFront metrics

Explanation

17 / 75

Your company uses an on-premise identity system such as Active Directory to authenticate users locally. You would like to grant the same users access into the AWS console without requiring them to authenticate again. What possible solution below can be used to provide this type of access:

If your company's identity system is compatible with OpenID Connect (OIDC), establish trust between your company's identity system and AWS

If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS

If your company's identity system is compatible with Kerberos, establish trust between your company's identity system and AWS

If your company's identity system is compatible with OAuth 2.0, establish trust between your company's identity system and AWS

Explanation

Answer “If your company's identity system is compatible with SAML 2.0, establish trust between your company's identity system and AWS” is correct. AWS supports identity federation with SAML 2.0 (Security Assertion Markup Language 2.0), an open standard that many identity providers (IdPs) use. This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS API operations without you having to create an IAM user for everyone in your organization.

Explanation

18 / 75

Your developers have created a sales application that works in tandem with the no SQL database. To ensure the fastest response for the application in production, the developers wish to remove the need to wait for acknowledgments from the database to the application after data have been sent. The acknowledgments can be stored and accessed asynchronously. Which managed application would be the best choice for their design?

CloudWatch Logs

Simple Workflow Service

AWS Config

Simple Queue Service

Explanation

SQS allows you to quickly build hosted and scalable message queuing applications that can run on any computer. SQS stores messages in transit between diverse, distributed application components without losing messages and without requiring each component to be always available

Explanation

19 / 75

Maintenance will be applied to the primary instance first

Maintenance will be applied to standby instance first.

Standby instance will become the new primary after maintenance

The old primary will be promoted back to the new primary after maintenance

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

Explanation

Perform maintenance on the standby.
Promote the standby to primary.
Perform maintenance on the old primary, which becomes the new standby.

20 / 75

You’ve been contracted by a client to improve the resiliency of their VPC in preparation for increased Disaster Recovery requirements with shorter RTO and RPOs. One thing you’d like to improve upon is resource and application monitoring. Which services used together will allow for the monitoring of application logs on EC2, notification of users managing the services, and the overall health of AWS resources? (Choose 2 answers)

CloudFront

Cloudwatch

Trusted Advisor

SNS

Explanation

Amazon SNS and CloudWatch are integrated so you can collect, view, and analyze metrics for every active Amazon SNS notification. By configuring CloudWatch for Amazon SNS, you can gain better insight into the performance of your Amazon SNS topics, push notifications, and SMS deliveries.

Explanation

21 / 75

Select a true statement about Amazon EC2 Security Groups (EC2-Classic).

After you launch an instance in EC2-Classic, you can only add rules to a security group.

After you launch an instance in EC2-Classic, you cannot add or remove rules from a security group.

After you launch an instance in EC2-Classic, you can't change its security groups.

After you launch an instance in EC2-Classic, you can change its security groups only once.

Explanation

After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group

Explanation

22 / 75

Your company decided to create AWS Account and start moving some workloads to the cloud. The security team would like to utilize the existing identity and access management system which is based on Active Directory to manage access to the new AWS Account. For that reason you decided to use SAML federation to allow users in local identity and access management system access to AWS Services.

Which of the following are primary components in SAML Federation configuration for the new AWS account? (Choose 2 answers)

IAM trust policy that allows external identity store like Active Directory to be used as the primary IDP for this AWS account

SAML-Based identity provider has to be available to be used with company's identity store (Active Directory)

IAM Roles matching Active Directory groups that you would like to allow access to AWS

Direct Connect or VPN connectivity must be established between AWS and your company's data center

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

1- Inside your organization's network, you configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) like Windows Active Directory Federation Services

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

3- You also need to create roles that will map to allowed groups in company's identity store, members of these groups will be presented with set of roles that map to their group membership to choose which role they would like to assume while logging in to AWS console

Explanation

To enable SAML-Based federation for AWS Account, the following actions are required

2- In IAM, create a new SAML provider, which is an entity in IAM that holds information about your organization's identity provider.

23 / 75

Your company is migrating their environment to AWS. The legacy environment relied on Chef for automation, and your engineers are comfortable with that solution. In addition, your compliance officer has indicated that the new environment needs centralized, auditable configuration management for regulatory reasons. Which of the following AWS automation tools is most appropriate for this scenario?

OpsWorks stacks

Elastic Beanstalk

CloudFormation

OpsWorks for Chef Automate

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

Explanation

OpsWorks stacks will let you utilize your existing Chef recipes, but only OpsWorks for Chef Automate will provide you with centralized, continuous configuration management.

24 / 75

You are leading the design of an AWS RDS database for a client's cloud environment. You have detailed the benefits of a multi-AZ configuration for high availability. You begin discussing scalability options. You again stress the importance of multi-AZ for a highly available, scalable environment. How does a multi-AZ configuration indirectly benefit scaling operations?

Read traffic can be offloaded to the multi-AZ standby instance.

There is minimal downtime when scaling up multi-AZ databases.

The standby instance can quickly be converted to a read replica.

Total IOPS is the sum of IOPS for the primary and standby servers

Explanation

To handle a higher load in your database, you can vertically scale up your master database with a simple push of a button. There are currently over 18 instance sizes that you can choose from when resizing your RDS MySQL, PostgreSQL, MariaDB, Oracle, or Microsoft SQL Server instance. For Amazon Aurora, you have 5 memory-optimized instance sizes to choose from. There is minimal downtime when you are scaling up on a Multi-AZ environment because the standby database gets upgraded first, then failover will occur to the newly sized database. A Single-AZ instance will be unavailable during the scale operation

Explanation

25 / 75

Enable Cost and Usage reports.

Set up consolidated billing

Tag all resources with the appropriate business unit.

Give them access to TCO calculator.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

Explanation

By tagging all resources with the business unit and enabling detailed billing reports, you would enable the finance team to run cost reports by business unit.

26 / 75

You are designing an AWS cloud environment for a new client. You will be responsible for designing and implementing the solution while also training their IT personnel to eventually take over administration of the environment. a major part of your task will be educating them on IAM and how to administer IAM moving forward. Which action can be authorized by IAM and is something for which you will have to prepare training material?

Querying a DynamoDB database

Launching an EC2 instance

Querying a SQL Server database

Connecting to on-premises Active Directory

Explanation

If an IAM user wants to launch an EC2 instance, you need to grant the EC2 RunInstance permission to that user. If the EC2 instance should include an instance profile—that is, if applications in the EC2 instance will be able to get temporary security credentials via an IAM role—the user who launches the EC2 instance must also have the IAM PassRole permission. Not only that, but the user might need PassRole permission to associate a specific role with the EC2 instance.

Explanation

27 / 75

You have been assigned to work with a manufacturing company that wants to migrate to a Virtual Private Cloud. Their technical lead is very proactive and and would like to use EC2 Spot instances wherever possible for cost efficiency. He also wants to use Instance Stored volumes where possible. You need to educate the technical lead about EBS backed volumes versus Instance Stored volumes. What are some of the advantages of EBS volumes? (Choose 3 answers)

EBS volumes are more cost-effective

If the instance is terminated, your data is not lost.

EBS based instances can be stopped and restarted.

EBS instances boot faster

Explanation

An EBS volume is off-instance storage that can persist independently from the life of an instance. You continue to pay for the volume usage as long as the data persists. EBS instances can be stopped and re-started. And EBS volumes boot faster than instance store volumes often by an order of magnitude

Explanation

28 / 75

You’ve designed a public portal (with a MySQL database) featuring popular scientific journals. Due to its popularity, users are complaining it takes much longer to review selected journals than in the past. In addition, the popularity of your site is worldwide.

What are the first steps that you should take to resolve your performance issues? (Choose 2 answers)

Redesign your database as a Multi-AZ solution

Place additional read replicas in AWS regions closer to your users

Create a read replica of your master database

Deploy ElasticSearch for faster searching of available scientific journals

Explanation

Read replicas of your master database allow you to increase performance. Placing your read replicas in different AWS regions closer to your users will maximize performance and increase the availability of your database.

Explanation

29 / 75

A customer has a website which shows all the sales available in leading online and brick-and-mortar stores.

Currently, the website's web, application, and database tiers are hosted on five large, on-demand EC2 instances to manage day-to-day traffic. However, from late November through the end of December, the website traffic quadruples the normal rate for various periods, sometimes a few minutes, and sometimes a few hours. During the peaks in activity, the website requires up to 20 large instances.

The level of activity is not predictable. It is also prone to large, sudden spikes at random times based on when various temporary sales are available. The site's traffic can quadruple in a matter of minutes.

Which option is the most cost-effective and achieves better performance to handle these peaks in traffic reliably?

Purchase 5 Scheduled reserved instances immediately. Add 15 on-demand instances to run continuously from late November through the end of December.

Purchase 5 Standard reserved instances immediately. Add ten on-demand instances to run continuously from late November through the end of December. Create an auto scaling group to scale out an additional five instances based on the workload metrics as needed.

Purchase 5 Standard reserved instances immediately. Add five on-demand instances during the from late November through the end of December, and create an auto scaling group to scale out an additional ten instances based on the workload metrics as needed.

Launch ten on-demand instances running continuously, and manually launch ten instances every day during office hours based on workload metrics as needed.

Explanation

AWS provides an on-demand, scalable infrastructure. Amazon EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. When the organization is experiencing varying loads and the time of the load is not known but it is higher than the routine traffic it is recommended that the organization launches a few instances beforehand and then setups AutoScaling with policies which scale up and down as per the EC2 metrics, such as Network I/O or CPU utilization.

If the organization keeps all ten additional instances as a part of the AutoScaling policy sometimes during a sudden higher load, it may take time to launch instances and may not give optimal performance. This is the reason it is recommended that the organization keeps an additional five instances running and the next five instances scheduled as per the AutoScaling policy for cost-effectiveness.

Additionally, the website has established a baseline of normal workload outside of the peak season, so they can invest in Standard reserved instances to manage this workload and save dramatically on compute resource costs.

Explanation

30 / 75

You need to provide a small group of users in one AWS account access to another AWS account. How would you enable this access to a second AWS account?

Federation

Multiple account access

Cross-account trust

Secondary account access

Explanation

You can use AWS Identity and Access Management (IAM) roles and AWS Security and Token Service (STS) to set up cross-account access between AWS accounts. When you assume an IAM role in another AWS account to obtain cross-account access to services and resources in that account, AWS Cloudtrail logs the cross-account activity.

Explanation

31 / 75

A national auto parts chain contracted your firm to design and implement their AWS environment. It is a very large-scale system that handles order processing, accounting, stocking, and logistics. This system spans multiple availability zones and requires a multi-AZ environment for high availability. The system has been implemented and you need to test the database failover mechanism. It is imperative that the failover occurs within the specified RTO. How can you consistently test database failover?

Reboot the primary database instance

Backup then delete the primary database instance

Amazon has thoroughly tested failover and customers can not test failover.

Contact Amazon to conduct a failover test.

Explanation

If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. When you create or modify your DB instance to run as a Multi-AZ deployment, Amazon RDS will automatically provision and manage a “standby” replica in a different Availability Zone (independent infrastructure in a physically separate location). In the event of planned database maintenance, DB instance failure, or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention. Multi-AZ deployments utilize synchronous replication, making database writes concurrently on both the primary and standby so that the standby will be up-to-date in the event a failover occurs.

Explanation

32 / 75

You are designing a AWS cloud environment for a client who has a contract with a federal government agency. The cloud environment will have multiple VPCs and be in multiple regions. The government agency wants to whitelist only a handful of instances in your organization. This will dictate that these instances have static IP addresses. Elastic ip addresses can be used to keep a fixed set of IP addresses. How can the Elastic IP addresses (EIP) be used in this environment?

EIPs can be moved from one instance to another within the same Availability Zone

EIPs are attached to an instance and exist only for the life of that instance

EIPs can be moved from one instance to another in multiple VPCs within the same region

EIPs can be moved from one instance to another in multiple VPCs and multiple regions

Explanation

An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. You can disassociate an Elastic IP address from a resource, and reassociate it with a different resource. A disassociated Elastic IP address remains allocated to your account until you explicitly release it. An Elastic IP address is for use in a specific region only.

Explanation

33 / 75

Your organization is migrating applications to AWS. Your new security policy mandates that all user accounts be created and managed through IAM. Currently, your corporation is using Active Directory as their on-premise LDAP service. Once applications go live at AWS, all users must access applications using temporary access credentials, and all IAM users must have passwords that are rotated on a set schedule. Which of the following actions will allow you to enforce this security policy? (Choose 3 answers)

Create and enforce a password expiration policy option for all IAM users.

Disable the root account for your AWS account.

Deploy federation services that support the Security Token Service

Create required IAM user accounts

Explanation

STS is the “glue” that supports temporary access credentials for federation. If you are running code, AWS CLI, or Tools for Windows PowerShell commands inside an EC2 instance, you can take advantage of roles for Amazon EC2. Otherwise, you can call an AWS STS API to get the temporary credentials, and then use them explicitly to make calls to AWS services.

Explanation

34 / 75

You are looking for a simple way to configure high availability for your EC2 instances. You need to create a plan for replacing unhealthy or failed instances. It is acceptable to have a short amount of downtime to keep costs down. Which process is appropriate for achieving this?

Create a custom AMI and use it to create an Auto Scaling Launch Configuration; then create a “Steady State” auto scaling policy using a minimum of 2 instances and a maximum of 2 instances.

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Recover this instance.”

Create a custom AMI of your EC2 instance, and configure a CloudWatch alarm based on StatusCheckFailed_Instance with an EC2 action of “Reboot this instance.”

Create a custom AMI of your EC2 instances. Use the custom AMI to create a new EC2 instance if there are issues with a current EC2 instance, and move the EIP to the new instance.

Explanation

Creating a custom AMI of the instance for which you are trying to provide HA allows you to bring the instance online quickly with no build time. Moving the EIP from the instance, you are replacing to the new instance will send all traffic to the new instance without any change to DNS, which would take time to propagate. Using the AutoRecover option will not replace the unhealthy or failing instance. It will only try to restart it on another host. Creating a “Steady State” Auto Scaling Group would also be a good solution, although using two as a minimum would have a higher cost.

Explanation

35 / 75

You are leading a design meeting in your company to create an autoscaling group of EC2 instances behind an Application Load Balancer in your VPC. There are very specific requirements coming about based on traffic and cost. Your management wants to scale out when necessary and scale in when instances are no longer needed to save on cost and maintain optimum system performance based on CPU utilization.

What step can most effectively meet these requirements?

Create a target tracking scaling policy with Amazon EC2 Auto Scaling based on CPU utilization

Create a scheduled scaling policy with Amazon EC2 Auto Scaling that scales out and in predefined patterns during normal business hours.

Create a scaling policy based on the Elastic Load Balancer latency metric

Create a simple scaling policy with Amazon Application Auto Scaling that scales at different rates based on CPU utilization.

Explanation

You can associate more than one scaling policy with an autoscaling group. Having one policy to scale out and one policy to scale in is a viable option. Scaling out during business hours and scaling in during off hours could be fairly effective for performance and cost. But scaling out and in using CloudWatch metrics for CPU utilization would be much more precise for both performance and cost considerations.

Explanation

36 / 75

You've been assigned to a client that has an auto scaling group behind an Application Load Balancer. The autoscaling group is handling traffic spikes well, but the client is concerned about cost. After reviewing statistics, you find that a large number of instances are being launched for just a short time period (15 - 30 minutes) and you know that Amazon charges per second for the time these instances are running.

You're concerned that when these bursts occur, instances that scale out in a larger number than required and actually outlive the short bursts of increased workload.

What steps can you take to maintain performance but reduce costs? (Choose 2 answers)

Use Trusted Advisor to terminate instances immediately when no longer needed.

Create scheduled scaling events instead of using your simply scaling policy.

Create a step scaling policy for improved scale-out events

Create a cool down period for your auto scaling group

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you've selected.

Adjusting the cooldown period also minimizes the likelihood of scaling out again before the instances that were deployed in a previous scale out event have had time to warm up and handle requests to their full capability.

Explanation

To better control scale-out events, you can create a step scaling policy that dictates different levels of scaling based on different utilization levels of a metric you've selected.

37 / 75

You are leading a design meeting for a new client that is migrating their compute environment to the cloud. One of the first design meetings involves Identity and Access Management (IAM). You are giving them an explanation of concept of principals, which is an entity that is allowed to interact with AWS resources. Which is not a type of principal?

IAM users

Roles/temporary security tokens

Root users

Encryption keys

Explanation

A principal is an IAM entity that is allowed to interact with AWS resources. The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. The Principal element is relevant only in a bucket policy; you don't specify it in a user policy because you attach user policy directly to a specific user.

Explanation

38 / 75

You wish to perform detailed monitoring on servers that are marked as unhealthy before they are terminated. After researching the issue, you find that lifecycle hooks can be deployed as necessary. Which strategies could you use to perform detailed monitoring? (Choose 2 answers)

Define a notification target for the lifecycle hook

Query 160.254.169.254 when instances are first marked as unhealthy

Create a longer cooldown period in the launch configuration

Use a CloudWatch event to invoke a Lambda function

Explanation

Lifecycle hooks allow customization of existing auto-scaling groups

Explanation

Lifecycle hooks allow customization of existing auto-scaling groups

39 / 75

Configure Amazon Cognito together with IAM Roles and Policies, leverage the AWS Mobile SDK within the mobile chat app to perform user authentication and authorization

Configure Amazon CloudFront in association with AWS WAF to perform user authentication and authorization

Create an auto scaling group of EC2 instances with custom and specialized authentication and authorization logic using SSL and JWT tokens to perform user authentication and authorization.

Explanation

40 / 75

A legacy application in your company has been deployed in a single availability zone. It is used only sporadically but must be available nevertheless. Due to your heavy administrative workload, you wish to automate a process that will rebuild the application automatically if it fails. What action should you take?

Configure the server in an auto scaling group with a minimum and maximum size of one

Add an additional availability zone and a load balancer.

Perform snapshots of EBS volumes on a set schedule.

Monitor the server availability using Cloud Watch metrics to receive alerts of health check failures.

Explanation

Auto scaling provides redundancy for a single server with the option of launching a configuration using the attributes from a running instance. When you use this option, auto scaling copies the attributes from the specified instance into a template from which you can launch one or more auto scaling groups.

Note that if the specified instance has properties that are not currently supported by auto scaling, instances launched by auto scaling using the launch configuration created from the identified instance might not be identical to the identified instance.

Explanation

41 / 75

Your new client is a federal agency utilizing a hybrid cloud environment. The agency distributes large amounts of sensitive data throughout the world. Your task is to ensure that the data is secure using various encryption techniques as well as security groups and access control lists.

One of the requirements is to distribute content utilizing CloudFront for optimal performance but to completely restrict access from within certain blacklisted countries. What service can you use with CloudFront to fulfill this requirement?

Geo-restriction

firewall rules

IAM roles

Server-side encryption

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

Explanation

You can use geo restriction, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

To use geo restriction, you have two options:

Use the CloudFront geo restriction feature. Use this option to restrict access to all of the files that are associated with a distribution and to restrict access at the country level.
Use a third-party geolocation service. Use this option to restrict access to a subset of the files that are associated with a distribution or to restrict access at a finer granularity than the country level

42 / 75

A MySQL database currently contains 2 million records. Approximately 2000 new records are added every day, with an average of 80 queries per second. The database is running on a 4 core, 4 GB dedicated system in the local data center. Once a week, on average, the system has issues and resets. It is next on the list to be moved to the cloud. What step should be taken first before it is migrated?

Order an on-demand instance matching the on-premises architecture.

Fix all MySQL issues in the local data center.

Use the AWS server migration service to migrate existing records

Export all database records to S3.

Explanation

Issues that are not first solved locally will not be solved by moving to the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems in the existing architecture there is no guarantee that they will be solved by moving to the cloud. Try to resolve any issues locally before migrating your architecture (and its existing issues) to the cloud.

Explanation

43 / 75

Network bandwidth

Network latency

Control of data resources

Private network access

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

Explanation

Since the database is not located in the same location as the application servers, network latency and bandwidth could potentially be an issue

44 / 75

Your web-based application has been launched publicly. Your design has implemented auto scaling and classic load balancing and your design is responding to the changes in demand as expected. Over the next few months, during the holiday season, demand is expected to be quite robust. You estimate that 100 EC2 instances will be required to meet your customers’ demand. How should you plan properly for growth? (Choose 2 answers)

Add a second load balancer for additional redundancy

Use AWS Trusted Advisor to analyze your workload requirements

Contact Amazon to pre-warm your elastic load balancer to match the expected demands.

Change your auto scaling configuration, setting a desired maximum capacity of 100 instances. Verify your limits allow for this capacity

Explanation

In certain scenarios, such as when flash traffic is expected, or in the case where a load test cannot be configured to gradually increase traffic, AWS recommends that you have your load balancer "pre-warmed". They will configure the load balancer to have the appropriate level of capacity based on the traffic that you expect. They also need to know the start and end dates of your tests or expected flash traffic, the expected request rate per second and the total size of the typical request/response that you will be testing

Explanation

45 / 75

Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? (Choose 2 answers)

Define the IAM policy that allows access based on the instance ID

Add a condition to the IAM policy that allows access to the configured tags for the ‘test’ environment

Configure tags on the instances in each environment defining which are ‘test’ and which are ‘production’

Launch the test and production instances in separate regions and allowing region wise access to the group

Explanation

46 / 75

You are helping a client design a static website which will potentially grow exponentially in the first few years of existence. In addition, the website will serve end users in multiple regions throughout the world. You propose using S3 to house this website. What benefits of S3 can you outline in handling a fast growing load as well as multi-region clients? (Choose 2 answers)

S3 can scale to handle virtually any load given

S3 can be integrated with CloudTrail to deliver content throughout the world

S3 can utilize cross-region replication to serve content.

S3 can be integrated with CloudFront to deliver content throughout the world

Explanation

You can store your content in an Amazon S3 bucket and use CloudFront to distribute the content.

If you store your objects in an Amazon S3 bucket, you can either have your users get your objects directly from S3, or you can configure CloudFront to get your objects from S3 and distribute them to your users.

Using CloudFront can be more cost effective if your users access your objects frequently because, at higher usage, the price for CloudFront data transfer is lower than the price for Amazon S3 data transfer. In addition, downloads are faster with CloudFront than with Amazon S3 alone because your objects are stored closer to your users.

Explanation

You can store your content in an Amazon S3 bucket and use CloudFront to distribute the content.

47 / 75

One of your customers is a large multi-national company whose infrastructure on AWS has grown significantly over the past year. The CIO has come to you asking how the huge amount of data that is being generated can be accessed in real-time which would give them a significant edge over all of their competitors. You know that AWS can provide a range of analytics but which of the following would be best to try and accomplish this?

AWS Data Pipeline

Amazon Elasticsearch

Amazon Kinesis

Amazon EMR

Explanation

Amazon Kinesis is a fully managed service for real-time processing of streaming data at massive scale. Amazon Kinesis can continuously capture and store terabytes of data per hour from hundreds of thousands of sources such as website clickstreams, financial transactions, social media feeds, IT logs, and location-tracking events. With Amazon Kinesis Client Library (KCL), you can build Amazon Kinesis Applications and use streaming data to power real-time dashboards, generate alerts, implement dynamic pricing and advertising, and more.

Explanation

48 / 75

Your team has found that a client's load balancer needs to be configured with support for SSL offload using the default security policy. When negotiating the SSL connections between the client and the load balancer, you want the load balancer to determine which cipher is used for the SSL connection. Which actions perform this process on the load balancer? (Choose 3 answers)

Select a client configuration preference option

Enable SSL offload.

Select the default security policy.

Choose the server order preference option

Explanation

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration, known as a security policy, to negotiate SSL connections between a client and the load balancer. A security policy is a combination of SSL protocols, SSL ciphers, and the Server Order Preference option.

Explanation

49 / 75

One of your developers is creating an application that must upload large files to an S3 bucket. You suggest that they use the multipart upload feature. Which actions are required from the developer to complete a multipart upload? (Choose 2 answers)

Send a request to initiate a multipart upload

Create ordered ETag values to label each part.

Construct the final object from the parts.

Upload each part with an upload ID and a part number.

Explanation

When you send a request to initiate a multipart upload, Amazon S3 returns a response with an upload ID, which is a unique identifier for your multipart upload. You must include this upload ID whenever you upload parts, list the parts, complete an upload, or abort an upload. When uploading a part, in addition to the upload ID, you must specify a part number that uniquely identifies a part and its position in the object you are uploading. Amazon S3 returns an ETag header in its response. For each part upload, you must record the part number and the ETag value for use in each subsequent request.

Explanation

50 / 75

Which configuration is the best choice for high availability, disaster recovery, and cost-effectiveness in this scenario?

Explanation

51 / 75

A user is implementing resources for a group of separate batch processes to be completed during non-business hours. The process is predicted to take 6 hours to complete. This group of batch processing will require a compute-optimized instance, which is a different instance family than any deployed within your production environment. Which option is the right instance type and purchase option in this case, assuming the user performs the same task for the next twelve months?

A convertible reserved instance

An instance on an EC2 instance savings plan

An instance on a compute savings plan

A spot instance

Explanation

A spot instance is not the right instance type for this scenario. Spot instances would very likely be interrupted before a 6 hour job would be complete.

A convertible instance and a compute savings plan both offer up to 66 percent off, but an EC2 instance savings plan offers up to 72 percent discount.

Explanation

A spot instance is not the right instance type for this scenario. Spot instances would very likely be interrupted before a 6 hour job would be complete.

A convertible instance and a compute savings plan both offer up to 66 percent off, but an EC2 instance savings plan offers up to 72 percent discount.

52 / 75

Your team is developing an application using Elastic Beanstalk and discussing the most appropriate environment for deployment. What two types of environments can be created when using Elastic Beanstalk? (Choose 2 answers)

Load-balancing and auto-scaling environment

Multi-region, multiple-instance environment

Web worker environment

Single-instance environment

Explanation

In Elastic Beanstalk, you can create a load-balancing, autoscaling environment or a single-instance environment. The type of environment that you require depends on the application that you deploy. For example, you can develop and test an application in a single-instance environment to save costs and then upgrade that environment to a load-balancing, autoscaling environment when the application is ready for production.

Explanation

53 / 75

Your business is slowly migrating to the AWS cloud, but must continue to support its on-premises servers and networks while extending to the cloud. As a result, you are looking for every possible way to optimize costs while ensuring resources remain secure. In order to provide an extra layer of security, you would like for your servers hosted within your VPCs to communicate with other AWS services without leaving your VPC network. You would also like your on-premises servers to be able to connect to these same AWS services through your VPC instead of sending and receiving requests over the public internet. Which AWS networking service or component would satisfy these requirements?

VPC Gateway Endpoints

VPC Virtual Private Gateways

VPC Interface Endpoints

VPC Peering Connections

Explanation

With VPC Interface Endpoints, it is possible to connect to a number of AWS services both from resources within your Amazon VPC and from resources in your on-premises environment. This is not possible with VPC Gateway Endpoints.

Explanation

54 / 75

Your company is migrating its infrastructure to AWS. When considering the migration level effort required, you determine there are a select number of VMs that fall under the “very low effort” category. After considering third-party migration options, you decide to utilize available AWS tools. What tools are available for migrating VMs to the AWS cloud? (Choose 2 answers)

AWS Snowmobile

AWS S3 Import

AWS Snowball

AWS VM Import

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

Explanation

Both Snowball and VM Import can be used to migrate VMs. Snowball mitigates any bandwidth issues that may occur when using VM Import with standard Internet connections.

55 / 75

Having set up a website to automatically be redirected to a backup website if it fails, you realize that there are different types of failovers that are possible. You need all your resources to be available the majority of the time. Using Amazon Route 53 which configuration would best suit this requirement?

Active-passive failover

Active-active-passive and other mixed configurations.

None. Route 53 can't failover.

Active-active failover.

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets. Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries. Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If allof the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries. Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

56 / 75

You are a DBA at a rapidly growing company and you want to shorten failover time for your Amazon RDS SQL Server database. Which strategies will shorten failover time? (Choose 2 answers)

Ensure you have provisioned sufficient IOPS.

Configure the health check using shorter intervals.

Use smaller transactions

Use larger transactions.

Explanation

Recovery takes IOPS; therefore, insufficient IOPS will slow down failover time. Database recovery relies on transactions; therefore, smaller transactions will shorten failover time.

Explanation

Recovery takes IOPS; therefore, insufficient IOPS will slow down failover time. Database recovery relies on transactions; therefore, smaller transactions will shorten failover time.

57 / 75

You need to change a deployed Elastic Beanstalk environment to provide additional performance for EC2 instances that a client is currently running on their application. To change your instance count for Elastic Beanstalk, select the necessary steps (in any order). (Choose 3 answers)

Change the Minimum Instance Count and then Apply

Open a command prompt window and execute the command change-elastic-beanstock -env.

Choose Configuration and then choose Scaling.

Open the Elastic Beanstalk console and navigate to the management page

Explanation

Elastic Beanstalk environments can be changed after creation. For example, if you have a compute-intensive application, you can change the type of Amazon EC2 instance that is running your application. To do this, you use the Scaling option in the management page of the Elastic Beanstalk console and change the minimum instance count.

Explanation

58 / 75

None. Route 53 can't failover

Active-active failover

Active-active-passive and other mixed configurations

Active-passive failover

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets.

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

Explanation

You can set up a variety of failover configurations using Amazon Route 53 alias: weighted, latency, geolocation routing, and failover resource record sets.

Active-active failover: Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Amazon Route 53 can detect that it's unhealthy and stop including it when responding to queries.
Active-passive failover: Use this failover configuration when you want a primary group of resources to be available the majority of the time and you want a secondary group of resources to be on standby in case all of the primary resources become unavailable. When responding to queries, Amazon Route 53 includes only the healthy primary resources. If all of the primary resources are unhealthy, Amazon Route 53 begins to include only the healthy secondary resources in response to DNS queries.
Active-active-passive and other mixed configurations: You can combine alias and non-alias resource record sets to produce a variety of Amazon Route 53 behaviors.

59 / 75

You have successfully created your first WordPress blog that is hosted on an Amazon EC2 instance. You’ve noticed that when the public DNS address for your instance changes, it breaks your installation. What could you do to prevent this? (Choose 3 answers)

If you have a domain name, update the DNS record for the domain name to point to your Elastic IP address

Allocate an Elastic IP address for your Amazon instance

If you don’t have a domain name, create one using Amazon Route 53 and associate your instance’s Elastic IP address with the new domain name.

Allocate an EC2 instance

Explanation

To prevent the public DNS address for your instance from changing and breaking your installation, you can associate an Elastic IP address (EIP) to the instance you are using. You need to allocate an Elastic IP address for that instance (the first association is free). If you own a domain name and you want to use it for your blog, you can update the DNS record for the domain name to point to your EIP address. If you don't already have a domain name for your blog, you can register a domain name with Amazon Route 53 and associate your instance's EIP address with your domain name.

Explanation

60 / 75

You have configured an AWS cloud environment for an ecommerce company. This environment is heavily reliant upon being highly available as downtime will lose the company a great deal of money. You monitor this environment very closely with numerous CloudWatch alarms. Recently you are seeing 'InsufficientInstanceCapacity' errors during auto scaling attempts during peak hours from 4:00 - 9:00 pm EST. This is causing costly downtime. Which option will best handle this situation?

Scale up your RDS instance for more capacity

Increase the maximum size of you auto scaling group to add more capacity

Use spot instances in place of on-demand instances

Purchase Scheduled Reserved Instances for peak hours

Explanation

If you get an InsufficientInstanceCapacity error when you try to launch an instance or start a stopped instance, AWS does not currently have enough available capacity to service your request. In this situation, reserved instances offer the required reliability to avoid outages and loss of money. Reserved Instances are a long-term capacity reservation, and you will not have to rely on Amazon having enough on-demand capacity. Usually these capacity issues are short term, but due to the nature of the company even short outages can be very costly.

Explanation

61 / 75

After reviewing the reports from AWS Trusted Advisor, your company has decided to enable multi-factor authentication for IAM users and the root account. Which of the following MFA options can be used for both account types? (Choose 2 answers)

SNS Notification Service

A software-based Virtual MFA device

Hardware MFA Device

AWS Security Token Service

Explanation

For increased security, AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources. MFA adds extra security because it requires users to enter a unique authentication code from an approved authentication device or SMS text message when they access AWS websites or services. This type of MFA requires you to assign an MFA device (hardware or virtual) to the IAM user or the AWS root account.

Explanation

62 / 75

Your client has contacted you about an existing AWS cloud environment that they have. They have a large number of T2 large instances in a VPC but have statistics indicating they may need larger instances soon. Another consideration is the company's limited budget to add new instances and/or upgrade its current instances. However, they need to do something and are relying on you to provide a solution. This company has used its existing instances for over 3 years and expects a similar lifespan for any new solution.

What changes would best address the issues with their compute resources? (Choose 2 answers)

Upgrade to Enhanced Networking instances.

Use spot instances to supplement the existing instances.

Replace T2 large instances with large general purpose instances.

Upgrade to standard reserved instances

Explanation

T2 instances are Burstable Performance Instances that provide a baseline level of CPU performance with the ability to burst above the baseline. The baseline performance and ability to burst are governed by CPU Credits. M4 instances are the latest generation of General Purpose Instances. This family provides a balance of compute, memory, and network resources, and it is a good choice for many applications. In this instance, the only option which provides for growth while keeping costs in check is to upgrade to reserved M4 instances on a long term 3 year contract.

Explanation

63 / 75

You are working for a rapidly growing company that is using EC2 instances to process customer requests. There have been many instances of latency related to the high demand for specific EC2 instances. You are designing changes to the environment, including an Application Load Balancer to manage traffic demands. What ELB characteristics and best practices should you keep in mind? (Choose 2 answers)

It is recommended to reference an ELB by its DNS name instead of its IP address

Note that ELB in a VPC supports both IPv4 and IPv6.

For instances behind an ELB, do not bind an application to the instances IP address

It is recommended to reference an ELB by its MAC address instead of its DNS address.

Explanation

The IP address for a load balancer can frequently change as the service scales up and down in a process managed by the service. What this means is that the IP address you reference may change as the service scales - the hardware technically behind the load balancing service may have been reallocated. By using the DNS name, ELB can reference and translate that to the current load balancer's IP address.

The same goes for the binding the application to an instance's IP address - the actual instances handling requests can change at a moment's notice in the cloud, so rather than tying requests to a specific IP address, reference a DNS name and this will be translated to the current instance IP address.

Explanation

64 / 75

Your client wants to implement scalable but cost-effective storage while maintaining data security. You recommend using AWS Storage Gateway and set up an instance as a cached volume gateway for low latency. You immediately realize that you need to access the storage on the gateway. Which method would you use?

CIFS

iSCSI

Fibre

NFS

Explanation

AWS Storage Gateway enables applications that are clustered using Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access a gateway's volumes. However, connecting multiple hosts to the same iSCSI target is not supported. When using Red Hat Enterprise Linux (RHEL), you use the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets (volumes or VTL devices).

Explanation

65 / 75

You decide that you need to create a number of Auto Scaling groups to try and save some money as you have noticed that at certain times most of your EC2 instances are not being used. By default, what is the maximum number of Auto Scaling groups that AWS will allow you to create?

Unlimited

Explanation

Auto Scaling is an AWS service that allows you to increase or decrease the number of EC2 instances within your application's architecture. With Auto Scaling, you create collections of EC2 instances, called Auto Scaling groups. You can create these groups from scratch, or from existing EC2 instances that are already in production

Explanation

66 / 75

You are responsible for a web application where the web server instances are hosted in auto-scaling group. You discover the following after monitoring your application workload for the past year:

You need a minimum of nine EC2 instances to handle the lowest levels of activity during non-business hours.
During local business hours, you require between 12-16 instances.
Roughly 35 percent of non-business workload involves backend data processing and analysis.

With this information, what recommendations would you make to minimize operating costs while providing the required availability?

Purchase nine standard reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during non-business hours. Purchase spot instances to handle additional capacity needs

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 scheduled reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase spot instances to handle the data processing workload.

Purchase 6 standard reserved instances to handle minimum workload. Purchase 6 convertible reserved instances to run during local business hours, and on-demand instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Purchase nine convertible reserved instances to handle the minimum workload. Purchase three scheduled reserved instances to run during local business hours. Purchase spot instances to handle additional capacity needs. Purchase scheduled reserved instances to handle the data processing workload

Explanation

The spot instances are ideal for the data processing workload during non-business hours, and deducting those instances from your minimum workload requirements leaves roughly six instances that are running all day. Purchase six standard reserved instances to meet this need with the greatest discount. You can then schedule reserved instances to run during business hours to meet the increase, and on-demand instances to scale as needed while providing necessary availability.

Explanation

67 / 75

You are an engineer at a large bank, responsible for managing your firm’s AWS infrastructure. Your finance team has approached you, indicating their concern over the growing EC2 budget. They have asked you to identify strategies to reduce the EC2 spend by at least 25% before the next monthly billing cycle. How choices below could assist in accomplishing this? (Choose 3 answers)

Consolidate AWS accounts for billing.

Reduce or eliminate over-provisioned or unused instances.

Look for opportunities to use dedicated instances.

Look for opportunities to use reserved or spot instances.

Explanation

You can reduce EC2 spend by migrating to reserved/spot instances, eliminating/shrinking unused resources, or consolidating AWS accounts (to qualify for volume discounts). The paying account's use of consolidated billing can benefit from volume pricing discounts gained thru aggregate account usage.

Explanation

68 / 75

The total table size divided by 40 GB

The total RCU divided by 3000 + total WCU divided by 1000

The total RCU divided by 5000 + total WCU divided by 1000

The total table size divided by 10 GB

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

Explanation

DynamoDB tables are portioned based on the following: First, calculate total RCU/3000 + total WCU/1000. Then calculate the total size/10 GB. Then round up the higher of the two results.

69 / 75

TCO Calculator

Detailed Billing Reports

Cost Explorer

Trusted Advisor

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

Explanation

The TCO (Total Cost of Ownership) Calculator is used to calculate savings given information about the user’s current environment.

70 / 75

Your company allows technical personnel to manage their own S3 buckets. But there have been too many instances of users deleting important project related data. What additional steps can you take to prevent accidental deletion or overwriting of data? (Choose 3 answers)

Create read replicas.

Add MFA Delete

Add versioning

Add cross-region replication

Explanation

Amazon S3 storage offers very high durability, but it is still a best practice to protect against user level deletion or overwriting of data using versioning, cross-region replication, and MFA Delete.

Explanation

71 / 75

Your company wants to migrate an on-premises SQL Server DB to AWS RDS SQL Server. As the DBA, you have determined that your database can be offline while the backup is created, copied, and restored. You decide to use native backup and restore. Which steps are required during setup? (Choose 3 answers)

Add the SQLSERVER_BACKUP_RESTORE option to an option group on your DB instance.

Turn on compression for your backup files by running “exec rdsadmin..rds_set_configuration ‘S3 backup compression’, ‘true.’”

Create an Amazon S3 bucket for your backup files

Create an AWS IAM role for access to the S3 bucket

Explanation

There are three components you'll need to set up for native backup and restore: an Amazon S3 bucket to store your backup files; an AWS Identity and Access Management (IAM) role to access the bucket, and the SQLSERVER_BACKUP_RESTORE option added to an option group on your DB instance.

Explanation

72 / 75

Increase the size of instances in your launch configuration.

Decrease the length of your scaling cool down period

Increase the maximum number of instances in your auto-scaling group

Increase the length of your scaling cool down period

Explanation

73 / 75

In Elastic Load Balancing, what parameters determine the cost for the Application Load Balancer (ALB)? (Choose 2 answers)

Load Capacity Units (LCUs) used per hour

Only hours that an ELB is running and the amount of storage the instance takes

Each hour or partial hour that an ELB is running

GB of data transferred

Explanation

Application Load Balancer
You are charged for each hour or partial hour that an Application Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used per hour.

Network Load Balancer
You are charged for each hour or partial hour that a Network Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used by Network Load Balancer per hour.

Classic Load Balancer
You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.

Explanation

Application Load Balancer
You are charged for each hour or partial hour that an Application Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used per hour.

Classic Load Balancer
You are charged for each hour or partial hour that a Classic Load Balancer is running and for each GB of data transferred through your load balancer.

74 / 75

You are migrating your Oracle database using the AWS Database Migration Service. Due to a large amount of data being replicated, you need the replication process to be continuous. What must be changed on your replication instance to use ongoing replication?

Enable the Multi-AZ option on the replication instance.

Increase the number of tables that are cached in RAM.

Disable Multi-AZ on the target instance

Disable backups on the target instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

Explanation

Enabling the Multi-AZ option provides high availability and failover support for the replication instance

75 / 75

You are building a system to distribute confidential documents to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publically accessible from S3 directly?

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.

Add the CloudFront account security group "amazon-cf/amazon-cf-sg" to the appropriate S3 bucket policy.

Create an Identity and Access Management (IAM) User for CloudFront and grant access to the objects in your S3 bucket to that IAM User.

Create a S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target bucket as the Amazon Resource Name (ARN).

Explanation

You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. When your users access your Amazon S3 objects using CloudFront URLs, the CloudFront origin access identity gets the objects on your users' behalf. If your users try to access objects using Amazon S3 URLs, they're denied access. The origin access identity has permission to access objects in your Amazon S3 bucket, but users don't.

Explanation

Your score is

The average score is 14%

LinkedIn Facebook Twitter

Please rate your experience to help us improve !

Follow Us

Basic & Fundamentals

Recent Posts

Most Read

AWS Certified Solutions Architect Professional – Free Practice Tests

AWS Certified Solutions Architect Professional – Learning Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

AWS Certified Solutions Architect Professional – Exam Mode

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation

Explanation