Sysop

Test title: Sysop
Description: aws sysop
Author: Carlos Mafla
Created: 01/10/2019
Category: Computing
Number of questions: 857

Latest comments: there are no comments on this test yet.

Test content:
An organization has configured a VPC with an Internet Gateway (IGW), pairs of public and private subnets (each with one subnet per Availability Zone), and an Elastic Load Balancer (ELB) configured to use the public subnets. The application's web tier leverages the ELB, Auto Scaling and a multi-AZ RDS database instance. The organization would like to eliminate any potential single points of failure in this design. What step should you take to achieve this organization's objective?
- Nothing, there are no single points of failure in this architecture.
- Create and attach a second IGW to provide redundant internet connectivity.
- Create and configure a second Elastic Load Balancer to provide a redundant load balancer.
- Create a second multi-AZ RDS instance in another Availability Zone and configure replication to provide a redundant database.

When attached to an Amazon VPC, which two components provide connectivity with external networks? (Choose two.)
- Elastic IPs (EIP)
- NAT Gateway (NAT)
- Internet Gateway (IGW)
- Virtual Private Gateway (VGW)

Which of the following are characteristics of Amazon VPC subnets? (Choose two.)
- Each subnet maps to a single Availability Zone.
- A CIDR block mask of /25 is the smallest range supported.
- Instances in a private subnet can communicate with the internet only if they have an Elastic IP.
- By default, all subnets can route between each other, whether they are private or public.
- Each subnet spans at least 2 Availability Zones to provide a high-availability environment.

You are creating an Auto Scaling group whose instances need to insert a custom metric into CloudWatch. Which method would be the best way to authenticate your CloudWatch PUT request?
- Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances with that role.
- Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data.
- Modify the appropriate CloudWatch metric policies to allow the PutMetricData permission to instances from the Auto Scaling group.
- Create an IAM user with the PutMetricData permission, put the credentials in a private repository and have applications on the server pull the credentials as needed.
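The role-based answer to the question above rests on the instances obtaining temporary credentials (access key, secret key and a session token, served by the instance metadata service) and signing every PutMetricData call with them, so no long-lived key ever lands in User Data or a repository. The following is an added example, not code from the original page or from AWS: it builds a Signature Version 4 Authorization header for a CloudWatch Query-API PutMetricData request using only Python's standard library. The credentials, clock, namespace and metric values are constructed placeholders, and the metadata-service lookup that would supply real credentials is assumed to have already happened.

```python
"""Added example (not from the original page): Signature Version 4 for a
CloudWatch PutMetricData call using temporary (instance-role style)
credentials. Credentials and metric data below are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
from typing import Dict

# Placeholder temporary credentials of the shape an instance role yields.
# In production they come from the instance metadata service, never from code.
ACCESS_KEY = "ASIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLETOKEN"
REGION = "us-east-1"
SERVICE = "monitoring"

# Query-API body for PutMetricData (constructed sample metric).
BODY = ("Action=PutMetricData&Version=2010-08-01&Namespace=MyApp"
        "&MetricData.member.1.MetricName=QueueDepth"
        "&MetricData.member.1.Value=42&MetricData.member.1.Unit=Count")


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_put_metric_data(access_key: str, secret_key: str, session_token: str,
                         region: str, body: str, when: dt.datetime) -> Dict[str, str]:
    """Return the HTTP headers for a signed POST to the CloudWatch endpoint."""
    host = f"{SERVICE}.{region}.amazonaws.com"
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = when.strftime("%Y%m%d")
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()

    # Temporary credentials must send the session token as a signed header;
    # a request signed with a role's key but without the token is rejected.
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": session_token,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, payload_hash])

    scope = f"{date}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, SERVICE),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def sample_headers() -> Dict[str, str]:
    """Sign the sample body at a fixed clock so the result is reproducible."""
    return sign_put_metric_data(ACCESS_KEY, SECRET_KEY, SESSION_TOKEN, REGION, BODY,
                                dt.datetime(2019, 10, 1, 12, 0, 0))


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(f"{name}: {value}")
```

Two things the code makes concrete: the session token is part of the signed material, so credentials lifted from an instance cannot be reused once the token expires, and the signing key is derived from the date and service, so a captured signature is useless for another day or API. The launch configuration only needs an instance profile wrapping a role whose policy grants cloudwatch:PutMetricData; the SDKs and CLI do this signing for you.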
You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?
- Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block.
- Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block.
- Add a rule to all of the VPC's Security Groups to deny access from the IP address block.
- Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block.
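To see why a network ACL entry is the quick, temporary fix and a security group rule is not, here is an added example (not code from the page): a small simulator of how a numbered, stateless NACL rule set and an allow-only security group evaluate a scanner's packets. The scanner block 203.0.113.0/24, the rule numbers and the addresses are constructed.

```python
"""Added example (not from the original page): how a numbered, stateless VPC
network ACL and an allow-only security group evaluate traffic from a blocked
CIDR. Rule sets and the scanner address block are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ALL = "-1"  # AWS protocol value meaning "all protocols"


@dataclass(frozen=True)
class AclRule:
    number: int       # lower numbers are evaluated first; the '*' rule is last
    protocol: str     # "tcp", "udp", "icmp" or ALL
    cidr: str
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"


def evaluate_nacl(rules: List[AclRule], src_ip: str, protocol: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit '*' deny.
    Returns (action, number of the rule that decided)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol in (ALL, protocol)
        net_ok = ip in ipaddress.ip_network(rule.cidr, strict=False)
        port_ok = rule.protocol == ALL or rule.port_from <= port <= rule.port_to
        if proto_ok and net_ok and port_ok:
            return rule.action, str(rule.number)
    return "deny", "*"


@dataclass(frozen=True)
class SgRule:
    protocol: str
    cidr: str
    port_from: int
    port_to: int


def evaluate_security_group(rules: List[SgRule], src_ip: str, protocol: str, port: int) -> str:
    """Security groups hold only allow rules: any match allows and nothing can
    express 'deny this block'. They are also stateful, so return traffic needs no rule."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if (rule.protocol in (ALL, protocol)
                and ip in ipaddress.ip_network(rule.cidr, strict=False)
                and (rule.protocol == ALL or rule.port_from <= port <= rule.port_to)):
            return "allow"
    return "deny"


# Constructed public-subnet NACL. The deny for the scanner block must carry a
# lower number than the broad allow rules, otherwise rule 100 matches first.
SCANNER_BLOCK = "203.0.113.0/24"
PUBLIC_NACL = [
    AclRule(90, ALL, SCANNER_BLOCK, 0, 65535, "deny"),
    AclRule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    AclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    # NACLs are stateless: replies to outbound connections come back on ephemeral ports.
    AclRule(120, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]
WEB_SG = [SgRule("tcp", "0.0.0.0/0", 80, 80), SgRule("tcp", "0.0.0.0/0", 443, 443)]


def scanner_blocked_by_nacl(src_ip: str = "203.0.113.7") -> bool:
    return evaluate_nacl(PUBLIC_NACL, src_ip, "tcp", 80)[0] == "deny"


def scanner_blocked_by_sg(src_ip: str = "203.0.113.7") -> bool:
    return evaluate_security_group(WEB_SG, src_ip, "tcp", 80) == "deny"


if __name__ == "__main__":
    print("NACL blocks scanner:", scanner_blocked_by_nacl())
    print("SG blocks scanner:", scanner_blocked_by_sg())
    print("Legit client on 80:", evaluate_nacl(PUBLIC_NACL, "198.51.100.9", "tcp", 80))
    print("Legit client on 22:", evaluate_nacl(PUBLIC_NACL, "198.51.100.9", "tcp", 22))
```

The rule number is the part people get wrong: a deny numbered above the existing allow is never reached. On a real VPC the equivalent entry is one call per public-subnet ACL, for example `aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress --rule-number 90 --protocol -1 --rule-action deny --cidr-block 203.0.113.0/24`, and the 24-hour expiry means scheduling the matching `delete-network-acl-entry` rather than trusting someone to remember.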
You have a web application leveraging an Elastic Load Balancer (ELB) in front of the web servers deployed using an Auto Scaling Group. Your database is running on Relational Database Service (RDS). The application serves out technical articles and responses to them; in general there are more views of an article than there are responses to the article. On occasion, an article on the site becomes extremely popular, resulting in significant traffic increases that cause the site to go down. What could you do to help alleviate the pressure on the infrastructure while maintaining availability during these events? (Choose three.)
- Leverage CloudFront for the delivery of the articles.
- Add RDS read replicas for the read traffic going to your relational database.
- Leverage ElastiCache for caching the most frequently used data.
- Use SQS to queue up the requests for the technical posts and deliver them out of the queue.
- Use Route 53 health checks to fail over to an S3 bucket for an error page.

You need to design a VPC for a web application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database. The entire infrastructure must be distributed over 2 Availability Zones. Which VPC configuration works while assuring the database is not available from the Internet?
- One public subnet for the ELB, one public subnet for the web servers, and one private subnet for the database.
- One public subnet for the ELB, two private subnets for the web servers, and two private subnets for RDS.
- Two public subnets for the ELB, two private subnets for the web servers, and two private subnets for RDS.
- Two public subnets for the ELB, two public subnets for the web servers, and two public subnets for RDS.

An application that you are managing has EC2 instances and DynamoDB tables deployed to several AWS Regions. In order to monitor the performance of the application globally, you would like to see two graphs: 1) average CPU utilization across all EC2 instances; 2) number of throttled requests for all DynamoDB tables. How can you accomplish this?
- Tag your resources with the application name, and select the tag name as the dimension in the CloudWatch Management Console to view the respective graphs.
- Use the CloudWatch CLI tools to pull the respective metrics from each regional endpoint. Aggregate the data offline and store it for graphing in CloudWatch.
- Add SNMP traps to each instance and DynamoDB table. Leverage a central monitoring server to capture data from each instance and table. Put the aggregate data into CloudWatch for graphing.
- Add a CloudWatch agent to each instance and attach one to each DynamoDB table. When configuring the agent, set the appropriate application name and view the graphs in CloudWatch.

When assessing an organization's use of AWS API access credentials, which of the following three credentials should be evaluated? (Choose three.)
- Key pairs
- Console passwords
- Access keys
- Signing certificates
- Security Group memberships

Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? (Choose two.)
- Amazon Elastic MapReduce
- Elastic Load Balancing
- AWS Elastic Beanstalk
- Amazon ElastiCache
- Amazon Relational Database Service

You have a web-style application with a stateless but CPU- and memory-intensive web tier running on a cc2.8xlarge EC2 instance inside of a VPC. The instance, when under load, is having problems returning requests within the SLA as defined by your business. The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast. How can you best resolve the issue of the application responses not meeting your SLA?
- Add another cc2.8xlarge application instance, and put both behind an Elastic Load Balancer.
- Move the cc2.8xlarge to the same Availability Zone as the DynamoDB table.
- Cache the database responses in ElastiCache for more rapid access.
- Move the database from DynamoDB to RDS MySQL in a scale-out read-replica configuration.

You are managing a legacy application inside a VPC with hard-coded IP addresses in its configuration. Which two mechanisms will allow the application to fail over to new instances without the need for reconfiguration? (Choose two.)
- Create an ELB to reroute traffic to a failover instance.
- Create a secondary ENI that can be moved to a failover instance.
- Use Route 53 health checks to fail traffic over to a failover instance.
- Assign a secondary private IP address to the primary ENI that can be moved to a failover instance.

Which of the following statements about this S3 bucket policy is true? (The policy itself is not reproduced on this page.)
- Denies the server with the IP address 192.168.100.0 full access to the "mybucket" bucket.
- Denies the server with the IP address 192.168.100.188 full access to the "mybucket" bucket.
- Grants all the servers within the 192.168.100.0/24 subnet full access to the "mybucket" bucket.

Which of the following requires a custom CloudWatch metric to monitor?
- Data transfer of an EC2 instance
- Disk usage activity of an EC2 instance
- Memory utilization of an EC2 instance
- CPU utilization of an EC2 instance

You run a web application where web servers on EC2 instances are in an Auto Scaling group. Monitoring over the last 6 months shows that 6 web servers are necessary to handle the minimum load. During the day up to 12 servers are needed. Five to six days per year, the number of web servers required might go up to 15. What would you recommend to minimize costs while being able to provide high availability?
- 6 Reserved Instances (heavy utilization), 6 Reserved Instances (medium utilization), rest covered by On-Demand Instances.
- 6 Reserved Instances (heavy utilization), 6 On-Demand Instances, rest covered by Spot Instances.
- 6 Reserved Instances (heavy utilization), 6 Spot Instances, rest covered by On-Demand Instances.
- 6 Reserved Instances (heavy utilization), 6 Reserved Instances (medium utilization), rest covered by Spot Instances.

When creation of an EBS snapshot is initiated but not completed, the EBS volume:
- Cannot be detached or attached to an EC2 instance until the snapshot completes.
- Can be used in read-only mode while the snapshot is in progress.
- Can be used while the snapshot is in progress.
- Cannot be used until the snapshot completes.

You are using ElastiCache Memcached to store session state and cache database queries in your infrastructure. You notice in CloudWatch that Evictions and GetMisses are both very high. What two actions could you take to rectify this? (Choose two.)
- Increase the number of nodes in your cluster.
- Tweak the max_item_size parameter.
- Shrink the number of nodes in your cluster.
- Increase the size of the nodes in the cluster.

You are running a database on an EC2 instance, with the data stored on Elastic Block Store (EBS) for persistence. At times throughout the day, you are seeing large variance in the response times of the database queries. Looking into the instance with the iostat command you see a lot of wait time on the disk volume that the database's data is stored on. What two ways can you improve the performance of the database's storage while maintaining the current persistence of the data? (Choose two.)
- Move to an SSD-backed instance.
- Move the database to an EBS-Optimized instance.
- Use Provisioned IOPS EBS.
- Use the ephemeral storage on an m2.4xlarge instance instead.

You have decided to change the instance type for instances running in your application tier that are using Auto Scaling. In which area below would you change the instance type definition?
- Auto Scaling launch configuration
- Auto Scaling group
- Auto Scaling policy
- Auto Scaling tags

You have been asked to automate many routine systems administrator backup and recovery activities. Your current plan is to leverage AWS-managed solutions as much as possible and automate the rest with the AWS CLI and scripts. Which task would be best accomplished with a script?
- Creating daily EBS snapshots with a monthly rotation of snapshots
- Creating daily RDS snapshots with a monthly rotation of snapshots
- Automatically detect and stop unused or underutilized EC2 instances
- Automatically add Auto Scaled EC2 instances to an Amazon Elastic Load Balancer

Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password. Which two of the following options would allow an organization to enforce this policy for AWS users? (Choose two.)
- Configure multi-factor authentication for privileged IAM users.
- Create IAM users for privileged accounts.
- Implement identity federation between your organization's identity provider and AWS, leveraging the IAM Security Token Service.
- Enable the IAM single-use password policy option for privileged users.

A media company produces new video files on-premises every day with a total size of around 100 GB after compression. All files have a size of 1-2 GB and need to be uploaded to Amazon S3 every night in a fixed time window between 3am and 5am. The current upload takes almost 3 hours, although less than half of the available bandwidth is used. What step(s) would ensure that the file uploads are able to complete in the allotted time window?
- Increase your network bandwidth to provide faster throughput to S3.
- Upload the files in parallel to S3.
- Pack all files into a single archive, upload it to S3, then extract the files in AWS.
- Use AWS Import/Export to transfer the video files.

You use S3 to store critical data for your company. Several users within your group currently have full permissions to your S3 buckets. You need to come up with a solution that does not impact your users and also protects against the accidental deletion of objects. Which two options will address this issue? (Choose two.)
- Enable versioning on your S3 buckets.
- Configure your S3 buckets with MFA Delete.
- Create a bucket policy and only allow read-only permissions to all users at the bucket level.
- Enable object lifecycle policies and configure the data older than 3 months to be archived in Glacier.
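Versioning plus MFA Delete is the pair that protects the objects without touching the users' permissions. As an added example (not code from the page or from AWS), this Python model shows the object-level behaviour that makes that true: a plain DELETE on a versioned bucket only places a delete marker, the previous version stays recoverable, and permanently removing a version requires the MFA token once MFA Delete is on. The bucket, keys and token value are constructed, and the token check is a stand-in for the real x-amz-mfa "serial code" header.

```python
"""Added example (not from the original page): a model of S3 versioning and
MFA Delete semantics. Object data and the MFA token value are constructed."""
import itertools
from typing import Dict, List, Optional, Tuple


class VersionedBucket:
    """Each key maps to a list of (version_id, body); body None is a delete marker."""

    def __init__(self, mfa_delete: bool = False) -> None:
        self.mfa_delete = mfa_delete
        self._versions: Dict[str, List[Tuple[str, Optional[bytes]]]] = {}
        self._ids = itertools.count(1)

    def put(self, key: str, body: bytes) -> str:
        version_id = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((version_id, body))
        return version_id

    def get(self, key: str) -> bytes:
        """GET without a version id returns the newest version; a delete marker
        on top behaves like a missing object (404)."""
        versions = self._versions.get(key)
        if not versions or versions[-1][1] is None:
            raise KeyError(key)
        return versions[-1][1]

    def delete(self, key: str) -> str:
        """A simple DELETE on a versioned bucket adds a delete marker; no data is
        lost. This is the accidental-deletion protection versioning provides."""
        version_id = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append((version_id, None))
        return version_id

    def delete_version(self, key: str, version_id: str, mfa: Optional[str] = None) -> None:
        """Permanent removal of one version (or of a delete marker, which restores
        the object). With MFA Delete enabled the request must carry an MFA token."""
        if self.mfa_delete and not mfa:
            raise PermissionError("MFA Delete enabled: x-amz-mfa token required")
        versions = self._versions.get(key, [])
        self._versions[key] = [v for v in versions if v[0] != version_id]

    def list_versions(self, key: str) -> List[Tuple[str, bool]]:
        """Return (version_id, is_delete_marker), newest first."""
        return [(vid, body is None) for vid, body in reversed(self._versions.get(key, []))]


def accidental_delete_then_restore() -> Tuple[bool, bytes]:
    """Write, delete by mistake, confirm the object is hidden, then restore it by
    removing the delete marker. Returns (was_hidden, restored_body)."""
    bucket = VersionedBucket(mfa_delete=True)
    bucket.put("reports/q3.csv", b"critical data")
    marker = bucket.delete("reports/q3.csv")   # a user with full permissions does this by mistake
    try:
        bucket.get("reports/q3.csv")
        hidden = False
    except KeyError:
        hidden = True
    bucket.delete_version("reports/q3.csv", marker, mfa="123456 789012")  # constructed token
    return hidden, bucket.get("reports/q3.csv")


if __name__ == "__main__":
    print(accidental_delete_then_restore())
```

In real S3, MFA Delete also gates changing the bucket's versioning state, it can only be enabled by the root account using the CLI or API, and a lifecycle rule that expires noncurrent versions will still remove old versions on schedule, so size that window to the recovery time you need.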
An organization's security policy requires multiple copies of all critical data to be replicated across at least a primary and backup data center. The organization has decided to store some critical data on Amazon S3. Which option should you implement to ensure this requirement is met?
- Use the S3 copy API to replicate data between two S3 buckets in different regions.
- You do not need to implement anything since S3 data is automatically replicated between regions.
- Use the S3 copy API to replicate data between two S3 buckets in different facilities within an AWS Region.
- You do not need to implement anything since S3 data is automatically replicated between multiple facilities within an AWS Region.

When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes?
- Data will be deleted and will no longer be accessible.
- Data is automatically saved in an EBS volume.
- Data is automatically saved as an EBS snapshot.
- Data is unavailable until the instance is restarted.

Your team is excited about the use of AWS because now they have access to "programmable infrastructure". You have been asked to manage your AWS infrastructure in a manner similar to the way you might manage application code. You want to be able to deploy exact copies of different versions of your infrastructure, stage changes into different environments, revert back to previous versions, and identify what versions are running at any particular time (development, test, QA, production). Which approach addresses this requirement?
- Use cost allocation reports and AWS OpsWorks to deploy and manage your infrastructure.
- Use AWS CloudWatch metrics and alerts along with resource tagging to deploy and manage your infrastructure.
- Use AWS Elastic Beanstalk and a version control system like Git to deploy and manage your infrastructure.
- Use AWS CloudFormation and a version control system like Git to deploy and manage your infrastructure.

You have a server with a 500 GB Amazon EBS data volume. The volume is 80% full. You need to back up the volume at regular intervals and be able to re-create the volume in a new Availability Zone in the shortest time possible. All applications using the volume can be paused for a period of a few minutes with no discernible user impact. Which of the following backup methods will best fulfill your requirements?
- Take periodic snapshots of the EBS volume.
- Use a third-party incremental backup application to back up to Amazon Glacier.
- Periodically back up all data to a single compressed archive and archive it to Amazon S3 using a parallelized multi-part upload.
- Create another EBS volume in the second Availability Zone, attach it to the Amazon EC2 instance, and use a disk manager to mirror the two disks.

Your company is moving towards tracking web page users with a small tracking image loaded on each page. Currently you are serving this image out of US-East, but are starting to get concerned about the time it takes to load the image for users on the west coast. What are the two best ways to speed up serving this image? (Choose two.)
- Use Route 53's Latency Based Routing and serve the image out of US-West-2 as well as US-East-1.
- Serve the image out through CloudFront.
- Serve the image out of S3 so that it isn't being served off of your web application tier.
- Use EBS PIOPS to serve the image faster out of your EC2 instances.

A customer has a web application that uses cookie-based sessions to track logged-in users. It is deployed on AWS using ELB and Auto Scaling. The customer observes that when load increases, Auto Scaling launches new instances but the load on the existing instances does not decrease, causing all existing users to have a sluggish experience. Which two answer choices independently describe a behavior that could be the cause of the sluggish user experience? (Choose two.)
- ELB's normal behavior sends requests from the same user to the same backend instance.
- ELB's behavior when sticky sessions are enabled causes ELB to send requests in the same session to the same backend instance.
- A faulty browser is not honoring the TTL of the ELB DNS name.
- The web application uses long polling such as Comet or WebSockets, thereby keeping a connection open to a web server for a long time.

How can the domain's zone apex, for example "myzoneapexdomain.com", be pointed towards an Elastic Load Balancer?
- By using an AAAA record
- By using an A record
- By using an Amazon Route 53 CNAME record
- By using an Amazon Route 53 Alias record

An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?
- The organization should create a separate login ID but give the IAM users the same alias so that each one can log in with their alias.
- The organization should create each user in a separate region so that they have their own URL to log in.
- It is not possible to have the same login ID for multiple IAM users of the same account.
- The organization should create various groups and add each user with the same login ID to different groups. The user can log in with their own group ID.

A user is planning to evaluate AWS for their internal use. The user does not want to incur any charge on his account during the evaluation. Which of the below mentioned AWS services would incur a charge if used?
- AWS S3 with 1 GB of storage
- AWS micro instance running 24 hours daily
- AWS ELB running 24 hours a day
- AWS PIOPS volume of 10 GB size

A user has recently started using EC2. The user launched one EC2 instance in the default subnet in EC2-VPC. Which of the below mentioned options is not attached or available with the EC2 instance when it is launched?
- Public IP address
- Internet gateway
- Elastic IP
- Private IP address

A user has launched an EC2 instance. The user is planning to set up a CloudWatch alarm. Which of the below mentioned actions is not supported by the CloudWatch alarm?
- Notify the Auto Scaling launch config to scale up
- Send an SMS using SNS
- Notify the Auto Scaling group to scale down
- Stop the EC2 instance

A user has set up a billing alarm using CloudWatch for $200. The usage of AWS exceeded $200 after some days. The user wants to increase the limit from $200 to $400. What should the user do?
- Create a new alarm of $400 and link it with the first alarm.
- It is not possible to modify the alarm once it has crossed the usage limit.
- Update the alarm to set the limit at $400 instead of $200.
- Create a new alarm for the additional $200 amount.

A sys admin has created the below mentioned policy and applied it to an S3 object named aws.jpg. The aws.jpg is inside a bucket named cloudacademy. What does this policy define? (The policy itself is not reproduced on this page.)
- It is not possible to define a policy at the object level.
- It will make all the objects of the bucket cloudacademy public.
- It will make the bucket cloudacademy public.
- It will make the aws.jpg object public.
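The two policy questions on this page (the IP-conditioned "mybucket" policy and the object-scoped cloudacademy/aws.jpg policy above) come down to three rules: which ARNs a statement's Resource covers, whether its Condition holds for the caller, and an explicit Deny beating any Allow. The following is an added example, not code from the page or from AWS: a minimal evaluator for that subset of the policy language, run against two constructed policies in the shape those questions describe (the page does not reproduce the real ones). Principal matching is left out because both samples use Principal "*".

```python
"""Added example (not from the original page): a minimal evaluator for the
subset of S3 bucket-policy logic the questions above exercise. Policies,
addresses and ARNs are constructed samples; principal matching is omitted
because both sample policies use Principal "*"."""
import ipaddress
import re
from typing import Any, Dict, List

# Constructed stand-in for the "mybucket" policy: allow the 192.168.100.0/24
# subnet full access, but explicitly deny one host inside it.
MYBUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SubnetFullAccess", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "192.168.100.0/24"}}},
        {"Sid": "DenyOneHost", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "192.168.100.188/32"}}},
    ],
}

# Constructed stand-in for a public-read policy scoped to cloudacademy/aws.jpg.
OBJECT_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::cloudacademy/aws.jpg"}],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str) -> bool:
    """Policy wildcards: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition: Dict[str, Any], context: Dict[str, str]) -> bool:
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr, strict=False)
                    for cidr in _as_list(wanted))
                if operator == "IpAddress" and not in_range:
                    return False
                if operator == "NotIpAddress" and in_range:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate(policy: Dict[str, Any], action: str, resource_arn: str,
             context: Dict[str, str]) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # a matching Deny ends evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    for ip in ("192.168.100.5", "192.168.100.188", "10.0.0.7"):
        print(ip, evaluate(MYBUCKET_POLICY, "s3:GetObject",
                           "arn:aws:s3:::mybucket/report.csv", {"aws:SourceIp": ip}))
    print("aws.jpg:", evaluate(OBJECT_POLICY, "s3:GetObject", "arn:aws:s3:::cloudacademy/aws.jpg", {}))
    print("other.jpg:", evaluate(OBJECT_POLICY, "s3:GetObject", "arn:aws:s3:::cloudacademy/other.jpg", {}))
```

Note what the object policy does not do: a Resource of arn:aws:s3:::cloudacademy/aws.jpg matches that one key only, so neither the bucket itself nor any other object becomes public. A real request is also checked against the caller's IAM policies, bucket and object ACLs and the account's Block Public Access settings, and a request arriving without a resolvable source address fails an IpAddress condition rather than passing it.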
A user is trying to aggregate all the CloudWatch metric data of the last 1 week. Which of the below mentioned statistics is not available for the user as a part of data aggregation?
- Aggregate
- Sum
- Sample data
- Average

A user has created a subnet with VPC and launched an EC2 instance in that subnet with only default settings. Which of the below mentioned options is ready to use on the EC2 instance as soon as it is launched?
- Elastic IP
- Private IP
- Public IP
- Internet gateway

An admin is planning to monitor the ELB. Which of the below mentioned services does not help the admin capture the monitoring information about the ELB activity?
- ELB access logs
- ELB health check
- CloudWatch metrics
- ELB API calls with CloudTrail

A user is trying to understand AWS SNS. To which of the below mentioned endpoints is SNS unable to send a notification?
- Email JSON
- HTTP
- AWS SQS
- AWS SES

A system admin is planning to set up event notifications on RDS. Which of the below mentioned services will help the admin set up notifications?
- AWS SES
- AWS CloudTrail
- AWS CloudWatch
- AWS SNS

An organization wants to move to the Cloud. They are looking for a secure encrypted database storage option. Which of the below mentioned AWS functionalities helps them to achieve this?
- AWS MFA with EBS
- AWS EBS encryption
- Multi-tier encryption with Redshift
- AWS S3 server side storage

A user wants to disable connection draining on an existing ELB. Which of the below mentioned statements helps the user disable connection draining on the ELB?
- The user can only disable connection draining from the CLI.
- It is not possible to disable the connection draining feature once enabled.
- The user can disable the connection draining feature from the EC2 -> ELB console or from the CLI.
- The user needs to stop all instances before disabling connection draining.

A user has created an S3 bucket which is not publicly accessible. The bucket has thirty objects which are also private. If the user wants to make the objects public, how can he configure this with minimal effort?
- The user should select all objects from the console and apply a single policy to mark them public.
- The user can write a program which programmatically makes all objects public using the S3 SDK.
- Set the AWS bucket policy which marks all objects as public.
- Make the bucket ACL public so it will also mark all objects as public.

An organization, which has the AWS account ID 999988887777, has created 50 IAM users. All the users are added to the same group cloudacademy. If the organization has enabled that each IAM user can log in with the AWS console, which AWS login URL will the IAM users use?
- https://999988887777.signin.aws.amazon.com/console/
- https://signin.aws.amazon.com/cloudacademy/
- https://cloudacademy.signin.aws.amazon.com/999988887777/console/
- https://999988887777.aws.amazon.com/cloudacademy/

A user has set up connection draining with ELB to allow in-flight requests to continue while the instance is being deregistered through Auto Scaling. If the user has not specified the draining time, how long will ELB allow in-flight request traffic to continue?
- 600 seconds
- 3600 seconds
- 300 seconds
- 0 seconds

A sys admin has created a shopping cart application and hosted it on EC2. The EC2 instances are running behind ELB. The admin wants to ensure that the end user request will always go to the EC2 instance where the user session has been created. How can the admin configure this?
- Enable ELB cross-zone load balancing
- Enable ELB cookie setup
- Enable ELB sticky sessions
- Enable ELB connection draining

A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?
- Route 53
- AWS Mechanical Turk
- Auto Scaling
- AWS EMR

An organization has been using AWS for a few months. The finance team wants to visualize the pattern of AWS spending. Which of the below AWS tools will help with this requirement?
- AWS Cost Manager
- AWS Cost Explorer
- AWS CloudWatch
- AWS Consolidated Billing

A user has launched an ELB which has 5 instances registered with it. The user deletes the ELB by mistake. What will happen to the instances?
- ELB will ask the user whether to delete the instances or not.
- Instances will be terminated.
- ELB cannot be deleted if it has running instances registered with it.
- Instances will keep running.

A user has configured the AWS CloudWatch alarm for estimated usage charges in the US East region. Which of the below mentioned statements is not true with respect to the estimated charges?
- It will store the estimated charges data of the last 14 days.
- It will include the estimated charges of every AWS service.
- The metric data will represent the data of all the regions.
- The metric data will show data specific to that region.

An organization is generating digital policy files which are required by the admins for verification. Once the files are verified they may not be required in the future unless there is some compliance issue. If the organization wants to save them in a cost-effective way, which is the best possible solution?
- AWS RRS
- AWS S3
- AWS RDS
- AWS Glacier

An organization has configured custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using the CLI as well as the SDK. How can the user track the calls made to CloudWatch?
- The user can enable logging with CloudWatch which logs all the activities.
- Use CloudTrail to monitor the API calls.
- Create an IAM user and allow each user to log the data using the S3 bucket.
- Enable detailed monitoring with CloudWatch.

A user has launched a large EBS-backed EC2 instance in the US-East-1a zone. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR?
- Copy the running instance using the "Instance Copy" command to the EU region.
- Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI.
- Copy the instance from the US East region to the EU region.
- Use the "Launch more like this" option to copy the instance from one region to another.

A user has created numerous EBS volumes. What is the general limit for each AWS account for the maximum number of EBS volumes that can be created?
- 10000
- 5000
- 100
- 1000

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet with CIDR 20.0.0.0/24 and a VPN-only subnet with CIDR 20.0.1.0/24, along with the VPN gateway (vgw-12345) to connect to the user's data center. Which of the below mentioned options is a valid entry for the main route table in this scenario?
- Destination: 20.0.0.0/24 and Target: vgw-12345
- Destination: 20.0.0.0/16 and Target: ALL
- Destination: 20.0.1.0/16 and Target: vgw-12345
- Destination: 0.0.0.0/0 and Target: vgw-12345
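Each of the four candidate entries above fails or passes for a different reason (a destination that is not a valid prefix, a target that is not a gateway, a destination already covered by the VPC's own local route), and once a table is valid the next hop for any packet is chosen by longest prefix match. The following is an added example, not code from the page or from AWS: a validator for proposed entries against this 20.0.0.0/16 VPC plus a longest-prefix-match lookup over the main route table the wizard would leave for a VPN-only subnet. The VPC CIDR, subnets and gateway id are the question's; the on-premises addresses are constructed.

```python
"""Added example (not from the original page): validating candidate route
table entries for a 20.0.0.0/16 VPC and resolving next hops by longest
prefix match. The VPC, subnets and gateway id mirror the question above;
the validation rules are the ones that question relies on."""
import ipaddress
import re
from typing import List, Tuple

VPC_CIDR = "20.0.0.0/16"
TARGET_ID = re.compile(r"^(local|igw-[0-9a-f]+|vgw-[0-9a-f]+|nat-[0-9a-f]+|"
                       r"eni-[0-9a-f]+|i-[0-9a-f]+|pcx-[0-9a-f]+)$")


def validate_route(destination: str, target: str, vpc_cidr: str = VPC_CIDR) -> Tuple[bool, str]:
    """Return (valid, reason) for one proposed entry."""
    try:
        dest = ipaddress.ip_network(destination)   # strict: host bits set is an error
    except ValueError as exc:
        return False, f"destination is not a network prefix: {exc}"
    vpc = ipaddress.ip_network(vpc_cidr)
    if not TARGET_ID.match(target):
        return False, f"'{target}' is not a route target"
    if dest == vpc:
        if target == "local":
            return True, "ok (the implicit local route)"
        return False, "the VPC CIDR route is always 'local' and cannot be changed"
    if dest.subnet_of(vpc):
        return False, "inside the VPC CIDR: traffic is already handled by the local route"
    if target == "local":
        return False, "'local' only applies to the VPC CIDR"
    return True, "ok"


def next_hop(routes: List[Tuple[str, str]], dst_ip: str) -> str:
    """Longest prefix match, which is how a VPC route table picks a route."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for destination, target in routes:
        net = ipaddress.ip_network(destination)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise LookupError(f"no route for {dst_ip}")
    return best[1]


# The four options from the question, in order.
CANDIDATES = [("20.0.0.0/24", "vgw-12345"), ("20.0.0.0/16", "ALL"),
              ("20.0.1.0/16", "vgw-12345"), ("0.0.0.0/0", "vgw-12345")]


def valid_candidates() -> List[Tuple[str, str]]:
    return [c for c in CANDIDATES if validate_route(*c)[0]]


# Main route table as the wizard leaves it for a VPN-only subnet: the implicit
# local route plus a default route to the virtual private gateway.
MAIN_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "vgw-12345")]

if __name__ == "__main__":
    for dest, target in CANDIDATES:
        print(dest, target, validate_route(dest, target))
    print(next_hop(MAIN_ROUTE_TABLE, "20.0.1.25"))   # host in the VPN-only subnet
    print(next_hop(MAIN_ROUTE_TABLE, "10.10.0.9"))    # constructed on-premises address
```

One caveat on the "inside the VPC CIDR" rule: newer VPC route tables do accept routes more specific than the local route toward certain middlebox targets such as a network interface or Gateway Load Balancer endpoint; the validator follows the rules this question assumes, where the local route always wins for addresses inside the VPC.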
A user has enabled the Multi AZ feature with the MS SQL RDS database server. Which of the below mentioned statements will help the user understand the Multi AZ feature better? In a Multi AZ, AWS runs two DBs in parallel and copies the data asynchronously to the replica copy In a Multi AZ, AWS runs two DBs in parallel and copies the data synchronously to the replica copy In a Multi AZ, AWS runs just one DB but copies the data synchronously to the standby replica AWS MS SQL does not support the Multi AZ feature.
An organization is using cost allocation tags to find the cost distribution of different departments and projects. One of the instances has two separate tags with the key/ value as “InstanceName/HR”, “CostCenter/HR”. What will AWS do in this case? InstanceName is a reserved tag for AWS. Thus, AWS will not allow this tag AWS will not allow the tags as the value is the same for different keys AWS will allow tags but will not show correctly in the cost allocation report due to the same value of the two separate keys AWS will allow both the tags and show properly in the cost distribution report.
A user is publishing custom metrics to CloudWatch. Which of the below mentioned statements will help the user understand the functionality better? The user can use the CloudWatch Import tool The user should be able to see the data in the console after around 15 minutes If the user is uploading the custom data, the user must supply the namespace, timezone, and metric name as part of the command The user can view as well as upload data using the console, CLI and APIs.
A user is launching an EC2 instance in the US East region. Which of the below mentioned options is recommended by AWS with respect to the selection of the availability zone? Always select the US-East-1-a zone for HA Do not select the AZ; instead let AWS select the AZ The user can never select the availability zone while launching an instance Always select the AZ while launching an instance.
A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH? Allow Inbound traffic on port 22 from the user’s network The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP The user can connect to a instance in a private subnet using the NAT instance Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the Internet.
A user has created an ELB with the availability zone US-East-1. The user wants to add more zones to ELB to achieve High Availability. How can the user add more zones to the existing ELB? It is not possible to add more zones to the existing ELB The only option is to launch instances in different zones and add to ELB The user should stop the ELB and add zones and instances as required The user can add zones on the fly from the AWS console.
A user has setup Auto Scaling with ELB on the EC2 instances. The user wants to configure that whenever the CPU utilization is below 10%, Auto Scaling should remove one instance. How can the user configure this? The user can get an email using SNS when the CPU utilization is less than 10%. The user can use the desired capacity of Auto Scaling to remove the instance Use CloudWatch to monitor the data and Auto Scaling to remove the instances using scheduled actions Configure CloudWatch to send a notification to Auto Scaling Launch configuration when the CPU utilization is less than 10% and configure the Auto Scaling policy to remove the instance Configure CloudWatch to send a notification to the Auto Scaling group when the CPU Utilization is less than 10% and configure the Auto Scaling policy to remove the instance.
A user has enabled detailed CloudWatch metric monitoring on an Auto Scaling group. Which of the below mentioned metrics will help the user identify the total number of instances in an Auto Scaling group including pending, terminating and running instances? GroupTotalInstances GroupSumInstances It is not possible to get a count of all the three metrics together. The user has to find the individual number of running, terminating and pending instances and sum it GroupInstancesCount.
A user is trying to configure the CloudWatch billing alarm. Which of the below mentioned steps should be performed by the user for the first time alarm creation in the AWS Account Management section? Enable Receiving Billing Reports Enable Receiving Billing Alerts Enable AWS billing utility Enable CloudWatch Billing Threshold.
A user is checking the CloudWatch metrics from the AWS console. The user notices that the CloudWatch data is coming in UTC. The user wants to convert the data to a local time zone. How can the user perform this? In the CloudWatch dashboard the user should set the local time zone so that CloudWatch shows the data only in the local time zone In the CloudWatch console select the local time zone under the Time Range tab to view the data as per the local timezone The CloudWatch data is always in UTC; the user has to manually convert the data The user should have sent the local time zone while uploading the data so that CloudWatch will show the data only in the local time zone.
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a connection time out error. Which of the below mentioned options is not a possible reason for rejection? The access key to connect to the instance is wrong The security group is not configured properly The private key used to launch the instance is not correct The instance CPU is heavily loaded.
A user has configured Elastic Load Balancing by enabling a Secure Sockets Layer (SSL) negotiation configuration known as a Security Policy. Which of the below mentioned options is not part of this security policy while negotiating the SSL connection between the user and the client? SSL Protocols Client Order Preference SSL Ciphers Server Order Preference.
A user has configured CloudWatch monitoring on an EBS backed EC2 instance. If the user has not attached any additional device, which of the below mentioned metrics will always show a 0 value? DiskReadBytes NetworkIn NetworkOut CPUUtilization.
A user has created a queue named “myqueue” in the US-East region with AWS SQS. The user’s AWS account ID is 123456789012. If the user wants to perform some action on this queue, which of the below Queue URLs should he use? http://sqs.us-east-1.amazonaws.com/123456789012/myqueue http://sqs.amazonaws.com/123456789012/myqueue http://sqs.123456789012.us-east-1.amazonaws.com/myqueue http://123456789012.sqs.us-east-1.amazonaws.com/myqueue.
A sys admin is trying to understand EBS snapshots. Which of the below mentioned statements will not be useful to the admin to understand the concepts about a snapshot? The snapshot is synchronous It is recommended to stop the instance before taking a snapshot for consistent data The snapshot is incremental The snapshot captures the data that has been written to the hard disk when the snapshot command was executed.
A root account owner has created an S3 bucket testmycloud. The account owner wants to allow everyone to upload the objects as well as enforce that the person who uploaded the object should manage the permission of those objects. Which is the easiest way to achieve this? The root account owner should create a bucket policy which allows the IAM users to upload the object The root account owner should create the bucket policy which allows the other account owners to set the object policy of that bucket The root account should use ACL with the bucket to allow everyone to upload the object The root account should create the IAM users and provide them the permission to upload content to the bucket.
An organization has set up consolidated billing with 3 different AWS accounts. Which of the below mentioned advantages will the organization receive in terms of the AWS pricing? The consolidated billing does not bring any cost advantage for the organization All AWS accounts will be charged for S3 storage by combining the total storage of each account The EC2 instances of each account will receive a total of 750*3 micro instance hours free The free usage tier for all the 3 accounts will be 3 years and not a single year.
A user has set up an EBS backed instance and a CloudWatch alarm when the CPU utilization is more than 65%. The user has set up the alarm to watch it for 5 periods of 5 minutes each. The CPU utilization is 60% between 9 AM and 6 PM. The user has stopped the EC2 instance for 15 minutes between 11 AM and 11:15 AM. What will be the status of the alarm at 11:30 AM? Alarm OK Insufficient Data Error.
A user is running one instance for only 3 hours every day. The user wants to save some cost with the instance. Which of the below mentioned Reserved Instance categories is advised in this case? The user should not use RI; instead only go with the on-demand pricing The user should use the AWS high utilized RI The user should use the AWS medium utilized RI The user should use the AWS low utilized RI.
A user is trying to set up a recurring Auto Scaling process. The user has set up one process to scale up every day at 8 AM and scale down at 7 PM. The user is trying to set up another recurring process which scales up on the 1st of every month at 8 AM and scales down the same day at 7 PM. What will Auto Scaling do in this scenario? Auto Scaling will execute both processes but will add just one instance on the 1st Auto Scaling will add two instances on the 1st of the month Auto Scaling will schedule both the processes but execute only one process randomly Auto Scaling will throw an error since there is a conflict in the schedule of two separate Auto Scaling Processes.
A user is planning to set up infrastructure on AWS for the Christmas sales. The user is planning to use Auto Scaling based on the schedule for proactive scaling. What advice would you give to the user? It is good to schedule now because if the user forgets later on it will not scale up The scaling should be set up only one week before Christmas Wait till the end of November before scheduling the activity It is not advisable to use schedule-based scaling.
A user has created an ELB with Auto Scaling. Which of the below mentioned offerings from ELB helps the user to stop sending new request traffic from the load balancer to the EC2 instance when the instance is being deregistered, while continuing in-flight requests? ELB sticky session ELB deregistration check ELB connection draining ELB auto registration.
You are managing the AWS account of a big organization. The organization has more than 1000 employees and they want to provide access to the various services to most of the employees. Which of the below mentioned options is the best possible solution in this case? The user should create a separate IAM user for each employee and provide access to them as per the policy The user should create an IAM role and attach STS with the role. The user should attach that role to the EC2 instance and set up AWS authentication on that server The user should create IAM groups as per the organization’s departments and add each user to the group for better access control Attach an IAM role with the organization’s authentication service to authorize each user for various AWS services.
A user has configured a VPC with a new subnet. The user has created a security group. The user wants to configure that instances of the same subnet communicate with each other. How can the user configure this with the security group? There is no need for a security group modification as all the instances can communicate with each other inside the same subnet Configure the subnet as the source in the security group and allow traffic on all the protocols and ports Configure the security group itself as the source and allow traffic on all the protocols and ports The user has to use VPC peering to configure this.
A user is launching an instance. He is on the “Tag the instance” screen. Which of the below mentioned information will not help the user understand the functionality of an AWS tag? Each tag will have a key and value The user can apply tags to the S3 bucket The maximum value of the tag key length is 64 Unicode characters AWS tags are used to find the cost distribution of various resources.
A user has set up a web application on EC2. The user is generating a log of the application performance every second. There are multiple entries for each second. If the user wants to send that data to CloudWatch every minute, what should he do? The user should send only the data of the 60th second as CloudWatch will map the received data timezone with the sent data timezone It is not possible to send the custom metric to CloudWatch every minute Give CloudWatch the Min, Max, Sum, and SampleCount of a number of every minute Calculate the average of one minute and send the data to CloudWatch.
An AWS root account owner is trying to create a policy to access RDS. Which of the below mentioned statements is true with respect to the above information? Create a policy which allows the users to access RDS and apply it to the RDS instances The user cannot access the RDS database if he is not assigned the correct IAM policy The root account owner should create a policy for the IAM user and give him access to the RDS services The policy should be created for the user and provide access for RDS.
A user is using a small MySQL RDS DB. The user is experiencing high latency due to the Multi AZ feature. Which of the below mentioned options may not help the user in this situation? Schedule the automated backup in non-working hours Use a large or higher size instance Use PIOPS Take a snapshot from the standby replica.
A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned credentials is not required while creating the AMI? AWS account ID X.509 certificate and private key AWS login ID to login to the console Access key and secret access key.
A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario? It will not allow the VPC to be deleted as it has subnets with route tables It will not allow the VPC to be deleted since it has a running route instance It will terminate the VPC along with all the instances launched by the wizard It will not allow the VPC to be deleted since it has a running NAT instance.
An organization is measuring the latency of an application every minute and storing data inside a file in the JSON format. The organization wants to send all latency data to AWS CloudWatch. How can the organization achieve this? The user has to parse the file before uploading data to CloudWatch It is not possible to upload the custom data to CloudWatch The user can supply the file as an input to the CloudWatch command The user can use the CloudWatch Import command to import data from the file to CloudWatch.
A user has launched an RDS PostgreSQL DB with AWS. The user did not specify the maintenance window during creation. The user has configured RDS to update the DB instance type from micro to large. If the user wants to have it during the maintenance window, what will AWS do? AWS will not allow the DB to be updated until the maintenance window is configured AWS will select the default maintenance window if the user has not provided it AWS will ask the user to specify the maintenance window during the update It is not possible to change the DB size from micro to large with RDS.
A user has created a VPC with CIDR 20.0.0.0/16 using the VPC Wizard. The user has created a public subnet CIDR (20.0.0.0/24) and a VPN only subnet CIDR (20.0.1.0/24) along with the hardware VPN access to connect to the user’s data center. Which of the below mentioned components is not present when the VPC is set up with the wizard? Main route table attached to a VPN only subnet A NAT instance configured to allow the VPN subnet instances to connect with the internet Custom route table attached to a public subnet An internet gateway for a public subnet.
A user has set up an Auto Scaling group. The group has failed to launch a single instance for more than 24 hours. What will happen to Auto Scaling in this condition? Auto Scaling will keep trying to launch the instance for 72 hours Auto Scaling will suspend the scaling process Auto Scaling will start an instance in a separate region The Auto Scaling group will be terminated automatically.
A user is planning to set up the Multi AZ feature of RDS. Which of the below mentioned conditions won't take advantage of the Multi AZ feature? Availability zone outage A manual failover of the DB instance using Reboot with failover option Region outage When the user changes the DB instance’s server type.
A user is using CloudFormation to launch an EC2 instance and then configure an application after the instance is launched. The user wants the stack creation of ELB and Auto Scaling to wait until the EC2 instance is launched and configured properly. How can the user configure this? It is not possible that the stack creation will wait until one service is created and launched The user can use the HoldCondition resource to wait for the creation of the other dependent resources The user can use the DependentCondition resource to hold the creation of the other dependent resources The user can use the WaitCondition resource to hold the creation of the other dependent resources.
An organization has configured two single availability zones. The Auto Scaling groups are configured in separate zones. The user wants to merge the groups such that one group spans across multiple zones. How can the user configure this? Run the command as-join-auto-scaling-group to join the two groups Run the command as-update-auto-scaling-group to configure one group to span across zones and delete the other group Run the command as-copy-auto-scaling-group to join the two groups Run the command as-merge-auto-scaling-group to merge the groups.
An AWS account wants to be part of the consolidated billing of his organization’s payee account. How can the owner of that account achieve this? The payee account has to request AWS support to link the other accounts with his account The owner of the linked account should add the payee account to his master account list from the billing console The payee account will send a request to the linked account to be a part of consolidated billing The owner of the linked account requests the payee account to add his account to consolidated billing.
A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. What does this policy define? It will make the cloudacademy bucket as well as all its objects as public It will allow everyone to view the ACL of the bucket It will give an error as no object is defined as part of the policy while the action defines the rule about the object It will make the cloudacademy bucket as public.
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it? The zone can only be modified using the AWS CLI Create an AMI of the running instance and launch the instance in a separate AZ Stop one of the instances and change the availability zone From the AWS EC2 console, select Actions -> Change zones and specify the new zone.
An organization (account ID 123412341234) has configured the IAM policy to allow the user to modify his credentials. What will the below mentioned statement allow the user to perform? The IAM policy will throw an error due to an invalid resource name The IAM policy will allow the user to subscribe to any IAM group Allow the IAM user to update the membership of the group called TestingGroup Allow the IAM user to delete the TestingGroup.
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection? The user has provided the wrong user name for the OS login The instance CPU is heavily loaded The security group is not configured properly The access key to connect to the instance is wrong.
A user has hosted an application on EC2 instances. The EC2 instances are configured with ELB and Auto Scaling. The application server session time out is 2 hours. The user wants to configure connection draining to ensure that all in-flight requests are supported by ELB even though the instance is being deregistered. What time out period should the user specify for connection draining? 5 minutes 1 hour 30 minutes 2 hours.
A user is using AWS EC2. The user wants to make it so that when there is an issue in the EC2 server, such as instance status failed, it should start a new instance in the user’s private cloud. Which AWS service helps to achieve this automation? AWS CloudWatch + CloudFormation AWS CloudWatch + AWS Auto Scaling + AWS ELB AWS CloudWatch + AWS VPC AWS CloudWatch + AWS SNS.
A sys admin has enabled logging on ELB. Which of the below mentioned fields will not be a part of the log file name? Load Balancer IP EC2 instance IP S3 bucket name Random string.
A user has created a queue named “awsmodule” with SQS. One of the consumers of the queue is down for 3 days and then becomes available. Will that component receive the message from the queue? Yes, since SQS by default stores messages for 4 days No, since SQS by default stores messages for 1 day only No, since SQS sends the message to consumers who are available at that time Yes, since SQS will not delete the message until it is delivered to all consumers.
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this? Create an IAM policy with the security group and use that security group for AWS console login Create an IAM policy with a condition which denies access when the IP address range is not from the organization Configure the EC2 instance security group which allows traffic only from the organization’s IP range Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console.
A user has enabled session stickiness with ELB. The user does not want ELB to manage the cookie; instead he wants the application to manage the cookie. What will happen when the server instance, which is bound to a cookie, crashes? The response will have a cookie but stickiness will be deleted The session will not be sticky until a new cookie is inserted ELB will throw an error due to cookie unavailability The session will be sticky and ELB will route requests to another server as ELB keeps replicating the Cookie.
A user has created an Auto Scaling group with default configurations from the CLI. The user wants to set up a CloudWatch alarm on the EC2 instances which are launched by the Auto Scaling group. The user has set up an alarm to monitor the CPU utilization every minute. Which of the below mentioned statements is true? It will fetch the data at every minute but the four data points [corresponding to 4 minutes] will not have value since the EC2 basic monitoring metrics are collected every five minutes It will fetch the data at every minute as detailed monitoring on EC2 will be enabled by the default launch configuration of Auto Scaling The alarm creation will fail since the user has not enabled detailed monitoring on the EC2 instances The user has to first enable detailed monitoring on the EC2 instances to support alarm monitoring at every minute.
An organization has applied the below mentioned policy on an IAM group which has selected the IAM users. What entitlements do the IAM users avail with this policy? The policy is not created correctly. It will throw an error for wrong resource name The policy is for the group. Thus, the IAM user cannot have any entitlement to this It allows full access to all AWS services for the IAM users who are a part of this group If this policy is applied to the EC2 resource, the users of the group will have full access to the EC2 Resources.
A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The Internet gateway has also been created. What can be the reason for the error? The internet gateway is not configured with the route table The private IP is not present The outbound traffic on the security group is disabled The internet gateway is not configured with the security group.
A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AlarmNotification process (which notifies Auto Scaling of CloudWatch alarms) for a while. What will Auto Scaling do during this period? AWS will not receive the alarms from CloudWatch AWS will receive the alarms but will not execute the Auto Scaling policy Auto Scaling will execute the policy but it will not launch the instances until the process is resumed It is not possible to suspend the AlarmNotification process.
A user has set up a CloudWatch alarm on the EC2 instance for CPU utilization. The user has set it up to receive a notification by email when the CPU utilization is higher than 60%. The user is running a virus scan on the same instance at a particular time. The user wants to avoid receiving an email at this time. What should the user do? Remove the alarm Disable the alarm for a while using the CLI Modify the CPU utilization by removing the email alert Disable the alarm for a while using the console.
A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. Which of the below mentioned SSL protocols is not supported by the security policy? TLS 1.3 TLS 1.2 SSL 2.0 SSL 3.0.
A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created public and VPN only subnets along with hardware VPN access to connect to the user’s data center. The user has not yet launched any instance as well as modified or deleted any setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC? Yes, the console will delete all the setups and also delete the virtual private gateway No, the console will ask the user to manually detach the virtual private gateway first and then allow deleting the VPC Yes, the console will delete all the setups and detach the virtual private gateway No, since the NAT instance is running.
A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this? The ratio between IOPS and the EBS volume is higher than 30 The maximum IOPS supported by EBS is 3000 The ratio between IOPS and the EBS volume is lower than 50 PIOPS is supported for EBS higher than 500 GB size.
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true? The user should use the same encryption key for all versions of the same object It is possible to have different encryption keys for different versions of the same object AWS S3 does not allow the user to upload his own keys for server side encryption The SSE-C does not work when versioning is enabled.
A root account owner is trying to understand the S3 bucket ACL. Which of the below mentioned options cannot be used to grant ACL on the object using the authorized predefined group? Authenticated user group All users group Log Delivery Group Canonical user group.
A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and a VPN only subnet CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data center. The user’s data center has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario? Destination: 20.0.1.0/24 and Target: i-12345 Destination: 0.0.0.0/0 and Target: i-12345 Destination: 172.28.0.0/12 and Target: vgw-12345 Destination: 20.0.0.0/16 and Target: local.
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached to the private subnet to allow instances to connect with the internet? Destination: 0.0.0.0/0 and Target: i-a12345 Destination: 20.0.0.0/0 and Target: 80 Destination: 20.0.0.0/0 and Target: i-a12345 Destination: 20.0.0.0/24 and Target: i-a12345.
A root account owner has given full access of his S3 bucket to one of the IAM users using the bucket ACL. When the IAM user logs in to the S3 console, which actions can he perform? He can just view the content of the bucket He can do all the operations on the bucket It is not possible to give access to an IAM user using ACL The IAM user can perform all operations on the bucket using only API/SDK.
An organization has configured Auto Scaling with ELB. There is a memory issue in the application which is causing CPU utilization to go above 90%. The higher CPU usage triggers an event for Auto Scaling as per the scaling policy. If the user wants to find the root cause inside the application without triggering a scaling activity, how can he achieve this? Stop the scaling process until research is completed It is not possible to find the root cause from that instance without triggering scaling Delete Auto Scaling until research is completed Suspend the scaling process until research is completed.
A sys admin is planning to subscribe to the RDS event notifications. For which of the below mentioned source categories can the subscription not be configured? DB security group DB snapshot DB options group DB parameter group.
A user has set up a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24). The user’s data center has CIDRs of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data center, what will happen? It will allow traffic communication on both the CIDRs of the data center It will not allow traffic with the data center on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24 It will not allow traffic communication on any of the data center CIDRs It will allow traffic with the data center on CIDR 20.1.0.0/24 but does not allow it on 20.0.54.0/24.
A user is trying to send custom metrics to CloudWatch using the PutMetricData API. Which of the below mentioned points should the user take care of while sending the data to CloudWatch? The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests.
An AWS account owner has set up multiple IAM users. One IAM user only has CloudWatch access. He has set up an alarm action which stops the EC2 instances when the CPU utilization is below the threshold limit. What will happen in this case? It is not possible to stop the instance using the CloudWatch alarm CloudWatch will stop the instance when the action is executed The user cannot set an alarm on EC2 since he does not have the permission The user can set up the action but it will not be executed if the user does not have EC2 rights.
A user has configured ELB with Auto Scaling. The user suspended only the Auto Scaling terminate process for a while. What will happen to the availability zone rebalancing process (AZRebalance) during this period? Auto Scaling will not launch or terminate any instances Auto Scaling will allow the instances to grow more than the maximum size Auto Scaling will keep launching instances till the maximum instance size It is not possible to suspend the terminate process while keeping the launch active.
A user has created a mobile application which makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK and root account access/secret access key to connect to DynamoDB from mobile. Which of the below mentioned statements is true with respect to the best practice for security in this scenario? The user should create a separate IAM user for each mobile application and provide DynamoDB access with it The user should create an IAM role with DynamoDB and EC2 access. Attach the role with EC2 and route all calls from the mobile through EC2 The application should use an IAM role with web identity federation which validates calls to DynamoDB with identity providers, such as Google, Amazon, and Facebook Create an IAM Role with DynamoDB access and attach it with the mobile application.
A user is configuring the Multi AZ feature of an RDS DB. The user came to know that this RDS DB does not use the AWS technology, but uses server mirroring to achieve HA. Which DB is the user using right now? MySQL Oracle MS SQL PostgreSQL.
A user is receiving a notification from the RDS DB whenever there is a change in the DB security group. The user does not want to receive these notifications for only a month. Thus, he does not want to delete the notification. How can the user configure this? Change the Disable button for notification to “Yes” in the RDS console Set the send mail flag to false in the DB event notification console The only option is to delete the notification from the console Change the Enable button for notification to “No” in the RDS console.
A system admin is planning to encrypt all objects being uploaded to S3 from an application. The system admin does not want to implement his own encryption algorithm; instead he is planning to use server side encryption by supplying his own key (SSE-C). Which parameter is not required while making a call for SSE-C? x-amz-server-side-encryption-customer-key-AES-256 x-amz-server-side-encryption-customer-key x-amz-server-side-encryption-customer-algorithm x-amz-server-side-encryption-customer-key-MD5.
A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services provides detailed monitoring with CloudWatch without charging the user extra? AWS Auto Scaling AWS Route 53 AWS EMR AWS SNS.
A user is using the AWS SQS to decouple the services. Which of the below mentioned operations is not supported by SQS? SendMessageBatch DeleteMessageBatch CreateQueue DeleteMessageQueue.
A user has configured Auto Scaling with 3 instances. The user has created a new AMI after updating one of the instances. If the user wants to terminate two specific instances to ensure that Auto Scaling launches instances with the new launch configuration, which command should he run? as-delete-instance-in-auto-scaling-group <Instance ID> --no-decrement-desired-capacity as-terminate-instance-in-auto-scaling-group <Instance ID> --update-desired-capacity as-terminate-instance-in-auto-scaling-group <Instance ID> --decrement-desired-capacity as-terminate-instance-in-auto-scaling-group <Instance ID> --no-decrement-desired-capacity.
A user has launched an EC2 instance from an instance store backed AMI. If the user restarts the instance, what will happen to the ephemeral storage data? All the data will be erased but the ephemeral storage will stay connected All data will be erased and the ephemeral storage is released It is not possible to restart an instance launched from an instance store backed AMI The data is preserved.
A user has configured an ELB to distribute the traffic among multiple instances. The user instances are facing some issues due to the back-end servers. Which of the below mentioned CloudWatch metrics helps the user understand the issue with the instances? HTTPCode_Backend_3XX HTTPCode_Backend_4XX HTTPCode_Backend_2XX HTTPCode_Backend_5XX.
A user has launched an EC2 instance store backed instance in the US-East-1a zone. The user created AMI #1 and copied it to the Europe region. After that, the user made a few updates to the application running in the US-East-1a zone. The user makes AMI #2 after the changes. If the user launches a new instance in Europe from the AMI #1 copy, which of the below mentioned statements is true? The new instance will have the changes made after the AMI copy as AWS just copies the reference of the original AMI during the copying. Thus, the copied AMI will have all the updated data The new instance will have the changes made after the AMI copy since AWS keeps updating the AMI It is not possible to copy the instance store backed AMI from one region to another The new instance in the EU region will not have the changes made after the AMI copy.
A user runs the command “dd if=/dev/zero of=/dev/xvdf bs=1M” on a fresh blank EBS volume attached to a Linux instance. Which of the below mentioned activities is the user performing with the command given above? Creating a file system on the EBS volume Mounting the device to the instance Pre-warming the EBS volume Formatting the EBS volume.
A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. The ELB security policy supports various ciphers. Which of the below mentioned options helps identify the matching cipher at the client side to the ELB cipher list when the client is requesting the ELB DNS over SSL? Cipher Protocol Client Configuration Preference Server Order Preference Load Balancer Preference.
A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with DynamoDB from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario? The user should attach an IAM role with DynamoDB access to the EC2 instance The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB The user should create an IAM role, which has EC2 access so that it will allow deploying the application The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials.
An organization (Account ID 123412341234) has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform? The policy allows the IAM user to modify all IAM user’s credentials using the console, SDK, CLI or APIs The policy will give an invalid resource error The policy allows the IAM user to modify all credentials using only the console The policy allows the user to modify all IAM user’s password, sign in certificates and access keys using only CLI, SDK or APIs.
An organization has configured Auto Scaling for hosting their application. The system admin wants to understand the Auto Scaling health check process. If the instance is unhealthy, Auto Scaling launches an instance and terminates the unhealthy instance. What is the order of execution? Auto Scaling launches a new instance first and then terminates the unhealthy instance Auto Scaling performs the launch and terminate processes in a random order Auto Scaling launches and terminates the instances simultaneously Auto Scaling terminates the instance first and then launches a new instance.
A user is trying to connect to a running EC2 instance using SSH. However, the user gets an Unprotected Private Key File error. Which of the below mentioned options can be a possible reason for rejection? The private key file has the wrong file permission The ppk file used for SSH is read only The public key file has the wrong permission The user has provided the wrong user name for the OS login.
A user has provisioned 2000 IOPS to the EBS volume. The application hosted on that EBS is experiencing less IOPS than provisioned. Which of the below mentioned options does not affect the IOPS of the volume? The application does not have enough IO for the volume The instance is EBS optimized The EC2 instance has 10 Gigabit Network connectivity The volume size is too large.
A storage admin wants to encrypt all the objects stored in S3 using server side encryption. The user does not want to use the AES 256 encryption key provided by S3. How can the user achieve this? The admin should upload his secret key to the AWS console and let S3 decrypt the objects The admin should use CLI or API to upload the encryption key to the S3 bucket. When making a call to the S3 API mention the encryption key URL in each request S3 does not support client supplied encryption keys for server side encryption The admin should send the keys and encryption algorithm with each API call.
A user is trying to create a PIOPS EBS volume with 8 GB size and 200 IOPS. Will AWS create the volume? Yes, since the ratio between EBS and IOPS is less than 30 No, since the PIOPS and EBS size ratio is less than 30 No, the EBS size is less than 10 GB Yes, since PIOPS is higher than 100.
A user has scheduled the maintenance window of an RDS DB on Monday at 3 AM. Which of the below mentioned events may force the DB instance to be taken offline during the maintenance window? Enabling Read Replica Making the DB Multi AZ DB password change Security patching.
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants one particular group of IAM users to access only the test instances and not the production ones. How can the organization set that as a part of the policy? Launch the test and production instances in separate regions and allow region wise access to the group Define the IAM policy which allows access based on the instance ID Create an IAM policy with a condition which allows access to only small instances Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags.
An organization is trying to create various IAM users. Which of the below mentioned options is not a valid IAM username? John.cloud john@cloud John=cloud john#cloud.
A user is sending the data to CloudWatch using the CloudWatch API. The user is sending data 90 minutes in the future. What will CloudWatch do in this case? CloudWatch will accept the data It is not possible to send data of the future It is not possible to send the data manually to CloudWatch The user cannot send data for more than 60 minutes in the future.
A user wants to upload a complete folder to AWS S3 using the S3 Management console. How can the user perform this activity? Just drag and drop the folder using the flash tool provided by S3 Use the Enable Enhanced Folder option from the S3 console while uploading objects The user cannot upload the whole folder in one go with the S3 management console Use the Enable Enhanced Uploader option from the S3 console while uploading objects.
Which of the below mentioned AWS RDS logs cannot be viewed from the console for MySQL? Error Log Slow Query Log Transaction Log General Log.
A user has launched an EBS backed EC2 instance in the US-East-1a region. The user stopped the instance and started it back after 20 days. AWS throws up an ‘InsufficientInstanceCapacity’ error. What can be the possible reason for this? AWS does not have sufficient capacity in that availability zone AWS zone mapping is changed for that user account There is some issue with the host capacity on which the instance is launched The user account has reached the maximum EC2 instance limit.
A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario? The AWS VPC will automatically create a NAT instance with the micro size VPC binds the main route table with a private subnet and a custom route table with a public subnet The user has to manually create a NAT instance VPC binds the main route table with a public subnet and a custom route table with a private subnet.
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to set up a group level policy for this. How can the organization achieve this? Define the group policy and add a condition which allows the access based on the IAM name Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables.
A user has two EC2 instances running in two separate regions. The user is running an internal memory management tool, which captures the data and sends it to CloudWatch in US East, using a CLI with the same namespace and metric. Which of the below mentioned options is true with respect to the above statement? The setup will not work as CloudWatch cannot receive data across regions CloudWatch will receive and aggregate the data based on the namespace and metric CloudWatch will give an error since the data will conflict due to two sources CloudWatch will take the data of the server, which sends the data first.
An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM? One IAM user can be a part of a maximum of 5 groups The organization can create 100 groups per AWS account One AWS account can have a maximum of 5000 IAM users One AWS account can have 250 roles.
A user has configured an EC2 instance in the US-East-1a zone. The user has enabled detailed monitoring of the instance. The user is trying to get the data from CloudWatch using a CLI. Which of the below mentioned CloudWatch endpoint URLs should the user use? monitoring.us-east-1.amazonaws.com monitoring.us-east-1-a.amazonaws.com monitoring.us-east-1a.amazonaws.com cloudwatch.us-east-1a.amazonaws.com.
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), what is recommended to the user for the purpose of security? The user should not use his own security key as it is not secure Configure S3 to rotate the user’s encryption key at regular intervals Configure S3 to store the user’s keys securely with SSL Keep rotating the encryption key manually at the client side.
A user runs the command “dd if=/dev/xvdf of=/dev/null bs=1M” on an EBS volume created from a snapshot and attached to a Linux instance. Which of the below mentioned activities is the user performing with the step given above? Pre-warming the EBS volume Initiating the device to mount on the EBS volume Formatting the volume Copying the data from a snapshot to the device.
A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. The bucket has both AWS.jpg and index.html objects. What does this policy define? It will make all the objects as well as the bucket public It will throw an error for the wrong action and will not allow the policy to be saved It will make the AWS.jpg object public It will make the AWS.jpg as well as the cloudacademy bucket public.
A user has created a launch configuration for Auto Scaling where CloudWatch detailed monitoring is disabled. The user wants to now enable detailed monitoring. How can the user achieve this? Update the Launch config with CLI to set InstanceMonitoringDisabled = false The user should change the Auto Scaling group from the AWS console to enable detailed monitoring Update the Launch config with CLI to set InstanceMonitoring.Enabled = true Create a new Launch Config with detailed monitoring enabled and update the Auto Scaling group.
A user is trying to pre-warm a blank EBS volume attached to a Linux instance. Which of the below mentioned steps should be performed by the user? There is no need to pre-warm an EBS volume Contact AWS support to pre-warm Unmount the volume before pre-warming Format the device.
Which of the following statements about this S3 bucket policy is true? Denies the server with the IP address 192.168.100.0 full access to the "mybucket" bucket Denies the server with the IP address 192.168.100.188 full access to the "mybucket" bucket Grants all the servers within the 192.168.100.0/24 subnet full access to the "mybucket" bucket Grants all the servers within the 192.168.100.188/32 subnet full access to the "mybucket" bucket.
How can you secure data at rest on an EBS volume? Encrypt the volume using the S3 server-side encryption service. Attach the volume to an instance using EC2's SSL interface. Create an IAM policy that restricts read and write access to the volume. Write the data randomly instead of sequentially. Use an encrypted file system on top of the EBS volume.
You have a proprietary data store on-premises that must be backed up daily by dumping the data store contents to a single compressed 50GB file and sending the file to AWS. Your SLAs state that any dump file backed up within the past 7 days can be retrieved within 2 hours. Your compliance department has stated that all data must be held indefinitely. The time required to restore the data store from a backup is approximately 1 hour. Your on-premises network connection is capable of sustaining 1 Gbps to AWS. Which backup methods to AWS would be most cost-effective while still meeting all of your requirements? Send the daily backup files to Glacier immediately after being generated Transfer the daily backup files to an EBS volume in AWS and take daily snapshots of the volume Transfer the daily backup files to S3 and use appropriate bucket lifecycle policies to send to Glacier Host the backup files on a Storage Gateway with Gateway-Cached Volumes and take daily snapshots.
Which method can be used to prevent an IP address block from accessing public objects in an S3 bucket? Create a bucket policy and apply it to the bucket Create a NACL and attach it to the VPC of the bucket Create an ACL and apply it to all objects in the bucket Modify the IAM policies of any users that would access the bucket.
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which two IAM best practices should you consider implementing? (Choose two.) Create individual IAM users for everyone in your organization Configure MFA on the root account and for privileged IAM users Assign IAM users and groups configured with policies granting least privilege access Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate.
What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails? The IP of the primary DB Instance is switched to the standby DB Instance. A new DB instance is created in the standby availability zone. The canonical name record (CNAME) is changed from primary to standby. The RDS (Relational Database Service) DB instance reboots.
How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another? Simply create a new volume in the other AZ and specify the original volume as the source. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ. Detach the volume and attach it to another EC2 instance in the other AZ.
How can software determine the public and private IP addresses of the Amazon EC2 instance that it is running on? Query the local instance metadata. Query the appropriate Amazon CloudWatch metric. Query the local instance userdata. Use ipconfig or ifconfig command.
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database. Which configuration will allow you to securely serve private content to your users? Generate pre-signed URLs for each user as they request access to protected S3 content Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user.
In AWS, which security aspects are the customer’s responsibility? (Choose four.) Controlling physical access to compute resources Patch management on the EC2 instance's operating system Encryption of EBS (Elastic Block Storage) volumes Life-cycle management of IAM credentials Decommissioning storage devices Security Group and ACL (Access Control List) settings.
An application you maintain consists of multiple EC2 instances in a default tenancy VPC. This application has undergone an internal audit and has been determined to require dedicated hardware for one instance. Your compliance team has given you a week to move this instance to single-tenant hardware. Which process will have minimal impact on your application while complying with this requirement? Create a new VPC with tenancy=dedicated and migrate to the new VPC Use ec2-reboot-instances command line and set the parameter "dedicated=true" Right click on the instance, select properties and check the box for dedicated tenancy Stop the instance, create an AMI, launch a new instance with tenancy=dedicated, and terminate the old instance.
Your mission is to create a lights-out datacenter environment, and you plan to use AWS OpsWorks to accomplish this. First you created a stack and added an App Server layer with an instance running in it. Next you added an application to the instance, and now you need to deploy a MySQL RDS database instance. Which of the following answers accurately describe how to add a backend database server to an OpsWorks stack? (Choose three.) Add a new database layer and then add recipes to the deploy actions of the database and App Server layers. Use OpsWorks' "Clone Stack" feature to create a second RDS stack in another Availability Zone for redundancy in the event of a failure in the Primary AZ. To switch to the secondary RDS instance, set the [:database] attributes to values that are appropriate for your server which you can do by using custom JSON. The variables that characterize the RDS database connection (host, user, and so on) are set using the corresponding values from the deploy JSON's [:deploy][:app_name][:database] attributes. Cookbook attributes are stored in a repository, so OpsWorks requires that the "password": "your_password" attribute for the RDS instance must be encrypted using at least a 256-bit key. Set up the connection between the app server and the RDS layer by using a custom recipe. The recipe configures the app server as required, typically by creating a configuration file. The recipe gets the connection data such as the host and database name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance.
A corporate website is hosted on several Amazon EC2 instances across multiple regions around the globe. How should an Administrator configure the website to maintain high availability with minimal downtime if one of the regions has network connectivity congestion for an extended period of time? Create an Elastic Load Balancer in front of all the Amazon EC2 instances. Create an Elastic Load Balancer that fails over to the secondary site when the primary site is not reachable. Create an Amazon Route 53 Latency Based Routing Record Set that resolves to an Elastic Load Balancer in each region. Set an appropriate health check on each ELB. Create an Amazon Route 53 Latency Based Routing Record Set that resolves to Elastic Load Balancers in each region and has the Evaluate Target Health flag set to “true”.
A database running on Amazon EC2 requires sustained IOPS performance. Which kind of Amazon EBS volume should an Administrator choose for this solution? Cloud HDD General Purpose SSD Provisioned IOPS SSD Throughput Optimized HDD.
What does the “configure” command allow an Administrator to do when setting up the AWS CLI? (Select TWO.) Decide which VPC to create instances in. Designate the format of the response to CLI commands. Choose the default EC2 instance. Encrypt the CLI commands. Designate the default region.
An Administrator has an Amazon EC2 instance with an IPv6 address. The Administrator needs to prevent direct access to this instance from the Internet. The Administrator should place the EC2 instance in a: Private Subnet with an egress-only Internet Gateway attached to the subnet and placed in the subnet Route Table. Public subnet with an egress-only Internet Gateway attached to the VPC and placed in the VPC Route Table. Private subnet with an egress-only Internet Gateway attached to the VPC and placed in the subnet Route Table. Public subnet and a security group that blocks inbound IPv6 traffic attached to the interface.
As part of an operational audit, an Administrator is tasked with showing that all security responsibilities under the customer’s control are properly executed. Which of the following items is the customer responsible for providing to the auditor? (Select TWO.) Physical data center access logs AWS CloudTrail logs showing API calls Amazon EC2 instance system logs Storage device destruction records Xen Hypervisor system logs.
A colleague is attempting to launch several new CloudFormation stacks, and receives the following error response: What should be done to address the error? Add a Pause to the CloudFormation templates. Add an exponential backoff between CreateStack API calls. Run the CloudFormation API calls from a larger Amazon EC2 instance. Combine stack templates into one, and retry the CreateStack API call.
A security policy allows instances in the Production and Development accounts to write application logs to an Amazon S3 bucket belonging to the Security team’s account. Only the Security team should be allowed to delete logs from the S3 bucket. Using the “myAppRole” EC2 role, the production and development teams report that the application servers are not able to write to the S3 bucket. Which changes need to be made to the policy to allow the application logs to be written to the S3 bucket? Production Account: 111111111111 Dev Account: 222222222222 Security Account: 555555555555 Change the order of the statements in the bucket policy, moving the Deny policy above the Allow policy. Update the Action for the Allow policy from “s3:*” to “s3:PutObject” Update the Action for the Deny policy from “s3:*” to “s3:Delete*”. Remove the bucket policy, because the default security behavior will not allow objects to be deleted by non bucket owners.
A company is auditing their infrastructure to obtain a compliance certification. Which of the following options are the company’s responsibility within the Shared Responsibility Model? (Select two.) AWS API endpoint SSL Certificates EC2 Instance Operating System updates EBS Encryption-at-rest algorithms IAM user password policies AWS Hypervisor software updates.
Which instance characteristics are required if an Administrator wants to ensure use of the Amazon EC2 auto-recovery option? (Select two.) The instance only has EBS volumes. The instance has EC2 Instance Store root volumes. The tenancy attribute is set to “default” (shared tenancy). The tenancy attribute is set to “Dedicated”. The instance type belongs to the d2, i2 or i3 instance type.
A company has a fleet of EC2 instances, and needs to remotely execute scripts for all of the instances. Which Amazon EC2 Systems Manager feature allows this? System Manager Automation System Manager Run Command System Manager Parameter Store System Manager Inventory.
What can an Administrator do to monitor whether an organization’s instances are compliant with corporate policies and guidelines? Check the instances’ metadata to determine what software is running. Use AWS CloudTrail logs to identify the applications running on the instances. Set CloudWatch alarms that are triggered with any software change on the instances. Use Config Rules in the AWS Config service to check the instance’s configuration and applications.
Elastic Load Balancing automatically distributes incoming traffic across multiple______instances. EC2 RDS M3 DB.
A block device is a storage device that moves data in sequences. How many types of block devices does Amazon EC2 support? 2 -instance store volumes and EBS volumes 5 -General Purpose SSD, Provisioned IOPS SSD, Throughput Optimized HDD, Cold HDD, and Magnetic 3 -SSD, HDD, and Magnetic 1 -instance store volumes.
Do Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance? No, they are dependent. No, you cannot attach EBS volumes to an instance. Yes, they do but only if they are detached from the instance. Yes, they do, if the Delete on termination flag is unset.
Is it possible to access S3 objects from the Internet? Yes, but it has to pass through EC2. Yes, it is possible if proper public readable accesses and ACLs are set. No, there is no way to access any S3 objects from the Internet. No, only a general overview of S3 objects can be read from the Internet.
What does Amazon Route53 provide? A global Content Delivery Network A scalable DNS web service An SSH endpoint for Amazon EC2 None of these.
When an instance terminates, Amazon EC2 uses the value of the_______attribute for each attached Amazon EBS volume to determine whether to preserve or delete the volume. InstanceInitiatedShutdownBehavior DeleteOnTermination EC2ModifyInstance DisableApiTermination.
______is a fast, flexible, fully managed pub/sub messaging service. Amazon SQS Amazon SES Amazon FPS Amazon SNS.
Does AWS offer any web-based graphic user interface to access and manage EC2 instances? Yes, the AWS Application Clusters. No, you can only use the available software development kits. Yes, the AWS Management Console. No, you can only use the command line interface.
Which of the following size ranges is true of Individual Amazon S3 objects? 5 gigabytes to 5 terabytes 0 bytes to 5 terabytes 100 megabytes to 5 gigabytes 1 byte to 5 gigabytes.
EBS (Elastic Block Store) can be best described as: persistent internet storage. persistent block storage. transient instance storage. transient block storage.
In Amazon RDS, which of the following provides enhanced availability and durability for Database (DB) Instances, making them to be a natural fit for production database workloads? Placement Groups Multi-Option Group deployment Multi-AZ deployment Multi-VPC deployment.
The Amazon Linux AMI is: a simple OS installation media. an instance package provided by the AWS. a refined, easy-to-use, up-to-date Linux desktop distribution. a supported and maintained Linux image provided by AWS.
______ is a fully managed service for real-time processing of streaming data at massive scale. AWS Data Pipeline Amazon Kinesis AWS CloudHSM Amazon Elastic Compute Cloud.
Where is an object stored in Amazon S3? in a Bucket in a Collector in an Archive in a Vault.
Which AWS service offers cost optimization by launching instances automatically only when needed? Elastic Load Balancing Elastic Compute Cloud Auto Scaling Relational Database Service.
What does Amazon SWF stand for? Simple Waveflow Service Simple WebFactor Service Simple Workflow Service Simple WebForm Service.
Spot instances are ideally designed for which purpose below? Running database instances that can scale up and down based on a specific workload. Running long duration and highly transactional applications. For building distributed fault tolerant databases under a tight deadline. Taking advantage of excess EC2 capacity at prices below standard on-demand rates, for short duration jobs.
What is the main use of EMR? Data-sensitive storage Encryption Data-intensive processing tasks authentication.
A user is launching an instance with EC2. Which options below should the user consider before launching an instance? Select the region where the instance is being launched. All choices are correct. Select the instance type. Select the OS of the AMI.
In regard to AWS CloudFormation, to pass values to your template at runtime you should use____________ parameters conditions resources mapping.
What does Amazon SES provide? A managed Email Server A scalable anti-spam service A scalable email sending and receiving service A managed drag-and-drop interface with the AWS CloudFormation Designer.
Pricing is _______ consumed for EC2 instances. per instance-hour only per instance-minute or instance-hour per instance-second or per instance-hour per instance-minute only.
What does Amazon SES stand for? Simple Elastic Server Software Email Solution Software Enabled Server Simple Email Service.
A user has launched five instances and has registered them with an ELB. How can the user add the sixth EC2 instance to the ELB? The user must stop the ELB and add the sixth instance. The user can add the sixth instance on the fly through API, CLI or the AWS Management Console. The user can add the instance and change the ELB config file. The ELB can only have a maximum of five instances.
Which of the following programming languages is not supported by Amazon's Elastic Beanstalk? Ruby Java Node.js Perl.
Amazon CloudFront is a ____________. persistent block level storage volume content delivery network service fully managed desktop computing service in the cloud task coordination and state management service for cloud applications.
In EC2, what happens to the data in an instance store if an instance reboots (either intentionally or unintentionally)? Data is partially present in the instance store. Data persists in the instance store. Data is deleted from the instance store for security reasons. Data in the instance store will be lost.
What does RRS stand for, in the context of S3 services? Regional Rights Storage Relational Rights Storage Regional Rights Standard Reduced Redundancy Storage.
Amazon EC2 provides virtual computing environments known as ______. instances volumes microsystems servers.
Which of the following services is offered by CloudWatch? Fixing broken links on the client's instances Creating IAM users for all services in AWS Monitoring estimated AWS charges Balancing the request load between various instances.
The fastest way to load 300 TB of data to AWS is___________ . to directly upload all data to S3 over a dedicated 100 Mbps connection to use AWS Import/Export Snowball to use VM Import/Export to zip all the data and then upload to S3.
What does the AWS Storage Gateway provide? It provides data security features by enabling an encrypted data storage on Amazon S3. It provides an encrypted SSL endpoint for backups in the cloud. It provides seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure. It provides a backup solution to on-premises Cloud storage.
By default, how many Elastic IP addresses can you have per region for your EC2 instances? 10 2 20 5.
Elasticity is one of the benefits of using Elastic Beanstalk. Which of the following best describes the concept of elasticity? It is the ability for counting the number of architectural design considerations that are required to develop a console. It is the streamlining of resource acquisition and release, so that your infrastructure can rapidly scale in and scale out as demand fluctuates. It is the process of examining the amount of security credentials required to access a data volume. It is the procedure of estimating the resource cost, so that you can run a specific project on AWS.
What is an Auto Scaling group? It is a group of ELBs that are used to add instances from various regions. It is a logical grouping of EC2 instances that share similar characteristics for scaling and management. It is a collection of EC2 instance launch parameters with different characteristics for scaling and management. It is a group of launch configurations for Elastic load balancers in the same region.
Which service is offered by Auto Scaling? Automatic scaling storage Automatic scale EC2 capacity Automatic scale ECS capacity Automatic scale elastic IP.
A user has set the Alarm for the CPU utilization > 50%. Due to an internal process, the current CPU utilization will be 80% for 6 hours. How can the user ensure that the CloudWatch alarm does not perform any action? The user can disable the alarm using the DisableAlarmActions API. The user can set CloudWatch in a sleep state using the CLI mon-sleep-alarm-action. The user can pause the alarm from the console. The user cannot stop the alarm from performing an action unless the alarm is deleted.
What does enabling a sticky session with ELB do? Routes all the requests to a single DNS Ensures that all requests from the user's session are sent to multiple instances Binds the user session with a specific instance Provides a single ELB DNS for each IP address.
Which of the following statements is true of an Auto Scaling group? An Auto Scaling group cannot span multiple regions. An Auto Scaling group delivers log files within 30 minutes of an API call. Auto Scaling publishes new log files about every 15 minutes. An Auto Scaling group cannot be configured to scale automatically.
You are setting up a VPC and you need to set up a public subnet within that VPC. Which of the following requirements must be met for this subnet to be considered a public subnet? Subnet's traffic is not routed to an internet gateway but has its traffic routed to a virtual private gateway. Subnet's traffic is routed to an internet gateway. Subnet's traffic is not routed to an internet gateway. None of these answers can be considered a public subnet.
Which of the following services can receive an alert from CloudWatch? AWS Elastic Block Store AWS Relational Database Service AWS Auto Scaling AWS Elastic Load Balancing.
In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send ______-minute metrics to Amazon CloudWatch. 4 2 1 5.
What is the minimum duration when setting an alarm on a detailed monitoring metric in CloudWatch? 1 minute 1 day 5 minutes 30 seconds.
In the AWS Storage Gateway, using the ______, you can cost-effectively and durably archive backup data in Amazon Glacier. Gateway-virtual tape library (Gateway-VTL) Gateway-stored volume Gateway-cached volume Volume gateway.
What are the benefits of CloudTrail integration with CloudWatch Logs? It delivers API activity captured by CloudTrail to an S3 bucket. It doesn't exist It delivers SDK activity captured by CloudTrail to a CloudWatch Logs log stream. It delivers API activity captured by CloudTrail to a CloudWatch Logs log stream.
Network ACLs are _________ . stateful stateless asynchronous synchronous.
Is it possible to publish your own metrics to CloudWatch? Yes, but only if the data is aggregated. No, it is not possible. No, metrics are in-built and cannot be defined explicitly. Yes, it can be done by using the put-metric-data command.
Can you use CloudWatch to monitor memory and disk utilization usage for your Amazon EC2 Linux instances? CloudWatch can only measure memory usage. CloudWatch can only collect memory and disk usage metrics when an instance is running. It is possible only on Linux EC2 instances using the CloudWatch Monitoring scripts for Linux. CloudWatch can only measure disk usage.
An Auto Scaling group is running at the desired capacity of 5 instances and receives a trigger from the CloudWatch Alarm to increase the capacity by 1. The cooldown period is 5 minutes. CloudWatch sends another trigger after 2 minutes to decrease the desired capacity by 1. What will be the count of instances at the end of 4 minutes? 7 6 4 5.
Which of the following statements describes launch configuration in Auto Scaling? A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. A launch configuration is a template that an Auto Scaling group uses to define the max/minimum of instances. A launch configuration is a template that an Auto Scaling group uses to schedule the scaling activity. A launch configuration is a template that an Auto Scaling group uses to define the instance count.
A user is collecting 1000 records per second. The user wants to send the data to CloudWatch using a custom namespace. Which of the below mentioned options is recommended for this activity? Create one csv file of all the data and send a single file to CloudWatch Aggregate the data with statistics, such as Min, Max, Average, Sum and Sample data and send the data to CloudWatch It is not possible to send all the data in one call. Thus, it should be sent one by one. CloudWatch will aggregate the data automatically Send all the data values to CloudWatch in a single command by separating them with a comma. CloudWatch will parse automatically.
Amazon RDS provides Amazon CloudWatch metrics for your DB Instance deployments at no additional charge. You can use the AWS Management Console to view key operational metrics for your DB Instance deployments, including ______. I/O activity, DB Instance connections, and number of users DB Engine Version Management username, I/O activity, and DB Instance connections compute/memory/storage capacity utilization, I/O activity, and DB Instance connections.
A custom network ACL that you create ______ until you add rules, and is not associated with a subnet until you explicitly associate it with one. blocks only inbound traffic by default allows outbound traffic by default allows all inbound and outbound traffic by default blocks all inbound and outbound traffic by default.
In AWS Storage Gateway, Gateway-cached volumes allow you to retain ______. a durable and inexpensive offsite backup that you can recover locally your primary data locally, and asynchronously back up point-in-time snapshots of this data to Amazon S3 your backup application with online access to virtual tapes low-latency access to your frequently accessed data.
How often is metric data sent to CloudWatch when detailed monitoring is enabled on an Amazon EC2 instance? Every 30 seconds Every 5 minutes Every 15 minutes Every minute.
Which of the following statements is NOT true of CloudWatch? CloudWatch can be accessed using the AWS SDKs. CloudWatch can be accessed using the AWS console. CloudWatch can be accessed using CloudWatch API. CloudWatch can be accessed using the CloudWatch CLI for iOS.
Which of the following terms is NOT a key CloudWatch concept? Namespaces Units TimeStamps Indexes.
Network ACLs in a VPC operate at the _________. TCP level instance level subnet level gateway level.
In which screen does a user select the Availability Zones while configuring Auto Scaling? Auto Scaling Group Creation Auto Scaling Instance Creation Auto Scaling Launch config Creation Auto Scaling Policy Creation.
Which of the CloudWatch services mentioned below is NOT a part of the AWS free tier? 10 alarms/month 1 million API request/month 10 metrics/month 15 detailed monitoring metrics.
In the context of sending metrics to CloudWatch using Amazon Kinesis, which of the following statements best describes the metric "PutRecord.Latency"? It is the time taken per PutRecord operation, measured over the specified time period. It is the number of successful records in a PutRecords operation per Amazon Kinesis stream, measured over the specified time period. It is the time taken per PutRecords operation to calculate the statistics of the PutRecords operations. It is the number of successful PutRecord operations per Amazon Kinesis stream, measured over the specified time period.
A placement group in Amazon EC2 can place high memory instances in one logical group. logically name and tag different tiers of the system (DB, application, business logic etc). isolate any instance-type physically so that groups access local resources. reduce network latency and increase network throughput.
If you specify only the general endpoint (autoscaling.amazonaws.com), Auto Scaling directs your request to the: us-west-2 endpoint. eu-central-1. eu-west-1 endpoint. us-east-1 endpoint.
What is Amazon CloudFront? A global Content Delivery Network An encrypted endpoint to upload files to the Cloud A web service to schedule regular data movement A development front-end to Amazon Web Services.
You can create a CloudWatch alarm that watches a single metric. The alarm performs one or more actions based on the value of the metric relative to a threshold over a number of time periods. Which of the following states is possible for the CloudWatch alarm? OK ALERT THRESHOLD ERROR.
In IAM, a policy has to include the information about who (user) is allowed to access the resource, known as the _____. permission role license principal.
In AWS KMS, which of the following is NOT a mode of server-side encryption that you can use to protect data at rest in Amazon S3? SSE-S3 SSE-K SSE-C SSE-KMS.
AWS Cloud Hardware Security Modules (HSMs) are designed to _________. store your AWS keys safely provide another level of login security specifically for LDAP allow AWS to audit your infrastructure securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
Could you use IAM to grant access to Amazon DynamoDB resources and API actions? In DynamoDB there is no need to grant access Depends on the type of access No Yes.
A user is planning to schedule a backup for an existing EBS volume. The user wants the backup to be created through snapshot, and for it to be encrypted. How can the user achieve data encryption with a snapshot? Encrypt the existing EBS volumes so that the snapshot will be encrypted by AWS when it is created By default the snapshot is encrypted by AWS While creating a snapshot select the snapshot with encryption Enable server side encryption for the snapshot using S3.
You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: Security groups and network access control lists (ACLs). You start to look into security groups first. Which statement below is incorrect in relation to security groups? Are stateful: Return traffic is automatically allowed, regardless of any rules. Support addition of individual allow and deny rules in both inbound and outbound. Security Groups can be added or removed from EC2 instances in a VPC at any time. Evaluate all rules before deciding whether to allow traffic.
Can you use the AWS Identity and Access Management (IAM) to assign permissions determining who can manage or modify RDS resources? No, AWS IAM is used only to assign IDs to AWS users. No, this permission cannot be assigned by AWS IAM. Yes, you can. No, AWS IAM is used only to assign activities.
Your customers are concerned about the security of their sensitive data and their inquiry asks about what happens to old storage devices on AWS. What would be the best answer to this question? AWS uses a 3rd party security organization to destroy data as part of the decommissioning process. AWS uses the techniques detailed in DoD 5220.22-M to destroy data as part of the decommissioning process. AWS reformats the disks and uses them again. AWS uses their own proprietary software to destroy data as part of the decommissioning process.
In AWS Identity and Access Management (IAM), you can make use of the ______ APIs to grant users temporary access to your resources. AWS Security Transport Service (STS) AWS Security Tree Service (STS) AWS Security Task Service (STS) AWS Security Token Service (STS).
An organization has launched 5 instances: 2 for production and 3 for testing. The organization wants a particular group of IAM users to access only the test instances and not the production ones. They want to deploy the instances in various locations based on the factors that will change from time to time, especially in the test group. They expect instances will often need to be churned, i.e. deleted and replaced, especially in the testing group. This means the five instances they have created now will soon be replaced by a different set of five instances. The members of each group, production and testing, will not change in the foreseeable future. Given the situation, what choice below is the most efficient and time-saving strategy to define the IAM policy? By creating an IAM policy with a condition that allows access to only small instances By defining the IAM policy that allows access based on the instance ID By launching the test and production instances in separate regions and allowing region wise access to the group By defining the tags on the test and production team members IAM user IDs, and adding a condition to the IAM policy that allows access to specific tags.
For IAM user, a virtual Multi-Factor Authentication (MFA) device uses an application that generates ______-digit authentication codes that are compatible with the time-based one-time password (TOTP) standard. three four six five.
The _____ IAM policy element describes the specific action or actions that will be allowed or denied. Principal Action Vendor Not Principal.
A company wants to review the security requirements of Glacier. Which of the below mentioned statements is true with respect to the AWS Glacier data security? The user can set the server-side encryption flag to encrypt the data stored on Glacier. All data stored on Glacier is protected with AES-256 server-side encryption. All data stored on Glacier is protected with AES-128 server-side encryption. The data stored on Glacier is not encrypted by default.
Is it possible to create an S3 bucket accessible only by a certain IAM user using policies in a CloudFormation template? Yes, all these resources can be created using a CloudFormation template S3 is not supported by CloudFormation. No, you can only create the S3 bucket but not the IAM user. No, in the same template you can only create the S3 bucket and the relative policy.
Amazon Cognito supports web identity federation through ______. custom sign-in code or own user identities Facebook, Google, and Amazon a configuration check for rules that deny access to specific ports an AWS user group.
You are setting up security groups for both incoming traffic and outgoing traffic in your VPC network on the AWS CLI. Which of the following AWS CLI commands would you use for adding one or more incoming traffic rules to a security group? authorize-security-group-egress authorize-security-group-ingress Grant-EC2SecurityGroupOutgress Get-EC2SecurityGroup.
Bob is an IAM user who has access to the EC2 services. Admin is an IAM user who has access to all the AWS services including IAM. Can Bob change his own password? No, the IAM user can never change the password Yes, only from AWS CLI Yes, only from the AWS console Yes, provided Admin has given Bob access to change his own password.
ABC has three AWS accounts. They have created separate IAM users within each account. ABC wants a single IAM login URL such as https://abc.signin.aws.amazon.com/console/ for use by IAM users in all three accounts. How can this be achieved? Merge all the accounts with consolidated billing Create the S3 bucket with an alias name and use the redirect rule to forward requests to various accounts Create the same account alias with each account ID It is not possible to have the same IAM account login URL for separate AWS accounts.
In the context of AWS Security Best Practices for RDS, if you require encryption or data integrity authentication of data at rest for compliance or other purposes, you can add protection at the ______ using SQL cryptographic functions. physical layer security layer application layer data-link layer.
An IAM group is a: group of EC2 machines that gain the permissions specified in the group. collection of IAM users. guide for IAM users. collection of AWS accounts.
A group in IAM can contain many users. Can a user belong to multiple groups? Yes, a user can be a member of up to 150 groups. Yes, a user can be a member of up to 50 groups. Yes, a user can be a member of up to 100 groups. Yes, a user can be a member of up to 10 groups.
Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______. can specify allow rules as well as deny rules can neither specify allow rules nor deny rules can specify allow rules, but not deny rules can specify deny rules, but not allow rules.
Can you change the security groups associated with the primary network interface (eth0) of an EC2 instance running inside a VPC? Yes Only if the instance is stopped Only when the instance is launched No.
The information within an IAM policy is described through a series of ______. elements macros classes namespaces.
In Amazon VPC, the ________ encryption function is used to ensure privacy among both IKE and IPsec Security Associations. AES 192-bit AES 256-bit SHA 180-bit SHA 2-bit.
In IAM, can you attach more than one inline policy to a particular entity such as a user, role, or group? No Yes Yes, you can but only if you attach the policy within a VPC. Yes, you can but only if you attach the policy within the GovCloud.
In AWS Identity and Access Management, roles can be used by an external user authenticated by an external identity provider (IdP) service that is compatible with ______. BNML (Business Narrative Markup Language) CFML (ColdFusion Markup Language) SAML 2.0 (Security Assertion Markup Language 2.0) BPML (Business Process Modeling Language).
The SysOps Administrator must integrate an existing on-premises asymmetrical key management system into an AWS services platform. How can the Administrator meet this requirement? Implement AWS KMS and integrate with the existing on-premises asymmetrical key management system Implement AWS CloudHSM and integrate it with the existing key management infrastructure Deploy an Amazon EC2 instance and choose an AMI from an AWS partner in the AWS Marketplace Create a master key in AWS KMS, and export that key to the existing on-premises asymmetrical key management system.
A Systems Administrator is planning to deploy multiple EC2 instances within two separate Availability Zones in the same AWS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted. What solution meets these requirements while maintaining the lowest cost? Create two private subnets within the same VPC. Communicate between instances using their private IP addresses Create 2 public subnets within the same VPC. Communicate between instances using their public IP addresses Create 2 separate VPCs, one for each Availability Zone. Create a private subnet within each VPC. Create a static route table pointing the destination CIDR to the other VPC Create 2 separate VPCs, one for each Availability Zone and create a public subnet in each. Deploy a VPN appliance within each VPC and establish a VPN tunnel between them. Communicate between instances by routing traffic through the VPN appliances.
A company website hosts patches for software that is sold globally. The website runs in AWS and performs well until a large software patch is released. The flood of downloads puts a strain on the web servers and leads to a poor customer experience. What can the SysOps Administrator propose to enhance customer experience, create a more available web platform, and keep costs low? Use an Amazon CloudFront distribution to cache static content, including software patches Increase the size of the NAT instance to improve throughput Scale out of web servers in advance of patch releases to reduce Auto Scaling delays Move the content to IO1 and provision additional IOPS to the volume that contains the software patches.
An organization has developed a new memory-intensive application that is deployed to a large Amazon EC2 Linux fleet. There is concern about potential memory exhaustion, so the Development team wants to monitor memory usage by using Amazon CloudWatch. What is the MOST efficient way to accomplish this goal? Deploy the solution to memory-optimized EC2 instances, and use the CloudWatch MemoryUtilization metric Enable the Memory Monitoring option by using AWS Config Install the AWS Systems Manager agent on the applicable EC2 instances to monitor memory Monitor memory by using a script within the instance, and send it to CloudWatch as a custom metric.
A SysOps Administrator is running Amazon EC2 instances in multiple AWS Regions. The Administrator wants to aggregate the CPU utilization for all instances onto an Amazon CloudWatch dashboard. Each region should be present on the dashboard and represented by a single graph that contains the CPU utilization for all instances in that region. How can the Administrator meet these requirements? Create a cross-region dashboard using AWS Lambda and distribute it to all regions Create a custom CloudWatch dashboard and add a widget for each region in the AWS Management Console Enable cross-region dashboards under the CloudWatch section of the AWS Management Console Switch from basic monitoring to detailed monitoring on all instances.
A mobile application must allow users to securely access their own content stored in a shared Amazon S3 bucket. Which AWS services should be used to enable this access? (Choose two.) AWS Directory Service AWS Shield IAM roles Amazon Cognito AWS Organizations.
A web-based application is running in AWS. The application is using a MySQL Amazon RDS database instance for persistence. The application stores transactional data and is read-heavy. The RDS instance gets busy during the peak usage, which slows the overall application response times. The SysOps Administrator is asked to improve the read queries performance using a scalable solution. Which options will meet these requirements? (Choose two.) Scale up the RDS instance to a larger instance size Enable the RDS database Multi-AZ option Create a read replica of the RDS instance Use Amazon DynamoDB instead of RDS Use Amazon ElastiCache to cache read queries.
A SysOps Administrator has received a request from the Compliance Department to enforce encryption on all objects uploaded to the corp-compliance bucket. How can the Administrator enforce encryption on all objects uploaded to the bucket? A B C D.
An errant process is known to use an entire processor and run at 100%. A SysOps Administrator wants to automate restarting the instance once the problem occurs for more than 2 minutes. How can this be accomplished? Create an Amazon CloudWatch alarm for the EC2 instance with basic monitoring. Enable an action to restart the instance. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance. Create an AWS Lambda function to restart the EC2 instance, triggered on a scheduled basis every 2 minutes. Create a Lambda function to restart the EC2 instance, triggered by EC2 health checks.
A SysOps Administrator needs to report on Amazon EC2 instance cost by both project and environment (production, staging, development). Which action would impact the operations team the LEAST? For each project and environment, create a new AWS account and link them to the master payer for unified management and billing Use AWS Organizations to create a new organization for each project, then for each environment use a separate linked AWS account Implement cost allocation tagging in the Billing and Cost Management console to implement tags to identify resources by project and environment Add the project and environment information to the instance metadata so that the values can be queried and rolled up into reports.
A web application’s performance has been degrading. Historically, the application has had highly-variable workloads, but lately, there has been a steady growth in traffic as the result of a new product launch. After reviewing several Amazon CloudWatch metrics, it is discovered that over the last two weeks the balance of CPU credits has dropped to zero several times. Which solutions will improve performance? (Choose two.) Begin using the T2 instance type Purchase more CPU credits for the existing instance Increase the size of the current instance type Configure a CloudWatch alarm on the CPU credits metric.
An AWS CloudFormation template creates an Amazon RDS instance. This template is used to build up development environments as needed and then delete the stack when the environment is no longer required. The RDS-persisted data must be retained for further use, even after the CloudFormation stack is deleted. How can this be achieved in a reliable and efficient way? Write a script to continue backing up the RDS instance every five minutes Create an AWS Lambda function to take a snapshot of the RDS instance, and manually execute the function before deleting the stack Use the Snapshot Deletion Policy in the CloudFormation template definition of the RDS instance Create a new CloudFormation template to perform backups of the RDS instance, and run this template before deleting the stack.
A company has a web application that runs both on-premises and on Amazon EC2 instances. Over time, both the on-premises servers and EC2 instances begin crashing. A SysOps Administrator suspects a memory leak in the application and wants a unified method to monitor memory utilization over time. Write a script or use a third-party application to report memory utilization for both EC2 instances and on-premises servers. Use Amazon CloudWatch agent for both Amazon EC2 instances and on-premises servers to report MemoryUtilization metrics to CloudWatch and set a CloudWatch alarm for notifications. Use CloudWatch agent for Amazon EC2 instances to report memory utilization to CloudWatch, and set CloudWatch alarms for notifications. Use a third-party application for the on-premises servers. Configure a load balancer to route traffic to both on-premises servers and EC2 instances, then use CloudWatch as the unified view of the metrics for the load balancer.
An organization with a large IT department has decided to migrate to AWS. With different job functions in the IT department, it is not desirable to give all users access to all AWS resources. Currently the organization handles access via LDAP credentials? Create an AWS Directory Service Simple AD. Replicate the on-premises LDAP directory to Simple AD. Create a Lambda function to read LDAP groups and automate the creation of IAM users. Use AWS CloudFormation to create IAM roles. Deploy Direct Connect to allow access to the on-premises LDAP server. Federate the LDAP directory with IAM using SAML. Create different IAM roles to correspond to different LDAP groups to limit permissions.
A new application is being tested for deployment on an Amazon EC2 instance that requires greater IOPS than currently provided by the single 4TB General Purpose SSD (gp2) volume. Which actions should be taken to provide additional Amazon EBS IOPS for the application? (Choose two.) Increase the size of the General Purpose (gp2) volume Use RAID 0 to distribute I/O across multiple volumes Migrate to a Provisioned IOPS SSD (io1) volume Enable MAX I/O performance mode on the General Purpose (gp2) volume Use RAID 1 to distribute I/O across multiple volumes.
While creating the wait condition resource in AWS CloudFormation, a SysOps Administrator receives the error "received 0 signals out of the 1 expected from the EC2 instance". What steps should be taken to troubleshoot this issue? (Choose two.) Confirm from the cfn logs that the cfn-signal command was successfully run on the instance. Try to re-create the stack with a different IAM user. Check that the instance has a route to the Internet through a NAT device. Update the AWS CloudFormation stack service role to have iam:PassRole permission. Delete the existing stack and attempt to create a new one.
An existing, deployed solution uses Amazon EC2 instances with Amazon EBS General Purpose SSD volumes, an Amazon RDS PostgreSQL database, an Amazon EFS file system, and static objects stored in an Amazon S3 bucket. The Security team now mandates that at-rest encryption be turned on immediately for all aspects of the application, without creating new resources and without any downtime. To satisfy the requirements, which one of these services can the SysOps Administrator enable at-rest encryption on? EBS General Purpose SSD volumes RDS PostgreSQL database Amazon EFS file systems S3 objects within a bucket.
A SysOps Administrator noticed that a large number of Elastic IP addresses are being created on the company's AWS account, but they are not being associated with Amazon EC2 instances, and are incurring Elastic IP address charges in the monthly bill. How can the Administrator identify who is creating the Elastic IP address? Attach a cost-allocation tag to each requested Elastic IP address with the IAM user name of the Developer who creates it. Query AWS CloudTrail logs by using Amazon Athena to search for Elastic IP address events. Create a CloudWatch alarm on the EIPCreated metric and send an Amazon SNS notification when the alarm triggers. Use Amazon Inspector to get a report of all Elastic IP addresses created in the last 30 days.
An application run by a SysOps Administrator is under repeated, large-scale distributed denial of service (DDoS) attacks. Each time an attack occurs, multiple customers reach out to the Support team to report outages. The Administrator wants to minimize potential downtime from the DDoS attacks. The company requires 24/7 support. Which AWS service should be set up to protect the application? AWS Trusted Advisor AWS Shield Advanced Amazon Cognito Amazon Inspector.
A SysOps Administrator needs Amazon EC2 instances in two different VPCs in private subnets to be able to communicate. A peering connection between the two VPCs has been created using the AWS Management Console and shows a status of Active. The instances are still unable to send traffic to each other. Why are the EC2 instances unable to communicate? One or both of the VPCs do not have an Internet Gateway attached The route tables have not been updated The peering connection has not been properly tagged One or both of the instances do not have an Elastic IP address assigned.
A SysOps Administrator has implemented an Auto Scaling group with a step scaling policy. The Administrator notices that the additional instances have not been included in the aggregated metrics. Why are the additional instances missing from the aggregated metrics? The warm-up period has not expired The instances are still in the boot process The instances have not been attached to the Auto Scaling group The instances are included in a different set of metrics.
Recently several critical files were mistakenly deleted from a shared Amazon S3 bucket. A SysOps Administrator needs to prevent accidental deletions from occurring in the future by enabling MFA Delete. Once enabled, which bucket activities will require MFA authentication? (Choose two.) Permanently removing an object version from the bucket Disabling default object encryption for the bucket Listing all versions of deleted objects in the bucket Suspending versioning on the bucket Enabling MFA Add on the bucket.
A SysOps Administrator is managing an application that runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS MySQL DB instance. The Administrator must ensure that the application stays available if the database becomes unresponsive. How can these requirements be met? Create read replicas for the RDS database and use them in case of a database failure Create a new RDS instance from the snapshot of the original RDS instance if a failure occurs Keep a separate RDS database running and switch the endpoint in the web application if a failure occurs Modify the RDS instance to be a Multi-AZ deployment.
A company has an asynchronous nightly process that feeds the results to a data warehouse system for weekly and monthly reporting. The process is running on a fleet of Amazon EC2 instances. A SysOps Administrator has been asked to identify ways to reduce the cost of running this process. What is the MOST cost-effective solution? Use On-Demand EC2 instances in an Auto Scaling group Use Spot Instances to bid for the EC2 instances Use Reserved Instances to ensure the capacity Put the EC2 instances in a placement group.
A sys admin is maintaining an application on AWS. The application is installed on EC2 and user has configured ELB and Auto Scaling. Considering future load increase, the user is planning to launch new servers proactively so that they get registered with ELB. How can the user add these instances with Auto Scaling? Increase the desired capacity of the Auto Scaling group Increase the maximum limit of the Auto Scaling group Launch an instance manually and register it with ELB on the fly Decrease the minimum limit of the Auto Scaling group.
A SysOps Administrator has an AWS Direct Connect connection in place in region us-east-1, between an AWS account and a data center. The Administrator is now required to connect the data center to a VPC in another AWS Region, us-west-2, which must have consistent network performance and low latency. What is the MOST efficient and quickest way to establish this connectivity? Create an AWS VPN CloudHub architecture, and use software VPN to connect to the VPC in region us-west-2. Create a new Direct Connect connection between the data center and region us-west-2. Create a VPC peering connection between the VPC in region us-east-1 and us-west-2, and access the VPC in us-west-2 from the data center. Use Direct Connect gateway with the existing Direct Connect connection to connect to the Virtual Private Gateway of the VPC in region us-west-2.
A new website will run on Amazon EC2 instances behind an Application Load Balancer. Amazon Route 53 will be used to manage DNS records. What type of record should be set in Route 53 to point the website’s apex domain name (for example, “company.com”) to the Application Load Balancer? CNAME SOA TXT ALIAS.
An application running on Amazon EC2 allows users to launch batch jobs for data analysis. The jobs are run asynchronously, and the user is notified when they are complete. While multiple jobs can run concurrently, a user’s request need not be fulfilled for up to 24 hours. To run a job, the application launches an additional EC2 instance that performs all the analytics calculations. A job takes between 75 and 110 minutes to complete and cannot be interrupted. What is the MOST cost-effective way to run this workload? Run the application on On-Demand EC2 instances. Run the jobs on Spot Instances with a specified duration. Run the application on Reserved Instance EC2 instances. Run the jobs on AWS Lambda. Run the application on On-Demand EC2 instances. Run the jobs on On-Demand EC2 instances. Run the application on Reserved instance EC2 instances. Run the jobs on Spot Instances with a specified duration.
A developer deploys an application running on Amazon EC2 by using an AWS CloudFormation template. The developer launches the stack from the console logged in as an AWS Identity and Access Management (IAM) user. When a SysOps Administrator attempts to run the same AWS CloudFormation template in the same AWS account from the console, it fails and returns the error: “The image id ‘[ami-2a69aa47]’ does not exist” What is the MOST likely cause of the failure? The Administrator does not have the same IAM permissions as the developer. The Administrator used a different SSH key from that of the developer. The Administrator is running the template in a different region. The Administrator’s Amazon EC2 service limits have been exceeded.
A company has configured a library of IAM roles that grant access to various AWS resources. Each employee has an AWS IAM user, some of which have the permission to launch Amazon EC2 instances. The SysOps Administrator has attached the following policy to those users: What would be the result of this policy? Users are able to switch only to a role name that begins with “InfraTeam” followed by any other combination of characters. Users with the role of InfraTeamLinux are able to launch an EC2 instance and attach that role to it. “InfraTeam” role is being passed to a user who has full EC2 access. EC2 instances that are launched by these users have full AWS permissions.
Application developers are reporting Access Denied errors when trying to list the contents of an Amazon S3 bucket by using the IAM user “arn:aws:iam::111111111111:user/application”. The following S3 bucket policy is in use: How should a SysOps Administrator modify the S3 bucket policy to fix the issue? Change the “Effect” from “Allow” to “Deny” Change the “Action” from “s3:List*” to “s3:ListBucket” Change the “Resource” from “arn:aws:s3:::bucketname/*” to “arn:aws:s3:::bucketname” Change the “Principal” from “arn:aws:iam::111111111111:user/application” to “arn:aws:iam::111111111111:role/application”.
A SysOps Administrator wants to automate the process of configuration, deployment, and management of Amazon EC2 instances using Chef or Puppet. Which AWS service will satisfy the requirement? AWS Elastic Beanstalk AWS CloudFormation AWS OpsWorks AWS Config.
A photo-sharing site delivers content worldwide from a library on Amazon S3 using Amazon CloudFront. Users are trying to access photos that either do not exist or they are not authorized to view. What should be monitored to better understand the extent of this issue? GetRequests S3 metric on Amazon CloudWatch 4XXErrorRate CloudFront metric on CloudWatch 5XXErrorRate CloudFront metric on CloudWatch PostRequests S3 metric on CloudWatch.
A company must share monthly report files that are uploaded to Amazon S3 with a third party. The third-party user list is dynamic, is distributed, and changes frequently. The least amount of access must be granted to the third party. Administrative overhead must be low for the internal teams who manage the process. How can this be accomplished while providing the LEAST amount of access to the third party? Allow only specified IP addresses to access the S3 buckets which will host files that need to be provided to the third party. Create an IAM role with the appropriate access to the S3 bucket, and grant login permissions to the console for the third party to access the S3 bucket. Create a pre-signed URL that can be distributed by email to the third party, allowing it to download specific S3 files. Have the third party sign up for an AWS account, and grant it cross-account access to the appropriate S3 bucket in the source account.
A SysOps Administrator is reviewing AWS Trusted Advisor warnings and encounters a warning for an S3 bucket policy that has open access permissions. While discussing the issue with the bucket owner, the Administrator realizes the S3 bucket is an origin for an Amazon CloudFront web distribution. Which action should the Administrator take to ensure that users access objects in Amazon S3 by using only CloudFront URLs? Encrypt the S3 bucket content with Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) Create an origin access identity and grant it permissions to read objects in the S3 bucket Assign an IAM user to the CloudFront distribution and whitelist the IAM user in the S3 bucket policy Assign an IAM role to the CloudFront Distribution and whitelist the IAM role in the S3 bucket policy.
A SysOps Administrator is creating an Amazon EC2 instance and has received an InsufficientInstanceCapacity error. What is the cause of the error and how can it be corrected? AWS does not currently have enough capacity to service the request for that instance type. A different Availability Zone or instance type must be used. The account has reached its concurrent running instance limit. An EC2 limit increase request must be filed with AWS Support. The APIs that service the EC2 requests have received too many requests and capacity has been reached. The request should be attempted again in a few minutes. The Administrator did not specify the correct size of the instance to support the capacity requirements of the workload. Select a bigger instance.
A web application runs on Amazon EC2 instances with public IPs assigned behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon RDS Multi-AZ DB instance. The Application Load Balancer, EC2 instances, and RDS DB instance all run in separate sets of subnets. The EC2 instances can communicate with the DB instance, but cannot connect with external services. What is the MOST likely solution? Assign a public IP address to the database server and restart the database engine. Create and attach an Internet gateway to the VPC. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the gateway. Create and attach a virtual private gateway to the VPC. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the gateway. Create a VPC peering connection to a VPC that has an Internet gateway attached. Create a route table for the EC2 instances’ subnets that sends Internet traffic to the peered VPC.
InfoSec is concerned that an employee may expose sensitive data in an Amazon S3 bucket. How can this concern be addressed without putting undue restrictions on users? Apply an IAM policy on all users that denies the action s3:PutBucketPolicy Restrict S3 bucket access to specific IAM roles managed using federated access Activate an AWS Config rule to identify public buckets and alert InfoSec using Amazon SNS Email the findings of AWS Personal Health Dashboard to InfoSec daily.
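The three S3 policy questions above (the ListBucket Access Denied, the open CloudFront origin bucket, and the public-bucket concern) come down to two mistakes in a bucket policy. The script below is an added example, not code from this test or from AWS: it lints a policy for both mistakes and produces the two fixes. The policy named BROKEN_LIST_POLICY is built from the values quoted in the ListBucket question's answer options; everything else (bucket names, the OAI canonical user ID, the public-origin policy) is constructed for the example.

```python
"""Bucket-policy lint for two common S3 mistakes. Added example, not from the
question dump or from AWS.
Finding 1: a bucket-level action (s3:ListBucket, s3:List*, ...) granted only on the
object ARN arn:aws:s3:::bucket/* never matches, because IAM evaluates ListBucket
against the bucket ARN arn:aws:s3:::bucket; the caller gets Access Denied.
Finding 2: an Allow with Principal "*" makes the bucket public; a CloudFront origin
should grant read to its origin access identity (OAI) instead.
All policies and identifiers below are constructed for the example."""

import fnmatch
import json
from typing import Dict, List

# Actions IAM evaluates against the bucket ARN rather than an object ARN (subset).
BUCKET_LEVEL_ACTIONS = {
    "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads",
    "s3:GetBucketLocation", "s3:GetBucketPolicy", "s3:PutBucketPolicy",
    "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:GetBucketLogging",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bucket_actions(actions: List[str]) -> set:
    """Expand wildcards such as s3:List* against the bucket-level actions."""
    matched = set()
    for pattern in actions:
        matched |= {a for a in BUCKET_LEVEL_ACTIONS if fnmatch.fnmatchcase(a, pattern)}
    return matched


def _is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_bucket_policy(policy: Dict) -> List[str]:
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        resources = _as_list(st.get("Resource", []))
        bucket_actions = _bucket_actions(_as_list(st.get("Action", [])))
        if bucket_actions and all(r.endswith("/*") for r in resources):
            findings.append(f"Statement {i}: {sorted(bucket_actions)} are evaluated on "
                            f"the bucket ARN, but Resource lists only object ARNs {resources}")
        if _is_anonymous(st.get("Principal")):
            findings.append(f"Statement {i}: Principal '*' makes the bucket public; "
                            f"grant the CloudFront OAI instead")
    return findings


def add_bucket_arns(policy: Dict) -> Dict:
    """Fix for finding 1: list arn:aws:s3:::bucket next to arn:aws:s3:::bucket/*."""
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for st in fixed.get("Statement", []):
        if st.get("Effect") != "Allow" or not _bucket_actions(_as_list(st.get("Action", []))):
            continue
        resources = _as_list(st.get("Resource", []))
        st["Resource"] = sorted(set(resources) | {r[:-2] for r in resources if r.endswith("/*")})
    return fixed


def oai_read_policy(bucket: str, oai_canonical_user_id: str) -> Dict:
    """Fix for finding 2: only the CloudFront OAI may read objects, so the content
    is reachable through CloudFront URLs only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"CanonicalUser": oai_canonical_user_id},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }]}


# Constructed from the values quoted in the answer options of the ListBucket question.
BROKEN_LIST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:user/application"},
    "Action": "s3:List*",
    "Resource": "arn:aws:s3:::bucketname/*",
}]}

# Constructed: the open-access origin bucket Trusted Advisor would warn about.
PUBLIC_ORIGIN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::photo-library-origin/*",
}]}

if __name__ == "__main__":
    for name, pol in [("broken list", BROKEN_LIST_POLICY), ("public origin", PUBLIC_ORIGIN_POLICY),
                      ("fixed list", add_bucket_arns(BROKEN_LIST_POLICY))]:
        print(name, "->", lint_bucket_policy(pol) or ["clean"])
```

The lint keys off Resource suffixes and the Principal shape only; it does not evaluate Condition blocks, so a statement made public only through a permissive condition would still need a real tool such as IAM Access Analyzer or the AWS Config public-bucket rules mentioned in the question.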
A SysOps Administrator discovers the organization’s tape archival system is no longer functioning in its on-premises data center. What AWS service can be used to create a virtual tape interface to replace the physical tape system? AWS Snowball AWS SMS Amazon Glacier AWS Storage Gateway.
A SysOps Administrator must evaluate storage solutions to replace a company’s current user-shared drives infrastructure. Any solution must support security controls that enable Portable Operating System Interface (POSIX) permissions and Network File System protocols. Additionally, any solution must be accessible from multiple Amazon EC2 instances and on-premises servers connected to the Amazon VPC. Which AWS service meets the user drive requirements? Amazon S3 Amazon EFS Amazon EBS Amazon SQS.
A company’s Auditor implemented a compliance requirement that all Amazon S3 buckets must have logging enabled. How should the SysOps Administrator ensure this compliance requirement is met, while still permitting Developers to create and use new S3 buckets? Add AWS CloudTrail logging for the S3 buckets. Implement IAM policies to allow only the Storage team to create S3 buckets. Add the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED. Create an AWS Lambda function to delete the S3 buckets if logging is not turned on.
An organization is running multiple applications for their customers. Each application is deployed by running a base AWS CloudFormation template that configures a new VPC. All applications are run in the same AWS account and AWS Region. A SysOps Administrator has noticed that when trying to deploy the same AWS CloudFormation stack, it fails to deploy. What is likely to be the problem? The Amazon Machine image used is not available in that region. The AWS CloudFormation template needs to be updated to the latest version. The VPC configuration parameters have changed and must be updated in the template. The account has reached the default limit for VPCs allowed.
Based on the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer for an Aurora database? Performing underlying OS updates Provisioning of storage for database Scheduling maintenance, patches, and other updates Executing maintenance, patches, and other updates.
A web-commerce application stores its data in an Amazon Aurora DB cluster with an Aurora replica. The application displays shopping cart information by reading data from the reader endpoint. When monitoring the Aurora database, the SysOps Administrator sees the AuroraReplicaLagMaximum metric for a single replica is high. What behavior is the application MOST likely exhibiting to users? Users cannot add any items to the shopping cart. Users intermittently notice that the cart is not updated correctly. Users cannot remove any items from the shopping cart. Users cannot use the application because it is falling back to an error page.
A company would like to review each change in the infrastructure before deploying updates in its AWS CloudFormation stacks. Which action will allow an Administrator to understand the impact of these changes before implementation? Implement a blue/green strategy using AWS Elastic Beanstalk. Perform a canary deployment using Application Load Balancers and target groups. Create a change set for the running stack. Submit the update using the UpdateStack API call.
A Systems Administrator is responsible for maintaining custom, approved AMIs for a company. These AMIs must be shared with each of the company’s AWS accounts. How can the Administrator address this issue? Contact AWS Support for sharing AMIs with other AWS accounts. Modify the permissions on the AMIs so that they are publicly accessible. Modify the permissions on the IAM role that are associated with the AMI. Share the AMIs with each AWS account using the console or CLI.
A SysOps Administrator must devise a strategy for enforcing tagging of all EC2 instances and Amazon Elastic Block Store (Amazon EBS) volumes. What action can the Administrator take to implement this for real-time enforcement? Use the AWS Tag Editor to manually search for untagged resources and then tag them properly in the editor. Set up AWS Service Catalog with the TagOptions Library rule that enforces a tagging taxonomy proactively when instances and volumes are launched. In a PowerShell or shell script, check for untagged items by using the resource tagging GetResources API action, and then manually tag the reported items. Launch items by using the AWS API. Use the TagResources API action to apply the required tags when the instances and volumes are launched.
During a security investigation, it is determined that there is a coordinated attack on the web applications deployed on Amazon EC2. The attack is performed through malformed HTTP headers. What AWS service or feature would prevent this traffic from reaching the EC2 instances? Amazon Inspector Amazon Security Groups AWS WAF Application Load Balancer (ALB).
A company is deploying a legacy web application on Amazon EC2 instances behind an ELB Application Load Balancer. The application worked well in the test environment. However, in production, users report that they are prompted to log in to the system several times an hour. Which troubleshooting step should be taken to help resolve the problem reported by users? Confirm that the Application Load Balancer is in a multi-AZ configuration. Enable health checks on the Application Load Balancer. Ensure that port 80 is configured on the security group. Enable sticky sessions on the Application Load Balancer.
A company has mandated the use of multi-factor authentication (MFA) for all IAM users, and requires users to make all API calls using the CLI. However, users are not prompted to enter MFA tokens, and are able to run CLI commands without MFA. In an attempt to enforce MFA, the company attached an IAM policy to all users that denies API calls that have not been authenticated with MFA. What additional step must be taken to ensure that API calls are authenticated using MFA? Enable MFA on IAM roles, and require IAM users to use role credentials to sign API calls. Ask the IAM users to log into the AWS Management Console with MFA before making API calls using the CLI. Restrict the IAM users to use of the console, as MFA is not supported for CLI use. Require users to use temporary credentials from the get-session-token command to sign API calls.
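The MFA question above hinges on how the deny policy's condition behaves for different credential types. The following added example (not code from this test or from AWS) builds the deny policy in the documented aws:MultiFactorAuthPresent pattern, models just enough of IAM condition evaluation to show why long-term access keys are denied while get-session-token credentials obtained with an MFA code pass, and turns a constructed STS response into the export lines the CLI needs. The evaluator and the STS response are simplifications made for the example.

```python
"""Why an MFA-enforcement policy denies CLI calls made with long-term access keys, and
how credentials from `aws sts get-session-token` satisfy it.
Added example, not code from the question dump or from AWS. deny_applies() is a
deliberately small model of IAM condition evaluation (one key per operator) and the
STS response is constructed; the policy follows the documented
aws:MultiFactorAuthPresent / BoolIfExists pattern."""

MFA_KEY = "aws:MultiFactorAuthPresent"


def deny_without_mfa_policy() -> dict:
    """Deny everything that was not authenticated with MFA.

    BoolIfExists is the important detail: a request signed with a user's long-term
    access keys carries no aws:MultiFactorAuthPresent key at all, and BoolIfExists
    treats the missing key as a match, so those requests are denied. A plain Bool
    condition would skip them and the policy would do nothing for the CLI.
    NotAction keeps sts:GetSessionToken callable; otherwise nobody could obtain
    MFA-authenticated session credentials in the first place (extend it with the
    iam:*MFADevice actions if users enrol their own devices)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllExceptSessionTokenWhenNoMFA",
        "Effect": "Deny",
        "NotAction": ["sts:GetSessionToken", "iam:ListMFADevices"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
    }]}


def request_context(long_term_keys: bool, mfa_used: bool = False) -> dict:
    """Condition keys present in the request context for each credential type:
    absent for user access keys, 'true'/'false' for STS session credentials."""
    if long_term_keys:
        return {}
    return {MFA_KEY: "true" if mfa_used else "false"}


def deny_applies(statement: dict, action: str, context: dict) -> bool:
    """Does this Deny statement match the request? (Bool / BoolIfExists only.)"""
    if action in statement.get("NotAction", []):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue          # ...IfExists: a missing key counts as a match
                return False          # plain operator: a missing key never matches
            if context[key].lower() != expected.lower():
                return False
    return True


# Constructed response in the shape returned by:
#   aws sts get-session-token --serial-number arn:aws:iam::111111111111:mfa/alice \
#       --token-code 123456 --duration-seconds 3600
SAMPLE_STS_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "constructedSecret/KeyForTheExampleOnly",
    "SessionToken": "constructedSessionToken==",
    "Expiration": "2019-10-01T12:00:00Z",
}}


def export_lines(sts_response: dict) -> list:
    """Shell lines that make the CLI sign subsequent calls with the session credentials."""
    c = sts_response["Credentials"]
    return [f"export AWS_ACCESS_KEY_ID={c['AccessKeyId']}",
            f"export AWS_SECRET_ACCESS_KEY={c['SecretAccessKey']}",
            f"export AWS_SESSION_TOKEN={c['SessionToken']}"]


if __name__ == "__main__":
    deny = deny_without_mfa_policy()["Statement"][0]
    for label, ctx in [("access keys", request_context(True)),
                       ("session token, no MFA", request_context(False, False)),
                       ("session token with MFA", request_context(False, True))]:
        print(f"s3:ListAllMyBuckets with {label}: denied={deny_applies(deny, 's3:ListAllMyBuckets', ctx)}")
    print("\n".join(export_lines(SAMPLE_STS_RESPONSE)))
```

Note the second case: session credentials requested without --serial-number and --token-code carry the key with value false and are denied too, so the policy cannot be sidestepped by simply calling get-session-token without MFA.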
An application is being developed that will be served across a fleet of Amazon EC2 instances, which require a consistent view of persistent data. Items stored vary in size from 1KB to 300MB; the items are read frequently, created occasionally, and often require partial changes without conflict. The data store is not expected to grow beyond 2TB, and items will be expired according to age and content type. Which AWS service solution meets these requirements? Amazon S3 buckets with lifecycle policies to delete old objects. Amazon RDS PostgreSQL and a job that deletes rows based on age and file type columns. Amazon EFS and a scheduled process to delete files based on age and extension. An EC2 instance store synced on boot from a central Amazon EBS-backed instance.
A recent organizational audit uncovered an existing Amazon RDS database that is not currently configured for high availability. Given the critical nature of this database, it must be configured for high availability as soon as possible. How can this requirement be met? Switch to an active/passive database pair using the create-db-instance-read-replica with the --availability-zone flag. Specify high availability when creating a new RDS instance, and live-migrate the data. Modify the RDS instance using the console to include the Multi-AZ option. Use the modify-db-instance command with the --ha flag.
When the AWS Cloud infrastructure experiences an event that may impact an organization, which AWS service can be used to see which of the organization’s resources are affected? AWS Service Health Dashboard AWS Trusted Advisor AWS Personal Health Dashboard AWS Systems Manager.
A SysOps Administrator has written an AWS Lambda function to launch new Amazon EC2 instances and deployed it in the us-east-1 region. The Administrator tested it by launching a new t2.nano instance in the us-east-1 region and it performed as expected. However, when the region name was updated in the Lambda function to launch an EC2 instance in the us-west-1 region, it failed. What is causing this error? The AMI ID must be updated for the us-west-1 region in the Lambda function as well. The Lambda function can only launch EC2 instances in the same region where it is deployed. The Lambda function does not have the necessary IAM permission to launch more than one EC2 instance. The instance type defined in the Lambda function is not available in the us-west-1 region.
A SysOps Administrator must find a way to set up alerts when Amazon EC2 service limits are close to being reached. How can the Administrator achieve this requirement? Use Amazon Inspector and Amazon CloudWatch Events. Use AWS Trusted Advisor and Amazon CloudWatch Events. Use the Personal Health Dashboard and CloudWatch Events. Use AWS CloudTrail and CloudWatch Events.
A web application accepts orders from online users and places the orders into an Amazon SQS queue. Amazon EC2 instances in an EC2 Auto Scaling group read the messages from the queue, process the orders, and email order confirmations to the users. The Auto Scaling group scales up and down based on the queue depth. At the beginning of each business day, users report confirmation emails are delayed. What action will address this issue? Create a scheduled scaling action to scale up in anticipation of the traffic. Change the Auto Scaling group to scale up and down based on CPU utilization. Change the launch configuration to launch larger EC2 instance types. Modify the scaling policy to deploy more EC2 instances when scaling up.
A SysOps Administrator must take a team’s single existing AWS CloudFormation template and split it into smaller, service-specific templates. All of the services in the template reference a single, shared Amazon S3 bucket. What should the Administrator do to ensure that this S3 bucket can be referenced by all the service templates? Include the S3 bucket as a mapping in each template. Add the S3 bucket as a resource in each template. Create the S3 bucket in its own template and export it. Generate the S3 bucket using StackSets.
After installing and configuring the Amazon CloudWatch agent on an EC2 instance, the anticipated system logs are not being received by CloudWatch Logs. Which of the following are likely to be the cause of this problem? (Select TWO.) A custom or third-party solution for logs is being used. The IAM role attached to the EC2 instance does not have the proper permissions. The CloudWatch agent does not support the operating system used. A billing constraint is limiting the number of CloudWatch Logs within this account. The EC2 instance is in a private subnet, and the VPC does not have a NAT gateway.
A SysOps Administrator found that a newly-deployed Amazon EC2 application server is unable to connect to an existing Amazon RDS database. After enabling VPC Flow Logs and confirming that the flow log is active on the console, the log group cannot be located in Amazon CloudWatch. What are the MOST likely reasons for this situation? (Select TWO.) The Administrator must configure the VPC Flow Logs to have them sent to AWS CloudTrail. The Administrator has waited less than ten minutes for the log group to be created in CloudWatch. The account VPC Flow Logs have been disabled by using a service control policy. No relevant traffic has been sent since the VPC Flow Logs were created. The account has Amazon GuardDuty enabled.
An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet. What additional step should be taken? Add a rule to the security group allowing outbound traffic on port 80. Add a rule to the network ACL allowing outbound traffic on port 80. Add a rule to the security group allowing outbound traffic on ports 1024 through 65535. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
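The network ACL question above is about statefulness: a security group remembers the inbound connection and lets the HTTP reply out, while a network ACL evaluates the reply as a fresh outbound packet whose destination port is the client's ephemeral port (1024 through 65535). The model below is an added example, not code from this test or from AWS; the rule sets are constructed, and the client port, the stateless first-match evaluation and the implicit final deny mirror how a network ACL is processed.

```python
"""Stateless network ACL vs stateful security group, for the 'port 80 is allowed but
the site is unreachable' case. An HTTP reply leaves the server with destination port
equal to the client's ephemeral port (1024-65535). A security group remembers the
inbound connection and lets the reply out; a network ACL does not, so the reply needs
an explicit outbound allow on the ephemeral range.
Added model, not code from the question dump or from AWS; rule sets are constructed."""

from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NaclRule:
    number: int                  # lowest matching number wins, as in the console
    direction: str               # "inbound" or "outbound"
    action: str                  # "allow" or "deny"
    port_range: Tuple[int, int]  # inclusive destination-port range


def nacl_decision(rules: List[NaclRule], direction: str, dst_port: int) -> str:
    """First rule (by number) whose range contains dst_port decides; otherwise the
    implicit final '*' rule denies."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        low, high = rule.port_range
        if low <= dst_port <= high:
            return rule.action
    return "deny"


def http_reachable(nacl_rules: List[NaclRule], sg_allows_inbound_80: bool,
                   client_ephemeral_port: int = 49152) -> bool:
    """Client -> server:80 request plus server:80 -> client:ephemeral reply.
    The security group is stateful, so only its inbound rule is consulted."""
    request_in = nacl_decision(nacl_rules, "inbound", 80) == "allow" and sg_allows_inbound_80
    reply_out = nacl_decision(nacl_rules, "outbound", client_ephemeral_port) == "allow"
    return request_in and reply_out


# Constructed: what the question describes, port 80 allowed in both directions and
# nothing else.
PORT_80_ONLY = [
    NaclRule(100, "inbound", "allow", (80, 80)),
    NaclRule(100, "outbound", "allow", (80, 80)),
]

# Constructed fix: let replies out on the ephemeral range. Connections the instance
# itself opens (e.g. patching over 443) still need their own outbound rule plus an
# inbound ephemeral rule for their replies.
WITH_EPHEMERAL_OUT = PORT_80_ONLY + [NaclRule(110, "outbound", "allow", (1024, 65535))]

if __name__ == "__main__":
    print("port 80 only   :", http_reachable(PORT_80_ONLY, True))
    print("ephemeral out  :", http_reachable(WITH_EPHEMERAL_OUT, True))
    print("outbound 443   :", nacl_decision(WITH_EPHEMERAL_OUT, "outbound", 443))
```

Because rules are matched lowest number first, a deny on the ephemeral range numbered below the allow silently reintroduces the problem; the test below includes that shadowing case.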
A company has an application that is running on an EC2 instance in one Availability Zone. A SysOps Administrator has been tasked with making the application highly available. The Administrator created a launch configuration from the running EC2 instance. The Administrator also properly configured a load balancer. What step should the Administrator complete next to make the application highly available? Create an Auto Scaling group by using the launch configuration across at least 2 Availability Zones with a minimum size of 1, desired capacity of 1, and a maximum size of 1. Create an Auto Scaling group by using the launch configuration across at least 3 Availability Zones with a minimum size of 2, desired capacity of 2, and a maximum of 2. Create an Auto Scaling group by using the launch configuration across at least 2 regions with a minimum size of 1, desired capacity of 1, and a maximum size of 1. Create an Auto Scaling group by using the launch configuration across at least 3 regions with a minimum size of 2, desired capacity of 2, and a maximum size of 2.
An Applications team has successfully deployed an AWS CloudFormation stack consisting of 30 t2.medium Amazon EC2 instances in the us-west-2 Region. When using the same template to launch a stack in us-east-2, the launch failed and rolled back after launching only 10 EC2 instances. What is a possible cause of this failure? The IAM user did not have privileges to launch the CloudFormation template. The t2.medium EC2 instance service limit was reached. An AWS Budgets threshold was breached. The application’s Amazon Machine Image (AMI) is not available in us-east-2.
A SysOps Administrator stores crash dump files in Amazon S3. New security and privacy measures require that crash dumps older than 6 months be deleted. Which approach meets this requirement? Use Amazon CloudWatch Events to delete objects older than 6 months. Implement lifecycle policies to delete objects older than 6 months. Use the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class to automatically delete objects older than 6 months. Create versioning rules to delete objects older than 6 months.
The Accounting department would like to receive billing updates more than once a month. They would like the updates to be in a format that can easily be viewed with a spreadsheet application. How can this request be fulfilled? Use Amazon CloudWatch Events to schedule a billing inquiry on a bi-weekly basis. Use AWS Glue to convert the output to CSV. Set AWS Cost and Usage Reports to publish bills daily to an Amazon S3 bucket in CSV format. Use the AWS CLI to output billing data as JSON. Use Amazon SES to email bills on a daily basis. Use AWS Lambda, triggered by CloudWatch, to query billing data and push to Amazon RDS.
A SysOps Administrator is troubleshooting an AWS CloudFormation template whereby multiple Amazon EC2 instances are being created. The template is working in us-east-1, but it is failing in us-west-2 with the error code: AMI [ami-12345678] does not exist. How should the Administrator ensure that the AWS CloudFormation template is working in every region? Copy the source region’s Amazon Machine Image (AMI) to the destination region and assign it the same ID. Edit the AWS CloudFormation template to specify the region code as part of the fully qualified AMI ID. Edit the AWS CloudFormation template to offer a drop-down list of all AMIs to the user by using the AWS::EC2::AMI::ImageID control. Modify the AWS CloudFormation template by including the AMI IDs in the “Mappings” section. Refer to the proper mapping within the template for the proper AMI ID.
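Several questions above (the developer's template, the Lambda function, the us-east-2 rollback and this one) share one root cause: an AMI ID only exists in the region that holds the image. The following added example (not code from this test or from AWS) builds a template fragment whose Mappings section holds one AMI per region and whose instance reads it with Fn::FindInMap and the AWS::Region pseudo parameter, then resolves the fragment the way CloudFormation would at deploy time so a region missing from the map is caught before a stack is created. The AMI IDs are made up and resolve() implements only the two intrinsic functions used here.

```python
"""Region-specific AMI IDs in a CloudFormation template. An AMI ID is valid only in
the region where the image lives, which is why the same template reports 'does not
exist' in a second region. The template carries a Mappings table keyed by region and
reads it with Fn::FindInMap and the AWS::Region pseudo parameter.
Added example, not code from the question dump or from AWS; the AMI IDs are made up
and resolve() covers only the two intrinsic functions used here."""

import json

# Constructed: the same image copied to two regions gets a different ID in each.
REGION_AMIS = {
    "us-east-1": "ami-00000000000000aaa",
    "us-west-2": "ami-00000000000000bbb",
}


def template_with_ami_map(region_amis: dict) -> dict:
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Mappings": {"RegionMap": {region: {"AMI": ami} for region, ami in region_amis.items()}},
        "Resources": {"WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "t2.micro",
                "ImageId": {"Fn::FindInMap": ["RegionMap", {"Ref": "AWS::Region"}, "AMI"]},
            },
        }},
    }


def resolve(node, region: str, mappings: dict):
    """Evaluate Ref AWS::Region and Fn::FindInMap as the service does at deploy time.
    A region missing from the map fails here, before any resource is created,
    instead of as a rolled-back stack."""
    if isinstance(node, dict):
        if node == {"Ref": "AWS::Region"}:
            return region
        if "Fn::FindInMap" in node:
            map_name, top_key, second_key = [resolve(x, region, mappings) for x in node["Fn::FindInMap"]]
            try:
                return mappings[map_name][top_key][second_key]
            except KeyError:
                raise ValueError(f"Mapping {map_name} has no value for {top_key}/{second_key}; "
                                 f"deploying in {region} would fail") from None
        return {k: resolve(v, region, mappings) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(x, region, mappings) for x in node]
    return node


def image_id_for(region: str, region_amis: dict = REGION_AMIS) -> str:
    """The ImageId the WebServer resource would get when the stack runs in `region`."""
    template = template_with_ami_map(region_amis)
    resources = resolve(template["Resources"], region, template["Mappings"])
    return resources["WebServer"]["Properties"]["ImageId"]


if __name__ == "__main__":
    print(json.dumps(template_with_ami_map(REGION_AMIS), indent=2))
    for region in ("us-east-1", "us-west-2", "eu-west-1"):
        try:
            print(region, "->", image_id_for(region))
        except ValueError as err:
            print(region, "->", err)
```

Running resolve() for every region the template is meant to support is a cheap pre-deployment check; copying the image to the new region still has to happen separately, since copy-image always produces a new ID there.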
A SysOps Administrator needs to confirm that security best practices are being followed with the AWS account root user. How should the Administrator ensure that this is done? Change the root user password by using the AWS CLI routinely. Periodically use the AWS CLI to rotate access keys and secret keys for the root user. Use AWS Trusted Advisor security checks to review the configuration of the root user. Periodically distribute the AWS compliance document from AWS Artifact that governs the root user configuration.
The networking team has created a VPC in an AWS account. The application team has asked for access to resources in another VPC in the same AWS account. The SysOps Administrator has created the VPC peering connection between the two VPCs, but the resources in one VPC cannot communicate with the resources in the other VPC. What could be causing this issue? One of the VPCs is not sized correctly for peering. There is no public subnet in one of the VPCs. The route tables have not been updated. One VPC has disabled the peering flag.
A SysOps Administrator is implementing SSL for a domain of an internet-facing application running behind an Application Load Balancer (ALB). The Administrator decides to use an SSL certificate from AWS Certificate Manager (ACM) to secure it. Upon creating a request for the ALB fully qualified domain name (FQDN), it fails, and the error message “Domain Not Allowed” is displayed. How can the Administrator fix this issue? Contact the domain registrar and ask them to provide the verification required by AWS. Place a new request with the proper domain name instead of the ALB FQDN. Select the certificate request in the ACM console and resend the validation email. Contact AWS Support and verify the request by answering security challenge questions.
After a particularly high AWS bill, an organization wants to review the use of AWS services. What AWS service will allow the SysOps Administrator to quickly view this information to share it, and will also forecast expenses for the current billing period? AWS Trusted Advisor Amazon QuickSight AWS Cost and Usage Report AWS Cost Explorer.
A company has adopted a security policy that requires all customer data to be encrypted at rest. Currently, customer data is stored on a central Amazon EFS file system and accessed by a number of different applications from Amazon EC2 instances. How can the SysOps Administrator ensure that all customer data stored on the EFS file system meets the new requirement? Update the EFS file system settings to enable server-side encryption using AES-256. Create a new encrypted EFS file system and copy the data from the unencrypted EFS file system to the new encrypted EFS file system. Use AWS CloudHSM to encrypt the files directly before storing them in the EFS file system. Modify the EFS file system mount options to enable Transport Layer Security (TLS) on each of the EC2 instances.
The Database Administration team is interested in performing manual backups of an Amazon RDS Oracle DB instance. What steps should be taken to perform the backups? Attach an Amazon EBS volume with Oracle RMAN installed to the RDS instance. Take a snapshot of the EBS volume that is attached to the DB instance. Install Oracle Secure Backup on the RDS instance and back up the Oracle database to Amazon S3. Take a snapshot of the DB instance.
In configuring an Amazon Route 53 health check, a SysOps Administrator selects ‘Yes’ to the String Matching option in the Advanced Configuration section. In the Search String box, the Administrator types the following text: /html. This is to ensure that the entire page is loading during the health check. Within 5 minutes of enabling the health check, the Administrator receives an alert stating that the check failed. However, when the Administrator navigates to the page, it loads successfully. What is the MOST likely cause of this false alarm? The search string is not HTML-encoded. The search string must be put in quotes. The search string must be escaped with a backslash (\) before the forward slash (/). The search string is not in the first 5120 bytes of the tested page.
Company A purchases company B and inherits three new AWS accounts. Company A would like to centralize billing and reserved instance benefits but wants to keep all other resources separate. How can this be accomplished? Implement AWS Organizations and create a service control policy that defines the billing relationship with the new master account. Configure AWS Organizations Consolidated Billing and provide the finance team with IAM access to the billing console. Send Cost and Usage Reports files to a central Amazon S3 bucket and load the data into Amazon Redshift. Use Amazon QuickSight to provide visualizations to the finance team. Link the Reserved Instances to the master payer account and use Amazon Redshift Spectrum to query Detailed Billing Report data across all accounts.
A company has multiple web applications running on Amazon EC2 instances in private subnets. The EC2 instances require connectivity to the internet for patching purposes, but cannot be publicly accessible. Which step will meet these requirements? Add an internet gateway and update the route tables. Add a NAT gateway to the VPC and update the route tables. Add an interface endpoint and update the route tables. Add a virtual gateway to the VPC and update the route tables.
A company wants to ensure that each department operates within their own isolated environment, and they are only able to use pre-approved services. How can this requirement be met? Set up an AWS Organization to create accounts for each department, and apply service control policies to control access to AWS services. Create IAM roles for each department, and set policies that grant access to specific AWS services. Use the AWS Service Catalog to create catalogs of AWS services that are approved for use by each department. Request that each department create and manage its own AWS account and the resources within it.
A company is using AWS Organizations to manage all their accounts. The Chief Technology Officer wants to prevent certain services from being used within production accounts until the services have been internally certified. They are willing to allow developers to experiment with these uncertified services in development accounts but need a way to ensure that these services are not used within production accounts. Which option ensures that services are not allowed within the production accounts, yet are allowed in separate development accounts within the LEAST administrative overhead? Use AWS Config to shut down non-compliant services found within the production accounts on a periodic basis, while allowing these same services to run in the development accounts. Apply service control policies to the AWS Organizational Unit (OU) containing the production accounts to whitelist certified services. Apply a less restrictive policy to the OUs containing the development accounts. Use IAM policies applied to the combination of user and account to prevent developers from using these services within the production accounts. Allow the services to run in development accounts. Use Amazon CloudWatch to report on the use of non-certified services within any account, triggering an AWS Lambda function to terminate only those non-certified services when found in a production account.
A SysOps Administrator has configured health checks on a load balancer. An Amazon EC2 instance attached to this load balancer fails the health check. What will happen next? (Choose two.) The load balancer will continue to perform the health check on the EC2 instance. The EC2 instance will be terminated based on the health check failure. The EC2 instance will be rebooted. The load balancer will stop sending traffic to the EC2 instance. A new EC2 instance will be deployed to replace the unhealthy instance.
An application performs read-heavy operations on an Amazon Aurora DB instance. The SysOps Administrator monitors the CPUUtilization CloudWatch metric and has recently seen it increase to 90%. The Administrator would like to understand what is driving the CPU surge. Which of the following should the Administrator additionally monitor to understand the CPU surge? FreeableMemory and DatabaseConnections to understand the amount of available RAM and number of connections to the DB instance. FreeableMemory and EngineUptime to understand the amount of available RAM and the amount of time the instance has been up and running. DatabaseConnections and AuroraReplicaLag for the number of connections to the DB instance and the amount of lag when replicating updates from the primary instance. DatabaseConnections and InsertLatency for the number of connections to the DB instance and latency for insert queries.
A SysOps Administrator must use a bastion host to administer a fleet of Amazon EC2 instances. All access to the bastion host is managed by the Security team. What is the MOST secure way for the Security team to provide the SysOps Administrator access to the bastion host? Assign the same IAM role to the Administrator that is assigned to the bastion host. Provide the Administrator with the SSH key that was used for the bastion host when it was originally launched. Create a new IAM role with the same permissions as the Security team, and assign it to the Administrator. Create a new administrative account on the bastion host, and provide those credentials to the Administrator using AWS Secrets Manager.
An Amazon EC2 instance is unable to connect to an SMTP server in a different subnet. Other instances are successfully communicating with the SMTP server. VPC Flow Logs have been enabled on the SMTP server's network interface and show the following information: 2 223342798652 eni-abe77dab 10.1.1.200 10.100.1.10 1123 25 17 70 48252 1515534437 1515535037 REJECT OK What can be done to correct this problem? Add the instance to the security group for the SMTP server and ensure that it is permitted to communicate over TCP port 25. Disable the iptables service on the SMTP server so that the instance can properly communicate over the network. Install an email client on the instance to ensure that it communicates correctly on TCP port 25 to the SMTP server. Add a rule to the security group for the instance to explicitly permit TCP port 25 outbound to any address.
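The flow log record in this question is easier to read once it is split into its fields. The Python below is an added example, not part of the quiz: it parses default-format (version 2) VPC Flow Log records, treats the "-" placeholders of NODATA/SKIPDATA records correctly, and summarizes REJECTed flows per source, destination, port and protocol. The first sample record is the one quoted in the question; the other two are constructed. One check a practitioner would make: the protocol field of the quoted record is 17, which is UDP under IANA numbering, while the answer options talk about TCP port 25, so the security group rule being added must match the protocol actually seen. A REJECT in a flow log means the security groups or network ACLs dropped the traffic; a host firewall on the SMTP server never produces a REJECT here because the packet has already been delivered to the instance.

```python
"""Parse VPC Flow Log records and pick out REJECTed flows.

Added example, not part of the quiz. The first record is the one quoted
in the question; the other two are constructed to show an ACCEPTed flow
from a working client and a NODATA record, whose address and port fields
are '-'.
"""
from dataclasses import dataclass
from typing import Optional

# Default field order of a version 2 flow log record.
FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
)
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# IANA protocol numbers relevant to this kind of triage.
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

SAMPLE_RECORDS = [
    # quoted in the question: a flow to port 25 that was rejected
    "2 223342798652 eni-abe77dab 10.1.1.200 10.100.1.10 1123 25 17 70 48252 1515534437 1515535037 REJECT OK",
    # constructed: a different client that the SMTP server's security group does permit
    "2 223342798652 eni-abe77dab 10.1.1.201 10.100.1.10 40322 25 6 12 1460 1515534437 1515535037 ACCEPT OK",
    # constructed: no traffic in the window, so most fields are '-'
    "2 223342798652 eni-abe77dab - - - - - - - 1515534437 1515535037 - NODATA",
]


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: int
    end: int
    action: str
    log_status: str

    @property
    def protocol_name(self) -> str:
        return PROTOCOLS.get(self.protocol, str(self.protocol))


def parse_flow_record(line: str) -> FlowRecord:
    """Split one space-separated record into a typed FlowRecord ('-' becomes None)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {}
    for name, raw in zip(FIELDS, parts):
        if name in INT_FIELDS:
            values[name] = None if raw == "-" else int(raw)
        else:
            values[name] = raw
    return FlowRecord(**values)


def summarize_rejects(lines):
    """Count REJECTed flows per (srcaddr, dstaddr, dstport, protocol).

    A REJECT on an ENI's flow log means the security groups or network ACLs
    dropped the packet; host firewalls such as iptables act after the packet
    has already been delivered to the instance and never show up here.
    """
    counts = {}
    for line in lines:
        rec = parse_flow_record(line)
        if rec.log_status != "OK" or rec.action != "REJECT":
            continue
        key = (rec.srcaddr, rec.dstaddr, rec.dstport, rec.protocol_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (src, dst, port, proto), n in summarize_rejects(SAMPLE_RECORDS).items():
        print(f"{n} rejected flow(s): {src} -> {dst}:{port}/{proto}")
```

Running the script prints one line for the quoted record, naming 10.1.1.200 as the rejected source, port 25 as the destination and UDP as the protocol, which is exactly the information needed to write or fix the security group rule on the SMTP server.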
A workload has been moved from a data center to AWS. Previously, vulnerability scans were performed nightly by an external testing company. There is a mandate to continue the vulnerability scans in the AWS environment with third-party testing occurring at least once each month. What solution allows the vulnerability scans to continue without violating the AWS Acceptable Use Policy? The existing nightly scan can continue with a few changes. The external testing company must be notified of the new IP address of the workload and the security group of the workload must be modified to allow scans from the external company’s IP range. If the external company is a vendor in the AWS Marketplace, notify them of the new IP address of the workload. Submit a penetration testing request every 90 days and have the external company test externally when the request is approved. AWS performs vulnerability testing behind the scenes daily and patches instances as needed. If a vulnerability cannot be automatically addressed, a notification email is distributed.
An organization would like to set up an option for its Developers to receive an email whenever production Amazon EC2 instances are running over 80% CPU utilization. How can this be accomplished using an Amazon CloudWatch alarm? Configure the alarm to send emails to subscribers using Amazon SES. Configure the alarm to send emails to subscribers using Amazon SNS. Configure the alarm to send emails to subscribers using Amazon Inspector. Configure the alarm to send emails to subscribers using Amazon Cognito.
A SysOps Administrator is responsible for a large fleet of EC2 instances and must know whether any instances will be affected by upcoming hardware maintenance. Which option would provide this information with the LEAST administrative overhead? Monitor AWS CloudTrail for StopInstances API calls related to upcoming maintenance. Review the Personal Health Dashboard for any scheduled maintenance. From the AWS Management Console, list any instances with failed system status checks. Deploy a third-party monitoring solution to provide real-time EC2 instance monitoring.
Which of the following steps are required to configure SAML 2.0 for federated access to AWS? (Choose two.) Create IAM users for each identity provider (IdP) user to allow access to the AWS environment. Define assertions that map the company’s identity provider (IdP) users to IAM roles. Create IAM roles with a trust policy that lists the SAML provider as the principal. Create IAM users, place them in a group named SAML, and grant them necessary IAM permissions. Grant identity provider (IdP) users the necessary IAM permissions to be able to log in to the AWS environment.
An e-commerce company wants to lower costs on its nightly jobs that aggregate the current day's sales and store the results in Amazon S3. The jobs are currently run using multiple On-Demand Instances and the jobs take just under 2 hours to complete. If a job fails for any reason, it needs to be restarted from the beginning. What method is the MOST cost effective based on these requirements? Use a mixture of On-Demand and Spot Instances for job execution. Submit a request for a Spot block to be used for job execution. Purchase Reserved Instances to be used for job execution. Submit a request for a one-time Spot Instance for job execution.
A SysOps Administrator manages an application that stores object metadata in Amazon S3. There is a requirement to have S3 server-side encryption enabled on all new objects in the bucket. How can the Administrator ensure that all new objects to the bucket satisfy this requirement? Create an S3 lifecycle rule to automatically encrypt all new objects. Enable default bucket encryption to ensure that all new objects are encrypted. Use put-object-acl to allow objects to be encrypted with S3 server-side encryption. Apply the authorization header to S3 requests for S3 server-side encryption.
A SysOps Administrator is managing a large organization with multiple accounts on the Business Support plan all linked to a single payer account. The Administrator wants to be notified automatically of AWS Personal Health Dashboard events. In the main payer account, the Administrator configures Amazon CloudWatch Events triggered by AWS Health events to issue notifications using Amazon SNS, but alerts in the linked accounts failed to trigger. Why did the alerts fail? Amazon SNS cannot be triggered from the AWS Personal Health Dashboard. The AWS Personal Health Dashboard only reports events from one account, not linked accounts. The AWS Personal Health Dashboard must be configured from the payer account only; all events will then roll up into the payer account. AWS Organizations must be used to monitor linked accounts.
A SysOps Administrator has configured a CloudWatch agent to send custom metrics to Amazon CloudWatch and is now assembling a CloudWatch dashboard to display these metrics. What steps should the Administrator take to complete this task? Select the AWS Namespace, filter by metric name, then add to the dashboard. Add a text widget, select the appropriate metric from the custom namespace, then add to the dashboard. Select the appropriate widget and metrics from the custom namespace, then add to the dashboard. Open the CloudWatch console, from the CloudWatch Events, add all custom metrics.
An application is running on multiple EC2 instances. As part of an initiative to improve overall infrastructure security, the EC2 instances were moved to a private subnet. However, since moving, the EC2 instances have not been able to automatically update, and a SysOps Administrator has not been able to SSH into them remotely. Which two actions could the Administrator take to securely resolve these issues? (Choose two.) Set up a bastion host in a public subnet, and configure security groups and route tables accordingly. Set up a bastion host in the private subnet, and configure security groups accordingly. Configure a load balancer in a public subnet, and configure the route tables accordingly. Set up a NAT gateway in a public subnet, and change the private subnet route tables accordingly. Set up a NAT gateway in a private subnet, and ensure that the route tables are configured accordingly.
A company has a Sales department and a Marketing department. The company uses one AWS account. There is a need to determine what charges are incurred on the AWS platform by each department. There is also a need to receive notifications when a specified cost level is approached or exceeded. Which two actions must a SysOps Administrator take to achieve both requirements with the LEAST amount of administrative overhead? (Choose two.) Use AWS Trusted Advisor to obtain a report containing the checked items in the Cost Optimization pillar. Download the detailed billing report, upload it to a database, and match the line items with a list of known resources by department. Create a script by using the AWS CLI to automatically apply tags to existing resources to each department. Schedule the script to run weekly. Use AWS Organizations to create a department Organizational Unit and allow only authorized personnel in each department to create resources. Create a Budget from the Billing and Cost Management console. Specify the budget type as Cost, assign tags for each department, define notifications, and specify any other options as required.
A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs. Which is the MOST efficient way to provide the Developers with access? Create an AWS Lambda function with an IAM role attached to it that has access to both accounts’ S3 buckets. Pull the logs from the production S3 bucket to the development S3 bucket. Create IAM users for each Developer on the production account, and add the Developers to an IAM group that provides read-only access to the S3 log bucket. Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host. Create a resource-based policy for the S3 bucket on the production account that grants access to the development account, and then delegate access in the development account.
A company backs up data from its data center using a tape gateway on AWS Storage Gateway. The SysOps Administrator needs to reboot the virtual machine running Storage Gateway. What process will protect data integrity? Stop Storage Gateway and reboot the virtual machine, then restart Storage Gateway. Reboot the virtual machine, then restart Storage Gateway. Reboot the virtual machine. Shut down the virtual machine and stop Storage Gateway, then turn on the virtual machine.
A fleet of servers must send local logs to Amazon CloudWatch. How should the servers be configured to meet this requirement? Configure AWS Config to forward events to CloudWatch. Configure a Simple Network Management Protocol (SNMP) agent to forward events to CloudWatch. Install and configure the unified CloudWatch agent. Install and configure the Amazon Inspector agent.
After launching a new Amazon EC2 instance from a Microsoft Windows 2012 Amazon Machine Image (AMI), the SysOps Administrator is unable to connect to the instance using Remote Desktop Protocol (RDP). The instance is also unreachable. As part of troubleshooting, the Administrator deploys a second instance from a different AMI using the same configuration and is able to connect to the instance. What should be the next logical step in troubleshooting the first instance? Use AWS Trusted Advisor to gather operating system log files for analysis. Use VPC Flow Logs to gather operating system log files for analysis. Use EC2Rescue to gather operating system log files for analysis. Use Amazon Inspector to gather operating system log files for analysis.
A sysadmin has enabled logging on ELB. Which of the below mentioned fields will not be a part of the log file name? Load Balancer IP EC2 instance IP S3 bucket name Random string.
A system admin is trying to understand the Auto Scaling activities. Which of the below mentioned processes is not performed by Auto Scaling? Reboot Instance Schedule Actions Replace Unhealthy Availability Zone Balancing.
A user had aggregated the CloudWatch metric data on the AMI ID. The user observed some abnormal behaviour of the CPU utilization metric while viewing the last 2 weeks of data. The user wants to share that data with his manager. How can the user achieve this easily with the AWS console? The user can use the copy URL functionality of CloudWatch to share the exact details The user can use the export data option from the CloudWatch console to export the current data point The user has to find the period and data and provide all the aggregation information to the manager The user can use the CloudWatch data copy functionality to copy the current data points.
A user has configured a Cloudwatch alarm for RDS in order to receive a notification whenever the CPU utilization of RDS is higher than 50%. But, the user would like to receive notification if the RDS instance is in unknown or unavailable state. How can this be achieved? Setup the notification when the CPU is more than 75% on RDS Setup the notification when the state is Insufficient Data Setup the notification when the CPU utilization is less than 10% It is not possible to setup the alarm on RDS.
A user has configured an SSL listener at ELB as well as on the back-end instances. Which of the below mentioned statements is correct with regard to ELB and SSL integration? It is not possible to have the SSL listener both at ELB and back-end instances ELB will modify headers to add requestor details ELB will intercept the request to add the cookie details if sticky session is enabled ELB will not modify the headers.
A user has created a Cloudformation stack. The stack creates AWS services, such as EC2 instances, ELB, AutoScaling, and RDS. While creating the stack it created EC2, ELB and AutoScaling but failed to create RDS. What will Cloudformation do in this scenario? CloudFormation can never throw an error after launching a few services since it verifies all the steps before launching It will warn the user about the error and ask the user to manually create RDS Rollback all the changes and terminate all the created services It will wait for the user’s input about the error and correct the mistake after the input.
A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario? It will delete the subnet and make the EC2 instance as a part of the default subnet It will not allow the user to delete the subnet until the instances are terminated It will delete the subnet as well as terminate the instances The subnet can never be deleted independently, but the user has to delete the VPC first.
A user has created a subnet in VPC and launched an EC2 instance within it. The user is not able to access the instance through the internet. Which of the below mentioned statements is true and best with respect to this scenario? The instance will always have a public DNS attached to the instance by default The user can directly attach an elastic IP to the instance The instance will never launch if the public IP is not assigned The user would need to create an internet gateway and then attach an elastic IP to the instance to connect from internet.
A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP) assigned to an instance in the public or private subnet? 20.0.0.255 20.0.0.132 20.0.0.122 20.0.0.55.
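The point of this question is that AWS reserves addresses in every subnet: the first four (network address, VPC router, Route 53 Resolver, reserved for future use) and the last one (network broadcast). So a /25 has 123 assignable addresses, not 126, and 20.0.0.255, the last address of 20.0.0.128/25, can never be an instance's private IP. The Python below is an added example, not part of the quiz; it uses only the standard library's ipaddress module, encodes those reservation rules, and also checks the subnet-layout constraints AWS enforces (prefix between /16 and /28, subnet inside the VPC CIDR, no overlap). The VPC and subnets are the ones from the question.

```python
"""Which private IPs AWS can actually assign inside VPC subnets.

Added example, not part of the quiz. Encodes the AWS rule that the first
four and the last address of every IPv4 subnet are reserved, plus the
subnet sizing/placement constraints, using only the standard library.
"""
import ipaddress

RESERVED_LOW = 4   # network address, VPC router, Route 53 Resolver, future use
RESERVED_HIGH = 1  # network broadcast address (reserved even though VPCs have no broadcast)

# Layout from the question.
VPC_CIDR = "20.0.0.0/24"
SUBNETS = ["20.0.0.0/25", "20.0.0.128/25"]


def assignable_count(cidr: str) -> int:
    """Number of addresses AWS can hand out in a subnet (total minus reserved)."""
    net = ipaddress.ip_network(cidr)
    return max(net.num_addresses - RESERVED_LOW - RESERVED_HIGH, 0)


def assignable_range(cidr: str):
    """(first, last) assignable address of a subnet as strings."""
    net = ipaddress.ip_network(cidr)
    first = net.network_address + RESERVED_LOW
    last = net.broadcast_address - RESERVED_HIGH
    return str(first), str(last)


def is_assignable(ip: str, subnets) -> bool:
    """True if `ip` falls in one of `subnets` and is not a reserved address."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            low = int(net.network_address) + RESERVED_LOW
            high = int(net.broadcast_address) - RESERVED_HIGH
            return low <= int(addr) <= high
    return False


def validate_subnets(vpc_cidr: str, subnets):
    """Return a list of problems with a subnet layout (empty list means valid).

    Checks the AWS constraints: IPv4 subnet prefixes must be /16 to /28,
    every subnet must lie inside the VPC CIDR, and subnets must not overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnets]
    problems = []
    for n in nets:
        if not 16 <= n.prefixlen <= 28:
            problems.append(f"{n}: prefix length must be between /16 and /28")
        if not n.subnet_of(vpc):
            problems.append(f"{n}: not inside VPC CIDR {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for cidr in SUBNETS:
        first, last = assignable_range(cidr)
        print(f"{cidr}: {assignable_count(cidr)} assignable addresses, {first} .. {last}")
    for candidate in ["20.0.0.255", "20.0.0.132", "20.0.0.122", "20.0.0.55"]:
        print(f"{candidate}: {'assignable' if is_assignable(candidate, SUBNETS) else 'NOT assignable'}")
    print("layout problems:", validate_subnets(VPC_CIDR, SUBNETS) or "none")
```

For the question's layout the script reports 20.0.0.4 .. 20.0.0.126 and 20.0.0.132 .. 20.0.0.254 as the assignable ranges, so 20.0.0.132 is the first usable address of the private subnet and 20.0.0.255 is the only option that cannot be assigned.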
A user has created a VPC with public and private subnets using the VPC wizard with NAT instance. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario? It will not allow to delete the VPC as it has subnets with route tables It will not allow to delete the VPC since it has a running route instance It will terminate the VPC along with all the instances launched by the wizard It will not allow to delete the VPC since it has a running NAT instance.
A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario? The VPC will create a routing instance and attach it with a public subnet The VPC will create two subnets The VPC will create one internet Gateway and attach it to VPC The VPC will launch one NAT instance with an elastic IP.
A user has created a VPC with the public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created? It can connect to the AWS services, such as S3 and RDS by default It will have all the inbound traffic by default It will have all the outbound traffic by default It will by default allow traffic to the internet gateway.
A user has launched an EBS backed EC2 instance. The user has rebooted the instance. Which of the below mentioned statements is not true with respect to the reboot action? The private and public address remains the same The Elastic IP remains associated with the instance The volume is preserved The instance runs on a new host computer.
A user has launched an EC2 instance from an instance store backed AMI. The infrastructure team wants to create an AMI from the running instance. Which of the below mentioned steps will not be performed while creating the AMI? Define the AMI launch permissions Upload the bundled volume Register the AMI Bundle the volume.
A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution? The user should download the activity report of the EC2 services as it has the instance ID-wise data It is not possible to get the AWS cost usage data of single region instances separately The user should use Cost Distribution Metadata and AWS detailed billing The user should use Cost Allocation Tags and AWS billing reports.
A user has setup an RDS DB with Oracle. The user wants to get notifications when someone modifies the security group of that DB. How can the user configure that? It is not possible to get the notifications on a change in the security group Configure SNS to monitor security group changes Configure event notification on the DB security group Configure the CloudWatch alarm on the DB for a change in the security group.
A user is displaying the CPU utilization, and Network in and Network out CloudWatch metrics data of a single instance on the same graph. The graph uses one Y-axis for CPU utilization and Network in and another Y-axis for Network out. Since Network in is too high, the CPU utilization data is not visible clearly on graph to the user. How can the data be viewed better on the same graph? It is not possible to show multiple metrics with the different units on the same graph Add third Y-axis with the console to show all the data in proportion Change the axis of Network by using the Switch command from the graph Change the units of CPU utilization so it can be shown in proportion with Network.
A user is launching an instance, he is prompted to add 'Tags' to the instance. Which of the following option is not true about the 'tags'? Each tag will have a key and value. The user can apply tags to the S3 bucket. The maximum value of the tag key length is 64 unicode characters. AWS tags are used to find the cost distribution of various resources.
A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch? The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse The user can zoom a particular period by double clicking on that period with the mouse The user can zoom a particular period by specifying the aggregation data for that period The user can zoom a particular period by specifying the period in the Time Range.
A user is planning to setup infrastructure on AWS for the Christmas sales. The user is planning to use Auto Scaling based on the schedule for proactive scaling. What advice would you give to the user? It is not possible to schedule the auto-scaling group in advance. The scaling only can be setup 7 days in advance. You may schedule the auto scaling group anytime and it will only take effect on the specified time range It is not advisable to use schedule scaling.
A user is planning to use AWS services for his web application. If the user is trying to set up his own billing management system for AWS, how can he configure it? Set up programmatic billing access. Download and parse the bill as per the requirement It is not possible for the user to create his own billing management service with AWS Enable the AWS CloudWatch alarm which will provide APIs to download the alarm data Use AWS billing APIs to download the usage report of each service from the AWS billing console.
A user is trying to set up a security policy for ELB. The user wants ELB to meet the cipher supported by the client by configuring the server order preference in the ELB security policy. Which of the below mentioned preconfigured policies supports this feature? ELBSecurityPolicy-2016-08 ELBSecurityPolicy-2011-08 ELBDefaultNegotiationPolicy ELBSample-OpenSSLDefaultCipherPolicy.
A user is trying to understand the ACL and policy for an S3 bucket. Which of the below mentioned policy permissions is equivalent to the WRITE ACL on a bucket? s3:GetObjectAcl s3:GetObjectVersion s3:ListBucketVersions s3:DeleteObject.
A user would like to be notified if the CPU utilization of his EC2 instances exceeds 90%. Which of the following options would be able to address his concerns? AWS CloudWatch + AWS SES AWS CloudWatch + AWS SNS None. It is not possible to configure the light with AWS infrastructure services AWS CloudWatch and a dedicated software turning on the light.
An organization has added three of its AWS accounts to consolidated billing. One of the AWS accounts has purchased a Reserved Instance (RI) of a small instance size in the US-East-1a zone. All other AWS accounts are running instances of a small size in the same zone. What will happen in this case for the RI pricing? Only the account that has purchased the RI will get the advantage of RI pricing One instance of a small size and running in the US-East-1a zone of each AWS account will get the benefit of RI pricing Any single instance from all the three accounts can get the benefit of AWS RI pricing if they are running in the same zone and are of the same size If there are more than one instances of a small size running across multiple accounts in the same zone no one will get the benefit of RI.
An organization has configured Auto Scaling with ELB. One of the instance health check returns the status as Impaired to Auto Scaling. What will Auto Scaling do in this scenario? Perform a health check until cool down before declaring that the instance has failed Terminate the instance and launch a new instance Notify the user using SNS for the failed state Notify ELB to stop sending traffic to the impaired instance.
An organization has created one IAM user and applied the below mentioned policy to the user. What entitlements do the IAM users avail with this policy?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    }
  ]
}
The policy will allow the user to perform all read only activities on the EC2 services The policy will allow the user to list all the EC2 resources except EBS The policy will allow the user to perform all read and write activities on the EC2 services The policy will allow the user to perform all read only activities on the EC2 services except load Balancing.
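Reading a policy like the one above by eye is error-prone, and the same evaluation logic answers the two service control policy questions near the top of this page (isolating departments and keeping uncertified services out of production accounts). The Python below is an added example, not part of the quiz and not AWS code: a deliberately minimal IAM-style evaluator that applies the rules that matter here (an explicit Deny wins, otherwise some statement must Allow, otherwise implicit deny; action names are case-insensitive and support the "*" and "?" wildcards; Resource and Condition are reduced to "*", which is all these policies use), then combines a service control policy with an identity policy the way AWS does, the SCP setting the ceiling and the identity policy still having to grant the action. The identity policy is the one quoted in the question. The SCPs and the "sagemaker" and "lambda" service names used as uncertified services are constructed assumptions for the illustration.

```python
"""Minimal IAM-style policy evaluation, added as an example (not quiz text, not AWS code).

Covers only what these policies need: Effect Allow/Deny, Action/NotAction with
IAM's '*' and '?' wildcards (case-insensitive), explicit Deny overriding Allow,
implicit deny otherwise. Resource and Condition are treated as '*'.
"""
import fnmatch

# Identity policy quoted in the question.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": [
            "cloudwatch:ListMetrics",
            "cloudwatch:GetMetricStatistics",
            "cloudwatch:Describe*",
        ], "Resource": "*"},
        {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
    ],
}

# Constructed for the illustration: an administrator policy for a development account.
DEV_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed SCPs. Production OU: allow everything, then deny the uncertified
# services (assumed here to be SageMaker and Lambda). Development OU: allow all.
PROD_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["sagemaker:*", "lambda:*"], "Resource": "*"},
    ],
}
DEV_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive; '*' and '?' are the only wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict, action: str) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one action."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        not_actions = _as_list(stmt.get("NotAction", []))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        else:
            hit = not any(_matches(p, action) for p in not_actions)
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        decision = "Allow"
    return decision


def effective(action: str, identity_policy: dict, scps=()) -> str:
    """Combine SCPs and an identity policy: every SCP must allow, then the identity policy must allow.

    SCPs never grant permissions on their own; they only cap what the
    identity policies in the account can grant.
    """
    for scp in scps:
        if evaluate(scp, action) != "Allow":
            return "Deny"
    return "Allow" if evaluate(identity_policy, action) == "Allow" else "Deny"


if __name__ == "__main__":
    for act in ["ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:RunInstances",
                "elasticloadbalancing:DescribeLoadBalancers"]:
        print(f"{act:45s} -> {evaluate(READ_ONLY_POLICY, act)}")
    for scp_name, scp in [("prod", PROD_SCP), ("dev", DEV_SCP)]:
        print(f"sagemaker:CreateNotebookInstance in {scp_name}: "
              f"{effective('sagemaker:CreateNotebookInstance', DEV_ADMIN_POLICY, [scp])}")
```

Running it shows why the last option is the right reading of the quoted policy: ec2:Describe* covers EBS describes such as ec2:DescribeVolumes, but Classic and Application Load Balancer describes live in the elasticloadbalancing: namespace, which no statement mentions, so they fall to implicit deny.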
George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George’s account from the US West region? No, copy AMI does not copy the permission It is not possible to share the AMI with a specific account Yes, since copy AMI copies all private account sharing permissions Yes, since copy AMI copies all the permissions attached with the AMI.
Is the following statement true – “Any AWS customer can use IAM” True False.
Server Order Preference is supported with the ELBSecurityPolicy-2011-08 security policy with regards to ELB. True False.
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection? The user has provided the wrong user name for the OS login The instance CPU is heavily loaded The security group is not configured properly The access key to connect to the instance is wrong.
A system admin is using server side encryption with AWS S3. Which of the below mentioned statements helps the user understand the S3 encryption functionality? The server side encryption with the user supplied key works when versioning is enabled The user can use the AWS console, SDK and APIs to encrypt or decrypt the content for server side encryption with the user supplied key The user must send an AES-128 encrypted key The user can upload his own encryption key to the S3 console.
A user has a weighing plant. The user measures the weight of some goods every 5 minutes and sends data to AWS CloudWatch for monitoring and tracking. Which of the below mentioned parameters is mandatory for the user to include in the request list? Value Namespace Metric Name Timezone.
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario? By default ELB will select the first version of the security policy By default ELB will select the latest version of the policy ELB creation will fail without a security policy It is not required to have a security policy since SSL is already installed.
A user has configured Auto Scaling with the minimum capacity as 2 and the desired capacity as 2. The user is trying to terminate one of the existing instances with the command: terminate-instance-in-auto-scaling-group <Instance ID> --decrement-desired-capacity What will Auto Scaling do in this scenario? Terminates the instance and does not launch a new instance Terminates the instance and updates the desired capacity to 1 Terminates the instance and updates the desired capacity and minimum size to 1 Throws an error.
A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. Which of the below mentioned security policies is supported by ELB? Dynamic Security Policy All the other options Predefined Security Policy Default Security Policy.
A user has created a VPC with a public subnet. The user has terminated all the instances which are part of the subnet. Which of the below mentioned statements is true with respect to this scenario? The user cannot delete the VPC since the subnet is not deleted All network interface attached with the instances will be deleted When the user launches a new instance it cannot use the same subnet The subnet to which the instances were launched with will be deleted.
A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.1.0/24. How can the user create the second subnet? There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet’s CIDR The user can modify the first subnet CIDR from the console It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created The user can modify the first subnet CIDR with AWS CLI.
A user has created a VPC with CIDR 20.0.0.0/24. The user has used all the IPs of the CIDR and wants to increase the size of the VPC. The user has two subnets: public (20.0.0.0/28) and private (20.0.1.0/28). How can the user change the size of the VPC? The user can delete all the instances of the subnet. Change the size of the subnet to 20.0.0.0/32 and 20.0.1.0/32, respectively. Then the user can increase the size of the VPC using CLI. It is not possible to change the size of the VPC once it has been created. The user can add a subnet with a higher range so that it will automatically increase the size of the VPC. You can expand your existing VPC by adding four (4) secondary IPv4 ranges (CIDRs) to your VPC.
A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group? For Inbound allow Source: 20.0.1.0/24 on port 80 For Outbound allow Destination: 0.0.0.0/0 on port 80 For Inbound allow Source: 20.0.0.0/24 on port 80 For Outbound allow Destination: 0.0.0.0/0 on port 443.
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet with port 80 and a Database server in the private subnet with port 3306. The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group DBSecGrp? Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp) Allow Inbound on port 3306 from source 20.0.0.0/16 Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp) Allow Outbound on port 80 for Destination NAT Instance IP.
A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better? SNS will send data every minute after configuration There is no need to enable since SNS provides data every minute AWS CloudWatch does not support monitoring for SNS SNS cannot provide data every minute.
A user has launched an EC2 instance. However, due to some reason the instance was terminated. If the user wants to find out the reason for termination, where can he find the details? It is not possible to find the details after the instance is terminated The user can get information from the AWS console, by checking the Instance description under the State transition reason label The user can get information from the AWS console, by checking the Instance description under the Instance Status Change reason label The user can get information from the AWS console, by checking the Instance description under the Instance Termination reason label.
A user has launched an RDS MySQL DB with the Multi AZ feature. The user has scheduled the scaling of instance storage during maintenance window. What is the correct order of events during maintenance window? 1. Perform maintenance on standby 2.Promote standby to primary 3.Perform maintenance on original primary 4.Promote original master back as primary 1, 2, 3, 4 1, 2, 3 2, 3, 1, 4.
A user has set up a custom application which generates a number in decimals. The user wants to track that number and set up an alarm whenever the number is above a certain limit. The application is sending the data to CloudWatch at regular intervals for this purpose. Which of the below mentioned statements is not true with respect to the above scenario? The user can get the aggregate data of the numbers generated over a minute and send it to CloudWatch The user has to supply the timezone with each data point CloudWatch will not truncate the number until it has an exponent larger than 126 (i.e. 1 x 10^126) The user can create a file in the JSON format with the metric name and value and supply it to CloudWatch.
A user has data generated randomly based on a certain event. The user wants to upload that data to CloudWatch. It may happen that the event does not generate data for some period due to randomness. Which of the below mentioned options is a recommended option for this case? For the period when there is no data, the user should not send the data at all For the period when there is no data the user should send a blank value For the period when there is no data the user should send the value as 0 The user must upload the data to CloudWatch as having no data for some period will cause an error at CloudWatch monitoring.
A user is measuring the CPU utilization of a private data centre machine every minute. The machine provides the aggregate of data every hour, such as "Sum of data", "Min value", "Max value", and "Number of Data points". The user wants to send these values to CloudWatch. How can the user achieve this? Send the data using the put-metric-data command with the aggregate-values parameter Send the data using the put-metric-data command with the average-values parameter Send the data using the put-metric-data command with the statistic-values parameter Send the data using the put-metric-data command with the aggregate-data parameter.
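The three preceding questions (decimal custom metrics, periods with no data, and hourly aggregates) all come down to how a custom metric is shaped before it is published. The following is an added example, not part of the quiz and not AWS code: it buckets per-minute samples into the SampleCount/Sum/Minimum/Maximum set that put-metric-data accepts as StatisticValues, and silently skips hours with no samples instead of publishing 0. The sample data, the host dimension and the Custom/DataCenter namespace are constructed for the example; the boto3 call only runs when the file is executed directly with credentials configured.

```python
"""Aggregate locally sampled values into CloudWatch StatisticSets.

Added example, not from the quiz. Assumes per-minute CPU samples for one
on-premises machine; the boto3 call is shown but only executed if you run
the file directly with credentials configured.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BASE = datetime(2019, 10, 1, 0, 0, tzinfo=timezone.utc)
H = [BASE + timedelta(hours=k) for k in range(4)]  # hour starts 00:00 .. 03:00

# Constructed sample input: (timestamp, cpu_percent). Hour 02:xx has no
# samples at all, which is the "event did not fire" case from the question.
SAMPLES = (
    [(H[0] + timedelta(minutes=i), 20.0 + i) for i in range(60)]            # dense hour
    + [(H[1] + timedelta(minutes=i), 50.0) for i in range(0, 60, 5)]        # sparse hour
    + [(H[3] + timedelta(minutes=i), 80.0 + (i % 3)) for i in range(60)]    # dense hour
)


def hourly_statistic_sets(samples):
    """Return {hour_start: StatisticValues dict} for hours that have data.

    Hours with no samples are simply absent: CloudWatch then reports
    INSUFFICIENT_DATA for that period, whereas publishing 0 would create a
    real (and wrong) data point that alarms would evaluate.
    """
    buckets = defaultdict(list)
    for ts, value in samples:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[hour].append(float(value))
    return {
        hour: {
            "SampleCount": float(len(vals)),
            "Sum": sum(vals),
            "Minimum": min(vals),
            "Maximum": max(vals),
        }
        for hour, vals in sorted(buckets.items())
    }


def build_metric_data(samples, metric_name="CPUUtilization", dimensions=None):
    """Shape the aggregates as the MetricData list put_metric_data expects."""
    # "Host" / "dc1-web-01" is an assumed dimension for the example.
    dims = dimensions or [{"Name": "Host", "Value": "dc1-web-01"}]
    return [
        {
            "MetricName": metric_name,
            "Dimensions": dims,
            "Timestamp": hour,
            "StatisticValues": stats,
            "Unit": "Percent",
        }
        for hour, stats in hourly_statistic_sets(samples).items()
    ]


if __name__ == "__main__":
    import boto3  # only needed when actually publishing

    data = build_metric_data(SAMPLES)
    # "Custom/DataCenter" is an assumed custom namespace; AWS/* names are reserved.
    boto3.client("cloudwatch").put_metric_data(
        Namespace="Custom/DataCenter", MetricData=data
    )
```

Sending one StatisticSet per hour instead of sixty PutMetricData values keeps the API call count down while still letting CloudWatch compute Average (Sum / SampleCount), Minimum and Maximum for the period.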
A user is trying to create a PIOPS EBS volume with 5000 IOPS and 17000 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this? The ratio between IOPS and the EBS volume is higher than 30 The maximum IOPS supported by EBS is 3000 The ratio between IOPS and the EBS volume is lower than 50 PIOPS is supported for EBS higher than 500 GB size.
A user is trying to understand the CloudWatch metrics for the AWS services. It is required that the user should first understand the namespace for the AWS services. Which of the below mentioned is not a valid namespace for the AWS services? AWS/StorageGateway AWS/CloudTrail AWS/ElastiCache AWS/SWF.
A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch? AWS EMR AWS RDS AWS ELB AWS Route53.
A user runs the command "sudo dd if=/dev/xvdf of=/dev/xvdf conv=notrunc bs=1M" on a newly restored EBS volume from a snapshot that is attached to a Linux instance. Which of the below mentioned activities is the user performing with the command given above? Creating a file system on the EBS volume Mounting the device to the instance Initializing the EBS volume Formatting the EBS volume.
A user wants to find the particular error that occurred on a certain date in the AWS MySQL RDS DB. Which of the below mentioned activities may help the user to get the data easily? It is not possible to get the log files for MySQL RDS Find all the transaction logs and query on those records Direct the logs to the DB table and then query that table Download the log file to DynamoDB and search for the record.
In an IAM policy, there are basic elements that make up the policy. Which of the below does not appear in an IAM policy? Permission Actions Resources Effect.
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page? "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing" "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*" "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*" "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*".
In CloudWatch, what are the different alarm states? Choose 3 answers from the options below ALARM INSUFFICIENT OK SUFFICIENT.
In the event of an unplanned outage of your primary DB, AWS RDS automatically switches over to the secondary. In such a case which record in Route 53 is changed? Select one answer from the options given below DNAME CNAME TXT MX.
Is it possible to aggregate data before pushing it to CloudWatch? True False.
Is it possible to disable a CloudWatch alarm at any time? True False.
Your RDS instance is consistently maxed out on its resource utilization. What are multiple ways to solve this issue? Choose three answers from the below options Increase RDS instance size Fire up an ElastiCache cluster in front of your RDS instance Provision more RDS instance IOPS Offload read-only activity to a read replica if the application is read-intensive.
Your supervisor is concerned about losing read access to your RDS database in the unlikely event of an AWS regional failure. You design a plan to create a read replica of the database in another region, but your supervisor sees a problem with this plan. What problem does he see? Choose the correct answer from the options below Your database is using the Oracle database engine and you would need to implement a third party replication solution such as Oracle Golden Gate Replication requires VPC peering between the regions, and you have overlapping CIDR block in the two VPCs AWS does not support RDS read replicas in different regions from the source database Synchronous replication between the two regions will suffer from high latency.
Is it possible to have other attributes attached to users in IAM? True False.
A colleague noticed that CloudWatch was reporting that there had not been any connections to one of your MySQL databases for several months. You decided to terminate the database. Two months after the database was terminated, you get a phone call from a very upset user who needs information from that database to run end-of-year reports. What can you do? Nothing since the 35-day maximum retention period for automated backups has expired. If you took a manual snapshot of the database, you can restore the database from that snapshot You can restore the database from the most recent automated backup of the database Nothing, since the 35-day maximum retention period for snapshots has expired.
A successful systems administrator does not need to create a script for ______. Choose the correct answer from the options below. Automating backups of EBS volumes Automating backups of RDS databases Downloading software and updates from a repository to an EC2 instance Creating OS-level metrics in CloudWatch.
For which of the following reasons would you not contact AWS? Inform them you would like to port scan instances in your VPC Request consolidated billing for multiple AWS accounts owned by your company Ask them to provide compliance documentation for AWS's physical network to a firm conducting a security audit of your environment Ask for an increase to the maximum number of DynamoDB tables for your account.
Given the following IAM policy: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket_new/*" } ] } What does the IAM policy allow? Choose the 2 correct answers: The user is allowed to read objects in the bucket named 'bucket_new' but not allowed to list the objects in the bucket The user is allowed to write objects into the bucket named 'bucket_new' The user is allowed to change access rights for the bucket named 'bucket_new' The user is allowed to read objects from the bucket named 'bucket_new'.
How might you assign permissions to an EC2 instance so that the EC2 custom CloudWatch metric scripts can send the required data to Amazon CloudWatch? Choose the correct answer Assign an IAM role to the EC2 instance at the boot time with permissions to write to CloudWatch Assign an IAM role to the EC2 instance at creation time with permissions to write to CloudWatch Use API access keys to authenticate calls from the EC2 instance to write to CloudWatch You do not need to assign special permissions, just install the scripts.
A user has launched an EC2 instance. The instance got terminated as soon as it was launched. Which of the below mentioned options is not a possible reason for this? The user account has reached the maximum EC2 instance limit The snapshot is corrupt The AMI is missing a required part The user account has reached the maximum volume limit.
A user has launched an EC2 Windows instance from an instance store backed AMI. The user has also set the Instance initiated shutdown behavior to stop. What will happen when the user shuts down the OS? It will not allow the user to shut down the OS when the shutdown behaviour is set to Stop It is not possible to set the termination behavior to Stop for an instance store backed AMI instance The instance will stay running but the OS will be shut down The instance will be terminated.
If Multi-AZ is enabled and automated backups occur on your instance, your application will face downtime caused by the automated backup. True False.
In a Network ACL an explicit Deny always overrides an explicit Allow. True False.
In order for reserved instances to reduce the cost of running instances, those instances must match the exact specifications of the reserved instance including: Region, Availability Zone, and instance type. Choose the correct answer from the options below True False.
In your infrastructure, you are running a corporate application using a T2.Small instance. You are also using a NAT instance so that your private instances can reach out to the internet without being publicly available. What is one thing that we should do to speed up bandwidth and performance? Load balance your instance with an ELB Load balance your NAT instance with dual tunnels Increase your T2.Small instance to M3.Small or M3.Medium Move your infrastructure to a different region closer to the endpoint you are targeting.
In your LAMP application, you have some developers that say they would like access to your logs. However, since you are using an AWS Auto Scaling group, your instances are constantly being re-created. What would you do to make sure that these developers can access these log files? Choose the correct answer from the options below Give only the necessary access to the Apache servers so that the developers can gain access to the log files Give root access to your Apache servers to the developers Give read-only access to your developers to the Apache servers Set up a central logging server that you can use to archive your logs; archive these logs to an S3 bucket for developer access.
Instance A and instance B are running in two different subnets, A and B, of a VPC. Instance A is not able to ping instance B. What are two possible reasons for this? Choose the 2 correct answers from the options below The NACL on the subnet B does not allow outbound ICMP traffic The security group attached to instance B does not allow inbound ICMP traffic The routing table of subnet A has no target route to subnet B The policy linked to the IAM role instance A is not configured correctly.
Rule 100 in a NACL associated with subnets A and B denies HTTP traffic from 0.0.0.0/0. Rule 105 in the same NACL allows HTTP traffic from 0.0.0.0/0. EC2 Instances in subnet A are associated with a security group that allows HTTP traffic from 192.168.0.0/24. EC2 Instances in subnet B are associated with a security group that denies HTTP traffic from 128.168.0.0/24. Which of the following statements are true? Choose the correct answer from the options given below. HTTP traffic from the internet will be denied to EC2 instances in both subnets due to the NACL rules HTTP traffic from 192.168.0.0/24 will be denied to EC2 instances in Subnet A because of the NACL rules HTTP traffic from the internet will be allowed to EC2 instances in Subnet B HTTP traffic from 192.168.0.0/24 will be allowed to EC2 instances in Subnet A.
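The question above turns on two evaluation rules that are easy to get backwards: a network ACL is walked in ascending rule-number order and the first matching rule decides (so rule 100 shadows rule 105 for the traffic it matches), while a security group is a pure allow-list with no deny rules at all. The following is an added example, not part of the quiz and not AWS code, that models exactly that for inbound traffic only (NACLs are stateless, so the outbound ephemeral-port rules needed for the reply are out of scope here). The rule numbers, CIDRs and port are the question's; the source IPs are made up, and subnet B's "deny" security group is represented as a group with no HTTP rule, which is the closest thing a security group can express.

```python
"""Evaluate whether an inbound packet passes a NACL and then a security group.

Added example, not part of the quiz. Models two facts: NACL rules are
evaluated in ascending rule-number order and the first match wins (with an
implicit final deny); security groups are allow-lists with no deny rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int
    port_to: int


def nacl_admits(rules, src_ip, protocol, port):
    """First rule (by ascending number) whose CIDR, protocol and port all
    match decides. The implicit '*' rule at the end denies anything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if ip_address(src_ip) in ip_network(rule.cidr):
            return rule.action == "allow"
    return False


def sg_admits(allowed_sources, src_ip, protocol, port):
    """Security groups only have allow rules; anything not listed is dropped."""
    return any(
        proto == protocol and lo <= port <= hi and ip_address(src_ip) in ip_network(cidr)
        for proto, lo, hi, cidr in allowed_sources
    )


def reaches_instance(rules, sg_allows, src_ip, protocol="tcp", port=80):
    """A packet must pass the subnet's NACL and then the instance's security group."""
    return nacl_admits(rules, src_ip, protocol, port) and sg_admits(
        sg_allows, src_ip, protocol, port
    )


# The NACL from the question: 100 denies HTTP from everywhere, 105 allows it.
# Because 100 matches first, 105 never fires for HTTP.
NACL = [
    NaclRule(100, "deny", "tcp", "0.0.0.0/0", 80, 80),
    NaclRule(105, "allow", "tcp", "0.0.0.0/0", 80, 80),
]
SUBNET_A_SG = [("tcp", 80, 80, "192.168.0.0/24")]
# Subnet B's "deny HTTP from 128.168.0.0/24" cannot be expressed in a
# security group; the closest real configuration has no HTTP rule at all.
SUBNET_B_SG = []


def question_outcomes():
    """Return the outcomes the question asks about, plus the swapped-order case.
    Source IPs 203.0.113.7 (internet) and 192.168.0.10 (LAN) are made up."""
    swapped = [
        NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),
        NaclRule(105, "deny", "tcp", "0.0.0.0/0", 80, 80),
    ]
    return {
        "internet_to_A": reaches_instance(NACL, SUBNET_A_SG, "203.0.113.7"),
        "lan_to_A": reaches_instance(NACL, SUBNET_A_SG, "192.168.0.10"),
        "internet_to_B": reaches_instance(NACL, SUBNET_B_SG, "203.0.113.7"),
        "lan_to_A_if_allow_came_first": reaches_instance(swapped, SUBNET_A_SG, "192.168.0.10"),
    }


if __name__ == "__main__":
    for case, admitted in question_outcomes().items():
        print(f"{case}: {'allowed' if admitted else 'denied'}")
```

Running it shows every HTTP path denied under the question's NACL, and only the 192.168.0.0/24 path to subnet A admitted once the allow rule is given the lower number; the security group's allow-list is what still blocks the internet source in that variant.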
Read replicas can be created from a read replica of another read replica. Choose the correct answer. True False.
We are preparing for our regularly scheduled security assessment. What two configuration management practices should our organization have implemented? Choose the 2 correct answers from the options below Determine that our remote administrative access is performed securely We will make sure that unnecessary users and services have been identified on all published AMIs Make sure that S3 bucket and ACLs correctly implement our security policies Be sure that our AWS Trusted Advisor has identified and disabled unnecessary users and services on our EC2 instances.
We have a customer with a web application that uses cookie-based sessions to see if users are logged in. This uses the Amazon Elastic Load Balancer and Auto Scaling. When the load on the application increases, Auto Scaling launches new instances so that the load on the other instances does not increase too much. However, all of the existing users still experience slow response time. What could be the cause of this? The new instances are not being added to the ELB in the process of the Auto Scale cooldown period. The ELB is continuing to send the request to the web app with previously established connections in the same backend instances rather than spreading them to the new instances The TTL is set too high on our ELB DNS The web app is using dynamic content features in Amazon CloudFront which is keeping our connections alive on the ELB.
We have a two-tiered application with the following components. We have an ELB, three web and application servers on EC2, and one MySQL RDS database. When our load grows, the database queries take longer and slow down the overall response time for the user request. Which three options would we choose to speed up performance? Choose the 3 correct answers from the options below. We can shard the database and distribute the load between shards We can create an RDS read replica and redirect half of the database read requests to it We can cache our database queries with ElastiCache We can use Amazon CloudFront to cache database queries.
We have developed a mobile application that gets downloaded several hundred times a week. What authentication method should we enable for the mobile clients to access images that are stored in an AWS S3 bucket that provides us with the highest flexibility and rotates credentials? Choose the correct answer from the options below Use ACLs to restrict access to the selected AWS accounts An IAM user per registered client with an IAM policy that grants S3 access to the respective bucket Set up S3 bucket policies with a conditional statement restricting IP address Identity federation based on AWS STS using an AWS IAM policy for the respective S3 bucket.
What are some steps you can take to optimize costs on AWS? Choose the 3 correct answers. Detach underutilized EBS volumes and take a snapshot of the EBS volume and then delete the EBS volume AWS is already optimized in cost Purchase reserved instances For RDS DB instances that consistently have 0 connections, take a snapshot of the instance and terminate the instance.
What is the result of the following bucket policy? { "Statement":[ { "Sid":"SID1", "Effect":"Allow", "Principal":{ "AWS":"*" }, "Action":"s3:*", "Resource":"arn:aws:s3:::mybucket/*", "Condition":{ "IpAddress":{ "aws:SourceIp":"50.97.0.0/32" } } } ] } Choose the correct answer: It will allow all access to the bucket mybucket It will allow the user mark from AWS account number 111111111 all access to the bucket but deny everyone else all access to the bucket It will deny all access to the bucket mybucket None of these.
What is the result of the following bucket policy? { "Statement":[ { "Sid":"SID1", "Effect":"Allow", "Principal":{ "AWS":"*" }, "Action":"s3:*", "Resource":"arn:aws:s3:::mybucket/*", "Condition":{ "IpAddress":{ "aws:SourceIp":"50.97.0.0/32" } } } ] } Choose the correct answer from the options below It will deny all incoming S3 action requests It will deny all access to the S3 mybucket bucket except for requests coming from the IP 50.97.0.0 It will deny all access to the S3 mybucket bucket except for requests coming from the IP range 50.97.0.* It will allow access to all requests and actions to the mybucket bucket except for requests coming from the IP 50.97.0.0/32.
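Three questions in this section (the s3:Get*/s3:List*/s3:PutObject identity policy, and the two copies of the aws:SourceIp bucket policy) are all exercises in reading a policy the way the evaluator does: match Action with wildcards, match Resource ARN patterns, check Conditions, then apply "explicit Deny wins, any Allow wins, otherwise denied". The following is an added example, not part of the quiz and not AWS's evaluator; it implements only those pieces (no Principal matching, no other condition operators, and it fails closed on anything it does not understand). The policy documents are the questions' own, with the Version and lowercase "aws" partition corrected; the object keys used in the calls are made up.

```python
"""Minimal evaluator for the IAM/S3 policy fragments quoted in the questions.

Added example, not from the quiz or from AWS. Implements only what those
policies need: Action and Resource wildcards, Effect, and the IpAddress
condition on aws:SourceIp. Requests are evaluated the way IAM does at this
level: an explicit Deny wins, otherwise any Allow wins, otherwise denied.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Identity policy from the "Given the following IAM policy" question.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket_new/*"},
    ],
}

# Bucket policy from the two "What is the result of the following bucket policy" questions.
BUCKET_POLICY = {
    "Statement": [
        {
            "Sid": "SID1",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "50.97.0.0/32"}},
        }
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_hold(cond, ctx):
    """Only the IpAddress operator is modelled; anything else fails closed."""
    for operator, pairs in (cond or {}).items():
        if operator != "IpAddress":
            return False
        for key, cidrs in pairs.items():
            if key != "aws:SourceIp" or "source_ip" not in ctx:
                return False
            if not any(ip_address(ctx["source_ip"]) in ip_network(c) for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policies, action, resource, ctx=None):
    """Return True if the request is allowed across all given policies.

    ctx carries request context keys; only {"source_ip": "..."} is used.
    """
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            # IAM's "*" and "?" wildcards map directly onto fnmatch's.
            if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _conditions_hold(st.get("Condition"), ctx):
                continue
            if st["Effect"] == "Deny":
                return False          # an explicit deny always wins
            allowed = True
    return allowed                    # no matching Allow means implicit deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket_new/report.csv"        # made-up key
    print("GetObject:", evaluate([IDENTITY_POLICY], "s3:GetObject", obj))
    print("PutObjectAcl:", evaluate([IDENTITY_POLICY], "s3:PutObjectAcl", obj))
    for ip in ("50.97.0.0", "50.97.0.1"):
        ok = evaluate([BUCKET_POLICY], "s3:GetObject", "arn:aws:s3:::mybucket/x", {"source_ip": ip})
        print(f"mybucket from {ip}:", ok)
```

Two details the evaluator makes visible that the prose options blur: a /32 matches exactly one address, so 50.97.0.1 is not allowed by the bucket policy (it is implicitly denied, not explicitly denied, which matters once other policies are attached); and a Resource of mybucket/* only covers object ARNs, so a bucket-level call such as s3:ListBucket on arn:aws:s3:::mybucket is not granted by that statement even from the permitted IP.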
What might be the cause of an EC2 instance not launching in an auto-scaling group? Choose the 3 correct answers from the options below Invalid EBS device mapping The Availability zone is no longer supported The key pair associated with EC2 instance does not exist Security group placement.
What sort of host might you set up in your AWS environment that can be used as a way to “hop” into your environment to gain access to secure servers within a private subnet? Choose the correct answer: This is not possible Bastion host VPN Sneaker-net.
When managing our VPC in an AWS region, we want to give other teams access to create their own instances and modify the security groups inside subnets dedicated to their teams. We have to make sure the development team can NOT do anything in their subnets that could allow their instances to impact production instances in the production subnets. What can we do to separate out our VPC so that instances that the dev team can access can never interfere or interact with the ones within our production? Choose the correct answer from the options below We can create two subnets in CIDR blocks that are not close together We can make sure that the subnets are only allowing routing via our IGW and not the local router We can make sure that the dev team's subnets are in one AZ and the production is in another We can create NACLs that control which subnets can talk to each other.
When taking a snapshot of an EBS volume there can be a performance issue: we might see a decrease in performance due to an increase in I/O operations. Choose the correct answer True False.
Which of the following can be overridden at the EC2 instance level? Choose the 2 correct answers from the options given below An IAM policy explicitly denying a user the right to terminate all EC2 instances The choice to not use dedicated tenancy at the VPC level An IAM policy explicitly allowing a user the right to terminate all EC2 instances The choice to use dedicated tenancy at the VPC level.
Which of the following could be a procedure for disaster recovery as it relates to RDS? Create a read replica in a different region. In the event of a failover, promote the read replica as the primary and change the DNS for your application to point to the new primary and then enable Multi-AZ Enable multi regions for Multi Availability Zones Configure the read replica to a different region. In the event of failover, promote the read replica as the primary Configure the read replica to a different region. In the event of a failover, promote the read replica as the primary and change the DNS for your application to point to the new primary.
Which of the following is a security best practice for an AWS environment? Choose the correct answer from the options below Enable MFA for all IAM user accounts that are used to execute automated scheduled tasks from EC2 instances Use the default VPC provided by AWS for deploying your EC2 and RDS instances. Enable MFA on the root user for your AWS account and use an IAM user rather than the root user for administrative tasks Only store IAM user credentials on private AMIs.
Which of the following statements is true? Choose the 2 correct answers: You can customize your AWS deployments using the Ruby programming language with OpsWorks templates You can customize your AWS deployments using JSON templates in OpsWorks You can customize your AWS deployments using JSON templates in CloudFormation You can customize your AWS deployments using the Ruby programming language in CloudFormation.
Which of the following will cause a slight I/O delay to an AWS RDS environment? Choose an answer from the options below Snapshot creation Read Replica Automated Backups All of these.
Which one of the below setups would need a custom CloudWatch metric in order to be able to monitor it? Choose the correct answer from the options below Our CPU utilization of an EC2 instance Network traffic from an EC2 instance Disk usage percentage of an Elastic Block Store volume Disk Reads in the EC2 Instance.
You are managing a large magazine application inside of Amazon Web Services. Your company posts an article that gets picked up internationally, causing millions of visitors to hit your application. Such a large increase in traffic causes strain on your DB server which is dynamically servicing the blog content. How might you quickly resolve this issue and make the blog post infinitely scalable? Enable ElastiCache caching to help serve the dynamic content Enable Auto Scaling on the EC2 instances Increase the RDS instance size and enable Multi-AZ failover Create a static HTML page using S3 and use Route 53 to point DNS to the static S3 bucket.
You are running an EC2 instance serving a website with an SSL certificate. Your CPU utilization is constantly high. How might you resolve this issue? Offload the SSL cert to AWS ElastiCache Switch from the Apache web server to Nginx for better SSL performance Increase the instance size to have more CPU power Offload the SSL cert from the EC2 instance and configure.
You have an Amazon VPC that has a private subnet and a public subnet in which you have a NAT instance server. You have created a group of EC2 instances that configure themselves at startup by downloading a bootstrapping script from S3 that deploys an application via Git. Which one of the following setups would give us the highest level of security? EC2 instances in our public subnet, no EIPs, route outgoing traffic via the IGW EC2 instances in our public subnet, assigned EIPs, and route outgoing traffic via our IGW EC2 instances in our private subnet, assigned EIPs, and route our outgoing traffic via our IGW EC2 instances in our private subnet, no EIPs, route outgoing via NAT.
You have been asked to maintain a small AWS environment consisting of five on-demand EC2 web server instances. Traffic from the Internet is distributed to these servers via an Elastic Load Balancer. Your supervisor is not pleased with a recent AWS bill. Assuming a consistent, moderately high load on the web servers, what option should you recommend to reduce the cost of this environment without negatively affecting availability? Choose the correct answer from the options below. Use reserved EC2 instances rather than on-demand instances Create an Auto Scaling group to ensure that you are not paying for instances that are not needed Use spot instances rather than on-demand instances Remove the Elastic Load Balancer since the instances already have public IP addresses.
You have been tasked by your manager to build a tiered storage setup for database backups and their logs. These backups must be archived to a durable solution. After 10 days, the backups can then be archived to a lower priced storage tier. The data, however, must be retained for compliance policies. Which tiered storage solution would help you save cost, and still meet this compliance policy? Choose the correct answer from the options below. Set up an independent EBS volume where we can store daily backups and then copy these files over to S3, where we configure a bucket with a lifecycle policy to archive files older than 10 days to AWS Glacier Using AWS is already elastic and highly available. Therefore, the need to set up lifecycle policies is already low cost with plenty of room for growth for your organization. Back up your data every day, off-site from AWS, to your on-premise data center's storage solution and manage the data backups with your existing backup solution. Create EC2 instances with attached EBS volumes that replicate files daily to multiple EBS volumes on other instances, then clean up files older than 10 days on the primary EBS volume.
You have been tasked with identifying an appropriate storage solution for a NoSQL database that requires random I/O reads of greater than 10,000 4kB IOPS. Which EC2 option will meet this requirement? Choose the 2 correct answers from the options below EBS optimized instances SSD instance store EBS provisioned IOPS High Storage instance configured in RAID 10.
You have created an application that utilizes Auto Scaling behind an Elastic Load Balancer. You notice that users' sessions are not evenly distributed on the newly spun up instances. What could be a reason that your users' web sessions are stuck on one instance and not using others? Users are using a firewall that is keeping them from initiating connections to the new instances which have different IP addresses; the ELB detects this and falls back to the instance that works You have not enabled the correct routing rules to allow new instances DNS at the ELB level isn't updating to include the new instances Your ELB is sending all the sessions to the old instance rather than the ones spun up during Auto Scaling because of sticky sessions.
You have decided to extend your on-site data center to Amazon Web Services by creating a VPC. You already have multiple DNS servers on-premises. You are using these DNS servers to host DNS records for your internal applications. You have a corporate security network policy that says that a DNS name for an internal application can only be resolved internally and never publicly over the internet. Your existing on-premises data center is already connected to your VPC using an IPSec VPN. You are deploying new applications within AWS that need to resolve these new applications by DNS name. How might you set up a scalable DNS architecture for the existing infrastructure by using the AWS platform? Choose the correct answer from the options below. Create a new Route 53 hosted zone and forward your internal DNS queries out to the internet Create a DHCP options set that includes both domain-name-servers=AmazonProvidedDNS and your internal DNS server Using Route 53 hosted zones, you can use all internal domain names' A record sets Create a secondary DNS server on a Linux server and replicate from the primary DNS servers on your on-premises network.
You have enabled a CloudWatch metric on your Memcached ElastiCache cluster. Your alarm is triggered due to an increased amount of evictions. How might you go about solving the increased eviction errors from the ElastiCache cluster? Choose the 2 correct answers from the options given below Increase the provisioned IOPS on the ElastiCache node Increase the node size Add a node to the cluster Reboot your Memcached cluster.
You have enabled a CloudWatch metric on your Redis ElastiCache cluster. Your alarm is triggered due to an increased amount of evictions. How might you go about solving the increased eviction errors from the ElastiCache cluster? Reboot your node If you exceed your chosen threshold, scale your cache cluster out and add read replicas Add a node to the cluster Increase the size of your node.
You maintain an application on AWS to provide development and test platforms for your developers. Currently both environments consist of a t2.small EC2 instance. Your developers notice performance degradation as they increase network load in the test environment. How would you mitigate these performance issues in the test environment? Choose the answer from the options below Upgrade the t2.small to a larger instance type Add an additional ENI to the test instance Use the EBS optimized option to offload EBS traffic Configure Amazon CloudWatch to provision more network bandwidth when network utilization exceeds 80%.
You manage a social media website on EC2 instances in an Auto Scaling group. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than 90% for 3 consecutive periods of 10 minutes. You notice that between 6:00 pm and 10:00 pm every night, you see a gradual increase in traffic to your website. Although Auto Scaling launches several new instances every night, some users complain they are seeing timeouts when trying to load the index page during those hours. What is the least cost-effective way to resolve this problem? Decrease the threshold CPU utilization percentage at which to deploy a new instance Decrease the collection period to five minutes Decrease the consecutive number of collection periods that must elapse before a new instance is deployed Increase the minimum number of instances in the AutoScaling group.
You manage EC2 instances in two different VPCs and you would like instances in both VPCs to be able to easily communicate with each other. You are considering using VPC peering. Will this work? Choose the 2 correct answers from the options given below Yes, as long as all EC2 instances have public IPs. Yes, as long as the VPCs are in the same region. Yes, as long as the VPCs' CIDR blocks don't overlap Yes, as long as the VPCs are in the same account.
You need to establish a secure backup and archiving solution for your company, using AWS. Documents should be immediately accessible for three months and available for five years for compliance reasons. Which AWS service fulfills these requirements in the most cost-effective way? Choose the correct answer: Use Storage Gateway to store data to S3 and use life-cycle policies to move the data into Redshift for long-time archiving Use Direct Connect to upload data to S3 and use IAM policies to move the data into Glacier for long-time archiving Upload the data on EBS, use life-cycle policies to move EBS snapshots into S3 and later into Glacier for long-time archiving Upload data to S3 and use life-cycle policies to move the data into Glacier for long-time archiving.
You notice that several of your AWS environment's CloudWatch metrics are hovering near a value of 100. Which of these are you least concerned about? Choose the correct answer from the options below Elastic Load Balancer SpilloverCount EBS VolumeThroughputPercentage ElastiCache CurrConnections RDS CPU Utilization.
You notice that several of your AWS environment’s CloudWatch metrics consistently have a value of zero. Which of these are you most likely to be concerned about and take action on? RDS DatabaseConnections ElastiCacheSwapUsage ElastiCache Evictions Elasti Load Balancer SpiloverCount.
You patch the operating system on an EC2 instance and issue a reboot command from inside the instance’s OS. After disconnecting from the instance and waiting several minutes, you notice that you still cannot successfully ping the instance’s public IP address. What is the most likely reason for this? Choose the correct answer from the options below You were using EC2 Classic. The Instance’s EIP address was released at reboot There were peding security group rule changes that deny ICMP that could only take effect after the instance was rebooted You were using an EC2 instance with an instance store root volume so the instance terminated upon reboot Changes made during OS patching caused a problem with the instance’s NIC driver.
You see an increased load on an EC2 instance that is used as a web server. You decide to place the server behind an Elastic Load Balancer and deploying an additional instance to help meet this increased demand. You deploy the ELB, configure it to listen for traffic on port 80, bring up a second EC2 instance, move both instances behind the load balancer, and provide customers with the ELB’s URL - https://mywebapp-1234567890.us-west-2.elb.amazonaws.com. You immediately begin receiving complaints that customers cannot connect to the web application via the ELB’s URL. Why? You specified Https:// in the ELB’s URL, but the ELB is not configured to listen on port 443 The ELB’s URL is not publicly accessible. You need to create an Alias record in Route 53 for the ELb You specified https:// in the ELB’s URL, but the EC2 instances are not configured to listen on port 443 You specified https:// in the ELB’s URL, but the EC2 instance are not configured to listen on port 80.
You support a website that has a number of EC2 instances managed by ELB and Auto Scaling. Currently the application has no way of managing sessions and needs the ELB to manage them. Which of the below options can assist with this configuration?
  a) Ensure that the Elastic Load Balancer is configured with cookie stickiness
  b) Set up Route 53 with weighted routing policies
  c) Set up Route 53 with geolocation routing policies
  d) Change the application code to manage sessions

Your applications in AWS need to authenticate against LDAP credentials that are in your on-premises data center. You need low latency between the AWS app authenticating and your credentials. How can you achieve this?
  a) If you don't already have a secure tunnel, create a VPN between your on-premises data center and AWS. You can then spin up a secondary LDAP server that replicates from the on-premises LDAP server.
  b) You don't need LDAP to authenticate to your apps
  c) Create a Direct Connect tunnel, which will decrease latency, increase bandwidth, and authenticate faster
  d) Create a new LDAP server and authenticate to it

Your AWS application is set up to use Auto Scaling with an ELB. To be sure that your application is performing its best and the page loads quickly, what, precisely, could you monitor in CloudWatch?
  a) Set up a third-party monitoring solution
  b) Monitor the CPU utilization
  c) Monitor your ELB latency using CloudWatch metrics
  d) Monitor the hard drive IOPS

Your company is being audited by a third-party IT auditing service; they have asked you for details about the physical network and virtualization infrastructure. What do you tell them?
  a) You direct the auditing service to an AWS representative
  b) The audit does not apply to us since we do not have control over AWS
  c) You print off details about the AWS infrastructure provided by the AWS infrastructure website
  d) You go to your AWS representative and AWS will give that information to the third party in charge of doing your audit

Your company is ready to start migrating its application over to the cloud, but you cannot afford any downtime. Your manager asks you to come up with a plan of action. She also wants a solution that offers the flexibility to test the application on AWS with only a subset of users, but with the ability to increase the number of users over time. Which of these options are you most likely to recommend?
  a) Implement a Route 53 weighted routing policy that distributes the traffic between your on-premises application and the AWS application depending on weight
  b) Implement a Route 53 failover routing policy that sends traffic back to the on-premises application if the AWS app doesn't work
  c) Configure an Elastic Load Balancer to distribute the traffic between the on-premises application and the AWS application
  d) Create a VPN tunnel from your on-premises network to the VPC on AWS that hosts your application's resources and configure that at the VPC level

Your company's website is hosted on several EC2 instances behind an Elastic Load Balancer. Every time the development team deploys a new upgrade to the web application, the support desk begins receiving calls from customers being disconnected from their sessions. Customers' session data is very important, as it contains their shopping cart information, and this information is lost when the customers' sessions are disconnected. Which of the following steps can be taken to prevent customers' shopping cart data from being lost without affecting website availability? (Choose two.)
  a) Enable connection draining and remove instances from the Elastic Load Balancer prior to upgrading the application on those instances
  b) Increase the amount of time required for the Elastic Load Balancer to recognize an EC2 instance as unhealthy
  c) Post a notification on your site's homepage that some features will be unavailable during the upgrade
  d) Use ElastiCache to store session state

Your EC2 instance has a system status check error with an error message of "loss of network connectivity". What is the best way to attempt to resolve the EC2 instance status check error? Choose two answers from the options given below.
  a) Restart the instance
  b) Increase the size of your instance
  c) Attempt to change the physical host that the instance is on by stopping and starting the instance
  d) Terminate the instance and build a new one

Your infrastructure does not have an Internet Gateway attached to any of the subnets. What might you do in order to SSH into your EC2 instances? All other configurations are correct.
  a) Create a VPN connection
  b) Open up port 22 on your security groups
  c) Open up port 22 on your NACL
  d) Open up port 22 on your subnets
Your RDS database is experiencing high levels of read requests during the business day and performance is slowing down. You have already verified that the source of the congestion is not from backups taking place during the business day, as automatic backups are not enabled. Which of the following is the first step you can take toward resolving the issue?
  a) Enable automated backups of the database
  b) Pre-warm the database before gradual increases in read requests occur
  c) Create a snapshot of the database and offload some of the read requests to the snapshot
  d) Create a read replica of the database and offload some of the read requests to the read replica

A .NET application that you manage is running in Elastic Beanstalk. Your developers tell you they will need access to application log files to debug issues that arise. The infrastructure will scale up and down. How can you ensure the developers will be able to access only the log files?
  a) Access the log files directly from Elastic Beanstalk
  b) Enable log file rotation to S3 within the Elastic Beanstalk configuration
  c) Ask your developers to enable log file rotation in the application's web.config file
  d) Connect to each instance launched by Elastic Beanstalk and create a Windows Scheduled Task to rotate the log files to S3

A company has decided to deploy a "Pilot Light" AWS environment to keep minimal resources in AWS with the intention of rapidly expanding the environment in the event of a disaster in your on-premises data center. Which of the following services will you likely not make use of?
  a) A gateway-cached implementation of Storage Gateway for storing snapshot copies of on-premises data
  b) EC2 for storing updated AMI copies of on-premises VMs
  c) A gateway-stored implementation of Storage Gateway for storing snapshot copies of on-premises data
  d) RDS for replicating mission-critical databases to AWS

A company is very insistent on the fact that they want to retain administrative privileges on the underlying EC2 instances. Choose 2 answers from the below options which allow this.
  a) Amazon Elastic MapReduce
  b) AWS Elastic Beanstalk
  c) Amazon ElastiCache
  d) Amazon Relational Database Service

A deny overrides an allow in which circumstances? Select 2 options.
  a) S3 bucket access is implicitly denied for all users and an explicit allow is set on an S3 bucket via an S3 bucket policy
  b) A NACL associated with subnet A defines two rules. Rule #100 explicitly denies TCP traffic on port 21 from 0.0.0.0/0 and rule #105 explicitly allows TCP traffic on port 21 from 0.0.0.0/0
  c) An explicit allow is set in an IAM policy governing S3 access and an explicit deny is set on an S3 bucket via an S3 bucket policy
  d) A NACL associated with subnet B defines two rules. Rule #105 explicitly denies TCP traffic on port 21 from 0.0.0.0/0 and rule #100 explicitly allows TCP traffic on port 21 from 0.0.0.0/0

A system admin wants to add more Availability Zones to an existing ELB. The system admin wants to perform this activity from the CLI. Which of the below mentioned commands helps the system admin add new zones to the existing ELB?
  a) elb-enable-zones-for-load-balancer
  b) elb-add-zones-for-load-balancer
  c) It is not possible to add more zones to the existing ELB
  d) elb-configure-zones-for-load-balancer

A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AddToLoadBalancer process (which adds instances to the load balancer) for a while. What will happen to the instances launched during the suspension period?
  a) The instances will not be registered with ELB and the user has to manually register them when the process is resumed
  b) The instances will be registered with ELB only once the process has resumed
  c) Auto Scaling will not launch instances during this period due to the process suspension
  d) It is not possible to suspend only the AddToLoadBalancer process

A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?
  a) Use the internet gateway with a private IP
  b) Allow outbound traffic in the security group for port 80 to allow internet updates
  c) The private subnet can never connect to the internet
  d) Use NAT with an Elastic IP
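The two halves of the deny-versus-allow question above follow different evaluation models: a network ACL is an ordered list where the lowest-numbered matching rule decides and nothing after it is consulted, while IAM and S3 bucket policies are evaluated as a set in which any explicit Deny wins over any Allow regardless of where it appears. The following is an added example illustrating both, not part of the quiz or of any AWS SDK; the rule tables and policy statements are constructed, and the IAM evaluator is a deliberate simplification (Action matching only, no Resource, Condition or wildcard handling).

```python
"""Order-of-evaluation for VPC network ACLs versus IAM/S3 policies.

Added example, not part of the quiz. Rule tables and statements are
constructed; the IAM evaluator is simplified (Action only).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # AWS evaluates rules in ascending number order
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str


def evaluate_nacl(rules, protocol, port, src_ip):
    """Return (action, rule_number) for a packet.

    The first matching rule wins; later rules are never consulted. If no
    numbered rule matches, the implicit '*' rule denies the packet.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"


def evaluate_iam(statements, action):
    """Simplified IAM decision: an explicit Deny anywhere wins over any
    Allow, regardless of order or of which policy (identity policy or
    bucket policy) holds the statement; with no matching Allow the
    request is implicitly denied."""
    decision = "implicit deny"
    for stmt in statements:
        if stmt["Action"] not in (action, "*"):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


# Subnet A from the question: deny is rule 100, allow is rule 105.
SUBNET_A = [
    NaclRule(100, "deny", "tcp", 21, 21, "0.0.0.0/0"),
    NaclRule(105, "allow", "tcp", 21, 21, "0.0.0.0/0"),
]
# Subnet B from the question: allow is rule 100, deny is rule 105.
SUBNET_B = [
    NaclRule(105, "deny", "tcp", 21, 21, "0.0.0.0/0"),
    NaclRule(100, "allow", "tcp", 21, 21, "0.0.0.0/0"),
]

# Identity policy allows s3:GetObject, bucket policy denies it.
IAM_ALLOW_BUCKET_DENY = [
    {"Effect": "Allow", "Action": "s3:GetObject"},   # IAM identity policy
    {"Effect": "Deny", "Action": "s3:GetObject"},    # S3 bucket policy
]

if __name__ == "__main__":
    print(evaluate_nacl(SUBNET_A, "tcp", 21, "203.0.113.5"))   # ('deny', 100)
    print(evaluate_nacl(SUBNET_B, "tcp", 21, "203.0.113.5"))   # ('allow', 100)
    print(evaluate_iam(IAM_ALLOW_BUCKET_DENY, "s3:GetObject"))  # deny
```

The practical consequence: a NACL deny only "overrides" an allow when its rule number is lower, whereas an S3 bucket policy Deny overrides an IAM Allow no matter how the statements are ordered.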
A user has deployed an application on his private cloud. The user is using his own monitoring tool. He wants to configure it so that whenever there is an error, the monitoring tool notifies him via SMS. Which of the below mentioned AWS services will help in this scenario?
  a) None, because the user's infrastructure is in the private cloud
  b) AWS SNS
  c) AWS SES
  d) AWS SMS

A user has enabled termination protection on an EC2 instance. The user has also set the instance-initiated shutdown behaviour to terminate. When the user shuts down the instance from the OS, what will happen?
  a) The OS will shut down but the instance will not be terminated due to protection
  b) It will terminate the instance
  c) It will not allow the user to shut down the instance from the OS
  d) It is not possible to set termination protection when instance-initiated shutdown is set to terminate

A user has launched 10 instances from the same AMI ID using Auto Scaling. The user is trying to see the average CPU utilization across all instances for the last 2 weeks in the CloudWatch console. How can the user achieve this?
  a) View the Auto Scaling CPU metrics
  b) Aggregate the data over the instance AMI ID
  c) The user has to use the CloudWatch analyser to find the average data across instances
  d) It is not possible to see the average CPU utilization of the same AMI ID since the instance IDs are different

A user has launched a Windows-based EC2 instance. However, the instance has some issues and the user wants to check the log. When the user checks the instance console output from the AWS console, what will it display?
  a) All the event logs since instance boot
  b) The last 10 system event log errors
  c) The Windows instance does not support the console output
  d) The last three system event log errors

A user has launched an EC2 instance and deployed a production application on it. The user wants to prevent mistakes by the production team from causing accidental termination. How can the user achieve this?
  a) The user can set the DisableApiTermination attribute to avoid accidental termination
  b) It is not possible to avoid accidental termination
  c) The user can set the Deletion termination flag to avoid accidental termination
  d) The user can set the InstanceInitiatedShutdownBehavior flag to avoid accidental termination

A user has launched an EC2 instance from an instance store-backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?
  a) Yes, the block device mapping will have information about the additional instance store volume
  b) No, since the instance store-backed AMI can have only the root volume bundled
  c) It is not possible to attach an additional instance store volume to an existing instance store-backed AMI instance
  d) No, since this is ephemeral storage it will not be a part of the AMI

A user has moved an object to Glacier using the life cycle rules. The user requests to restore the archive after 6 months. When the restore request is completed the user accesses that archive. Which of the below mentioned statements is not true in this condition?
  a) The archive will be available as an object for the duration specified by the user during the restoration request
  b) The restored object's storage class will be RRS
  c) The user can modify the restoration period only by issuing a new restore request with the updated period
  d) The user needs to pay storage for both RRS (restored) and Glacier (archive) rates

A user has received a message from the support team that an issue occurred 1 week back between 3 AM and 4 AM and the EC2 server was not reachable. The user is checking the CloudWatch metrics of that instance. How can the user find the data easily using the CloudWatch console?
  a) The user can find the data by giving the exact values in the Time tab under CloudWatch metrics
  b) The user can find the data by filtering values of the last 1 week for a 1 hour period in the Relative tab under CloudWatch metrics
  c) It is not possible to find the exact time from the console; the user has to use the CLI to provide the specific time
  d) The user can find the data by giving the exact values in the Absolute tab under CloudWatch metrics
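Both the backup/archive question earlier (immediately accessible for three months, retained for five years) and the Glacier restore question above come down to an S3 lifecycle rule plus the semantics of a restore request. The following is an added example, not part of the quiz or of any AWS SDK, that models both: the lifecycle configuration has the shape that S3's PutBucketLifecycleConfiguration API accepts, and the dates, keys and day counts are constructed. It is a whole-day model; real S3 runs transitions and expirations asynchronously around midnight UTC after the day count is reached, applies all matching rules with its own precedence, and removes the temporary restored copy after the requested number of days.

```python
"""Simulate an S3 lifecycle rule and a Glacier restore window.

Added example, not part of the quiz. Dates and keys are constructed;
the model is whole-day and applies only the first matching rule.
"""
from datetime import date, timedelta

# 'documents/' objects stay in STANDARD for 90 days (immediately
# accessible), then move to GLACIER, and are expired after 5 years
# (1825 days) once the retention requirement has passed.
LIFECYCLE = {
    "Rules": [
        {
            "ID": "archive-documents",
            "Status": "Enabled",
            "Filter": {"Prefix": "documents/"},
            "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 1825},
        }
    ]
}


def storage_state(key, uploaded, on_day, config=LIFECYCLE):
    """Storage class of `key` on `on_day`, or 'EXPIRED' once the
    expiration action has removed it. Applies the first enabled rule
    whose prefix matches the key (a simplification of S3's precedence)."""
    age = (on_day - uploaded).days
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled":
            continue
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue
        expire_after = rule.get("Expiration", {}).get("Days")
        if expire_after is not None and age >= expire_after:
            return "EXPIRED"
        state = "STANDARD"
        for transition in sorted(rule.get("Transitions", []), key=lambda t: t["Days"]):
            if age >= transition["Days"]:
                state = transition["StorageClass"]
        return state
    return "STANDARD"


def restored_copy_available(requested_on, days, on_day):
    """A restore request makes a temporary copy readable for `days` days
    while the archive itself stays in Glacier (both are billed). The
    window is changed by issuing another restore request with a new
    `days` value; there is no separate 'modify' operation."""
    return requested_on <= on_day < requested_on + timedelta(days=days)


if __name__ == "__main__":
    uploaded = date(2019, 1, 1)
    for day in (10, 90, 1825):
        on_day = uploaded + timedelta(days=day)
        print(day, storage_state("documents/q1.pdf", uploaded, on_day))
    print(restored_copy_available(date(2019, 7, 1), 7, date(2019, 7, 5)))
```

The prefix filter matters for cost and for compliance: objects outside `documents/` are untouched by this rule, so a misplaced key would never be archived or expired.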
Amazon EBS snapshots have which of the following two characteristics? Choose 2 answers.
  a) EBS snapshots only save incremental changes from snapshot to snapshot
  b) EBS snapshots can be created in real time without stopping an EC2 instance
  c) EBS snapshots can only be restored to an EBS volume of the same size or smaller
  d) EBS snapshots can only be restored and mounted to an instance in the same Availability Zone as the original EBS volume

An application is generating a log file every 5 minutes. The log file is not critical but may be required only for verification in case of some major issue. The file should be accessible over the internet whenever required. Which of the below mentioned options is the best possible storage solution for it?
  a) AWS S3
  b) AWS Glacier
  c) AWS RDS
  d) AWS RRS

An organization has created a queue named "modularqueue" with SQS. The organization is not performing any operations such as SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, SetQueueAttributes, AddPermission, and RemovePermission on the queue. What can happen in this scenario?
  a) AWS SQS sends a notification after 15 days of inactivity on the queue
  b) AWS SQS can delete the queue after 30 days without notification
  c) AWS SQS marks the queue inactive after 30 days
  d) AWS SQS notifies the user after 2 weeks and deletes the queue after 3 weeks

An organization has set up Auto Scaling with ELB. Due to a manual error, one of the instances got rebooted. Thus, it failed the Auto Scaling health check. Auto Scaling has marked it for replacement. How can the system admin ensure that the instance does not get terminated?
  a) Update the Auto Scaling group to ignore the instance reboot event
  b) It is not possible to change the status once it is marked for replacement
  c) Manually add that instance to the Auto Scaling group after reboot to avoid replacement
  d) Change the health of the instance to healthy using the Auto Scaling commands

An organization is planning to create a user with IAM. They are trying to understand the limitations of IAM so that they can plan accordingly. Which of the below mentioned statements is not true with respect to the limitations of IAM?
  a) One IAM user can be a part of a maximum of 5 groups
  b) The organization can create 100 groups per AWS account
  c) One AWS account can have a maximum of 5000 IAM users
  d) One AWS account can have 250 roles

Assuming you have kept the default settings and have taken manual snapshots, which of the following manual snapshots will be retained? Choose the 2 correct answers from the options given below.
  a) A snapshot of an instance store root volume when the EC2 instance is terminated
  b) A snapshot of an instance store root volume when the EC2 instance is stopped
  c) A snapshot of an EBS root volume when the EC2 instance is terminated
  d) A snapshot of an RDS database when the RDS instance is terminated

AWS is solely responsible for the security of the guest operating system. Choose the correct answer from the options below.
  a) True
  b) False

In order to optimize performance for a compute cluster that requires low inter-node latency, which feature in the following list should you use?
  a) Multiple Availability Zones
  b) AWS Direct Connect
  c) EC2 Dedicated Instances
  d) Placement Groups
  e) VPC private subnets

In the shared responsibility model at AWS, what two options are you responsible for in the case of an audit? Choose the 2 correct answers from the options below.
  a) The global infrastructure that hosts the virtualization hypervisor
  b) Physical security of AWS data centers
  c) The operating systems' administrators group
  d) An application that you have running within AWS EC2
The compliance department within your multinational organization requires that all data for your customers that reside in the European Union (EU) must not leave the EU, and also that data for customers that reside in the US must not leave the US without explicit authorization. What must you do to comply with this requirement for a web-based profile management application running on EC2?
  a) Run EC2 instances in multiple AWS Availability Zones in a single Region and leverage an Elastic Load Balancer with session stickiness to route traffic to the appropriate zone to create their profile
  b) Run EC2 instances in multiple Regions and leverage Route 53's latency-based routing capabilities to route traffic to the appropriate region to create their profile
  c) Run EC2 instances in multiple Regions and leverage a third-party data provider to determine if a user needs to be redirected to the appropriate region to create their profile
  d) Run EC2 instances in multiple AWS Availability Zones in a single Region and leverage a third-party data provider to determine if a user needs to be redirected to the appropriate zone to create their profile

We have terminated an instance which had a root EBS volume attached to it. What do we do now if we need to access the important data that was on this volume, if we created this instance with the default storage options?
  a) We can restore the data from a snapshot which is automatically created on instance termination by default
  b) We would not be able to access the data after an instance termination because the volume was deleted
  c) AWS has high availability so our data is still available
  d) Create multiple EBS volumes and replicate the data between them

We need to run a business intelligence application against our production database. This application requires near real-time data from the database. How might we configure our RDS setup so that our application does not increase I/O load against our production database?
  a) Copy the production instance and create a cron job that dumps the RDS data into the secondary instance
  b) Point the application to the Multi-AZ failover instance
  c) Create a read replica from the production instance and point the application to the read replica
  d) In order to receive real-time information the application must query the primary database

What is the best practice when it comes to pre-warming (also called initialization for EC2)?
  a) Elastic load balancer that recently experienced a large increase in traffic
  b) EBS volumes that were created from scratch: pre-warm using the read and then write back method
  c) EBS volumes newly created from a snapshot: pre-warm by accessing each block once
  d) Elastic load balancers that you are expecting to experience a large increase in traffic: pre-warm using the read and write back method

What is the result of the following bucket policy?
  a) It allows all access to objects in the accounts_bucket namespace
  b) It will allow all actions only against objects with the prefix accounts_
  c) It will deny all actions if the object prefix is accounts_
  d) It will allow all actions if the object is in the accounts subdirectory of mubucket

What would we need to attach to a bastion host or NAT host for high availability in the event that the primary host went down and we needed to send traffic to a secondary host?
  a) Elastic IP address
  b) Secondary route table
  c) Direct Connect connection
  d) Secondary network interface

When an EC2 instance backed by an S3-based AMI is terminated, what happens to the data on the root volume?
  a) Data is automatically saved as an EBS snapshot
  b) Data is automatically saved as an EBS volume
  c) Data is unavailable until the instance is restarted
  d) Data is automatically deleted

Which features can be used to restrict access to data in S3? Choose the 3 correct answers from the options below.
  a) Set an S3 bucket policy
  b) Create a CloudFront distribution for the bucket
  c) Set an S3 ACL on the bucket or the object
  d) Enable IAM identity federation

You are uploading 3 gigabytes of data every night to S3 from your on-premises data center. It takes 3 hours to upload and you are uploading it to Amazon S3. You are only using half of your available bandwidth through your internet provider. How might you decrease the amount of time to back up that 3 GB of data from your on-premises data center to S3? Choose the 2 correct answers from the options below.
  a) You could establish a Direct Connect connection between your on-premises data center and AWS VPC
  b) Increase your provisioned IOPS
  c) Increase your instance size
  d) You can use multipart upload to speed up the upload process
You can configure an internal Elastic Load Balancer to load balance internal traffic.
  a) True
  b) False

You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers.
  a) Configure web server VPC security groups to allow traffic from your customers' IPs
  b) Configure your web servers to filter traffic based on the ELB's "X-Forwarded-For" header
  c) Configure ELB security groups to allow traffic from your customers' IPs and deny all outbound traffic
  d) Configure a VPC NACL to allow web traffic from your customers' IPs and deny all outbound traffic

You have set up individual AWS accounts for each project. You have been asked to make sure your AWS infrastructure costs do not exceed the budget set per project for each month. Which of the following approaches can help ensure that you do not exceed the budget each month?
  a) Consolidate your accounts so you have a single bill for all accounts and projects
  b) Set up Auto Scaling with CloudWatch alarms using SNS to notify you when you are running too many instances in a given account
  c) Set up CloudWatch billing alerts for all AWS resources used by each project, with a notification occurring when the amount for each resource tagged to a particular project matches the budget allocated to the project
  d) Set up CloudWatch billing alerts for all AWS resources used by each account, with email notifications when it hits 50%, 80% and 90% of its budgeted monthly spend

Balancer, three Web/Application servers on EC2, and a MySQL RDS database with 5000 Provisioned IOPS. Average response time for users is increasing. Looking at CloudWatch, you observe 95% CPU usage on the Web/Application servers and 20% CPU usage on the database. The average number of database disk operations varies between 2000 and 2500. How would you improve performance? Choose the 2 correct answers from the options given below.
  a) Use Auto Scaling to add additional Web/Application servers based on a memory usage threshold
  b) Use Auto Scaling to add additional Web/Application servers based on a CPU load threshold
  c) Choose a different EC2 instance type for the Web/Application servers with a more appropriate CPU/memory ratio
  d) Increase the number of open TCP connections allowed per Web/Application EC2 instance

You run a web application where web servers on EC2 instances are in an Auto Scaling group. After monitoring the system for the last 6 months, it is noticed that 6 web servers are necessary to handle the minimum load. During the day, it seems that 12 servers are needed. During 5 to 6 days in the year, the number of web servers needed might go to 15. What would you recommend to minimize costs while being able to provide high availability?
  a) 6 Reserved Instances, rest covered by On-Demand Instances
  b) 6 Reserved Instances, 6 On-Demand Instances, rest covered by Spot Instances
  c) 6 Reserved Instances, 6 Spot Instances, rest covered by On-Demand Instances
  d) 6 Reserved Instances, rest covered by Spot Instances

You run a web application with the following components: Elastic Load Balancer (ELB), 3 Web/Application servers, 1 MySQL RDS database with read replicas, and Amazon Simple Storage Service (Amazon S3) for static content. Average response time for users is increasing slowly. Which CloudWatch RDS metric will not allow you to identify if the database is the bottleneck?
  a) The number of outstanding I/Os waiting to access the disk
  b) The amount of write latency
  c) The amount of disk space occupied by binary logs on the master
  d) The amount of time a Read Replica DB instance lags behind the source DB instance
  e) The average number of disk I/O operations per second

Your application currently leverages AWS Auto Scaling to grow and shrink as load increases/decreases and has been performing well. Your marketing team expects a steady ramp-up in traffic to follow an upcoming campaign that will result in a 20x growth in traffic over 4 weeks. Your forecast for the approximate number of Amazon EC2 instances necessary to meet the peak demand is 175. What should you do to avoid potential service disruptions during the ramp-up in traffic?
  a) Ensure that you have pre-allocated 175 Elastic IP addresses so that each server will be able to obtain one as it launches
  b) Check the service limits in Trusted Advisor and adjust as necessary so the forecasted count remains within limits
  c) Change your Auto Scaling configuration to set a desired capacity of 175 prior to the launch of the marketing campaign
  d) Pre-warm your Elastic Load Balancer to match the requests per second anticipated during peak demand prior to the marketing campaign

Your business is building a new application that will store its entire customer database on an RDS MySQL database, and will have various applications and users that will query that data for different purposes. Large analytics jobs on the database are likely to cause other applications to not be able to get the query results they need before timing out. Also, as your data grows, these analytics jobs will start to take more time, increasing the negative effect on the other applications. How do you solve the contention issues between these different workloads on the same data?
  a) Enable Multi-AZ mode on the RDS instance
  b) Use ElastiCache to offload the analytics job data
  c) Create RDS Read Replicas for the analytics work
  d) Run the RDS instance on the largest size possible

Your company is setting up an application that is used to share files. Because these files are important to the sales team, the application must be highly available. Which AWS-specific storage option would you set up for low cost, reliability, and security?
  a) Use Amazon S3, which can be accessed by end users with signed URLs
  b) Spin up EC2 with ephemeral storage to keep the cost down
  c) Create a Dropbox account to share your files
  d) Attach an EBS volume to each of the EC2 servers where the files could be uploaded

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application. Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?
  a) No, two instances in two different AZs can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e. broadcast) boundaries
  b) Yes, both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
  c) Yes, the security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow inbound ICMP
  d) Yes, both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol

Your website is hosted on 10 EC2 instances in five regions around the globe, with two instances per region. How could you configure your site to maintain availability with minimum downtime if one of the five regions was to lose network connectivity for an extended period?
  a) Establish VPN connections between the instances in each region; rely on BGP to fail over in the case of region-wide connectivity failure for an extended period
  b) Create a Route 53 latency-based routing record set that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to true
  c) Create a Route 53 latency-based routing record set that resolves to an Elastic Load Balancer in each region; set an appropriate health check on each ELB
  d) Create an Elastic Load Balancer to place in front of the EC2 instances; set an appropriate health check on each ELB
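The "X-Forwarded-For" option in the question above only works if the web server reads the header correctly: a Classic ELB appends the address it saw on the TCP connection to whatever X-Forwarded-For the client already sent, so a client can put any address it likes at the front of the list. The server therefore has to trust the rightmost entry (counting back by the number of trusted proxies), and the instances' security group must admit traffic only from the ELB so that no request can bypass the proxy and supply the whole header itself. The following is an added example demonstrating that parsing, not part of the quiz or of any AWS library; the customer ranges and request headers are constructed.

```python
"""Filtering by client IP behind an ELB using X-Forwarded-For.

Added example, not part of the quiz. Allowed ranges and request
headers are constructed. Assumes the web servers' security group only
admits the ELB and that the ELB is the single trusted proxy hop.
"""
import ipaddress

# Constructed "predefined customer IP addresses" for this example.
ALLOWED_CUSTOMERS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def client_ip(headers, trusted_hops=1):
    """Return the client address the trusted proxy chain vouches for.

    Each proxy appends the peer address it saw, so anything the client
    forged sits to the left of the last `trusted_hops` entries. Taking
    the entry `trusted_hops` from the right ignores the forged part.
    """
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        return None                      # header missing or too short
    try:
        return ipaddress.ip_address(hops[-trusted_hops])
    except ValueError:
        return None                      # garbage in the header


def is_allowed(headers):
    """Allow the request only if the vouched-for client IP is a customer."""
    ip = client_ip(headers)
    return ip is not None and any(ip in net for net in ALLOWED_CUSTOMERS)


def naive_is_allowed(headers):
    """The mistake to avoid: trusting the leftmost (client-controlled) entry."""
    raw = headers.get("X-Forwarded-For", "")
    first = raw.split(",")[0].strip()
    try:
        return any(ipaddress.ip_address(first) in net for net in ALLOWED_CUSTOMERS)
    except ValueError:
        return False


# Constructed requests as they arrive from the ELB at a web server.
GENUINE = {"X-Forwarded-For": "203.0.113.5"}
# The attacker at 192.0.2.9 sent "X-Forwarded-For: 203.0.113.5";
# the ELB appended the real source address.
SPOOFED = {"X-Forwarded-For": "203.0.113.5, 192.0.2.9"}
MISSING = {}

if __name__ == "__main__":
    for name, req in (("genuine", GENUINE), ("spoofed", SPOOFED), ("missing", MISSING)):
        print(name, client_ip(req), is_allowed(req), naive_is_allowed(req))
```

With two trusted proxies in front of the instances (for example CloudFront in front of the ELB) `trusted_hops` becomes 2; the rule is always "count from the right by the number of proxies you control", never "take the first address".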
Is it possible to share a graph in Cloudwatch? True False.
An SQS queue has been created with the default settings. There are 3 messages published and not been consumed since 3 days. Will the messages still be available for consumption? False True.
Which of the following functions are condition Intrinsic functions in Cloudformation? Choose 3 answers from the options below Fn::If FN::And Fn::Equals Fn::Xor.
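The condition functions named in the question above are used together: Fn::Equals (or Fn::And, Fn::Or, Fn::Not) defines a condition from parameter values, and Fn::If selects a property value based on it. The template below is an added example, not part of the quiz or of any AWS-published template; the parameter names, condition names and instance classes are chosen for illustration, and it uses the YAML short forms (!Equals, !And, !If), which are the same intrinsic functions. There is no Fn::Xor in CloudFormation.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example of CloudFormation condition functions (not from the quiz)

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, prod]
    Default: dev
  EnableBackups:
    Type: String
    AllowedValues: ["true", "false"]
    Default: "false"
  DBPassword:
    Type: String
    NoEcho: true            # never echoed in the console or describe-stacks output

Conditions:
  # Fn::Equals: compare a parameter value to a literal
  IsProd: !Equals [!Ref Environment, prod]
  BackupsRequested: !Equals [!Ref EnableBackups, "true"]
  # Fn::And: true only when every listed condition is true (2 to 10 conditions)
  ProdWithBackups: !And [!Condition IsProd, !Condition BackupsRequested]

Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      AllocatedStorage: "20"
      MasterUsername: admin
      MasterUserPassword: !Ref DBPassword
      # Fn::If: [condition, value-if-true, value-if-false]
      DBInstanceClass: !If [IsProd, db.m5.large, db.t3.micro]
      MultiAZ: !If [IsProd, true, false]
      # Automated backups (and so point-in-time restore) only for prod when requested
      BackupRetentionPeriod: !If [ProdWithBackups, 7, 0]
      DeletionProtection: !If [IsProd, true, false]
```

Because Conditions are evaluated at stack create or update time from parameter values, a review of this template is a review of the parameters callers are allowed to pass: here the only way to get a non-protected, single-AZ database without backups is to ask for `Environment: dev`.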
Which of the below instances is normally used as a jump server to access EC2 instances in a private subnet in a VPC? Primary Host Secondary Backup Host Backup Host Bastion Host.
Which of the below alarm states corresponds to “metric is outside of the defined threshold”? ALARM OK INSUFICIENT_DATA None of the above.
Can you delete a subnet which has instances in it? Yes No.
Is the below cloudformation template a valid one? False True.
If there is a requirement to upload a 6GB file to S3 what is the best option to use from the below? Increase your network bandwidth to provide faster throughput to S3 Use Multipart upload feature of S3 and upload the parts in parallel Pack all files into a single archive, upload it to S3, and then extract the files in AWS Use AWS Import/Export to transfer the video files.
Which of the below services is used as infrastructure as a code in AWS? SES None of the above SNS CloudFormation.
Is it possible for a VPC to span multiple Availability zones? True False.
When you set up a static website in S3 what are the most important steps to carry out? Choose 3 correct answers from the options below Enable static website hosting in your S3 bucket properties Select the "Make Public" permission for your bucket's objects Upload an index document to your S3 bucket Create an Alias in Route53.
In S3, when giving permissions via ACL what are the specific permissions that can be given via the console? Choose 3 answers from the options below Edit Permissions View Permissions List Full Control.
Which one of AWS RDS features listed below is supposed to allow 'a point in time restore' of your database? RDS read replicas AWS S3 RDS automated backup Multi-AZ RDS.
When accessing AWS web services from mobile devices, what is the best option from the below that needs to be used? Active Directory AWS Credentials LDAP Web Identity Federation.
A user is trying to understand AWS SNS. To which of the below mentioned end points is SNS unable to send a notification? AWS Lambda Application AWS SES SQS.
Can Auto Scaling be used to launch Spot Instances? Yes No.
Which of the below services is a fully managed MySQL Solution from AWS? Oracle Aurora SQLServer DynamoDB.
Which of the below is used to manage traffic in subnets? VPC Route table Network ACL SubnetID.
To store data in S3, what is the first thing you need to do? Create a bucket Mark the bucket as public Create EC2 instance.
When configuring an ELB what setting can be made to ensure that the user request always goes to the same EC2 instance? Enable ELB connection draining Enable ELB cross zone load balancing Enable ELB sticky session Enable ELB cookie setup.
In Autoscaling what are the different types of checks carried out on EC2 Instances? Choose 3 answers from the options below Health Checks Status check Random checks Custom checks.
What is the state of an EC2 instance that makes it billable for EC2 instance hours? Terminated Stopped Running.
When EC2 instances are registered with an AWS ELB, they are registered in a group. What is that group called? Primary Group Target Group Secondary Group Placement Group.
A company is experiencing high latency due to the Multi AZ feature for their MySQL database. Which of the below mentioned options can help alleviate the situation? Select three options. Use PIOPS Use a large or higher size instance Schedule the automated backup in non-working hours Take a snapshot from the standby replica.
Which of the following databases supports Multi-AZ deployments without any dependency? Choose 3 answers from the options below PostgreSQL Oracle MySQL MS SQL.
Is it possible to share an AMI between regions by default? True False.
How can you ensure maximum protection of preserved versions in S3? None of the above Encryption MFA Versioning.
In a subnet with CIDR block 10.0.0.0/24 , what are the IP Addresses reserved by AWS? Choose 3 answers from the options below 10.0.0.4 10.0.0.1 10.0.0.0 10.0.0.255.
What is the largest size of an object which can be uploaded by a PUT request in S3? 5 GB 1 TB 1 GB 100 MB.
Can you connect your corporate data center using a Hardware VPN connection to a VPC? No Yes.
In Autoscaling what are some of the error messages that can occur? Choose 3 answers from the options below AutoScalingGroup<Auto Scaling group name> not found. The requested configuration is currently not supported. The requested region is no longer supported. Please retry your request…… The requested Availability Zone is no longer supported. Please retry your request…..
What is the default limit for the number of VPCs per region? There is no limit 5 100 10.
Which of the below API calls is used to add data points to CloudWatch? SetAlarmState ListMetrics PutMetricAlarm PutMetricData.
What is the general AWS limit for number of EBS snapshots? 1000 5000 10000 100.
Which API call is used to describe the state of the specified instances with respect to the specified load balancer? DescribeLoadBalancerAttributes DescribeLoadBalancerPolicies DescribeInstanceHealth None of the above.
What is the state of an instance once it is fully configured, passes the Amazon EC2 health checks, and is attached to the Auto Scaling group? InService InState OutState OutService.
A user is trying to aggregate all the CloudWatch metric data of the last 1 week. Which of the below mentioned statistics is not available for the user as a part of data aggregation? Minimum Mean Maximum Average.
What is the range for CIDR blocks for subnets for IPv4? From /16 to /28 From /10 to /28 From /12 to /28 From /14 to /28.
Does your VPC come with a security group? Yes No.
Which of the below combinations of services can be used in conjunction for continuous delivery to automatically build and test changes to your AWS CloudFormation templates before promoting them to production stacks? AWS CloudFormation and EC2 AWS CloudFormation and SNS AWS CloudFormation and SES AWS CloudFormation and AWS CodePipeline.
In order to use Enhanced Networking for EC2 do you need to pay extra? False True.
At the moment, what are the operating systems supported for EC2 instances? Choose 3 answers from the options below Windows Server Red Hat Enterprise Mac OS SUSE Linux Enterprise Server.
Is it possible to increase the limit of a billing alarm in cloudwatch? True False.
Which of the below instances are available as Spot Instances? Choose 3 answers from the options below Unix servers Windows Server with SQL Server Linux servers Windows servers.
Does VPC support multicast? Yes No.
What is the feature in S3 that helps replicate data across AWS regions? Primary region replication Cross site replication Secondary region replication Cross region replication.
A user is trying to understand the ACL and policy for an S3 bucket. Which of the below mentioned policy permissions is equivalent to the READ permission on a bucket object? S3:PutObject S3:DeleteObject S3:ReadObject S3:GetObject.
There is an S3 bucket which is private. There are also objects present in this bucket. Which of the below steps is the recommended one to make the objects in the bucket accessible to other users? The user should select all objects from the console and apply a single policy to mark them public Set the AWS bucket policy which marks all objects as public The user can write a program which programmatically makes all objects public using the S3 SDK Make the bucket ACL public so it will also mark all objects as public.
Can you change the size of a VPC once created? Yes No.
In Autoscaling what is the set of instructions that tells Auto Scaling how to respond to alarm messages? JSON Cloudformation Document Policy.
If data has to be transferred between EC2 instances in different regions, would the data rate transfer be charged at Internet Data transfer rates? False True.
Which of the following error codes relates to “A malformed or canceled request from the client”? HTTPCode_Backend_2XX HTTPCode_Backend_3XX HTTPCode_ELB_4XX HTTPCode_ELB_5XX.
A system admin is trying to understand the Auto Scaling activities. Which of the below mentioned processes is performed by Auto Scaling? Select 3 Options Reboot Instance Schedule Actions AddToLoadBalancer HealthCheck.
Which of the following is the maximum allowable time for connection draining in AWS ELB? 600 seconds 300 seconds 0 seconds 3600 seconds.
What is the ideal step to enable disaster recovery for EC2 instances? Use the “Launch more like this” option to copy the instance from one region to another Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from EU AMI Copy the running instance using the “Instance Copy” command to the EU region Copy the instance from the US East region to EU region.
Does the Basic HTTP load balancer support the X-Forwarded-For header? No Yes.
A user is planning to evaluate AWS for their internal use. The user does not want to incur any charge on his account during the evaluation. Which of the below mentioned AWS services would incur a charge if used? 750 hours of ELB usage 30 GB of EBS 50 GB of Amazon CloudFront storage 1000 hours of RDS usage.
A user wants to ensure that whenever the CPU utilization of the AWS EC2 instance is above 90% he gets an email notification. Which of the below mentioned AWS services is helpful for this purpose? AWS CloudWatch + AWS SNS AWS CloudWatch + AWS SES AWS CloudWatch + AWS SWF AWS CloudWatch + AWS SQS.
Which of the below AWS services is normally used in a decoupling scenario and controlling of EC2 instances in an Autoscaling group? S3 SQS SNS SES.
Which of the below CLI commands can be used to merge Auto Scaling groups into a single multi-zone group? Create-auto-scaling-group Describe-auto-scaling-groups Create-launch-configuration Update-auto-scaling-group.
When you define a security rule for EC2 instances, which of the below form part of the rule? Choose 3 answers from the options below. Rule ID Port Range Protocol Destination.
When preparing for a compliance assessment of your system built inside of AWS, what are three best practices for you to prepare for an audit? Choose 3 answers Gather evidence of your IT operational controls Request and obtain applicable third-party audited AWS compliance reports and certifications Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system's instances and endpoints Schedule meetings with AWS's third-party auditors to provide evidence of AWS compliance that maps to your control objectives.
You have started a new job and are reviewing your company's infrastructure on AWS. You notice one web application where they have an Elastic Load Balancer (ELB) in front of web instances in an Auto Scaling Group. When you check the metrics for the ELB in CloudWatch you see four healthy instances in Availability Zone (AZ) A and zero in AZ B. There are zero unhealthy instances. What do you need to fix to balance the instances across AZs? Set the ELB to only be attached to another AZ Make sure Auto Scaling is configured to launch in both AZs Make sure your AMI is available in both AZs Make sure the maximum size of the Auto Scaling Group is greater than 4.
You have been asked to leverage Amazon VPC, EC2 and SQS to implement an application that submits and receives millions of messages per second to a message queue. You want to ensure your application has sufficient bandwidth between your EC2 instances and SQS. Which option will provide the most scalable solution for communicating between the application and SQS? Ensure the application instances are properly configured with an Elastic Load Balancer Ensure the application instances are launched in private subnets with the EBS-optimized option enabled Ensure the application instances are launched in public subnets with the associate-public-IP-address=true option enabled Launch application instances in private subnets with an Auto Scaling group and Auto Scaling triggers configured to watch the SQS queue size.
You have identified network throughput as a bottleneck on your m1.small EC2 instance when uploading data into Amazon S3 in the same region. How do you remedy this situation? Add an additional ENI Change to a larger instance Use Direct Connect between EC2 and S3 Use EBS PIOPS on the local volume.
You have an Auto Scaling group associated with an Elastic Load Balancer (ELB). You have noticed that instances launched via the Auto Scaling group are being marked unhealthy due to an ELB health check, but these unhealthy instances are not being terminated. What do you need to do to ensure that instances marked unhealthy by the ELB will be terminated and replaced? Change the thresholds set on the Auto Scaling group health check Add an Elastic Load Balancing health check to your Auto Scaling group Increase the value for the Health check interval set on the Elastic Load Balancer Change the health check set on the Elastic Load Balancer to use TCP rather than HTTP checks.
Which two AWS services provide out-of-the-box user-configurable automatic backup-as-a-service and backup rotation options? Choose 2 answers Amazon S3 Amazon RDS Amazon EBS Amazon Redshift.
The majority of your infrastructure is on premises and you have a small footprint on AWS. Your company has decided to roll out a new application that is heavily dependent on low latency connectivity to LDAP for authentication. Your security policy requires minimal changes to the company's existing application user management processes. What option would you implement to successfully launch this application? Create a second, independent LDAP server in AWS for your application to use for authentication Establish a VPN connection so your applications can authenticate against your existing on-premises LDAP servers Establish a VPN connection between your data center and AWS, create an LDAP replica on AWS and configure your application to use the LDAP replica for authentication Create a second LDAP domain on AWS, establish a VPN connection to establish a trust relationship between your new and existing domains and use the new domain for authentication.
You have a Linux EC2 web server instance running inside a VPC. The instance is in a public subnet and has an EIP associated with it so you can connect to it over the Internet via HTTP or SSH. The instance was also fully accessible when you last logged in via SSH, and was also serving web requests on port 80. Now you are not able to SSH into the host nor does it respond to web requests on port 80 that were working fine last time you checked. You have double-checked that all networking configuration parameters (security groups, route tables, IGW/EIP, NACLs etc.) are properly configured (and you haven't made any changes to those anyway since you were last able to reach the instance). You look at the EC2 console and notice that the system status check shows "impaired." Which should be your next step in troubleshooting and attempting to get the instance back to a healthy state so that you can log in again? Stop and start the instance so that it will be able to be redeployed on a healthy host system that most likely will fix the "impaired" system status Reboot your instance so that the operating system will have a chance to boot in a clean healthy state that most likely will fix the "impaired" system status Add another dynamic private IP address to the instance and try to connect via that new path, since the networking stack of the OS may be locked up causing the "impaired" system status. Add another Elastic Network Interface to the instance and try to connect via that new path since the networking stack of the OS may be locked up causing the "impaired" system status. Un-map and then re-map the EIP to the instance, since the IGW/NAT gateway may not be working properly, causing the "impaired" system status.
What is a placement group? A collection of Auto Scaling groups in the same Region Feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections A collection of Elastic Load Balancers in the same Region or Availability Zone A collection of authorized CloudFront edge locations for a distribution.
You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 answers A network ACL that allows communication between the two subnets. Both instances are the same instance class and using the same Key-pair. That the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate. Security groups are set to allow the application host to talk to the database on the right port/protocol.
You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select? Run the bastion on two instances, one in each AZ Run the bastion on an active instance in one AZ and have an AMI ready to boot up in the event of failure Configure the bastion in an Auto Scaling group; specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1 Configure an ELB in front of the bastion instance.
You have been asked to propose a multi-region deployment of a web-facing application where a controlled portion of your traffic is being processed by an alternate region. Which configuration would achieve that goal? Route53 record sets with weighted routing policy Route53 record sets with latency based routing policy Auto Scaling with scheduled scaling actions set Elastic Load Balancing with health checks enabled.
Your EC2-based multi-tier application includes a monitoring instance that periodically makes application-level read-only requests of various application components and, if any of those fail more than three times in 30 seconds, calls CloudWatch to fire an alarm, and the alarm notifies your operations team by email and SMS of a possible application health problem. However, you also need to watch the watcher (the monitoring instance itself) and be notified if it becomes unhealthy. Which of the following is a simple way to achieve that goal? Run another monitoring instance that pings the monitoring instance and fires a CloudWatch alarm that notifies your operations team should the primary monitoring instance become unhealthy. Set a CloudWatch alarm based on EC2 system and instance status checks and have the alarm notify your operations team of any detected problem with the monitoring instance. Set a CloudWatch alarm based on the CPU utilization of the monitoring instance and have the alarm notify your operations team if the CPU usage exceeds 50% for more than one minute; then have your monitoring application go into a CPU-bound loop should it detect any application problems. Have the monitoring instances post messages to an SQS queue and then dequeue those messages on another instance; should the queue cease to have new messages, the second instance should first terminate the original monitoring instance, start another backup monitoring instance and assume the role of the previous monitoring instance and begin adding messages to the SQS queue.
You are attempting to connect to an instance in Amazon VPC without success. You have already verified that the VPC has an Internet Gateway (IGW), the instance has an associated Elastic IP (EIP) and correct security group rules are in place. Which VPC component should you evaluate next? The configuration of a NAT instance The configuration of the Routing Table The configuration of the Internet Gateway (IGW) The configuration of SRC/DST checking.
You are tasked with the migration of a highly trafficked Node JS application to AWS. In order to comply with organizational standards, Chef recipes must be used to configure the application servers that host this application and to support application lifecycle events. Which deployment option meets these requirements while minimizing administrative burden? Create a new stack within OpsWorks, add the appropriate layers to the stack and deploy the application Create a new application within Elastic Beanstalk and deploy this application to a new environment Launch a Node JS server from a community AMI and manually deploy the application to the launched EC2 instance Launch and configure Chef Server on an EC2 instance and leverage the AWS CLI to launch the application.
What are characteristics of Amazon S3? Choose 2 answers Objects are directly accessible via a URL S3 should be used to host a relational database S3 allows you to store objects of virtually unlimited size S3 allows you to store virtually unlimited amounts of data S3 offers Provisioned IOPS.
You receive a frantic call from a new DBA who accidentally dropped a table containing all your customers. Which Amazon RDS feature will allow you to reliably restore your database to within 5 minutes of when the mistake was made? Multi-AZ RDS RDS snapshots RDS read replicas RDS automated backup.
You are running a web application on AWS consisting of the following components: an Elastic Load Balancer (ELB), an Auto Scaling Group of EC2 instances running Linux/PHP/Apache, and Relational Database Service (RDS) MySQL. Which security measures fall into AWS's responsibility? Protect the EC2 instances against unsolicited access by enforcing the principle of least-privilege access Protect against IP spoofing or packet sniffing Assure all communication between EC2 instances and ELB is encrypted Install latest security patches on ELB, RDS and EC2 instances.
You are tasked with setting up a cluster of EC2 instances for a NoSQL database. The database requires random read I/O disk performance up to 100,000 IOPS at 4KB block size per node. Which of the following EC2 instances will perform the best for this workload? A High-Memory Quadruple Extra Large (m2.4xlarge) with EBS-Optimized set to true and a PIOPS EBS volume A Cluster Compute Eight Extra Large (cc2.8xlarge) using instance storage High I/O Quadruple Extra Large (hi1.4xlarge) using instance storage A Cluster GPU Quadruple Extra Large (cg1.4xlarge) using four separate 4000 PIOPS EBS volumes in a RAID 0 configuration.
If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should: Assign a group of sequential Elastic IP addresses to the instances Launch the instances in a Placement Group Launch the instances in the Amazon Virtual Private Cloud (VPC) Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already Launch the instance from a private Amazon Machine Image (AMI).
A user has developed an application which is required to send the data to a NoSQL database. The user wants to decouple the data sending such that the application keeps processing and sending data but does not wait for an acknowledgement of DB. Which of the below mentioned applications helps in this scenario? AWS Simple Notification Service AWS Simple Workflow AWS Simple Queue Service AWS Simple Query Service.
An organization has created 50 IAM users. The organization has introduced a new policy which will change the access of an IAM user. How can the organization implement this effectively so that there is no need to apply the policy at the individual user level? Use the IAM groups and add users as per their role to different groups and apply policy to group The user can create a policy and apply it to multiple users in a single go with the AWS CLI Add each user to the IAM role as per their organization role to achieve effective policy setup Use the IAM role and implement access at the role level.
A user is planning to use AWS Cloud formation for his automatic deployment requirements. Which of the below mentioned components are required as a part of the template? Parameters Outputs Template version Resources.
A user is trying to delete an Auto Scaling group from CLI. Which of the below mentioned steps are to be performed by the user? Terminate the instances with the ec2-terminate-instance command Terminate the Auto Scaling instances with the as-terminate-instance command Set the minimum size and desired capacity to 0 There is no need to change the capacity. Run the as-delete-group command and it will reset all values to 0.
An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the consolidated billing option. Which of the below mentioned statements is true with respect to the above information? Master (Payee) account will get only the total bill and cannot see the cost incurred by each account Master (Payee) account can view only the AWS billing details of the linked accounts It is not recommended to use consolidated billing since the payee account will have access to the linked accounts Each AWS account needs to create an AWS billing policy to provide permission to the payee account.
A user has created a web application with Auto Scaling. The user is regularly monitoring the application and he observed that the traffic is highest on Thursday and Friday between 8 AM and 6 PM. What is the best solution to handle scaling in this case? Add a new instance manually by 8 AM Thursday and terminate the same by 6 PM Friday Schedule Auto Scaling to scale up by 8 AM Thursday and scale down after 6 PM on Friday Schedule a policy which may scale up every day at 8 AM and scale down by 6 PM Configure a batch process to add an instance by 8 AM and remove it by Friday 6 PM.
A user has setup a CloudWatch alarm on an EC2 action when the CPU utilization is above 75%. The alarm sends a notification to SNS on the alarm state. If the user wants to simulate the alarm action how can he achieve this? Run activities on the CPU such that its utilization reaches above 75% From the AWS console change the state to ‘Alarm’ The user can set the alarm state to ‘Alarm’ using CLI Run the SNS action manually.
A user is trying to setup a scheduled scaling activity using Auto Scaling. The user wants to setup the recurring schedule. Which of the below mentioned parameters is not required in this case? Maximum size Auto Scaling group name End time Recurrence value.
A user is trying to save some cost on the AWS services. Which of the below mentioned options will not help him save cost? Delete the unutilized EBS volumes once the instance is terminated Delete the AutoScaling launch configuration after the instances are terminated Release the elastic IP if not required once the instance is terminated Delete the AWS ELB after the instances are terminated.
An organization is planning to use AWS for their production roll out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3 and set up the ELB. Which of the below mentioned AWS services meets the requirement for making an orderly deployment of the software? AWS Elastic Beanstalk AWS CloudFront AWS CloudFormation AWS DevOps.
An organization is setting up programmatic billing access for their AWS account. Which of the below mentioned services is not required or enabled when the organization wants to use programmatic access? Programmatic access AWS bucket to hold the billing report AWS billing alerts Monthly Billing report.
A user has configured the Auto Scaling group with the minimum capacity as 3 and the maximum capacity as 5. When the user configures the AS group, how many instances will Auto Scaling launch? 3 0 5 2.
A user is planning to use AWS CloudFormation. Which of the below mentioned functionalities does not help him to correctly understand CloudFormation? CloudFormation follows the DevOps model for the creation of Dev & Test AWS CloudFormation does not charge the user for its service but only charges for the AWS resources created with it CloudFormation works with a wide variety of AWS services, such as EC2, EBS, VPC, IAM, S3, RDS, ELB, etc CloudFormation provides a set of application bootstrapping scripts which enables the user to install Software.
You are building an online store on AWS that uses SQS to process your customer orders. Your backend system needs those messages in the same sequence the customer orders have been put in. How can you achieve that? It is not possible to do this with SQS You can use sequencing information on each message You can do this with SQS but you also need to use SWF Messages will arrive in the same order by default.
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above? The user needs to use AWS CLI or API to upload the data The user can use the AWS Import Export facility to import data to CloudWatch The user will upload data from the AWS console The user cannot upload data to CloudWatch since it is not an AWS service metric.
A system admin is managing buckets, objects and folders with AWS S3. Which of the below mentioned statements is true and should be taken in consideration by the sysadmin? The folders support only ACL Both the object and bucket can have an Access Policy but folder cannot have policy Folders can have a policy Both the object and bucket can have ACL but folders cannot have ACL.
A user has created an ELB with three instances. How many security groups will ELB create by default? 3 5 2 1.
An organization has created 50 IAM users. The organization wants that each user can change their password but cannot change their access keys. How can the organization achieve this? The organization has to create a special password policy and attach it to each user The root account owner has to use CLI which forces each IAM user to change their password on first login By default each IAM user can modify their passwords The root account owner can set the policy from the IAM console under the password policy screen.
A user has created a photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly.Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario? AWS Glacier AWS Elastic Transcoder AWS Simple Notification Service AWS Simple Queue Service.
A root AWS account owner wants to grant permissions on S3. Which of the below mentioned options is not the right option to grant permission for S3? User Access Policy S3 Object Access Policy S3 Bucket Access Policy S3 ACL.
A user is planning to setup notifications on the RDS DB for a snapshot. Which of the below mentioned event categories is not supported by RDS for this snapshot source type? Backup Creation Deletion Restoration.
A customer is using AWS for Dev and Test. The customer wants to setup the Dev environment with Cloudformation. Which of the below mentioned steps are not required while using Cloudformation? Create a stack Configure a service Create and upload the template Provide the parameters configured as part of the template.
A user is accessing RDS from an application. The user has enabled the Multi AZ feature with the MS SQL RDS DB. During a planned outage how will AWS ensure that a switch from the DB to a standby replica will not affect access to the application? RDS will have an internal IP which will redirect all requests to the new DB RDS uses DNS to switch over to the standby replica for a seamless transition The switch over changes hardware so RDS does not need to worry about access RDS will have both the DBs running independently and the user has to manually switch over.
A user has launched an EBS backed instance. The user started the instance at 9 AM in the morning. Between 9 AM to 10 AM, the user is testing some script. Thus, he stopped the instance twice and restarted it. In the same hour the user rebooted the instance once. For how many instance hours will AWS charge the user? 3 hours 4 hours 2 hours 1 hour.
A user has created a queue named “myqueue” with SQS. There are four messages published to the queue which are not received by the consumer yet. If the user tries to delete the queue, what will happen? A user can never delete a queue manually. AWS deletes it after 30 days of inactivity on the queue It will delete the queue It will initiate the delete but wait for four days before deleting until all messages are deleted automatically. It will ask the user to delete the messages first.
A user has stored data on an encrypted EBS volume. The user wants to share the data with his friend’s AWS account. How can user achieve this? Create an AMI from the volume and share the AMI Copy the data to an unencrypted volume and then share Take a snapshot and share the snapshot with a friend If both the accounts are using the same encryption key then the user can share the volume directly.
A user has configured an Auto Scaling group with ELB. The user has enabled detailed CloudWatch monitoring on Elastic Load Balancing. Which of the below mentioned statements will help the user understand this functionality better? ELB sends data to CloudWatch every minute only and does not charge the user ELB will send data every minute and will charge the user extra ELB is not supported by CloudWatch It is not possible to set up detailed monitoring for ELB.
A user has configured ELB with two EBS backed EC2 instances. The user is trying to understand the DNS access and IP support for ELB. Which of the below mentioned statements may not help the user understand the IP mechanism supported by ELB? The client can connect over IPV4 or IPV6 using Dualstack ELB DNS supports both IPV4 and IPV6 Communication between the load balancer and back-end instances is always through IPV4 The ELB supports either IPV4 or IPV6 but not both.
A user has launched an EBS backed EC2 instance. What will be the difference while performing the restart or stop/start options on that instance? For restart it does not charge for an extra hour, while every stop/start it will be charged as a separate hour Every restart is charged by AWS as a separate hour, while multiple start/stop actions during a single hour will be counted as a single hour For every restart or start/stop it will be charged as a separate hour For restart it charges extra only once, while for every stop/start it will be charged as a separate hour.
Which service enables AWS customers to manage users and permissions in AWS? AWS Access Control Service (ACS) AWS Identity and Access Management (IAM) AWS Identity Manager (AIM).
IAM provides several policy templates you can use to automatically assign permissions to the groups you create. The _____ policy template gives the Admins group permission to access all account resources, except your AWS account information. Read Only Access Power User Access AWS CloudFormation Read Only Access Administrator Access.
Every user you create in the IAM system starts with _________. Partial permissions Full permissions No permissions.
Groups can’t _____. be nested more than 3 levels be nested at all be nested more than 4 levels be nested more than 2 levels.
The _____ service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console. Amazon RDS AWS Integrity Management AWS Identity and Access Management Amazon EMR.
You are setting up a blog on AWS. In which of the following scenarios will you need AWS credentials? (Choose 3) Sign in to the AWS Management Console to launch an Amazon EC2 instance Sign in to the running instance to install some software Launch an Amazon RDS instance Log into your blog’s content management system to write a blog post Post pictures to your blog on Amazon S3.
An organization has 500 employees. The organization wants to set up AWS access for each department. Which of the below mentioned options is a possible solution? Create IAM roles based on the permission and assign users to each role Create IAM users and provide individual permission to each Create IAM groups based on the permission and assign IAM users to the groups It is not possible to manage more than 100 IAM users with AWS.
You run a web application with the following components: Elastic Load Balancer (ELB), 3 Web/Application servers, 1 MySQL RDS database with read replicas, and Amazon Simple Storage Service (Amazon S3) for static content. Average response time for users is increasing slowly. What three CloudWatch RDS metrics will allow you to identify if the database is the bottleneck? (Choose three.) The number of outstanding IOs waiting to access the disk. The amount of write latency. The amount of disk space occupied by binary logs on the master. The amount of time a Read Replica DB Instance lags behind the source DB Instance The average number of disk I/O operations per second.
A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN-only subnets along with hardware VPN access to connect to the user’s datacenter. The user wants to make sure that all traffic coming to the public subnet follows the organization’s proxy policy. How can the user make this happen? Setting up a NAT with the proxy protocol and configure that the public subnet receives traffic from NAT Setting up a proxy policy in the internet gateway connected with the public subnet It is not possible to setup the proxy policy for a public subnet Setting the route table and security group of the public subnet which receives traffic from a virtual private gateway.
George has launched three EC2 instances inside the US-East-1a zone with his AWS account. Ray has launched two EC2 instances in the US-East-1a zone with his AWS account. Which of the below mentioned statements will help George and Ray understand the availability zone (AZ) concept better? The instances of George and Ray will be running in the same data center All the instances of George and Ray can communicate over a private IP with a minimal cost All the instances of George and Ray can communicate over a private IP without any cost The us-east-1a region of George and Ray can be different availability zones.
A user is planning to scale up an application by 8 AM and scale down by 7 PM daily using Auto Scaling. What should the user do in this case? Set up the scaling policy to scale up and down based on the CloudWatch alarms User should increase the desired capacity at 8 AM and decrease it by 7 PM manually User should set up a batch process which launches the EC2 instance at a specific time Set up scheduled actions to scale up or down at a specific time.
An organization is planning to use AWS for 5 different departments. The finance department is responsible to pay for all the accounts. However, they want the cost separation for each account to map with the right cost centre. How can the finance department achieve this? Create 5 separate accounts and make them a part of one consolidated billing Create 5 separate accounts and use the IAM cross account access with the roles for better management Create 5 separate IAM users and set a different policy for their access Create 5 separate IAM groups and add users as per the department’s employees.
A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. The user has 3 elastic IPs and is trying to assign one of the Elastic IPs to the VPC instance from the console. The console does not show any instance in the IP assignment screen. What is a possible reason that the instance is unavailable in the assigned IP console? The IP address may be attached to one of the instances The IP address belongs to a different zone than the subnet zone The user has not created an internet gateway The IP addresses belong to EC2 Classic; so they cannot be assigned to VPC.
A user has set up an EBS backed instance and attached 2 EBS volumes to it. The user has set up a CloudWatch alarm on each volume for the disk data. The user has stopped the EC2 instance and detached the EBS volumes. What will be the status of the alarms on the EBS volume? OK Insufficient Data Alarm The EBS cannot be detached until all the alarms are removed.
A user has deployed an application on an EBS backed EC2 instance. For a better performance of application, it requires dedicated EC2 to EBS traffic. How can the user achieve this? Launch the EC2 instance as EBS provisioned with PIOPS EBS Launch the EC2 instance as EBS enhanced with PIOPS EBS Launch the EC2 instance as EBS dedicated with PIOPS EBS Launch the EC2 instance as EBS optimized with PIOPS EBS.
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet? Destination: 0.0.0.0/0 and Target: ALL Destination: 20.0.0.0/0 and Target: Local Destination: 20.0.0.0/0 and Target: ALL Destination: 20.0.0.0/24 and Target: Local.
A user has created an EBS volume of 10 GB and attached it to a running instance. The user is trying to access EBS for first time. Which of the below mentioned options is the correct statement with respect to a first time EBS access? The volume will show a size of 8 GB The volume will show a loss of the IOPS performance the first time The volume will be blank If the EBS is mounted it will ask the user to create a file system.
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it? The zone can only be modified using the AWS CLI It is not possible to change the zone of an instance after it is launched Stop one of the instances and change the availability zone From the AWS EC2 console, select the Actions - > Change zones and specify the new zone.
A user has launched an EBS backed instance with EC2-Classic. The user stops and starts the instance. Which of the below mentioned statements is not true with respect to the stop/start action? The instance gets new private and public IP addresses The volume is preserved The Elastic IP remains associated with the instance The instance may run on a new host computer.
A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25. The user is trying to create the private subnet with CIDR 20.0.0.128/25. Which of the below mentioned statements is true in this scenario? It will not allow the user to create the private subnet due to a CIDR overlap It will allow the user to create a private subnet with CIDR as 20.0.0.128/25 This statement is wrong as AWS does not allow CIDR 20.0.0.0/25 It will not allow the user to create a private subnet due to a wrong CIDR range.
A user is trying to create a PIOPS EBS volume with 3 GB size and 90 IOPS. Will AWS create the volume? No, since the PIOPS and EBS size ratio is less than 30 Yes, since the ratio between EBS and IOPS is less than 30 No, the EBS size is less than 4GB Yes, since PIOPS is higher than 100.
A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest? Use AWS EBS encryption to encrypt the data at rest The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool The user has to select the encryption enabled flag while launching the EC2 instance Encryption of volume is not available as a part of the free usage tier.
A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario? The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range It is not possible to create a subnet with the same CIDR as VPC The second subnet will be created It will throw a CIDR overlaps error.
A user has created an Auto Scaling group using the CLI. The user wants to enable CloudWatch detailed monitoring for that group. How can the user configure this? When the user sets an alarm on the Auto Scaling group, it automatically enables detailed monitoring By default detailed monitoring is enabled for Auto Scaling Auto Scaling does not support detailed monitoring Enable detailed monitoring from the AWS console.
An organization has set up consolidated billing with 3 different AWS accounts. Which of the below mentioned advantages will the organization receive in terms of the AWS pricing? The consolidated billing does not bring any cost advantage for the organization There is really no cost advantage with consolidated billing. The advantage is rather the convenience and simplicity of a single bill. The EC2 instances of each account will receive a total of 750*3 micro instance hours free The free usage tier for all the 3 accounts will be 3 years and not a single year.
A user is creating a Cloudformation stack. Which of the below mentioned limitations does not hold true for Cloudformation? One account by default is limited to 100 templates The user can use 60 parameters and 60 outputs in a single template The template, parameter, output, and resource description fields are limited to 4096 characters One account by default is limited to 20 stacks.
A user has configured ELB with a TCP listener at ELB as well as on the back-end instances. The user wants to enable a proxy protocol to capture the source and destination IP information in the header. Which of the below mentioned statements helps the user understand a proxy protocol with TCP configuration? If the end user is requesting behind a proxy server then the user should not enable a proxy protocol on ELB ELB does not support a proxy protocol when it is listening on both the load balancer and the back-end instances Whether the end user is requesting from a proxy server or directly, it does not make a difference for the proxy protocol If the end user is requesting behind the proxy then the user should add the “isproxy” flag to the ELB Configuration.
A user has launched an EC2 Windows instance from an instance store backed AMI. The user wants to convert the AMI to an EBS backed AMI. How can the user convert it? Attach an EBS volume to the instance and unbundle all the AMI bundled data inside the EBS A Windows based instance store backed AMI cannot be converted to an EBS backed AMI It is not possible to convert an instance store backed AMI to an EBS backed AMI Attach an EBS volume and use the copy command to copy all the ephemeral content to the EBS Volume.
A user is running a batch process on EBS backed EC2 instances. The batch process starts a few instances to process Hadoop Map reduce jobs, which can run between 50 – 600 minutes or sometimes for more time. The user wants to configure that the instance gets terminated only when the process is completed. How can the user configure this with CloudWatch? Setup the CloudWatch action to terminate the instance when the CPU utilization is less than 5% Setup the CloudWatch with Auto Scaling to terminate all the instances Setup a job which terminates all instances after 600 minutes It is not possible to terminate instances automatically.
How would you restore an EBS snapshot to an EC2 instance? Create a new volume from the snapshot, attach the volume to the EC2 instance, pre-warm the volume and mount it to the device Attach the volume to the EC2 instance, create a snapshot and clone the data Mount the device, create a volume from the snapshot, and mount the volume Clone the snapshot.
You are running a legacy application that has a hard-coded IP address in your application. How might you apply high availability to the instance running that application? Re-hard-code the IP address in your application. Assign an Elastic IP address to the EC2 instance and have a backup instance running. In the event of failure, move the Elastic IP from the primary instance to the backup instance. You can’t do this. None of these.
If we want to be able to monitor and alert on cost metrics, what AWS services do we need to enable and use together? CloudFront Account Preferences Billing Alerts CloudFormation CloudWatch.
You have been tasked with identifying an appropriate storage solution for a NoSQL database that requires random I/O reads of greater than 10,000 4kb IOPS. Which EC2 option will meet this requirement? SSD instance store High Storage instance configured in RAID 10 EBS optimized instances EBS provisioned IOPS.
Which option below is part of a failover process for a Multi-AZ RDS instance? Our failed RDS database instance reboots The DNS for our primary DB instance is switched to the standby DB instance The new DB instances we create are in the standby zone Answer not provided.
You have multiple AWS users with access to an Amazon S3 bucket. These users have permission to add and delete objects. If you wanted to prevent accidental deletions, what might you do to prevent these users from performing accidental deletions of an object? Enable versioning on the bucket Creating a bucket policy that prevents accidental deletions Remove the ability for the user to delete You can use Amazon MFA for verification for deleting an object.
You maintain an application on AWS to provide development and test platforms for your developers. Currently, both environments consist of an m1.small EC2 instance. Your developers notice performance degradation as they increase network load in the test environment. How would you mitigate these performance issues in the test environment? Upgrade the m1.small to a larger instance type Add an additional ENI to the test instance Use the EBS optimized option to offload EBS traffic Configure Amazon Cloudwatch to provision more network bandwidth when network utilization exceeds 80%.
Your supervisor is concerned about losing read access to your RDS database in the unlikely event of an AWS regional failure. You design a plan to create a read replica of the database in another region, but your supervisor sees a problem with this plan. What problem does he see? Choose the correct answer from the options below Replication requires VPC peering between the regions, and you have overlapping CIDR blocks in the two VPCs AWS does not support RDS read replicas in different regions from the source database Your database is using PostgreSQL, which does not support cross-region replication Synchronous replication between the two regions will suffer from high latency.
Which of the following CloudWatch metrics require custom monitoring scripts to populate the metric? Choose two CPU Utilization Available Disk Space Swap Usage CPU.
What AWS services allow you access to the underlying operating system? Choose the 3 correct answers: EDS EC2 Hadoop Elastic Beanstalk.
Best practice is to pre-warm: Elastic load balancers that recently experienced an increase in traffic Elastic load balancers that you are expecting will experience a large increase in traffic. Pre-warm using the read and write back method EBS volumes that were created from scratch. Pre-warm using the read and then write back method Newly created EBS volumes. Pre-warm using the read and then write back method.
Assuming you have kept the default settings and the automated backup services provided by AWS, which of the following will retain automated backups? None of these An instance store root volume when the EC2 instance is terminated An EBS root volume when the EC2 instance is terminated An RDS database when the RDS instance is terminated.
You configure a VPC with an Internet gateway that has a private and a public subnet, each in its own Availability Zone, and a dual-tunnel VPN between the Virtual Private Gateway and the router in the private data center. You want to make sure that you do not have a potential single point of failure in this design. Which option would you choose to make sure the above environment achieves this? You create and then attach a second Virtual Private Gateway, providing redundant VPN connectivity. You create another Internet Gateway to provide redundant Internet connectivity. You set up a secondary router in your private data center to establish a dual-tunnel VPN connection with a Virtual Private Gateway There is not a single point of failure with this architecture.
A deny overrides an allow in which circumstances? A NACL associated with subnet B defines two rules. Rule #105 explicitly denies TCP traffic on port 21 from 0.0.0.0/0 and rule #100 explicitly allows TCP traffic on port 21 from 0.0.0.0/0. A NACL associated with subnet A defines two rules. Rule #100 explicitly denies TCP traffic on port 21 from 0.0.0.0/0 and rule #105 explicitly allows TCP traffic on port 21 from 0.0.0.0/0. An explicit allow is set in an IAM policy governing S3 access and an explicit deny is set on an S3 bucket via an S3 bucket policy. The S3 bucket is implicitly denied for all users and an explicit allow is set on the S3 bucket via an S3 bucket policy.
What is the most likely reason you are being charged for an instance you launched from a free-tier eligible AMI? You launched the instance from a CloudFormation template Your account has passed the one-year trial period Your instance has a public IP address assigned to it You used an EBS-backed root volume.
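The two NACL items in the deny-overrides-allow question above turn on rule ordering, while the S3 items turn on IAM's explicit-deny precedence. The model below is an added example, not part of the quiz: it evaluates network ACL rules in ascending rule-number order with first match winning (and the implicit `*` rule denying anything unmatched), and reduces an S3 authorization to the "explicit deny beats any allow, no allow means implicit deny" rule. The rule sets, subnet names and the source address are constructed for illustration.

```python
"""Added example: NACL first-match evaluation vs. IAM explicit-deny precedence."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NaclRule:
    number: int             # evaluation order; lower numbers are checked first
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    port: Optional[int]     # destination port; None matches any port
    cidr: str               # source CIDR for an inbound rule


def _cidr_match(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_nacl(rules, proto: str, port: int, ip: str):
    """Return (action, rule_number) for the first rule that matches.

    Rules are evaluated from the lowest number upward and the first match is
    final; a later rule never reverses an earlier one. When nothing matches,
    the implicit '*' rule denies the packet.
    """
    for r in sorted(rules, key=lambda r: r.number):
        proto_ok = r.proto == "-1" or r.proto == proto
        port_ok = r.port is None or r.port == port
        if proto_ok and port_ok and _cidr_match(r.cidr, ip):
            return r.action, r.number
    return "deny", "*"


# Constructed rule sets mirroring the question: same two rules, numbers swapped.
SUBNET_B = [NaclRule(105, "deny", "tcp", 21, "0.0.0.0/0"),
            NaclRule(100, "allow", "tcp", 21, "0.0.0.0/0")]
SUBNET_A = [NaclRule(100, "deny", "tcp", 21, "0.0.0.0/0"),
            NaclRule(105, "allow", "tcp", 21, "0.0.0.0/0")]


def evaluate_iam(effects) -> str:
    """Simplified IAM/S3 decision over the effects of every statement that
    matches the request (identity policy + bucket policy together): an
    explicit deny anywhere wins; otherwise some allow is required; otherwise
    the request is implicitly denied."""
    if "deny" in effects:
        return "deny"
    if "allow" in effects:
        return "allow"
    return "deny"
```

For subnet B the allow at #100 is hit first, so the deny at #105 never runs; for subnet A the order is reversed and FTP control traffic is denied. The IAM helper shows why the third option in the question is a genuine override: an allow in the identity policy and a deny in the bucket policy are evaluated together and the deny wins.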
When working with Amazon RDS, by default, AWS is responsible for implementing which two management-related activities? Select 2 answers If automated backups are enabled, creating and maintaining automated database backups with a point-in-time recovery of up to five minutes Importing data and optimizing queries Installing and periodically patching the database software Creating and maintaining automated database backups in compliance with regulatory long-term retention requirements.
What would be a reason you upgrade to Direct Connect instead of a traditional VPN connection? Using Direct Connect is easier than setting up a VPN connection Direct Connect is free You gain higher bandwidth and consistent network connectivity Direct Connect gives you greater connection speed.
Your supervisor sends you a list of several processes in your AWS environment that she would like you to automate via scripts. Which of the following list items should be set as the highest priority? Identify and replace unhealthy EC2 instances Implement CloudWatch alerts for EC2 instance memory usage Identify and fail over an unhealthy RDS database to a second copy in a different Availability Zone Implement CloudWatch alerts for RDS instance free storage space.
We have a web application that is using Auto Scaling and ELB. We would like to monitor the application to make sure that it maintains a good quality of service for our customers, defined by the application’s page load time. What metric within CloudWatch can we use for this? The latency that is reported by the ELB CPU utilization for our web application tier Networking for the web tier The ELB RequestCount.
By default there is no route between the subnets in a VPC. False True.
RDS Read Replicas are synchronous in their replication. False True.
What is the result of the following bucket policy? Choose the correct answer: None of these It will allow all access to the bucket mybucket It will deny all access to the bucket mybucket It will allow the user jeff from AWS account number 5555555555 all access to the bucket but deny everyone else all access to the bucket.
You support a website with a large user base concentrated on the east coast, but very few users outside of that region. Traffic load is much heavier on the site during business hours, so you are planning to implement Auto Scaling to optimize the number of running EC2 instances to meet the traffic load throughout the day. You are also looking for a solution to distribute traffic evenly among those instances. Which of the following solutions will distribute traffic most evenly among the EC2 instances hosting this website in the US-East-1 region? Place the instances behind an Elastic Load Balancer and enable Application Generated Cookie Stickiness. Place the instances behind an Elastic Load Balancer and enable Load Balancer Generated Cookie Stickiness. Set up latency-based routing in Route 53 to distribute the traffic between the EC2 instances. Place the instances behind an Elastic Load Balancer with stickiness disabled.
A colleague noticed that CloudWatch was reporting that there had not been any connections to one of your MySQL databases for several months. You decided to terminate the database. Two months after the database was terminated, you get a phone call from a very upset user who needs information from that database to run end-of-year reports. You are hopeful that you can restore the database to full functionality from a snapshot, but your database administrator is not quite as confident. Why? The MySQL database was not using a transactional database engine such as InnoDB and may not restore properly. The snapshot was taken while the database was running. The 35-day maximum retention period for snapshots has expired. MySQL databases do not support snapshots.
Per the AWS Acceptable Use Policy, penetration testing of EC2 instances: may be performed by the customer against their own instances with prior authorization from AWS may be performed by AWS, and is periodically performed by AWS is expressly prohibited under all circumstances can be freely performed without authorization.
Which of the following services have automated backups? Choose the 3 correct answers: ElastiCache EC2 Redshift RDS.
You want to run a web application in which application servers on EC2 instances are in an Auto Scaling group spread across two Availability Zones. Monitoring over the last six months, we notice that only one of our web servers is needed to handle our minimum load. During our core utilization hours (8-8 M-F), mostly five to six web servers are needed to handle the minimum load. Four to five days a year, the number of web servers required can go up to 18 servers. Three Reserved Instances (heavy utilization), four Reserved Instances (medium utilization), the rest covered by on-demand instances. Five Reserved Instances (heavy utilization), the rest covered by on-demand instances Three Reserved Instances (heavy utilization), five on-demand instances, the rest covered by Spot Instances Five Reserved Instances (heavy utilization), the rest covered by Spot Instances.
You manage a popular blog website on EC2 instances in an Auto Scaling group. You notice that between 8:00 am and 8:00 pm you see a 50% increase in traffic to your website. In addition, there are occasional random 1- to 2-hour spikes. What is the least cost-effective way to manage this Auto Scaling group? Increase the maximum number of instances in the Auto Scaling group Use reserved instances for the instances needed to handle the load during traffic spikes Use reserved instances for the instances needed to handle the typical load during the night hours Use reserved instances for the instances needed to handle the load during the daytime hours.
You have an Elastic Load Balancer with an Auto Scaling group application. You also have 4 running instances with Auto Scaling. All of these instances are running in the same Availability Zone. Some instances within the zone are not highly available. What could be the cause? Select two The ELB isn’t configured for that Availability Zone The Auto Scaling group is not configured for more than one Availability Zone The Auto Scaling scaling policy is not configured for multiple Availability Zones The VPC is not configured for Auto Scaling into multiple subnets.
A user is planning to schedule a backup for an EBS volume. The user wants security of the snapshot data. How can the user achieve data encryption with a snapshot? Use encrypted EBS volumes so that the snapshot will be encrypted by AWS While creating a snapshot select the snapshot with encryption By default, the snapshot is encrypted by AWS Enable server side encryption for the snapshot using S3.
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better? There is no way to register the stopped instances with ELB The user cannot stop the instances if they are registered with ELB If the instances have the same Elastic IP assigned after reboot they will be registered with ELB The instances will automatically get registered with ELB.
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group (WebSecGrp)? Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound 80 for Destination 0.0.0.0/0 Outbound Configure port 3306 for source 20.0.0.0/24 InBound Configure port 80 InBound for source 20.0.0.0/16.
A sys admin is trying to understand the sticky session algorithm. Please select the correct sequence of steps, both when the cookie is present and when it is not, to help the admin understand the implementation of the sticky session: 1. ELB inserts the cookie in the response 2. ELB chooses the instance based on the load balancing algorithm 3. Check the cookie in the service request 4. The cookie is found in the request 5. The cookie is not found in the request 3,1,4,2 [Cookie is not Present] & 3,1,5,2 [Cookie is Present] 3,4,1,2 [Cookie is not Present] & 3,5,1,2 [Cookie is Present] 3,5,2,1 [Cookie is not Present] & 3,4,2,1 [Cookie is Present] 3,2,5,4 [Cookie is not Present] & 3,2,4,5 [Cookie is Present].
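The sticky-session question above lists the five steps out of order. The toy router below is an added example, not part of the quiz, that implements the sequence for load-balancer-generated (duration-based) stickiness as the ELB documentation describes it: check the request for the cookie; if it names a registered instance, send the request there; if it is absent or stale, pick an instance by the load-balancing algorithm (round robin in this simplified model) and insert the cookie in the response. The instance ids and the `AWSELB` cookie name used here are assumptions chosen for illustration.

```python
"""Added example: simplified model of ELB load-balancer-generated stickiness."""
import itertools

COOKIE = "AWSELB"   # name of the load-balancer-generated cookie in this model


class StickyLoadBalancer:
    def __init__(self, instances):
        self.instances = list(instances)
        self._rr = itertools.cycle(self.instances)   # the balancing algorithm

    def route(self, request_cookies: dict):
        """Return (instance_id, cookie_to_set) for one request.

        cookie_to_set is None when the request already carried a usable
        cookie and no new cookie needs to be inserted in the response.
        """
        # Step 3: check the cookie in the service request.
        pinned = request_cookies.get(COOKIE)
        if pinned in self.instances:
            # Step 4: cookie found and the instance is still registered,
            # so the request goes straight to that instance.
            return pinned, None
        # Step 5: cookie not found (or it names an instance that is gone),
        # so step 2: choose the instance by the load-balancing algorithm...
        chosen = next(self._rr)
        # ...and step 1: insert the cookie in the response.
        return chosen, {COOKIE: chosen}


def session_trace(lb: StickyLoadBalancer, requests):
    """Route a list of cookie dicts in order and return the instance ids hit."""
    return [lb.route(c)[0] for c in requests]
```

Two consequences worth noticing: a client that keeps the cookie stays on one instance for the cookie's lifetime, which is exactly why stickiness undermines even distribution (the quiz question about the east-coast site), and a stale cookie silently falls back to the algorithm rather than failing the request.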
A user is trying to create an EBS volume with the highest PIOPS supported by EBS. What is the minimum size of EBS required to have the maximum IOPS? 124 150 134 128.
A sys admin has enabled a log on ELB. Which of the below mentioned activities are not captured by the log? Response processing time Front end processing time Backend processing time Request processing time.
When you put objects in Amazon S3, what is the indication that an object was successfully stored? An HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was successful. Amazon S3 is engineered for 99.999999999% durability. Therefore there is no need to confirm that data was inserted. A success code is inserted into the S3 object metadata. Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket with a timestamp and checksum.
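The check the first option above describes is easy to get wrong in practice, so here is an added example (not from the quiz) of the client side of it: compute the `Content-MD5` header for the body before the PUT, then compare the ETag in the HTTP 200 response with the hex MD5 of what was sent. The caveat a practitioner needs: the ETag of a multipart upload is an MD5 over the concatenated part digests followed by `-<part count>`, and objects encrypted with SSE-KMS or SSE-C have an ETag that is not an MD5 at all, so neither may be compared with a whole-object digest. No network call is made; `etag_for` stands in for the value S3 would return for a single-part, non-KMS object, and the bodies are constructed.

```python
"""Added example: verifying a single-part S3 PUT via Content-MD5 and ETag."""
import base64
import hashlib


def content_md5_header(body: bytes) -> str:
    """Value for the Content-MD5 request header: base64 of the raw 16-byte MD5.
    S3 rejects the PUT if the body it receives does not match this digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()


def etag_for(body: bytes) -> str:
    """ETag S3 returns for a single-part, non-KMS object: quoted hex MD5.
    Used here as a stand-in for a real response."""
    return '"' + hashlib.md5(body).hexdigest() + '"'


def multipart_etag(parts) -> str:
    """Reproduce the multipart ETag: MD5 of the concatenated binary part
    digests, then '-N'. A client that kept its part boundaries can verify a
    multipart upload with this instead of a whole-object MD5."""
    digests = b"".join(hashlib.md5(p).digest() for p in parts)
    return '"' + hashlib.md5(digests).hexdigest() + "-" + str(len(parts)) + '"'


def is_multipart_etag(etag: str) -> bool:
    return "-" in etag.strip('"')


def put_succeeded(status: int, etag: str, body: bytes) -> bool:
    """True only when the service answered 200 AND the ETag equals the hex MD5
    of the body we sent. A multipart ETag cannot be checked this way, so the
    function refuses to report a match rather than guessing."""
    if status != 200:
        return False
    if is_multipart_etag(etag):
        return False
    return etag.strip('"').lower() == hashlib.md5(body).hexdigest()


def multipart_succeeded(status: int, etag: str, parts) -> bool:
    """Counterpart for multipart uploads: recompute the part-based ETag."""
    return status == 200 and etag == multipart_etag(parts)
```

Sending `Content-MD5` makes S3 reject a corrupted body server-side; checking the ETag afterwards catches the case where the client sent the wrong bytes in the first place. Neither replaces TLS, and MD5 here is an integrity check against accidental corruption, not a defence against an active attacker.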
A user needs to put sensitive data in an Amazon S3 bucket that can be accessed through an S3 VPC endpoint only. The user must ensure that resources in the VPC can only access the single S3 bucket. Which combination of actions will meet the requirements? (select TWO.) Configure the bucket policy to only allow access through the S3 Private Endpoint. Modify the VPC endpoint policy on the bucket to only allow the VPC to access it. Modify the VPC peering configuration to only allow access to the S3 private Endpoint. Configure the VPC endpoint policy to only allow the VPC to access the specific S3 bucket. Configure the IAM policy attached to the S3 bucket to only allow access from the specific VPC.
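The two correct actions in the question above are complementary: the bucket policy keeps everyone who is not coming through the endpoint out, and the endpoint policy keeps the VPC from reaching any other bucket (which is what stops data being copied out to an attacker-controlled bucket over the same endpoint). The code below is an added example, not part of the quiz: it builds both policy documents and evaluates a request against them with a deliberately minimal model of the decision. The bucket name and endpoint id are assumptions.

```python
"""Added example: bucket policy + gateway endpoint policy pinning one VPC to one bucket."""
import json

BUCKET = "example-sensitive-bucket"      # assumed bucket name
VPCE_ID = "vpce-0123456789abcdef0"       # assumed gateway endpoint id


def bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy: explicit Deny for every principal unless the request
    arrived through the named endpoint (aws:SourceVpce). Because it is a Deny,
    it also blocks administrators in the console; keep a break-glass path."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessViaEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def endpoint_policy(bucket: str) -> dict:
    """Endpoint policy: only this bucket is reachable through the endpoint.
    A request for any other bucket is rejected at the endpoint itself."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OnlyThisBucket",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::" + bucket, "arn:aws:s3:::" + bucket + "/*"],
        }],
    }


def _covers_bucket(statement: dict, bucket: str) -> bool:
    return "arn:aws:s3:::" + bucket in statement["Resource"]


def request_allowed(target_bucket: str, via_vpce, identity_allows: bool = True) -> bool:
    """Simplified combined decision for a request from inside the VPC.

    1. The endpoint policy must contain an Allow covering the target bucket.
    2. The protected bucket's policy denies when aws:SourceVpce mismatches.
    3. The caller's identity policy must still allow the action.
    Only the protected bucket's policy is modelled; other buckets are reached
    (or not) purely through the endpoint policy in this model.
    """
    ep_ok = any(s["Effect"] == "Allow" and _covers_bucket(s, target_bucket)
                for s in endpoint_policy(BUCKET)["Statement"])
    bp = bucket_policy(BUCKET, VPCE_ID)["Statement"][0]
    denied = (bp["Effect"] == "Deny" and _covers_bucket(bp, target_bucket)
              and via_vpce != bp["Condition"]["StringNotEquals"]["aws:SourceVpce"])
    return identity_allows and ep_ok and not denied


def policies_as_json() -> str:
    """Render both documents, e.g. for pasting into the console or a template."""
    return json.dumps({"bucket_policy": bucket_policy(BUCKET, VPCE_ID),
                       "endpoint_policy": endpoint_policy(BUCKET)}, indent=2)
```

The model is a deliberate simplification of IAM evaluation, but it captures the two failure modes the combination closes: a request that does not traverse the endpoint (`via_vpce=None`) is denied by the bucket policy, and a request through the endpoint for a different bucket is stopped by the endpoint policy.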
Which two steps are required to generate a report detailing specific cost allocation tags when creating a Monthly Cost Allocation report (Select two.) Use AWS CloudTrail to export the events for the specified resources. Use an AWS Lambda function to read the resources metadata, and write the specified tags to a DynamoDB table. Activate the "requested" tags by clicking Manage report tags on the Billing Preferences page. Select the checkbox for Cost Allocation Report in the AWS account’s Billing Management Console. Create a new Budget using the Billing Management Console, use the "Include costs related to Tags".
A corporate policy requires all new infrastructure deployments to use scalable and reusable resources to improve resource delivery times. The policy also restricts resource configuration management to the systems operations team. The development team requests the ability to deploy resources on demand in an effort to streamline their software development lifecycle. What can the systems operations team do to ensure company policy is followed while also meeting the development team's requests? Create an AWS CloudFormation template with the requested resources, and give it to the development team to adjust as needed. Provision the resources using the CLI, and create the necessary IAM permissions to allow the development team to modify them as needed. Create the AWS Service Catalog product and share with the development team through the Service Catalog. Grant the development team access to the AWS CloudFormation Design Template Editor to specify the needed resources and configurations. Once the templates are complete, the system operations team will launch the resources.
An application hosted on AWS is going through an external compliance assessment. An Administrator has been tasked with providing proof of physical security at the facilities that are hosting the application. What should the Administrator do? Work with AWS support to schedule a tour for the auditors. Send a copy of the AWS Security whitepaper to the auditors. Obtain a relevant report from AWS Artifact and share it with the auditors. Find the address for the AWS Direct Connect facility on the AWS Website.
Which of the following are the customer's responsibilities, according to the AWS Shared Responsibility Security Model? (Choose two.) Operating system, network, and firewall configuration Client-side data encryption and data integrity authentication AWS data center access logs Hypervisor updates and configuration Physical media destruction.
___________ is a task coordination and state management service for cloud applications. Amazon SWF Amazon FPS Amazon SES Amazon SNS.
_________ is a fast, reliable, scalable, fully managed message queuing service. AWS Data Pipeline Amazon SES Amazon SQS Amazon SNS.
What does Amazon VPC stand for? Amazon Virtual Private Cloud Amazon Variable Power Cluster Amazon Virtual Private Computer Amazon Virtual Public Cloud.
Which of the following does Amazon S3 provide? A virtual server in the cloud A highly-scalable cloud storage A highly encrypted virtual disk in the cloud A transient storage in the cloud.
The billing process for Amazon EC2 instances was updated as of October 2, 2017. Which of the following statements is true regarding how you pay for Amazon EC2 instances? (Choose two.) Payment does not vary based on the instance AMI's operating system. You can pay per hour or per second, depending on the instance AMI's operating system. You pay for compute capacity by the day; hours are billed in proportion. You can pay per hour or per second, depending on the instance type.
What does Amazon RDS perform? It tests the functionalities in websites. It blocks users from creating DB instances. It manages the work involved in setting up a relational database. It provides sensory feedback.
What was the recommended use case for S3 Reduced Redundancy storage before its deprecation was planned? It was used to reduce storage costs by providing 500 times the durability of a typical disk drive at lower levels of redundancy. It was used to reduce storage costs for noncritical data at lower levels of redundancy. It was used to reduce storage costs by allowing you to destroy any copy of your files outside a specific jurisdiction. It was used to reduce storage costs for reproducible data at high levels of redundancy in a single facility.
Amazon EBS provides the ability to create backups of any Amazon EC2 volume into what is known as _____. snapshots mirrors instance backups images.
What is a security group in Amazon AWS? A UNIX Group that gives permission to edit security settings An authorized group of instances that control access to other resources A virtual firewall that controls the traffic for one or more instances An Access Control List (ACL) for AWS resources.
What does Amazon EBS stand for? Elastic Business Server Elastic Basic Storage Elastic Blade Server Elastic Block Store.
In Amazon S3, what is the document that defines who can access a particular bucket or object called? Access Control Record Access Control Service Access Control List Access Control Server.
What does Amazon EMR stand for? Elastic Magnetic Resonance Encrypted Machine Reads Elastic MapReduce Encrypted Machine Rendering.
What cloud service does Amazon S3 offer? Atomic updates across keys over the Internet Messaging over the Internet Storage over the Internet Object locking over the Internet.
What does Amazon S3 stand for? Social Storage Service Simple Storage Service Secure Storage Service Standard Storage Service.
What is Amazon WorkSpaces? Amazon WorkSpaces is a fully managed desktop computing service in the cloud, allowing end-users to access the documents, applications, and resources they need with the device of their choice. Amazon WorkSpaces is a flexible application management solution with automation tools that enable you to model and control your applications and their supporting infrastructure. Amazon WorkSpaces is a fully redundant data storage infrastructure for storing and retrieving any amount of data, at any time, from anywhere on the web. Amazon WorkSpaces is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data.
What does AMI stand for? Amazon Machine Image Advanced Machine Instance Amazon Micro Instance Advanced Machine Image.
Which of the following statements is true of tags and resource identifiers for EC2 instances? You can't select instances by their tags for stoppage, termination, or deletion You don't need to specify the resource identifier while terminating a resource. You don't need to specify the resource identifier while stopping a resource. You can select instances by their tags for stoppage, termination, or deletion.
What does Amazon RDS stand for? Amazon Regional Data Server Amazon Regional Database Service Amazon Relative Data Service Amazon Relational Database Service.
What is a "vault" in Amazon Glacier? A unique ID that maps an AWS Region, plus a specific Amazon S3 bucket A way to group archives together in Amazon Glacier A container for storing S3 buckets A free tier available for 12 months following your AWS sign-up date.
What does Amazon EC2 provide? A platform to run code (Java, PHP, Python), paying on an hourly basis A physical computing environment Virtual Server Hosting Domain Name System (DNS).
Which choice is a storage option supported by Amazon EC2? Amazon SNS store Amazon Instance Store Amazon AppStream store None of these.
AMIs can be ______________. only private unless created by Amazon created only by Amazon created only for Linux instances public or private.
A user is sending custom data metrics to CloudWatch. What is the allowed time stamp granularity for each data point published for the custom metric? 1 nanosecond 1 millisecond 1 minute 1 second.
When rebalancing, Auto Scaling launches new instances before terminating the old ones, so that re-balancing does not compromise the performance or availability of your application. Because Auto Scaling attempts to launch new instances before terminating the old ones, being at or near the specified maximum capacity could impede or completely halt rebalancing activities. What does Auto Scaling do in order to avoid this problem? It can temporarily exceed the specified maximum capacity of a group by a 20 percent margin (or by a 2-instance margin, whichever is greater) during a rebalancing activity. It can add new reserved instances you have defined. It can temporarily exceed the specified maximum capacity of a group by a 10 percent margin (or by a 1-instance margin, whichever is greater) during a rebalancing activity. It can temporarily exceed the specified maximum capacity of a group by a 5 percent margin (or by a 1-instance margin, whichever is greater) during a rebalancing activity.
Which of the scaling options given below is not supported by Auto Scaling? All these options are supported by Auto Scaling Manual scaling Scaling based on CPU utilization Scaling based on time.
Security groups in Amazon VPC ______. control incoming traffic only control both inbound and outbound traffic control neither incoming nor outgoing traffic control outgoing traffic only.
_____ in VPC are stateful where return traffic is automatically allowed, regardless of any rules. Security groups Availability Zones Network ACLs Geo Redundant Servers.
What happens if the instance launched by Auto Scaling becomes unhealthy? Auto Scaling will terminate the instance and launch a new healthy instance. Auto Scaling will terminate the instance but not launch a new instance. The instance cannot become unhealthy. Auto Scaling will notify the user and the user can update the instance.
A user is sending a custom metric to CloudWatch. If the call to the CloudWatch APIs has different dimensions, but the same metric name, how will CloudWatch treat all the requests? It will treat each unique combination of dimensions as a separate metric. It will group all the calls into a single call. It will overwrite the previous dimension data with the new dimension data. It will reject the request as there cannot be a separate dimension for a single metric.
Which of the following activities is NOT performed by the Auto Scaling policy? Changing instance types Scaling up instance counts Maintaining current instance levels Scaling down instance counts.
Which of the following services is used to monitor the Amazon Web Services resources? AWS CloudWatch AWS Cloudfront AWS Monitor AWS EC2.
What is Amazon Import/Export? A properly configured service role and instance profile An international shipping division to help you enhance your sales reach A service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances A software developed by Amazon to migrate the data from/to your datacenter to AWS.
Which of the choices below best describes what Auto Scaling is well suited for? only for applications that experience hourly, daily, or weekly variability in usage. Both for applications that have stable demand patterns and that experience hourly, daily, or weekly variability in usage. Both for applications that use frameworks and SDKs to enhance its customer relationship. only for applications with a stable usage pattern but extremely high workload.
Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services. False, you can only import an existing domain using Amazon Route 53. True, however, it only provides .com domains. FALSE TRUE.
Which of the following statements is true of Elastic Load Balancing? It distributes traffic only to instances across different Availability Zones. It distributes the outgoing traffic across multiple EC2 instances. It distributes incoming traffic across multiple EC2 instances. It distributes traffic only to instances across a single Availability Zone.
How many metrics are supported by CloudWatch for Auto Scaling? 8 metrics and 1 dimension 7 metrics and 5 dimensions 5 metrics and 1 dimension 1 metric and 5 dimensions.
A user is aware that a huge download is occurring on his instance. He has already set the Auto Scaling policy to increase the instance count when the network I/O increases beyond a certain limit. How can the user ensure that this temporary event does not result in scaling? The policy cannot be set on the network I/O There is no way the user can stop scaling as it is already configured The network I/O are not affected during data download He can suspend scaling temporarily.
Which of the following is true of Amazon CloudWatch? Amazon CloudWatch monitors Amazon Web Services (AWS) resources and the applications that run on AWS in real-time. Amazon CloudWatch is a web service that gives businesses an easy and cost effective way to distribute content with low latency and high data transfer speeds. Amazon CloudWatch runs code without provisioning or managing servers. None of these are true.
Which of the following is an incorrect statement about Amazon CloudWatch? You can use CloudWatch to collect and track metrics, which are the variables you want to measure for your resources and applications. You can set CloudWatch alarms to send notifications or automatically make changes to the resources you are monitoring, based on rules that you define. You can control and monitor all Security Groups and their related rules. You gain system-wide visibility into resource utilization, application performance, and operational health.
Security groups in VPC operate at the ______. data transport layer level subnet level instance level gateway level.
Can a user depict CloudWatch metrics such as CPU utilization in % and Network I/O in bytes on a single graph? No, a user cannot graph two separate metrics on the same graph. Yes, a user can graph several metrics over time on a single graph. No, a user cannot plot several metrics on a single graph since the units are different. Yes, a user can graph multiple metrics on the same graph provided they are of the same instance in the same AZ.
Which of the following statements is true about Auto Scaling? You can only delete your Auto Scaling group but not your Auto Scaling setup. If the Auto Scaling infrastructure is being deleted, it is not mandatory to delete the launch configuration. You can only delete your Auto Scaling set up but not your Auto Scaling group. If the Auto Scaling infrastructure is being deleted, it is mandatory to delete the launch configuration.
In a hardware security module (HSM), what is the function of a Transparent Data Encryption (TDE)? To reduce the risk of confidential data theft To decrease latency To store SSL certificates To provide backup.
Which of the following statements is true of IAM? If you are configuring MFA for a user who will use a smartphone to generate an OTP, you must have the smartphone available in order to finish the wizard. If you are configuring MFA for a user who will use a smartphone to generate an OTP, the smartphone is not required in order to finish the wizard. If you are configuring MFA for a user who will use a smartphone to generate an OTP, you can finish the wizard on any device and later use the smartphone for authentication. None of these are correct.
You have been asked to design a layered security solution for protecting your organization's network infrastructure. You research several options and decide to deploy a network-level security control appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology? Intrusion prevention systems Third-party firewall devices installed on Amazon EC2 instances Data loss management gateways Augmented security groups with Network ACL.
You need to determine what encryption operations were taken with which key in AWS KMS to either encrypt or decrypt data in the AWS CodeCommit repository. Which of the following actions will best help you accomplish this? Searching for the AWS CodeCommit repository ID in AWS CloudTrail logs Searching for the encryption key ID in AWS CloudTrail logs Searching for the AWS CodeCommit repository ID in AWS CloudWatch Searching for the encryption key ID in AWS CloudWatch.
The AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple to encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs. Which of the following types of cryptography keys is supported by AWS KMS currently? Private ephemeral key agreement cryptography Symmetric and asymmetric random number generation key cryptography Asymmetric key cryptography and symmetric key cryptography Only symmetric key cryptography.
An IAM user has two conflicting policies as part of two separate groups. One policy allows him to access an S3 bucket, while another policy denies him the access. Can the user access that bucket? Yes, always No Yes, provided he accesses with the group which has S3 access Yes, but just read only access of the bucket.
A user has configured two security groups which allow traffic as given below: 1: SecGrp1: Inbound on port 80 for 0.0.0.0/0 Inbound on port 22 for 0.0.0.0/0 2: SecGrp2: Inbound on port 22 for 10.10.10.1/32 If both the security groups are associated with the same instance, which of the below mentioned statements is true? It is not possible to have more than one security group assigned to a single instance It allows inbound traffic for everyone on both ports 22 and 80 It is not possible to create the security group with conflicting rules. AWS will reject the request It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80.
A user has created an application which will be hosted on EC2. The application makes API calls to DynamoDB to fetch certain data. The application running on this instance is using the SDK for making these calls to DynamoDB. Which of the below mentioned statements is true with respect to the best practice for security in this scenario? The user should create an IAM user with permissions to access DynamoDB and use its credentials within the application for connecting to DynamoDB The user should create an IAM user with DynamoDB and EC2 permissions. Attach the user with the application so that it does not use the root account credentials The user should attach an IAM role to the EC2 instance with necessary permissions for making API calls to DynamoDB. The user should create an IAM role with EC2 permissions to deploy the application.
A user is trying to create a list of IAM users with the AWS console. When the IAM users are created which of the below mentioned credentials will be enabled by default for the user? IAM X.509 certificates Nothing. Everything is disabled by default IAM passwords IAM access key and secret access key.
The IAM entity "AWS Account" is similar to: The Unix concept of root or superuser The Unix concept of a non privilege user The Unix concept of guest user The primary billing entity.
AWS KMS (Key Management Service) uses symmetric key cryptography to perform encryption and decryption. Symmetric key cryptography uses the same algorithm and key to both encrypt and decrypt digital data. The unencrypted data is typically called plaintext whether it is text or not, and the encrypted data is typically called _____. ciphertext symtext encryptext cryptext.
Which of the following Identity and Access Management (IAM) policy keys of AWS Direct Connect is used for date/time conditions? aws:CurrentTime aws:UserAgent aws:SourceIp aws:SecureTransport.
A root AWS account owner has created three IAM users: Bob, John and Michael. Michael is the IAM administrator. Bob and John are not the super users, but users with some pre-defined policies. John does not have access to modify his password. Thus, he asks Bob to change his password. How can Bob change John's password? This statement is false. Only Michael can change the password for John This is possible if Michael can add Bob to a group which has permissions to modify the IAM passwords It is not possible for John to modify his password Provided Bob is the manager of John.
You know that AWS Billing and Cost Management integrates with the AWS Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the AWS Billing and Cost Management console. Which of the following items can you control access to in AWS Billing and Cost Management? You can control access to payment methods only. You can control access to invoices only. You can control access to invoices and detailed information about charges and account activity, budgets, payment methods, and credits. You can control access to detailed information about charges and account activity only.
What does Amazon IAM provide? A mechanism to authorize Internet Access Modularity (IAM) A mechanism to authenticate users when accessing Amazon Web Services A mechanism to integrate on-premises authentication protocols with the Cloud None of the above.
You can configure Amazon CloudFront to deliver access logs per ________ to an Amazon S3 bucket of your choice. Edge location Distribution Geo restriction Request.
AWS IAM permissions can be assigned in two ways: as role-based or as resource-based. as identity-based or as resource-based. as security group-based or as key-based. as user-based or as key-based.
Amazon Relational Database Service integrates with _____, a service that lets your organization create users and groups under your organization's AWS account and assign unique security credentials to each user. Amazon RDS tags AWS IAM AWS Lambda Amazon EMR.
A customer enquires about whether all his data is secure on AWS, and is especially concerned about Elastic Map Reduce (EMR). You need to inform him of some of the security features in place for AWS. Which of the below statements is incorrect regarding EMR or S3? Every packet sent in the AWS network uses Internet Protocol Security (IPsec). Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. Customers may encrypt the input data before they upload it to Amazon S3. Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure.
If an IAM policy has multiple conditions, or if a condition has multiple keys, its boolean outcome will be calculated using a logical ______ operation. NAND OR AND None of these.
You have set up an IAM policy for your users to access Elastic Load Balancers and you know that an IAM policy is a JSON document that consists of one or more statements. Which of the following elements is not a part of the statement in an IAM policy document? Action Resource Effect Key.
Which of the below mentioned options is not a best practice to securely manage the AWS access credentials? Keep rotating your secure access credentials at regular intervals Create individual IAM users Create strong access key and secret access key and attach to the root account Enable MFA for privileged users.
The amount of data a company must back up has been increasing, and storage space is quickly running out. There is no budget to purchase new backup software that is capable of backing up data directly to the cloud. What is the MOST cost-effective way to make storage available to the company's legacy backup system? Launch an Amazon EC2 instance, add large Amazon EBS volumes, and connect using VPN Ship backup tapes to AWS for storage in secure AWS Availability Zones Use AWS Snowball on a weekly basis to transfer data to Amazon Glacier Use AWS Storage Gateway to present a VTL using iSCSI to the legacy application.
A Development team has an application stack consisting of many OS dependencies and language runtime dependencies. When deploying the application to production, the most important factor is how quickly the instance is operational. What deployment methodology should be used to update the running environments to meet the requirement? Use fully baked AMIs ("golden images") created after each successful build, creating a new Auto Scaling group, and blue/green deployments with rollbacks. Use user-data scripts to configure the instance correctly on boot by installing all dependencies when needed. Use an AWS Lambda function to only update the application locally on each instance, then re-attach it to the load balancer when the process completes. Use AWS OpsWorks scripts to execute on reboot of each instance to install all known dependencies, then re-attach the instances to the load balancer.
A Content Processing team has notified a SysOps Administrator that their content is sometimes taking a long time to process, whereas other times it processes quickly. The Content Processing team submits messages to an Amazon Simple Queue Service (Amazon SQS) queue, which details the files that need to be processed. An Amazon EC2 instance polls the queue to determine which file to process next. How could the Administrator maintain a fast but cost-effective processing time? Attach an Auto Scaling policy to the Amazon SQS queue to increase the number of EC2 instances based on the depth of the SQS queue Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on MaxVisibility Timeout Attach an Auto Scaling policy to the SQS queue to scale instances based on the depth of the dead-letter queue Create an Auto Scaling policy to increase the number of EC2 instances polling the queue and a CloudWatch alarm to scale based on ApproximateNumberOfMessagesVisible.
A SysOps Administrator receives reports of an Auto Scaling group failing to scale when the nodes running Amazon Linux in the cluster are constrained by high memory utilization. What should the Administrator do to enable scaling to better adapt to the high memory utilization? Create a custom script that pipes memory utilization to Amazon S3, then scale with an AWS Lambda-powered event Install the Amazon CloudWatch memory monitoring scripts, and create a custom metric based on the scripts' results Increase the minimum size of the cluster to meet memory and application load demands Deploy an Application Load Balancer to more evenly distribute traffic among nodes.
An Amazon EC2 instance is in a private subnet. To SSH to the instance, it is required to use a bastion host that has an IP address of 10.0.0.5. SSH logs on the EC2 instance in the private subnet show that connections are being made over SSH from several other IP addresses. The EC2 instance currently has the following inbound security group rules applied: Protocol: TCP - Port: 22 - Source: 10.0.0.5/32; Protocol: TCP - Port: 22 - Source: sg-xxxxxxxx; Protocol: TCP - Port: 389 - Source: 0.0.0.0/0. What is the MOST likely reason that other IP addresses are able to SSH to the EC2 instance? The rule with 0.0.0.0/0 means SSH is open for any client to connect The rule with /32 is not limiting to a single IP address Any instance belonging to sg-xxxxxxxx is allowed to connect There is an outbound rule allowing SSH traffic.
A company's IT Security team is performing an audit of the AWS environment to determine which servers need to be patched and where additional security controls need to be added. The company is responsible for which of the following? (Choose two.) Patching the OS on Amazon RDS instances Patching the OS on Amazon EC2 instances Enabling server-side encryption with Amazon S3-Managed Keys (SSE-S3) on S3 objects Patching the database engine on RDS instances Patching PHP in an AWS Elastic Beanstalk managed EC2 application.
The InfoSec team has asked the SysOps Administrator to perform some hardening on the company Amazon RDS database instances. Based on this requirement, what actions should be recommended for the start of the security review? (Choose two.) Use Amazon Inspector to present a detailed report of security vulnerabilities across the RDS database fleet Review the security group’s inbound access rules for least privilege Export AWS CloudTrail entries detailing all SSH activity on the RDS instances Use the cat command to enumerate the allowed SSH keys in ~/.ssh on each RDS instance Report on the Parameter Group settings and ensure that encrypted connections are enforced.
A Big Data consulting company wants to separate its customers' workloads for billing and security reasons. The company would like to maintain billing and security controls on these workloads. According to best practices, how can the workloads be separated if no shared resources are needed? Require each customer to create their own account. Contact AWS Support to receive a consolidated bill. Create customer accounts within AWS Organizations specifying consolidated billing features. Create a separate VPC for each customer. Use security groups to isolate traffic. Dedicate an AWS Region to each customer. Ensure that each entry in Amazon Route 53 is unique.
An organization stores files on Amazon S3. Employees download the files, edit them, and save them with the same file name to the same folder on Amazon S3. Occasionally the files are unintentionally modified or deleted. What is the MOST cost-effective way to ensure that these files can be recovered to their correct state? Enable cross-region replication on the Amazon S3 bucket Enable versioning on the Amazon S3 bucket Use Lifecycle Management to move the files to Amazon Glacier Copy the edited files to Amazon Elastic File System.
A web service runs on Amazon EC2 instances behind an Elastic Load Balancing (ELB) load balancer. External clients must whitelist specific public IP addresses in their firewalls to access the service. What load balancer or ELB feature should be used for this application? Network Load Balancer Application Load Balancer Classic Load Balancer Load balancer target groups.
An application is running on Amazon EC2 instances behind a Classic Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. Occasionally multiple incoming requests will receive a 5xx HTTP response when making a request to the Classic Load Balancer. From the Amazon CloudWatch metrics, a SysOps Administrator observes the Elastic Load Balancing (ELB) SpillOverCount metric to be greater than zero during these occasions. These errors can be avoided by triggering scaling actions on which ELB metric? HealthyHostCount BackendConnectionErrors SurgeQueueLength UnHealthyHostCount.
Malicious traffic is reaching company web servers from a single IP address located in another country. The SysOps Administrator is tasked with blocking this IP address. How should the Administrator implement the restriction? Edit the security group for the web servers and add a deny entry for the IP address Edit the network access control list for the web server subnet and add a deny entry for the IP address Edit the VPC route table to route the malicious IP address to a black hole Use Amazon CloudFront’s geo restriction feature to block traffic from the IP address.
A SysOps Administrator must ensure that AWS CloudFormation deployment changes are properly tracked for governance. Which AWS service should be used to accomplish this? AWS Artifact AWS Config Amazon Inspector AWS Trusted Advisor.
With the threat of ransomware viruses encrypting and holding company data hostage, which action should be taken to protect an Amazon S3 bucket? Deny Post, Put, and Delete on the bucket Enable server-side encryption on the bucket Enable Amazon S3 versioning on the bucket Enable snapshots on the bucket.
A SysOps Administrator has an AWS Lambda function that stops all Amazon EC2 instances in a test environment at night and on the weekend. Stopping instances causes some servers to become corrupt due to the nature of the applications running on them. What can the SysOps Administrator use to identify these EC2 instances? AWS Config Amazon EC2 termination protection Resource tagging Amazon CloudWatch.
A company has Amazon EC2 instances that serve web content behind an Elastic Load Balancing (ELB) load balancer. The ELB Amazon CloudWatch metrics from a few hours ago indicate a significant number of 4XX errors. The EC2 instances from the time of these errors have been deleted. At the time of the 4XX errors, how can an Administrator obtain information about who originated these requests? If ELB access logs have been enabled, the information can be retrieved from the S3 bucket Contact AWS Support to obtain application logs from the deleted instances Amazon S3 always keeps a backup of application logs from EC2 instances. Retrieve these logs for analysis Use AWS Trusted Advisor to obtain ELB access logs.
An organization has hired an external firm to audit unauthorized changes on the company's AWS environment. The external auditor needs appropriate access. How can this be accomplished? Create an IAM user and assign them a new policy with GetResources access on AWS Artifact Create an IAM user and add them to the existing "Administrator" IAM group Create an IAM user and assign them a new IAM policy with read access to the AWS CloudTrail logs in Amazon S3 Create an IAM user and assign them a new policy with ListFindings access on Amazon Inspector.
An administrator is responding to an alarm that reports increased application latency. Upon review, the Administrator notices that the Amazon RDS Aurora database frequently runs at 100% CPU utilization. The application is read heavy and does frequent lookups of a product table. What should the Administrator do to reduce the application latency? Move the product table to Amazon Redshift and use an interleaved sort key Add Aurora Replicas and use a Reader Endpoint for product table lookups Move the product table to Amazon CloudFront and set the cache-control headers to public Use Auto Scaling to add extra Aurora nodes and set a trigger based on CPU utilization.
A company is running a new promotion that will result in a massive spike in traffic for a single application. The SysOps Administrator must prepare the application and ensure that the customers have a great experience. The application is heavy on memory and is running behind an AWS Application Load Balancer (ALB). The ALB has been pre-warmed, and the application is in an Auto Scaling group. What built-in metric should be used to control the Auto Scaling group's scaling policy? RejectedConnectionCount RequestCountPerTarget CPUUtilization MemoryUtilization.
An e-commerce company hosts its website on the AWS us-west-1 region. It plans to create a special site for a promotion that should be visible only to shoppers from Canada. What change should the SysOps Administrator make to the company's existing AWS setup to achieve this result? Update the Amazon Route 53 record set to use a latency routing policy for the new site Update the Application Load Balancer with a new host-based routing rule for the new site Update the Amazon Route 53 record set to use a geolocation routing policy for the new site Update the Application Load Balancer with a new path-based routing rule for the new site.
An organization stores sensitive customer information in S3 buckets protected by bucket policies. Recently, there have been reports that unauthorized entities within the company have been trying to access the data on those S3 buckets. The Chief Information Security Officer (CISO) would like to know which buckets are being targeted and determine who is responsible for trying to access that information. Which steps should a SysOps Administrator take to meet the CISO’s requirement? (Choose two.) Enable Amazon S3 Analytics on all affected S3 buckets to obtain a report of which buckets are being accessed without authorization. Enable Amazon S3 Server Access Logging on all affected S3 buckets and have the logs stored in a bucket dedicated for logs. Use Amazon Athena to query S3 Analytics reports for HTTP 403 errors, and determine the IAM user or role making the requests. Use Amazon Athena to query the S3 Server Access Logs for HTTP 403 errors, and determine the IAM user or role making the requests. Use Amazon Athena to query the S3 Server Access Logs for HTTP 503 errors, and determine the IAM user or role making the requests.
A company has deployed a new application running on Amazon EC2 instances. The application team must verify for the Security team that all common vulnerabilities and exposures have been addressed, both now and regularly throughout the application's lifespan. How can the Application team satisfy the Security team's requirement? Perform regular assessments with Amazon Inspector Perform regular assessments with AWS Trusted Advisor Integrate AWS Personal Health Dashboard with Amazon CloudWatch events to get security notifications Grant the Administrator and Security team access to AWS Artifact.
A SysOps Administrator is using AWS CloudFormation to deploy resources but would like to manually address any issues that the template encounters. What should the Administrator add to the template to support the requirement? Enable Termination Protection on the stack Set the OnFailure parameter to "DO_NOTHING" Restrict the IAM permissions for CloudFormation to delete resources Set the DeleteStack API action to "No".
A new application runs on Amazon EC2 instances and accesses data in an Amazon RDS database instance. When fully deployed in production, the application fails. The database can be queried from a console on a bastion host. When looking at the web server logs, the following error is repeated multiple times: *** Error Establishing a Database Connection. Which of the following may be causes of the connectivity problems? (Choose two.) The security group for the database does not have the appropriate egress rule from the database to the web server. The certificate used by the web server is not trusted by the RDS instance. The security group for the database does not have the appropriate ingress rule from the web server to the database. The database is still being created and is not available for connectivity.
A recent audit found that most resources belonging to the Development team were in violation of patch compliance standards. The resources were properly tagged. Which service should be used to quickly remediate the issue and bring the resources back into compliance? AWS Config Amazon Inspector AWS Trusted Advisor AWS Systems Manager.
An Amazon EBS volume attached to an EC2 instance was recently modified. Part of the modification included increasing the storage capacity. The SysOps Administrator notices that the increased storage capacity is not reflected in the file system. Which step should the Administrator complete to use the increased storage capacity? Restart the EC2 instance. Extend the volume’s file system. Detach the EBS volume, resize it, and attach it. Take an EBS snapshot and restore it to the bigger volume.
A SysOps Administrator is creating additional Amazon EC2 instances and receives an InstanceLimitExceeded error. What is the cause of the issue and how can it be resolved? The Administrator has requested too many instances at once and must request fewer instances in batches. The concurrent running instance limit has been reached, and an EC2 limit increase request must be filed with AWS Support. AWS does not currently have enough available capacity and a different instance type must be used. The Administrator must specify the maximum number of instances to be created while provisioning EC2 instances.
A SysOps Administrator is troubleshooting Amazon EC2 connectivity issues to the internet. The EC2 instance is in a private subnet. Below is the route table that is applied to the subnet of the EC2 instance. Destination: 10.2.0.0/16, Target: local, Status: Active, Propagated: No; Destination: 0.0.0.0/0, Target: nat-xxxxxxx, Status: Blackhole, Propagated: No. What has caused the connectivity issue? The NAT gateway no longer exists There is no route to the internet gateway. The routes are no longer propagating. There is no route rule with a destination for the internet.
Malicious traffic is reaching company web servers. A SysOps Administrator is tasked with blocking this traffic. The malicious traffic is distributed over many IP addresses and represents much higher traffic than is typically seen from legitimate users. How should the Administrator protect the web servers? Create a security group for the web servers and add deny rules for malicious sources. Set the network access control list for the web servers’ subnet and add deny entries. Place web servers behind AWS WAF and establish the rate limit to create a blacklist. Use Amazon CloudFront to cache all pages and remove the traffic from the web servers.
A Developer created an AWS Lambda function and has asked the SysOps Administrator to make this function run every 15 minutes. What is the MOST efficient way to accomplish this request? Create an Amazon EC2 instance and schedule a cron to invoke the Lambda function. Create a Repeat Time variable inside the Lambda function to invoke the Lambda function. Create a second Lambda function to monitor and invoke the first Lambda function. Create an Amazon CloudWatch scheduled event to invoke the Lambda function.
An organization is concerned that its Amazon RDS databases are not protected. The solution to address this issue must be low cost, protect against table corruption that could be overlooked for several days, and must offer a 30-day window of protection. How can these requirements be met? Enable Multi-AZ on the RDS instance to maintain the data in a second Availability Zone. Create a read replica of the RDS instance to maintain the data in a second region. Ensure that automated backups are enabled and set the appropriate retention period. Enable versioning in RDS to recover altered table data when needed.
A company’s data retention policy dictates that backups be stored for exactly two years. After that time, the data must be deleted. How can Amazon EBS snapshots be managed to conform to this data retention policy? Use an Amazon S3 lifecycle policy to delete snapshots older than two years. Configure Amazon Inspector to find and delete old EBS snapshots. Schedule an AWS Lambda function using Amazon CloudWatch Events to periodically run a script to delete old snapshots. Configure an Amazon CloudWatch alarm to trigger the launch of an AWS CloudFormation template that will clean the older snapshots.
A SysOps Administrator created an Amazon VPC with an IPv6 CIDR block, which requires access to the internet. However, access from the internet towards the VPC is prohibited. After adding and configuring the required components to the VPC, the Administrator is unable to connect to any of the domains that reside on the internet. What additional route destination rule should the Administrator add to the route tables? Route ::/0 traffic to a NAT gateway Route ::/0 traffic to an internet gateway Route 0.0.0.0/0 traffic to an egress-only internet gateway Route ::/0 traffic to an egress-only internet gateway.
A company must ensure that any objects uploaded to an S3 bucket are encrypted. Which of the following actions will meet this requirement? (Select TWO.) Implement AWS Shield to protect against unencrypted objects stored in S3 buckets. Implement Object access control list (ACL) to deny unencrypted objects from being uploaded to the S3 bucket. Implement Amazon S3 default encryption to make sure that any object being uploaded is encrypted before it is stored. Implement Amazon Inspector to inspect objects uploaded to the S3 bucket to make sure that they are encrypted. Implement S3 bucket policies to deny unencrypted objects from being uploaded to the buckets.
A company’s static website hosted on Amazon S3 was launched recently, and is being used by tens of thousands of users. Subsequently, website users are experiencing 503 service unavailable errors. Why are these errors occurring? The request rate to Amazon S3 is too high. There is an error with the Amazon RDS database. The requests to Amazon S3 do not have the proper permissions. The users are in different geographical regions and Amazon Route 53 is restricting access.
An organization has two AWS accounts: Development and Production. A SysOps Administrator manages access of IAM users to both accounts. Some IAM users in Development should have access to certain resources in Production. How can this be accomplished? Create an IAM role in the Production account with the Development account as a trusted entity and then allow those users from the Development account to assume the Production account IAM role. Create a group of IAM users in the Development account, and add Production account service ARNs as resources in the IAM policy. Establish a federation between the two accounts using the on-premises Microsoft Active Directory, and allow the Development account to access the Production account through this federation. Establish an Amazon Cognito Federated Identity between the two accounts, and allow the Development account to access the Production account through this federation.
A SysOps Administrator is responsible for managing a set of t2.micro Amazon EC2 instances. The Administrator wants to automatically reboot any instance that exceeds 80% CPU utilization. Which of these solutions would meet the requirements? Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a terminate alarm action. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a reboot alarm action. Create an Amazon CloudWatch alarm on the CPUCreditBalance metric and specify a reboot alarm action. Create an Amazon CloudWatch alarm on the CPUUtilization metric and specify a terminate alarm action.
A company’s customers are reporting increased latency while accessing static web content from Amazon S3. A SysOps Administrator observed a very high rate of read operations on a particular S3 bucket. What will minimize latency by reducing load on the S3 bucket? Migrate the S3 bucket to a region that is closer to end users' geographic locations. Use cross-region replication to replicate all of the data to another region. Create an Amazon CloudFront distribution with the S3 bucket as the origin. Use Amazon ElastiCache to cache data being served from Amazon S3.
A company requires that all access from on-premises applications to AWS services go over its AWS Direct Connect connection rather than the public internet. How would a SysOps Administrator implement this requirement? Implement an IAM policy that uses the aws:sourceConnection condition to allow access for the AWS Direct Connect connection ID only Set up a public virtual interface on the AWS Direct Connect connection Configure AWS Shield to protect the AWS Management Console from being accessed by IP addresses other than those within the data center ranges Update all the VPC network ACLs to allow access from the data center IP ranges.
A company creates custom AMI images by launching new Amazon EC2 instances from an AWS CloudFormation template. It installs and configures necessary software through AWS OpsWorks, and takes images of each EC2 instance. The process of installing and configuring software can take between 2 and 3 hours, but at times, the process stalls due to installation errors. The SysOps Administrator must modify the CloudFormation template so that if the process stalls, the entire stack will fail and roll back. Based on these requirements, what should be added to the template? Conditions with a timeout set to 4 hours. CreationPolicy with a timeout set to 4 hours. DependsOn with a timeout set to 4 hours. Metadata with a timeout set to 4 hours.
An organization has been running their website on several m2 Linux instances behind a Classic Load Balancer for more than two years. Traffic and utilization have been constant and predictable. What should the organization do to reduce costs? Purchase Reserved Instances for the specific m2 instances. Change the m2 instances to equivalent m5 types, and purchase Reserved Instances for the specific m5 instances. Change the Classic Load Balancer to an Application Load Balancer, and purchase Reserved Instances for the specific m2 instances. Purchase Spot Instances for the specific m2 instances.
A company is storing monthly reports on Amazon S3. The company’s security requirement states that traffic from the client VPC to Amazon S3 cannot traverse the internet. What should the SysOps Administrator do to meet this requirement? Use AWS Direct Connect and a public virtual interface to connect to Amazon S3. Use a managed NAT gateway to connect to Amazon S3. Deploy a VPC endpoint to connect to Amazon S3. Deploy an internet gateway to connect to Amazon S3.
An application resides on multiple EC2 instances in public subnets in two Availability Zones. To improve security, the Information Security team has deployed an Application Load Balancer (ALB) in separate subnets and pointed the DNS at the ALB instead of the EC2 instances. After the change, traffic is not reaching the instances, and an error is being returned from the ALB. What steps must a SysOps Administrator take to resolve this issue and improve the security of the application? (Select TWO.) Add the EC2 instances to the ALB target group, configure the health check, and ensure that the instances report healthy. Add the EC2 instances to an Auto Scaling group, configure the health check to ensure that the instances report healthy, and remove the public IPs from the instances. Create a new subnet in which EC2 instances and ALB will reside to ensure that they can communicate, and remove the public IPs from the instances. Change the security group for the EC2 instances to allow access from only the ALB security group, and remove the public IPs from the instances. Change the security group to allow access from 0.0.0.0/0, which permits access from the ALB.
A SysOps Administrator runs a web application that is using a microservices approach, whereby the different responsibilities of the application have been divided into separate microservices, each running on a different Amazon EC2 instance. The Administrator has been tasked with reconfiguring the infrastructure to support this approach. How can the Administrator accomplish this with the LEAST administrative overhead? Use Amazon CloudFront to log the URL and forward the request. Use Amazon CloudFront to rewrite the header based on the microservice and forward the request. Use an Application Load Balancer (ALB) and do path-based routing. Use a Network Load Balancer (NLB) and do path-based routing.
A company is running a popular social media site on EC2 instances. The application stores data in an Amazon RDS for MySQL DB instance and has implemented read caching by using an ElastiCache for Redis (cluster mode enabled) cluster to improve read times. A social event is happening over the weekend, and the SysOps Administrator expects website traffic to triple. What can a SysOps Administrator do to ensure improved read times for users during the social event? Use Amazon RDS Multi-AZ. Add shards to the existing Redis cluster. Offload static data to Amazon S3. Launch a second Multi-AZ Redis cluster.
An Auto Scaling group scales up and down based on Average CPU Utilization. The alarm is set to trigger a scaling event when the Average CPU Utilization exceeds 80% for 5 minutes. Currently, the Average CPU has been 95% for over two hours and new instances are not being added. What could be the issue? A scheduled scaling action has not been defined. In the field Suspend Process, ReplaceUnhealthy has been selected. The maximum size of the Auto Scaling group is below or at the current group size. The Health Check Grace Period is set to less than 300 seconds.
An application running on Amazon EC2 instances needs to write files to an Amazon S3 bucket. What is the MOST secure way to grant the application access to the S3 bucket? Create an IAM user with the necessary privileges. Generate an access key and embed the key in the code running on the EC2 instances. Install secure FTP (SFTP) software on the EC2 instances. Use an AWS Lambda function to copy the files from the EC2 instances to Amazon S3 using SFTP. Create an IAM role with the necessary privileges. Associate the role with the EC2 instances at launch. Use rsync and cron to set up the transfer of files from the EC2 instances to the S3 bucket. Enable AWS Shield to protect the data.
A company has created a separate AWS account for all development work to protect the production environment. In this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers are blocked from accessing some services. What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies? Create a service control policy in AWS Organizations and apply it to the development account. Create a customer managed policy in IAM and apply it to all users within the development account. Create a job function policy in IAM and apply it to all users within the development account. Create an IAM policy and apply it in API Gateway to restrict the development account.
While setting up an AWS managed VPN connection, a SysOps Administrator creates a customer gateway resource in AWS. The customer gateway device resides in a data center with a NAT gateway in front of it. What address should be used to create the customer gateway resource? The private IP address of the customer gateway device The MAC address of the NAT device in front of the customer gateway device The public IP address of the customer gateway device The public IP address of the NAT device in front of the customer gateway device.
A SysOps Administrator attempting to delete an Amazon S3 bucket ran the following command: aws s3 rb s3://mybucket The command failed and the bucket still exists. The Administrator validated that no files existed in the bucket by running aws s3 ls s3://mybucket and getting an empty response. Why is the Administrator unable to delete the bucket, and what must be done to accomplish this task? The bucket has MFA Delete enabled, and the Administrator must turn it off The bucket has versioning enabled, and the Administrator must permanently delete the objects' delete markers. The bucket is storing files in Amazon Glacier, and the Administrator must wait 3-5 hours for the files to delete. The bucket has server-side encryption enabled, and the Administrator must run the aws s3 rb s3://mybucket --sse command.
A company has 50 AWS accounts and wants to create an identical Amazon VPC in each account. Any changes the company makes to the VPCs in the future must be implemented on every VPC. What is the SIMPLEST method to deploy and update the VPCs in each account? Create an AWS CloudFormation template that defines the VPC. Log in to the AWS Management Console under each account and create a stack from the template. Create a shell script that configures the VPC using the AWS CLI. Provide a list of accounts to the script from a text file, then create the VPC in every account in the list. Create an AWS Lambda function that configures the VPC. Store the account information in Amazon DynamoDB, grant Lambda access to the DynamoDB table, then create the VPC in every account in the list. Create an AWS CloudFormation template that defines the VPC. Create an AWS CloudFormation StackSet based on the template, then deploy the template to all accounts using the stack set.
After a network change, application servers cannot connect to the corresponding Amazon RDS MySQL database. What should the SysOps Administrator analyze? VPC Flow Logs Elastic Load Balancing logs Amazon CloudFront logs Amazon RDS MySQL error logs.
A SysOps Administrator is receiving multiple reports from customers that they are unable to connect to the company’s website, which is being served through Amazon CloudFront. Customers are receiving HTTP response codes for both 4XX and 5XX errors. Which metric can the Administrator use to monitor the elevated error rates in CloudFront? TotalErrorRate RejectedConnectionCount NetworkTransmitThroughput HealthyHostCount.
A database is running on an Amazon RDS Multi-AZ DB instance. A recent security audit found the database to be out of compliance because it was not encrypted. Which approach will resolve the encryption requirement? Log in to the RDS console and select the encryption box to encrypt the database. Create a new encrypted Amazon EBS volume and attach it to the instance. Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance. Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
A company’s use of AWS Cloud services is quickly growing, so a SysOps Administrator has been asked to generate details of daily spending to share with management. Which method should the Administrator choose to produce this data? Share the monthly AWS bill with management. Use AWS CloudTrail Logs to access daily costs in JSON format. Set up a daily Cost and Usage Report and download the output from Amazon S3. Monitor AWS costs with Amazon CloudWatch and create billing alerts and notifications.
A company’s Security team wants to track data encryption events across all company AWS accounts. The team wants to capture all AWS KMS events related to deleting or rotating customer master keys (CMKs) from all production AWS accounts. The KMS events will be sent to the Security team’s AWS account for monitoring. How can this be accomplished? Create an AWS Lambda function that will run every few minutes in each production account, parse the KMS log for KMS events, and send the information to an Amazon SQS queue managed by the Security team. Create an event bus in the Security team’s account, create a new Amazon CloudWatch Events rule that matches the KMS events in each production account, and then add the Security team’s event bus as the target. Set up AWS CloudTrail for KMS events in every production account, and have the logs sent to an Amazon S3 bucket that is managed by the Security team. Create an AWS Config rule that checks for KMS keys that are in a pending deletion or rotated state in every production account, then send Amazon SNS notifications of any non-compliant KMS resources to the Security team.
A SysOps Administrator is writing a utility that publishes resources from an AWS Lambda function in AWS account A to an Amazon S3 bucket in AWS Account B. The Lambda function is able to successfully write new objects to the S3 bucket, but IAM users in Account B are unable to delete objects written to the bucket by Account A. Which step will fix this issue? Add s3:DeleteObject permission to the IAM execution role of the AWS Lambda function in Account A. Change the bucket policy of the S3 bucket in Account B to allow s3:DeleteObject permission for Account A. Disable server-side encryption for objects written to the S3 bucket by the Lambda function. Call the s3:PutObjectAcl API operation from the Lambda function in Account A to specify bucket-owner-full-control.
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85ba41fc, and it is actively used by 10 Amazon EC2 hosts. The organization has become concerned that the file system is not encrypted. How can this be resolved? Enable encryption on each EFS connection to the Amazon EFS volume. Each connection must be recreated for encryption to take effect. Enable encryption on the existing EFS volume by using the AWS Command Line Interface. Enable encryption on each host's local drive. Restart each host to encrypt the drive. Enable encryption on a newly created volume and copy all data from the original volume. Reconnect each host to the new volume.
An organization finds that a high number of gp2 Amazon EBS volumes are running out of space. Which solution will provide the LEAST disruption with MINIMAL effort? Create a snapshot and restore it to a larger gp2 volume. Create a RAID 0 with another new gp2 volume to increase capacity. Leverage the Elastic Volumes feature of EBS to increase gp2 volume size. Write a script to migrate data to a larger gp2 volume.
An existing data management application is running on a single Amazon EC2 instance and needs to be moved to a new AWS Region in another AWS account. How can a SysOps Administrator achieve this while maintaining the security of the application? Create an encrypted Amazon Machine Image (AMI) of the instance and make it public to allow the other account to search and launch an instance from it. Create an AMI of the instance, add permissions for the AMI to the other AWS account, and start a new instance in the new region by using that AMI. Create an AMI of the instance, copy the AMI to the new region, add permissions for the AMI to the other AWS account, and start a new instance. Create an encrypted snapshot of the instance and make it public. Provide only permissions to decrypt to the other AWS.
The Security team has decided that there will be no public internet access to HTTP (TCP port 80) because it is moving to HTTPS for all incoming web traffic. The team has asked a SysOps Administrator to provide a report on any security groups that are not compliant. What should the SysOps Administrator do to provide near real-time compliance reporting? Enable AWS Trusted Advisor and show the Security team that the Security Groups unrestricted access check will alarm. Schedule an AWS Lambda function to run hourly to scan and evaluate all security groups, and send a report to the Security team. Use AWS Config to enable the restricted-common-ports rule, and add port 80 to the parameters. Use Amazon Inspector to evaluate the security groups during scans, and send the completed reports to the Security team.
A SysOps Administrator has been tasked with deploying a company’s infrastructure as code. The Administrator wants to write a single template that can be reused for multiple environments in a safe, repeatable manner. What is the recommended way to use AWS CloudFormation to meet this requirement? Use parameters to provision the resources. Use nested stacks to provision the resources. Use Amazon EC2 user data to provision the resources. Use stack policies to provision the resources.
An application accesses data through a file system interface. The application runs on Amazon EC2 instances in multiple Availability Zones, all of which must share the same data. While the amount of data is currently small, the company anticipates that it will grow to tens of terabytes over the lifetime of the application. What is the MOST scalable storage solution to fulfill the requirement? Connect a large Amazon EBS volume to multiple instances and schedule snapshots. Deploy Amazon EFS in the VPC and create mount targets in multiple subnets. Launch an EC2 instance and share data using SMB/CIFS or NFS. Deploy an AWS Storage Gateway cached volume on Amazon EC2.
A company's application stores documents within an Amazon S3 bucket. The application is running on Amazon EC2 in a VPC. A recent change in security requirements states that traffic between the company's application and the S3 bucket must never leave the Amazon network. What AWS feature can provide this functionality? Security groups NAT gateways Virtual private gateway Gateway VPC endpoints.
A SysOps Administrator is running an auto-scaled application behind a Classic Load Balancer. Scaling out is triggered when the CPUUtilization instance metric is more than 75% across the Auto Scaling group. The Administrator noticed aggressive scaling out and, after discussing with developers, an application memory leak is suspected of causing aggressive garbage collection cycles. How can the Administrator troubleshoot the application without triggering the scaling process? Suspend the scaling process before troubleshooting. Delete the Auto Scaling group and recreate it when troubleshooting is complete. Remove impacted instances from the Classic Load Balancer. Create a scale down trigger when the CPUUtilization instance metric is at 70%.
An organization has decided to consolidate storage and move all of its backups and archives to Amazon S3. With all of the data gathered into a hierarchy under a single directory, the organization determines there is 70 TB of data that needs to be uploaded. The organization currently has a 150-Mbps connection with 10 people working at the location. Which service would be the MOST efficient way to transfer this data to Amazon S3? AWS Snowball AWS Direct Connect AWS Storage Gateway Amazon S3 Transfer Acceleration.
A SysOps Administrator is deploying a legacy web application on AWS. The application has four Amazon EC2 instances behind a Classic Load Balancer and stores data in an Amazon RDS instance. The legacy application has known vulnerabilities to SQL injection attacks, but the application code is no longer available to update. What cost-effective configuration change should the Administrator make to mitigate the risk of SQL injection attacks? Configure Amazon GuardDuty to monitor the application for SQL injection threats. Configure AWS WAF with a Classic Load Balancer for protection against SQL injection attacks. Replace the Classic Load Balancer with an Application Load Balancer and configure AWS WAF on the Application Load Balancer. Configure an Amazon CloudFront distribution with the Classic Load Balancer as the origin and subscribe to AWS Shield Standard.
According to the shared responsibility model, for which of the following Amazon EC2 activities is AWS responsible? (Choose two.) Patching the guest operating system Monitoring memory utilization Configuring network ACLs Patching the hypervisor Maintaining network infrastructure.
A company monitors its account activity using AWS CloudTrail, and is concerned that some log files are being tampered with after the logs have been delivered to the account's Amazon S3 bucket. Moving forward, how can the SysOps Administrator confirm that the log files have not been modified after being delivered to the S3 bucket? Stream the CloudTrail logs to Amazon CloudWatch to store logs at a secondary location. Enable log file integrity validation and use digest files to verify the hash value of the log file. Replicate the S3 log bucket across regions, and encrypt log files with S3 managed keys. Enable S3 server access logging to track requests made to the log bucket for security audits.
A SysOps Administrator noticed that the cache hit ratio for an Amazon CloudFront distribution is less than 10%. Which collection of configuration changes will increase the cache hit ratio for the distribution? (Select two.) Ensure that only required cookies, query strings, and headers are forwarded in the Cache Behavior Settings Change the Viewer Protocol Policy to use HTTPS only Configure the distribution to use presigned cookies and URLs to restrict access to the distribution Enable automatic compression of objects in the Cache Behavior Settings Increase the CloudFront time to live (TTL) settings in the Cache Behavior.
On a weekly basis, the Administrator for a photo sharing website receives an archive of all files users have uploaded the previous week. These file archives can be as large as 10 TB in size. For legal reasons, these archives must be saved with no possibility of someone deleting or modifying them. Occasionally, there may be a need to view the contents, but it is expected that retrieving them can take three or more hours. What should the Administrator do with the weekly archive? Upload the file to Amazon S3 through the AWS Management Console and apply a lifecycle policy to change the storage class to Amazon Glacier. Upload the archive to Amazon Glacier with the AWS CLI and enable Vault Lock. Create a Linux EC2 instance with an encrypted Amazon EBS volume and copy each weekly archive file to this instance. Create a file gateway attached to a file share on an S3 bucket with the storage class S3 Infrequent Access. Upload the archives via the gateway.
A SysOps Administrator is managing a Memcached cluster in Amazon ElastiCache. The cluster has been heavily used recently, and the Administrator wants to use a larger instance type with more memory. What should the Administrator use to make this change? Use the ModifyCacheCluster API and specify a new CacheNodeType Use the CreateCacheCluster API and specify a new CacheNodeType Use the ModifyCacheParameterGroup API and specify a new CacheNodeType Use the RebootCacheCluster API and specify a new CacheNodeType.
A company with dozens of AWS accounts wants to ensure that governance rules are being applied across all accounts. The CIO has recommended that AWS Config rules be deployed using an AWS CloudFormation template. How should these requirements be met? Create a CloudFormation stack set, then select the CloudFormation template and use it to configure the AWS accounts Write a script that iterates over the company's AWS accounts and executes the CloudFormation template in each account Use AWS Organizations to execute the CloudFormation template in all accounts Create a CloudFormation stack in the master account of AWS Organizations and execute the CloudFormation template to create AWS Config rules in all accounts.
A company's Information Security team has requested information on AWS environment compliance for Payment Card Industry (PCI) workloads. They have requested assistance in understanding which specific areas of the PCI standards are the responsibility of the company. Which AWS tool will provide the necessary information? AWS Macie AWS Artifact AWS OpsWorks AWS Organizations.
A company has deployed a fleet of Amazon EC2 web servers for the upcoming release of a new product. The SysOps Administrator needs to test the Amazon CloudWatch notification settings for this deployment to ensure that a notification is sent using Amazon SNS if the CPU utilization of an EC2 instance exceeds 70%. How should the Administrator accomplish this? Use the set-alarm-state command in AWS CloudTrail to invoke the Amazon SNS notification Use CloudWatch custom metrics to set the alarm state in AWS CloudTrail and enable Amazon SNS notifications Use EC2 instance metadata to manually set the CPU utilization to 75% and invoke the alarm state Use the set-alarm-state command in the AWS CLI for CloudWatch.
A SysOps Administrator is required to monitor free space on Amazon EBS volumes attached to Microsoft Windows-based Amazon EC2 instances within a company's account. The Administrator must be alerted to potential issues. What should the Administrator do to receive email alerts before low storage space affects EC2 instance performance? Use built-in Amazon CloudWatch metrics, and configure CloudWatch alarms and an Amazon SNS topic for email notifications Use AWS CloudTrail logs and configure the trail to send notifications to an Amazon SNS topic Use the Amazon CloudWatch agent to send disk space metrics, then set up CloudWatch alarms using an Amazon SNS topic Use AWS Trusted Advisor and enable email notification alerts for EC2 disk space.
A SysOps Administrator wants to prevent Developers from accidentally terminating Amazon EC2 instances. How can this be accomplished? Use AWS Systems Manager to restrict EC2 termination Use AWS Config to restrict EC2 termination Apply Amazon CloudWatch Events to prevent EC2 termination Enable termination protection on EC2 instances.
A SysOps Administrator launched an Amazon EC2 instance and received a message that the service limit was exceeded for that instance type. What action should the Administrator take to ensure that EC2 instances can be launched? Use Amazon Inspector to trigger an alert when the limits are exceeded Use the AWS CLI to bypass the limits placed on the account Sign in to the AWS Management Console and adjust the limit values to launch new resources Open a case with AWS Support requesting an increase of the EC2 instance limit.
A web application runs on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The instances run in an Auto Scaling group across multiple Availability Zones. A SysOps Administrator has noticed that some EC2 instances show up as healthy in the Auto Scaling console but show up as unhealthy in the ALB target group console. What could be the issue? The health check grace period for the Auto Scaling group is set too low; increase it The target group health check is incorrectly configured and needs to be adjusted The user data or AMI used for the Auto Scaling group launch configuration is incorrect The Auto Scaling group health check type is based on EC2 instance health instead of Elastic Load Balancing health checks.
A company is running critical applications on Amazon EC2 instances. The company needs to ensure its resources are automatically recovered if they become impaired due to an underlying hardware failure. Which service can be used to monitor and recover the EC2 instances? Amazon EC2 Systems Manager Amazon Inspector AWS CloudFormation Amazon CloudWatch.
A user has launched 5 instances in EC2-Classic and attached 5 Elastic IPs to the five different instances in the US East region. The user is creating a VPC in the same region. The user wants to assign an Elastic IP to the VPC instance. How can the user achieve this? The user has to request AWS to increase the number of Elastic IPs associated with the account AWS allows 10 EC2-Classic Elastic IPs per region, so it will allow the user to allocate new Elastic IPs in the same region AWS will not allow the user to create a new Elastic IP in VPC; it will throw an error The user can allocate a new IP address in VPC as it has a different limit than EC2-Classic.