The AWS Cost Management tools give users the ability to do which of the following? (Select TWO.)
Break down AWS costs by day, service, and linked AWS account & Create budgets and receive notifications if current or forecasted
Which AWS service or feature helps restrict the AWS service, resources, and individual API actions the users and roles in each member account can access?
AWS Organizations
Under the shared responsibility model, which of the following tasks are the responsibility of the AWS customer? (Select TWO.)
Ensuring that application data is encrypted at rest & Ensuring that users have received security training in the use of AWS services
As a customer on AWS you take responsibility for encrypting data. This includes encrypting data at rest and data in transit. It’s also a customer’s responsibility to properly train their staff in security best practices and procedures for the AWS services they use.
Under the AWS shared responsibility model, which of the following are customer responsibilities? (Select TWO.)
Setting up server-side encryption on an Amazon S3 bucket & Network and firewall configurations
As a customer on AWS you take responsibility for encrypting data. This includes encrypting data at rest and data in transit. Another security responsibility the customer owns is setting network and firewall configurations. For instance, you must configure Network ACLs and Security Groups, and any operating system-level firewalls on your EC2 instances.
A web application running on AWS has been receiving malicious requests from the same set of IP addresses. Which AWS service can help secure the application and block the malicious traffic?
AWS WAF
The AWS Web Application Firewall (WAF) is used to protect web applications or APIs against common web exploits. Rules can be created that block traffic based on source IP address.
Which AWS service provides the ability to detect inadvertent data leaks of personally identifiable information (PII) and user credential data?
Amazon Macie
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in Amazon S3.
According to the AWS Well-Architected Framework, what change management steps should be taken to achieve reliability in the AWS Cloud? (Select TWO.)
Use AWS Config to generate an inventory of AWS resources & Use AWS CloudTrail to record AWS API calls into an auditable log file
AWS Config can be used to track the configuration state of your resources and how the state has changed over time. With CloudTrail you can audit who made what API calls on what resources at what time. This can help with identifying changes that cause reliability issues.
Which of the following acts as a virtual firewall at the Amazon EC2 instance level to control traffic for one or more instances?
Security Groups
A security group is an instance-level firewall that can be used to control the traffic that reaches (ingress/inbound) and is sent out from (egress/outbound) your EC2 instances. Rules are created for inbound or outbound traffic.
Which AWS Cloud design principles can help increase reliability? (Select TWO.)
Testing recovery procedures & Automatically recovering from failure
Which pricing model will interrupt a running Amazon EC2 instance if capacity becomes temporarily unavailable?
Spot Instances
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. When AWS need to reclaim the capacity, you get a 2-minute warning and then your instances are terminated.
Which of the following statements about AWS’s pay-as-you-go pricing model is correct?
It results in reduced capital expenditures
The pay-as-you-go pricing model means you only pay for the services and consumption you actually use. You are charged for compute, storage and outbound data transfer. This model reduces capital expenditure as you pay a monthly bill (operational expenditure).
Which AWS service can serve a static website?
Amazon S3
A startup eCommerce company needs to quickly deliver new website features in an iterative manner, minimizing the time to market. Which AWS Cloud feature allows this?
Agility
What is the most efficient way to establish network connectivity from on-premises to multiple VPCs in different AWS Regions?
AWS Transit Gateway
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway.
A company is using the AWS CLI and programmatic access of AWS resources from its on-premises network. What is a mandatory requirement in this scenario?
Using an AWS access key and a secret key
Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a username and password, you must use both the access key ID and secret access key together to authenticate your requests.
Which AWS service is suitable for an event-driven workload?
AWS Lambda
AWS Lambda is an event-driven service. For example, you can configure an Amazon S3 bucket with event notifications that trigger an AWS Lambda function when data is uploaded to the bucket.
Based on the shared responsibility model, which of the following security and compliance tasks is AWS responsible for?
Updating Amazon EC2 host firmware
AWS are responsible for updating Amazon EC2 host firmware. This is considered “security of the cloud”. All other tasks are the responsibility of the customer.
Which AWS service can be used to run Docker containers?
AWS Fargate
AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).
Which type of Elastic Load Balancer operates at the TCP connection level?
Network Load Balancer (NLB)
A Network Load Balancer functions at the fourth layer of the Open Systems Interconnection (OSI) model. NLBs direct connections based on information at the TCP connection level.
Which AWS technology can be referred to as a “virtual hard disk in the cloud”?
Amazon EBS Volume
An Amazon Elastic Block Store (EBS) volume is often described as a “virtual hard disk in the cloud”. EBS volumes are block-level storage volumes that are attached to EC2 instances much as you would attach a virtual hard disk to a virtual machine in a virtual infrastructure.
In which ways does AWS’ pricing model benefit organizations?
Reduce the cost of maintaining idle resources
Using AWS you can provision only what you need and adjust resources automatically and elastically. This reduces the amount of resources that are sitting idle which reduces cost.
Which service allows you to monitor and troubleshoot systems using system and application log files generated by those systems?
CloudWatch Logs
Amazon CloudWatch Logs lets you monitor and troubleshoot your systems and applications using your existing system, application and custom log files. CloudWatch Logs can be used for real-time application and system monitoring as well as long-term log retention.
According to the AWS Shared Responsibility Model, which of the following is a shared control?
Awareness and training
Shared Controls are controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include patch management, configuration management, and awareness and training.
Where do Amazon Identity and Access Management (IAM) accounts need to be created for a global organization?
Just create them once, as IAM is a global service
IAM is a global service, so you only need to create your users once and can then use those user accounts anywhere globally. The other options are all incorrect, as you do not create IAM accounts regionally, replicate them regionally, or create them within geographical areas.