1
Q
What are the two required “items” to use AWS Inspector on the host?
A
- Inspector Agent
- Instance must be tagged
2
Q
What are the two types of assessments for inspector?
A
Network Assessment (checks for open ports) Host Assessment
3
Q
What are the two runtime options for Inspector?
A
Run once and run weekly
4
Q
What cannot be done with AWS managed CMKs?
A
Manage the keys yourself,
rotate them manually
change the key policies
use them in your own operations
5
Q
How are AWS manages KMS keys priced?
A
No monthly fee
Free tier
Above that: usage of key
6
Q
How often is a Customer managed CMK / AWS managed CMK automatically rotated?
A
Customer managed: 1 year (optional)
AWS managed: 3 years
7
Q
What are the benefits of CloudHSM (in comparison to KMS)
A
Complete control of the keys, AWS has no access
Single Tenancy
Higher FIPS 140-2 rating
8
Q
What are Web ACL?
A
Rules made by AWS WAF.
Can Count, Allow or Block if criteria is met
9
Q
A company plans to expand its use of AWS services across its product portfolios. To ensure separation of business processes for billing, security, and compliance, the SysOps Administrator must provide each department with new AWS accounts having governance guardrails and a defined baseline in place. An efficient and scalable provisioning process is required to optimize the workflow and save time.
Which of the following options can satisfy the given requirement?
- Use AWS Batch and AWS Organizations to automatically provision new resources and accounts.
- Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.
- Use AWS Service Catalog and AWS Config to automate account creation and configuration.
- Use AWS OpsWorks for Chef Automate and bootstrapping scripts to handle the configuration management and provisioning tasks.
A
- Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.
AWS Control Tower provides three methods for creating member accounts:
- Through the Account Factory console that is part of AWS Service Catalog.
- Through the Enroll account feature within AWS Control Tower.
- From your AWS Control Tower landing zone’s management account, using Lambda code and appropriate IAM roles.
10
Q
As part of the yearly AWS data cleanup, you need to delete all unused S3 buckets and their contents. The tutorialsdojo bucket, which contains several educational video files, has both the Versioning and MFA Delete features enabled. One of your Systems Engineers who has an Administrator account tried to delete an S3 bucket using the aws s3 rb s3://tutorialsdojo command. However, the operation fails even after repeated attempts.
Which of the following are valid options that you can implement to properly delete the bucket? (Select TWO.)
- Delete all markers from the S3 bucket and then run the aws s3 rb s3://tutorialsdojo command again to fully delete the bucket and its contents.
- Use the <code>aws s3 rb s3://tutorialsdojo</code> command again with an additional <code>--force</code> option to forcibly delete the bucket via the CLI.
- Use the AWS SDK to send deletion requests to S3 to remove all objects in your bucket. Ensure that you include the <code>x-amz-mfa</code> header in all requests which contains the MFA authentication code. Afterwards, retry to delete the bucket with the same CLI command that you used before.
- Remove the policy that requires MFA Delete on your S3 bucket. Use the AWS SDK to remove all of the bucket’s delete markers and object versions. Delete the bucket again using the same CLI command that you used before.
A
- Use the AWS SDK to send deletion requests to S3 to remove all objects in your bucket. Ensure that you include the <code>x-amz-mfa</code> header in all requests which contains the MFA authentication code. Afterwards, retry to delete the bucket with the same CLI command that you used before.
- Remove the policy that requires MFA Delete on your S3 bucket. Use the AWS SDK to remove all of the bucket’s delete markers and object versions. Delete the bucket again using the same CLI command that you used before.
11
Q
A company deployed a fleet of Linux-based EC2 instances to run an e-commerce website. The SysOps Administrator needs to monitor the CPU utilization of individual processes that are running in each server.
Which of the following options fulfills this requirement?
- Install Amazon Inspector agent on EC2 instances.
- Enable detailed monitoring on EC2 instances.
- Use AWS Systems Manager agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
- Use Amazon CloudWatch agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
A
- Use Amazon CloudWatch agent <code>procstat</code> plugin to collect process metrics on EC2 instances.
12
Q
You are tasked to prepare a CloudFormation template which should automatically roll back in the event that the entire stack failed to launch. The application stack requires the pre-requisite packages to be installed first in order for it to run properly, which could take about an hour or so to complete.
What should you add in the template to accomplish this requirement?
- In the ResourceSignal parameter of the CreationPolicyresource attribute, add a Timeout property with a value of 2 hours.
- In the ResourceSignal parameter of the DependsOnresource attribute, add a Timeout property with a value of 2 hours.
- In the ResourceSignal parameter of the UpdatePolicy resource attribute, add a Timeout property with a value of 2 hours.
- In the ResourceSignal parameter of the Conditions resource attribute, add a Timeout property with a value of 2 hours
A
1.In the ResourceSignal parameter of the CreationPolicyresource attribute, add a Timeout property with a value of 2 hours.
13
Q
It is a requirement in your work that you produce regular reports and statistics on your EC2 resource consumption across different regions. In an upcoming meeting, you are asked to present these findings to your CTO and Data Analytics team. Aggregating these statistics would detail a lot of information on your resource consumption with ease.
What is the procedure for viewing aggregation statistics in CloudWatch?
- Create a Lambda function that collects metrics from your EC2 instances, computes your desired statistical output, and sends it to CloudWatch for viewing.
- Use CloudWatch Metric Math to query metrics and apply mathematical operations on these metrics.
- There is no way to view aggregate statistics in CloudWatch. CloudWatch cannot aggregate data across Regions.
- Enable detailed monitoring on your EC2 instances.
A
- Use CloudWatch Metric Math to query metrics and apply mathematical operations on these metrics.
You can also use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions. Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can visualize the resulting time series on the CloudWatch console and add them to dashboards.
14
Q
Why are Disk Read Operations and Disk Write Operations not correct metrics to check whether a EBS backed EC2 instance is slow?
A
the instances are being overloaded.
Disk Read Operations and Disk Write Operations are both incorrect because the Disk Read and Write Operations metrics are only applicable for instance store-backed AMI instances.
15
Q
You work for a government agency as their Cloud Infrastructure Consultant and were given the task of automating the recurring tasks in their finance department such as data synchronizaton, infrastructure selection, and patch management, which will improve their current processes. You need to use a tool that can coordinate multiple AWS services into serverless workflows.
Which of these options is the most cost-effective service that you should use?
1´. AWS Batch
- Lambda
- Amazon SWF
- AWS Step Functions
A
AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.
16
Q
A mobile development company has various AWS resources to support its various mobile products. To keep control of costs, they have requested for you to get the billing alerts for your AWS account once it reaches a certain limit.
Which of the following should you enable before you can receive billing alerts in AWS?
- Enable billing alerts in Account Preferences of the AWS Console.
- Request AWS support to notify you on estimated charges.
3 .Enable billing alerts in CloudWatch Console.
A
- Enable billing alerts in Account Preferences of the AWS Console.
Before you can create an alarm for your estimated charges, you must enable billing alerts on your Accounts Preferences page first, so that you can monitor your estimated AWS charges and create an alarm using billing metric data. After you enable billing alerts, you cannot disable data collection, but you can delete any billing alarms that you created.
17
Q
A popular online graphic design tool startup uses a standard S3 bucket that has versioning enabled to store the user-generated images on its platform. They have millions of users around the globe that store their logos, graphics, infographics, and other designs on their platform. Lately, there are a lot of users complaining that they receive a lot of HTTP 503 responses on the platform.
Which of the following options could be the reason why this issue exists?
- The cross-origin resource sharing (CORS) option is not enabled.
- S3 could not handle simultaneous access to the bucket since the S3 transfer acceleration option is not enabled.
- You might have one or more objects in the bucket for which there are millions of versions.
- The Cross-Region Replication (CRR) option is not enabled, which is required if the S3 bucket is being accessed from multiple regions.
A
- You might have one or more objects in the bucket for which there are millions of versions.
When you have objects with millions of versions, Amazon S3 automatically throttles requests to the bucket to protect the customer from an excessive amount of request traffic, which could potentially impede other requests made to the same bucket.
18
Q
What is the use case of AD Connector?
A
To connect to AWS using a self-managed Active Directory
19
Q
A Company uses LDAP and needs to implement access control in AWS as part of an integration between internal and cloud
A
Need to configure SAM federation of IAM users and groups with the LDAP DB and map LDAP user and groups to IAM roles
20
Q
What route53 queries are charged and which are not
A
CNAME: charged
ALIAS: free
21
Q
What are the key facts to Cost-Explorer?
A
- Free Tool
- Charts about costs
- 13month in the past + 3 month of predictions
- Sectioned by Account, AZ, Service etc.
- discovers patterns to identify cost problems
22
Q
What are the key facts to Cost Allocation Tags?
A
- Must be activated on the Billing and Cost Management console
- used to organize resources to track costs
- Tags can be created in the Tag Editor
23
Q
What are the key facts to Cost and Usage Report?
A
- csv in S3
- Lists all items that generate costs
24
Q
What are the key facts to Cost Allocation Tags?
A
- Must be activated on the Billing and Cost Management console
- used to organize resources to track costs
25
What are the key facts to AWS Budgets
- alerts when costs or usage exceed (or are forecasted to exceed) budgeted amount
26
How to make sure that a S3 bucket cannot be deleted in an AWS Organization?
Deny s3:DeleteBucket in an SCP
27
What is the process to create a custom dashboard in CloudWatch for custom metrics?
- Create Dashboard
- Create metric filters
- Select custom metrics
28
What would happen to the metrics if the EC2 Instances server time is set incorrectly?
CloudWatch will still accept the metrics if it's below 30min
29
What would happen to the metrics if the EC2 Instances server time is set incorrectly?
CloudWatch will still accept the metrics
30
How to determine the source of requests to an SQS queue?
CloudTrail - since they are API calls
31
How to ensure that newly created S3 buckets have logging enabled?
Use AWS Config with the Auto remediate rule S3_BUCKET_LOGGING_ENABLED
32
How to limit the AMIs that can be used?
Add a (custom) Config rule to check the AMIs
33
How to limit the AMIs that can be used?
Add a (custom
34
How to automatically disable access key that are > 90 days
Use Config to identify the keys and Systems Manager Automation to disable the keys.
35
A replica of an existing infrastructure, using AWS Service Catalog, should be made
Share the Service Catalog portfolio and import it to the new account
36
How to monitor costs per user in an account?
Use Cost Explorer, activate the createdBy tag and filter by it
37
How to check for underutilized EC2 instances?
Use Cost Explorer to generate a recommendation report
38
You need to check that security best practices are being followed for the AWS account root user
Use Trusted Advisor security checks
39
What are the protocols a Network Load Balancer works on?
TCP, TLS, UDP
40
Can you put EC2 instances in private subnets and still connect them to an ALB?
Yes, it will target the private IP addresses, but the ALB must be put into a public subnet in the same AZ
41
Can you put EC2 instances in private subnets and still connect them to an ALB?
Yes, it will target the private IP addresses
42
What is the Termination Policy and how is it done per default?
Decides which instance will be terminated (if the target group gets scaled in)
1. From AZ with the most instances
2. From the Spot/on Demand strategy
3. Oldest launch template
4. Oldest launch configuration
5. Closets to the next billing hour
43
What are the three types of scaling?
Target scaling - CPU load should be at 50%
Simple scaling - If CPU > 50% launch new instance
Step Scaling Policy - If CPU >50% launch 1 new instance if CPU>70% launch 2
44
(Auto Scaling)
| What are the Pending:Wait & Terminating:Wait states
Gives time to do some work, like saving log files (with Lamda) or sending a message to SNS
45
What are the SurgeQueueLength & SpilloverCount?
SurgeQueueLength: Number of requests pending
SpilloverCount: Number of requests dropped
46
When a launch configuration is created from the CLI, which monitoring tier is selected per default?
Detailed.
| If done from Console: basic
47
What happens to the EC2 instances if you delete an Auto Scaling Group
They get deleted as well.
48
What could be a reason if there are HTTPCode_ELB_5XX_Count metrics in an ALB?
There are no healthy instances in the target group
49
What are the reasons why there are no new instances launched even though max. capacity is not reached?
- Service Limits
| - RunInstance checks in CloudTrail
50
What are the numbers of AZs and instances to create HA?
At least 3 AZs
| desired. 2, min.2, max. >= 2
51
ALB is expecting a large spike in traffic for a memory heavy application.
How to scale?
Use the RequestCountPerTarget, since you cannot use RAM
52
What is EBS Multi-Attach?
Possibility to connect one EBS drive to up to 16 instances.
| For Nitro system-based EC2 instances and PIOPS drives.
53
What is termination protection?
Option to not delete the root drive
54
(EBS) How does encryption affect performance?
It should not.
| Even though there's an overhead - it is taken care in a separate process
55
Who can be the user of a Customer Managed Key?
User
Role
Another account
56
Can you add/remove users from a Customer Managed Key?
Yes, for example to share an encrypted snapshot with another account
57
(EFS) What are the two performance and and throughput modes?
Performance: General Purpose & Max I/O
Throughput: Bursting (scales with size) & Provisioned (fixed amount)
58
What are the characteristics of File Gateway?
- Mounted with SMB / NFS
- optional local cache
- files are stored in S3
- can make use of S3 storage classes, such as S3 I.A.
59
What is the process of a Tape Gateway?
- Mounted as iSCSI to the Gateway
- When data is written it is stored in S3
- After ejecting the tape the data is then pushed to Glacier (deep archive)
60
What can you do to get notified when an EBS volume runs out of space?
- Install the CloudWatch agent on the EC2 instance
| - Monitor disk size with an CloudWatch Alarm
61
(Cached Gateway)
| What should be done if the CacheHitPercent is < 50% and the CachePercentUsed is >95%?
- Create a larger disk for cache volume
62
Describe the five deployment types in Beanstalk
All at once: Will replace the entire infrastructure at once. Will cause downtime.
Rolling: will replace infrastructure piece by piece. Can cause performance issues. Batch size can be set.
Rolling with additional batch: Rolling plus more instances. No performance issues to be expected.Batch size can be set.
Immutable: Will create a separate stack and switch once its healthy
Green/Blue Deployment: Creates a test environment which gives a portion of traffic to the new environment. Done by Route53.
63
How to use a custom domain with ElasticBeanstalk?
Create an ALIAS record to the environment URL
64
What is needed for Systems Manager to utilize EC2 instances?
- SSM Manager on the instance
- Role to talk to SSM
- (optional) tags
65
What can be done in order to avoid an instance to slow down while using AWS SSM Run Command or Patches
Lower the targets Rate Control -> Concurrency
66
What can replace bastion hosts to connect to a private instance via a shell?
AWS Systems Manager - Session Manager
Connects to Linus/Windows with no open ports for SSH
The Instance needs permissions for SSM, S3 , CloudWatch Logs
67
How to secure parameters from forbidden internal use?
Don't allow access via IAM.
68
An Application running on EC2 needs login credentials for a DB that are stored in SSM Parameter store.
How to retrieve them?
Create an IAM role for the instance and grant permissions to read the parameter
69
There are 100 Linux instances that need to be patched, what can be done to ensure the system will not slow down?
In the maintenance window change the concurrency to 10%
70
You created a custom Linux AMI and want to configure it using SSM, but cannot find it. Where could be the problem?
- Missing permissions in the instance profile
| - SSM Manager is not installed
71
IAM access keys that are stored on EC2 instances should be automatically deleted after 60 days, what can be done?
Create an AWS Config rule to identify the keys and a AWS Systems Manager Automation document to delete them and create new ones
72
You want to create infrastructure across multiple accounts, what should be used and how is it done?
CloudFormation StackSets
| The administrator account creates the Set and sets the target to the account where the infrastructure is created
73
You want to create a CloudFormation Template (which creates an EC2 instance) that can be copied to another region without changing the template.
What function can be used?
Use the FindInMap function to select an AMI suited for the Region
74
You want to create one CloudFormation template for multiple environments, how can this be done?
- Create an environment parameter
| - use "Ref" to reference to the value in mappings
75
You need to pass user data into your EC2 instance launched via CloudFormation, how can you do that?
Using Properties: UserData: FN::Base64:
[... COMMANDS ...]
in the properties of the EC2 Instance
76
You deployed instances from CloudFormation and want to install software after the data is created, how can this be done in reference to AWS sources?
Using the helper script cfn-init in the user data
77
You deployed instances from CloudFormation and want to install software after some other events happend, how can you do that?
Use the helper scrip cfn-signal to call AWS when you're ready to proceed.
This is captured by the CreationPolicy to call the next steps.
78
You deployed instances from CloudFormation and wanted to install software with the cfn-init helper script is created,but it is not working. What could be the issue?
- helper scripts are not included in the AMI
| - commands are not configured correctly and did not run
79
You deployed a stack using CloudFormation and your resources are not needed anymore and should be deleted. But you want to keep the S3 Bucket and its data. What can be done?
Set the DeletionPolicy to Retain for the S3 Bucket
80
You deployed instances from CloudFormation and your resources are not needed anymore and should be deleted. But you want to keep the data on an EBS drive. What can be done?
Set the DeletionPolicy to Snapshot
81
You want to deploy a stack using CloudFormation and you have to make sure that a S3 Bucket is created before the EC2 instance is launched. How can this be done?
Use DependsOn from the EC2 instance on the Bucket
82
You need to update a stack, which will replace EC2 instances but you need to keep a copy of the old instances, how can this be done?
Using the UpdatePolicy
83
Your rollback of a stack is failed (UPDATE_ROLLBACK_FAILED) and you want to troubleshoot, what can be done?
You can reverse the rollback and try again
84
(CloudFormation)
| You need to review changes to a CloudFormation Stack before deploying it
Use change sets
85
(CloudFormation)
Manual changes have been made.
How can you include those in the template?
Use drift detection and use the output in the template and redeploy
86
(CloudFormation)
| You need to update changes to the instances in an AutoScalingGroup, but DNS cannot change
Use the AutoScalingReplacingUpdate ploicy to make sure that the ASG stays the same
87
Your rollback of a stack is failed (UPDATE_ROLLBACK_FAILED), but you fixed the issue - what can be done?
Select "Continue update rollback" in the console
88
(EC2)
| How to change the instance type?
- Shutdown behavior must be "stopped"
- Stop the instance
- Change the type
- Start the instance
89
You have multiple stacks of infrastructure, which are mostly the same but have a few differences.
What is the most effective strategy?
- Use nested stacks
| - Build a standard stack & reference the parts that differ
90
(EC2)
| You have several Spot Instances, it does not matter if they are not running, but you need to keep the data.
Change the "Interruption behavior" to Stop, which will keep the EBS volumes
91
(EC2)
| You have an compute intensive Lambda function, what can you do to make it run faster?
Expand the RAM, because if more RAM is allocated, so is more CPU
92
(EC2)
| What can resolve a failed system status check?
Stop and start again, this will move the instance to a new host
93
(EC2)
| You expect a large increase in demand of you Lambda function, what can be done?
Increase the concurrency limit
94
You configured a deny rule for a malicious IP in a NACL, but the user can still connect. What could be a reason?
Prior to the deny rule, there's a allow rule on the port
95
You peered two VPC inter-regional, there are securitry groups allowing traffic by referencing security group ids.
But it is not possible to send traffic.
You cannot attach security groups in this case, but need to use IPs
96
I am creating an application and would like for it to be running with minimal cost in a development environment with Elastic Beanstalk. I should run it in
Single Instance Mode
High Availability Mode
Single Instance Mode
This will create one EC2 instance and one Elastic IP
97
You've added files in your bucket and then enabled versioning. The files you've already added will have which version?
```
1
0
-1
null
```
null
98
I have an on-premise personal server that I'd like to use to perform AWS API calls
I should run `aws configure` and put my credentials there. Invalidate them when I'm done
I should attach an EC2 IAM Role to my personal server
I should run `aws configure` and put my credentials there. Invalidate them when I'm done
You cannot attach a role to an on premise server
99
You would like to provide your users access to hundreds of private files in your CloudFront distribution, which is fronting an HTTP web server behind an application load balancer. What should you use?
```
CloudFront Signed URL
CloudFront Signed Cookies
CloudFront Origin Access Identity
CloudFront HTTPS encryption
```
CloudFront Signed Cookies
100
You are creating an application that is going to expose an HTTP REST API. There is a need to provide request routing rules at the HTTP level. Due to security requirements, your application can only be exposed through the use of two static IPs. How can you create a solution that validates these requirements?
Use Global Accelerator and an Application Load Balancer
Use a Network Load Balancer and attach Elastic IPs to it
Use an Application Load Balancer and attach Elastic IPs to it
Use CloudFront with Elastic IP and an Application Load Balancer
Global Accelerator will provide us with the two static IP, and the ALB will provide use with the HTTP routing rules
101
You would like messages to be processed by SQS consumers only after 5 minutes of being published to SQS. What should you do?
```
Increase the DelaySeconds parameters
Change the Visibility Timeout
Enable Long Polling
Use the extended SQS client
```
Increase the DelaySeconds parameters
Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes
102
You have a Kinesis stream usually receiving 5MB/s of data and sending out 8 MB/s of data. You have provisioned 6 shards. Some days, your traffic spikes up to 2 times and you get a throughput exception. You should
Enable Kinesis replication
Use SQS as a buffer to Kinesis
Add more shards
Each shard allows for 1MB/s incoming and 2MB/s outgoing of data
103
You have a Lambda function that will process data for 25 minutes before successfully completing. The code is working fine in your machine, but in AWS Lambda it just fails with a "timeout" issue after 3 seconds. What should you do?
Set the timeout to 25 minutes
Set the memory to 3GB
Run your code somewhere else than Lambda - the maximum timeout is 15 minutes
| Run your code somewhere else than Lambda - the maximum timeout is 15 minutes
104
You'd like to have a dynamic DB_URL variable loaded in your Lambda code
Place it in the environment variables
Place it in the code zip file
Place it in the code itself
Place it in the environment variables
Environment variables allow for your Lambda to have dynamic variables from within
105
We have to provision the instance type for our DynamoDB database
true
false
DynamoDB is a serverless service and as such we don't provision an instance type for our database. We just say how much RCU and WCU we require for our table (or auto scaling)
106
A DynamoDB table has been provisioned with 10 RCU and 10 WCU. You would like to increase the RCU to sustain more read traffic. What is true about RCU and WCU?
RCU and WCU are decoupled, so WCU can stay the same
You will also have to increase WCU to match the RCU value
| RCU and WCU are decoupled, so WCU can stay the same
107
You are about to enter the Christmas sale and you know a few items in your website are very popular and will be read often. Last year you had a ProvisionedThroughputExceededException. What should you do this year?
Increase the RCU to a very, very high value
Create a DAX cluster
Migrate the database away from DynamoDB for the time of the sale
A DynamoDB Accelerator (DAX) cluster is a cache that fronts your DynamoDB tables and caches the most frequently read values. They help offload the heavy reads on hot keys off of DynamoDB itself, hence preventing the ProvisionedThroughputExceededException
108
You have hosted a DynamoDB table in ap-northeast-1 and would like to make it available in eu-west-1. What must be enabled first to create a DynamoDB Global Table?
```
DynamoDB Streams
DynamoDB DAX
DynamoDB Versioning
DynamoDB Backups
```
Streams enable DynamoDB to get a changelog and use that changelog to replicate data across regions
109
In server side encryption, only the encryption happens on the server. Where does the decryption happen?
The Server
The Client
The Server
110
A media agency stores its re-creatable artifacts on Amazon S3 buckets. The artifacts are accessed by a large volume of users for the first few days and the frequency of access falls down drastically after a week. Although the artifacts would be accessed occasionally after the first week, but they must continue to be immediately accessible when required. The cost of maintaining all the artifacts on S3 storage is turning out to be very expensive and the agency is looking at reducing costs as much as possible.
As a Solutions Architect, can you suggest a way to lower the storage costs while fulfilling the business requirements
Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 30 day
Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days
Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3 Standard-IA) after 7 days
Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 7 days
Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) after 30 days
111
Researchers at a pharma company are working on developing a vaccine for the COVID-19 pandemic. They have identified multiple candidates as potential vaccines and they need to analyze healthcare data of individuals in the US to identify the first batch of recipients for the initial trials. For faster processing, the data processing application needs to parse through this healthcare data in an in-memory database that is highly available as well as HIPAA compliant.
As a solutions architect, which of the following AWS services would you recommend for this task?
```
ElastiCache for Memcached
DynamoDB
ElastiCache for Redis
DocumentDB
```
ElastiCache for Redis
* Elasticache for Memcached is not HIPAA eligible, so this option is incorrect.
112
A startup has recently moved their monolithic web application to AWS Cloud. The application runs on a single EC2 instance. Currently, the user base is small and the startup does not want to spend effort on elaborate disaster recovery strategies or Auto Scaling Group. The application can afford a maximum downtime of 10 minutes.
In case of a failure, which of these options would you suggest as a cost-effective and automatic recovery procedure for the instance?
Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume
Configure AWS Trusted Advisor to monitor the health check of EC2 instance and provide a remedial action in case an unhealthy flag is detected
Configure Amazon CloudWatch events that can trigger the recovery of the EC2 instance, in case the instance or the application fails
Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance can be configured with EBS volume or with instance store volumes
Configure an Amazon CloudWatch alarm that triggers the recovery of the EC2 instance, in case the instance fails. The instance, however, should only be configured with an EBS volume
* The recover action is supported only on instances that have EBS volumes configured on them, instance store volumes are not supported for automatic recovery by CloudWatch alarms.
113
Which of the following is true regarding cross-zone load balancing as seen in Application Load Balancer versus Network Load Balancer?
By default, cross-zone load balancing is disabled for both Application Load Balancer and Network Load Balancer
By default, cross-zone load balancing is enabled for both Application Load Balancer and Network Load Balancer
By default, cross-zone load balancing is disabled for Application Load Balancer and enabled for Network Load Balancer
By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer
By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer
By default, cross-zone load balancing is enabled for Application Load Balancer and disabled for Network Load Balancer. When cross-zone load balancing is enabled, each load balancer node distributes traffic across the registered targets in all the enabled Availability Zones. When cross-zone load balancing is disabled, each load balancer node distributes traffic only across the registered targets in its Availability Zone.
114
A retail company uses AWS Cloud to manage its IT infrastructure. The company has set up "AWS Organizations" to manage several departments running their AWS accounts and using resources such as EC2 instances and RDS databases. The company wants to provide shared and centrally-managed VPCs to all departments using applications that need a high degree of interconnectivity.
As a solutions architect, which of the following options would you choose to facilitate this use-case?
Use VPC peering to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
Use VPC peering to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations
Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
Use VPC sharing to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations
Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
VPC sharing (part of Resource Access Manager) allows multiple AWS accounts to create their application resources such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, into shared and centrally-managed Amazon Virtual Private Clouds (VPCs). To set this up, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.
115
The engineering team at an e-commerce company is working on cost optimizations for EC2 instances. The team wants to manage the workload using a mix of on-demand and spot instances across multiple instance types. They would like to create an Auto Scaling group with a mix of these instances.
Which of the following options would allow the engineering team to provision the instances for this use-case?
You can use a launch configuration or a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
You can only use a launch configuration to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
You can neither use a launch configuration nor a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
You can only use a launch template to provision capacity across multiple instance types using both On-Demand Instances and Spot Instances to achieve the desired scale, performance, and cost
116
The CTO at an IT company wants to move away from license-based, expensive, and legacy commercial database solutions deployed at the on-premises data center to more efficient, open-source, and cost-effective options on AWS Cloud. At the same time, the CTO is concerned about identifying areas for data-conversion that require special attention during migration since the on-premises databases have multiple active complex configurations such as secondary indexes, foreign keys, and stored procedures.
As a solutions architect, which of the following AWS services would you recommend being used for this solution (Select two)?
AWS Database Migration Service
```
AWS Glue
AWS Schema Conversion Tool
Basic Schema Copy
```
AWS Snowball Edge
AWS Database Migration Service
AWS Schema Conversion Tool
AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora.
First use the AWS Schema Conversion Tool to convert the source schema and code to match that of the target database, and then use the AWS Database Migration Service to migrate data from the source database to the target database
117
Your company is a large enterprise with a small number of applications on AWS with a VPN connection. What is the simplest, low cost, low latency solution for LDAP authentication to access AWS?
Create an LDAP replica on AWS for the applications.
Create a second LDAP domain and build a trust relationship.
Use AWS Direct Connect
Create an LDAP server on AWS for your enterprise
Creating an LDAP replica on AWS is the simplest, low cost, low latency solution.
118
```
If you have attached an ELB to your Auto Scaling group and an instance fails the load balancer health checks, Auto Scaling does not replace the instance by default.
True
False
```
True
By default, an Auto Scaling group determines the health state of each instance by periodically checking the results of the EC2 instance status checks. If an instance fails the EC2 instance status checks, Auto Scaling considers the instance unhealthy and replaces it. However, if you have attached one or more load balancers to your Auto Scaling group and an instance fails the load balancer health checks, Auto Scaling does not replace the instance by default
119
If your instance type supports one instance store volume, and your AMI has mappings for two instance store volumes, then the instance launches with two instance store volumes.
True
False
The number and size of available instance store volumes for your instance varies by instance type. Some instance types do not support instance store volumes
120
A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling terminate process of an unhealthy instance. What will happen to the availability zone rebalancing process during this period?
Auto Scaling will not launch or terminate any instances
Auto Scaling will allow the instances to grow more than the maximum size
Auto Scaling will keep launching instances till the maximum instance size
It is not possible to suspend the terminate process while keeping the launch active
Auto Scaling will allow the instances to grow more than the maximum size
Although you have suspended the termination or launch of an instance, autoscaling will still maintain the number of healthy instances
121
To configure your bucket to allow cross-origin requests, you create a CORS configuration, an HTML document with rules that identify the origins that you will allow to access your bucket, the operations (HTTP methods) will support for each origin, and other operation-specific information
True
False
False
| XML not HTML.
122
You can't move an existing instance into a placement group.
True
False
You can move an existing instance to a placement group, move an instance from one placement group to another, or remove an instance from a placement group. Before you begin, the instance must be in the stopped state.
123
AutoScaling PercentChangeInCapacity scaling operation results in 0.8. How many instances are added?
```
1
2
None
```
1
Values greater than 1 are rounded down. For example, 12.7 is rounded to 12.
Values between 0 and 1 are rounded to 1. For example, .67 is rounded to 1.
Values between 0 and -1 are rounded to -1. For example, -.58 is rounded to -1.
Values less than -1 are rounded up. For example, -6.67 is rounded to -6.
124
Which storage engine is required for My SQL read replicas?
```
MyISAM
MySQL Managed File System (MFS)
InnoDB
```
InnoDB
125
S3 Tag Values do not have to be unique in a tag set, and they can be null.
True
False
True
126
By default, the CloudFormation “automatic rollback on error” feature is not enabled.
True
False
By default, the “automatic rollback on error” feature is enabled. This will cause all AWS resources that AWS CloudFormation created successfully for a stack up to the point where an error occurred to be deleted
127
What is the max total size of all the messages that you send in a single call to SQS SendMessageBatch.
64 k
256 k
512 k
4 MB
256 k
128
You are setting up a PostgreSQL database server that runs on a Reserved EC2 instance which will be used by the various internal applications within your VPC. To simplify the naming convention of the database server, you are planning to allocate a custom domain name for the database.
Which of the following should you do to complete this task?
Set up a private hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.
Set up a private hosted zone in Route 53. Create a CNAME record, such as db.tutorialsdojo.com, and specify the IP address of the database server.
Set up a publicly hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.
Set up a publicly hosted zone in Route 53. Create a CNAME record, such as db.tutorialsdojo.com, and specify the IP address of the database server.
Set up a private hosted zone in Route 53. Create an A or AAAA record, such as db.tutorialsdojo.com, and specify the IP address of the database server.
you enter the IP of the Server
129
You are working as the Systems Administrator for a leading bank which has a web application that is heavily using the RDS instance for its database tier. You are required to monitor how the different processes or threads on a DB instance use the CPU such as the percentage of the CPU bandwidth and total memory consumed by each process.
Which of the following is the most suitable solution to properly monitor your database?
Enable Enhanced Monitoring in RDS.
Set up a monitoring system which uses Amazon CloudWatch to track the CPU Utilization of your database.
Write a shell script that collects and publishes custom metrics to CloudWatch which tracks the real-time CPU Utilization of the RDS instance.
View the CPU% and MEM% metrics which are readily available in the Amazon RDS console.
Enable Enhanced Monitoring in RDS.
130
Hiring new Database Administrators who will manage the backups of the AWS resources will increase the company's operating expenses and thus, they are looking for ways to automate their processes to cut costs. The company is using point-in-time snapshots of their resources provisioned on AWS.
Which of the following services provides you with a user configurable automatic backup service and backup rotation options without the need for regular user intervention? (Select TWO.)
```
Amazon EFS
Amazon Redshift
Amazon EC2
Amazon RDS
Amazon S3
```
Amazon RDS
| Amazon Redshift
131
A company has multiple AWS accounts that are consolidated using AWS Organizations. A Systems Engineer has been tasked to set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company's AWS accounts and cloud applications. The Engineer has already created a directory in the master account using the AWS Directory Service. Full access has also been configured by the Engineer in AWS Organizations.
Which of the following should the Engineer configure to complete the setup?
For each member account, set up IAM roles that will be used by AWS SSO. Associate the users with these IAM roles using AWS SSO.
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.
Set up permission sets in AWS Organizations. Associate the permission sets with AWS SSO users and groups.
Set up service control policies (SCPs) in AWS Organizations. Associate the SCPs with Directory Service users and groups using the AWS Management Console.
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.
AWS SSO manages access to all your AWS Organizations accounts, AWS SSO-integrated applications, and other business applications that support the Security Assertion Markup Language (SAML) 2.0 standard.
You can configure your identity source in AWS SSO to determine where your users and groups are stored. Once configured, you can then look up users or groups in your store to grant them single sign-on access to AWS accounts, cloud applications, or both.
132
An investment bank is storing the account transactions of their clients in S3. As the SysOps Administrator of the company, you enabled Versioning and MFA Delete to secure the objects stored in the S3 bucket from accidental deletion. In this scenario, which of the following operations in S3 will now require additional authentication? (Select TWO.)
Permanently deleting an object version.
Renaming an object.
```
Change the versioning state of your bucket.
Change the ACL of your bucket.
Moving an object.
```
Change the versioning state of your bucket.
Permanently deleting an object version.
133
A company uses a Volume Gateway as part of their Hybrid Cloud storage solutions to accommodate its growing application. The Volume Gateway is using stored volumes to save the files stored on-premises with scheduled offsite backups. Due to inadequate capacity planning, the volume is quickly running out of space for new data.
How can you expand the volume?
Launch a new volume with a larger size then use that as the storage for new data.
Request a service quota increase for the stored volume size.
Create a new volume of larger size from the existing cached volume.
Create a snapshot of the volume that you want to expand. Use the snapshot to create a new volume of a larger size.
Create a snapshot of the volume that you want to expand. Use the snapshot to create a new volume of a larger size.
134
You are working in a leading global investment bank which has strict security compliance requirements in handling their financial data. As the SysOps Administrator, you are instructed to ensure that the data stored in the EBS Volumes, which are used by your EC2 instances, are also available in another AWS region. This will provide a better redundancy to critical data stored in the volumes.
Which of the following options can you implement to achieve this? (Select TWO.)
Use the Amazon Data Lifecycle Manager (DLM) for EBS Snapshots.
Create a snapshot of the volume and then copy it to the new region.
Create a snapshot from the EBS volumes in another region.
Create a copy of the EBS volumes in the new region.
Use the AWS Trusted Advisor API service for EBS Snapshots.
Use the Amazon Data Lifecycle Manager (DLM) for EBS Snapshots.
Create a snapshot of the volume and then copy it to the new region.
You can also copy snapshots across regions using Data Lifecycle Manager (DLM). You can enable policies which, along with create, can now also copy snapshots to one or more AWS region(s). Copies can be scheduled for up to three regions from a single policy and retention periods are set for each region separately.
135
An online food delivery website is hosted in an Amazon ECS Cluster and is using an RDS database instance. The company has recently deployed the new version of their delivery website which uses DynamoDB instead of RDS. Your manager instructed you to disable the backups of your RDS instance as these will no longer be used. You were able to successfully set the retention period to 1 with no issues but you encountered an error when you tried to set this at 0.
Which of the following could be the possible reason for this issue?
The RDS instance has Read Replicas.
The RDS instance is using a Multi-AZ deployments configuration.
You do not have the required IAM access to configure your RDS instance.
The minimum retention period that you can set is 1.
The RDS instance has Read Replicas.
There are several reasons why you may need to set the backup retention period to 0. For example, you can disable automatic backups immediately by setting the retention period to 0. If you set the value to 0 and receive a message saying that the retention period must be between 1 and 35, check to make sure you haven't setup a read replica for the instance. Read replicas require backups for managing read replica logs, thus, you can't set the retention period of 0. Hence, the correct answer is the option that says, "the RDS instance has Read Replicas."
136
You are migrating an online accounting application to AWS which uses TCP protocol. As the Systems Administrator, you are instructed to improve the scalability and availability of the application and to ensure that the IP address of the clients using the application are recorded for tracking.
Which of the following steps would you implement to fulfill this requirement?
Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled to load-balance the two application servers located in different Availability Zones.
Use Route 53 with Latency Based Routing enabled to distribute load on two or more application servers in different Availability Zones.
Use Route 53 with Weighted Routing to distribute load on two application servers in different Availability Zones.
Use an Elastic Load Balancer with a TCP Listener then enable the Proxy Protocol to distribute load on two or more application servers in different AZs.
Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested. Elastic Load Balancing uses Proxy Protocol version 1, which uses a human-readable header format.
137
A leading telecommunications company has decided to host their e-commerce website in an Auto Scaling group of EC2 instances and a RDS database instance for their mobile phone plans. To secure the online transactions, you were instructed to configure the database to encrypt the data in transit.
Which of the following should you do to meet the requirements?
Use a VPC endpoint, which is powered by AWS PrivateLink, that enables you to connect to the RDS database instance.
Based on its respective DB engine, configure the database to use SSL and use the certificates which are readily available from AWS.
Do nothing. By default, RDS already provides data encryption for data at rest.
Use the CloudHSM service to encrypt the incoming and outgoing traffic to RDS.
Based on its respective DB engine, configure the database to use SSL and use the certificates which are readily available from AWS.
138
An innovative financial startup has been experiencing rapid growth and demand for their cloud-based services. To meet the demand, they are planning to expand their cloud infrastructure for their online portal to two AWS regions: ca-central-1 Canada (Central) and ap-northeast-1 Asia Pacific (Tokyo) to serve their new clients. There is also a requirement to route more or less traffic to a given resource by specifying a value.
As their SysOps Administrator, how can you ensure that the traffic is served based on the geographic location of your users and your resources?
Configure the load balancer of their online portal to redirect distant users to a closer region.
Use a 3rd-party geolocation service to automatically route their users to the best-performing region.
Use the Route 53 service and create a new latency record for the website.
Set up a Geoproximity routing using Route 53 to properly route their users to the best-performing region.
You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias, that expands or shrinks the size of the geographic region from which traffic is routed to a resource.
139
A company has a fleet of On-Demand EC2 instances on their new VPC created using the AWS CLI. You noticed that all recently launched EC2 instances do not have public DNS hostnames. This prevents you from accessing the instances over the Internet.
Which of the following could be a possible reason for this issue?
By default, the enableDnsSupport is set to false and enableDnsHostNames is set to true for VPCs created using the AWS CLI
By default, the enableDnsHostNames is set to false for VPCs created using the AWS CLI
By default, the enableDnsSupport is set to false for VPCs created using the AWS CLI
By default, both the enableDnsSupport and enableDnsHostNames are set to false for VPCs created using the AWS CLI
| By default, the enableDnsHostNames is set to false for VPCs created using the AWS CLI
140
A company has hundreds of Customer Master Keys (CMKs) which they are using with the Amazon Key Management Service to secure their S3 buckets, RDS instances, and other AWS resources. You were instructed to delete some CMKs to avoid management overhead and costs associated with maintaining unused keys.
In this scenario, which of the following is true regarding the deletion of customer master keys? (Select TWO.)
You can schedule the CMK for deletion with a default waiting period of 7 days.
You can directly delete a CMK immediately.
AWS KMS does not rotate the backing keys of CMKs that are pending deletion.
AWS KMS still rotates the backing keys of CMKs that are pending deletion.
A CMK that is pending deletion can still be used in any cryptographic operation.
A CMK that is pending deletion cannot be used in any cryptographic operation.
A CMK that is pending deletion cannot be used in any cryptographic operation.
AWS KMS does not rotate the backing keys of CMKs that are pending deletion.
The option that says: You can schedule the CMK for deletion with a default waiting period of 7 days is incorrect because although you can schedule the CMK for deletion, its default waiting period is 30 days and not 7 days.
The option that says: You can directly delete a CMK immediately is incorrect because you cannot directly delete a CMK immediately. You have to schedule its deletion.
141
A company uses AWS Organizations to manage several AWS accounts. A department in the company requires a new AWS account. A SysOps Administrator must create the new account and configure user-defined cost allocation tags.
What should the Administrator do to enable user-defined cost allocation tags?
Use the Billing and Cost Management console in the payer account to create the new user-defined cost allocation tags.
Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the payer account to mark the tags as cost allocation tags.
Use the Billing and Cost Management console in the new account to create the new user-defined cost allocation tags.
Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the new account to mark the tags as cost allocation tags.
Use the Tag Editor in the new account to create the new user-defined tags, then use the Billing and Cost Management console in the payer account to mark the tags as cost allocation tags
142
A company is deploying AWS Single Sign-On (SSO). A SysOps Administrator has created an AWS SSO directory in an AWS Organizations master account and enabled full access. What is the next step to configure the single sign-on functionality?
Create permission sets in AWS SSO and associate the permission sets with Directory Service users or groups.
Create service control policies (SCPs) in Organizations and associate the SCPs with Directory Service users or groups.
Create IAM users in the master account and use AWS SSO to associate the users with the accounts they will access.
Create IAM roles in each account to be used by AWS SSO and associate users with these roles using AWS SSO.
Create permission sets in AWS SSO and associate the permission sets with Directory Service users or groups.
Permission sets define the level of access that users and groups have to an AWS account. Permission sets are stored in AWS SSO and provisioned to the AWS account as IAM roles.
You can assign more than one permission set to a user. Users who have multiple permission sets must choose one when they sign into the user portal. (Users will see these as IAM roles). For this scenario, the Administrator must next create the permissions sets and then associate the permission set with the user accounts or groups.
143
A SysOps Administrator has been tasked with setting up a record set in Amazon Route 53 to point to an Application Load Balancer (ALB). The hosted zone and the ALB are in different accounts.
What is the MOST cost-effective and efficient solution to this requirement?
Create an alias record in the hosted zone pointing to the Application Load Balancer.
Create an Application Load Balancer in the same account as the hosted zone and forward connections cross-account to the other ALB.
Create an asynchronous replica of the hosted zone in the account with the Application Load Balancer.
Create a CNAME record in the hosted zone pointing to an alias record to the Application Load Balancer.
Create an alias record in the hosted zone pointing to the Application Load Balancer.
It is possible to create an Alias record that points to a resource in another account. In this case the fully qualified domain name of the ALB must be obtained and then entered when creating the record set. This is the most cost-effective option as you do not pay for Alias records and there is minimal configuration required.
144
A company manages a fleet of Amazon EC2 instances in a VPC and wishes to remove their public IP addresses to protect them from internet-based threats. Some applications still require access to Amazon S3 buckets. A SysOps Administrator has been tasked with providing continued access to the S3 buckets.
Which solutions can the Administrator recommend? (Select TWO.)
Add an outbound rule in the security groups of the EC2 instances for Amazon S3 using private IP addresses.
Create a VPC endpoint in the VPC and configure the route tables appropriately.
Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.
Set up AWS Direct Connect and configure a virtual interface between the EC2 instances and the S3 buckets.
Configure the internet gateway to route connections to S3 using private IP addresses.
Create a VPC endpoint in the VPC and configure the route tables appropriately.
Deploy a NAT gateway in a public subnet and configure the route tables in the VPC appropriately.
145
A company is creating a new application that will run in a hybrid environment. The application processes data that must be secured and the developers require encryption in-transit across shared networks and encryption at rest.
Which combination of actions should a SysOps Administrator take to meet these requirements? (Select TWO.)
Use AWS KMS to create TLS/SSL certificates.
Use AWS KMS to manage the encryption keys used for data encryption.
Configure an AWS VPN between the on-premises data center and AWS.
Use AWS CloudHSM to encrypt the data using a CMK.
Use AWS Certificate Manager to create TLS/SSL certificates.
Use AWS KMS to manage the encryption keys used for data encryption.
Configure an AWS VPN between the on-premises data center and AWS.
An AWS virtual private network (VPN) connection can be configured to encrypt data over the shared, hybrid network connection. This ensures encryption in-transit and if you don’t have a certificate you can create a pre-shared key.
AWS KMS can be used to manage encryption keys that can be used for data encryption. In this case the keys would then be used outside of KMS to actually encrypt the data.
146
A SysOps Administrator created a script that generates custom Amazon CloudWatch metrics. The EC2 instance on which the script was run had a misconfigured clock resulting in timestamps on the logs that were set to 30 minutes in the past.
What will be the result of this situation?
Amazon CloudWatch will accept the custom metric data and record it.
Amazon CloudWatch will not capture the data because it is in the past.
Amazon CloudWatch will correct the time when recording the timestamp.
Amazon CloudWatch creates its own timestamps and ignores metric timestamps.
Amazon CloudWatch will accept the custom metric data and record it.
The time stamp can be up to two weeks in the past and up to two hours into the future. If you do not provide a time stamp, CloudWatch creates a time stamp for you based on the time the data point was received.
147
A security team has identified an attack on web applications running on Amazon EC2. The attack uses malformed HTTP headers. Which AWS service or feature can be used to prevent this type of attack from reaching the EC2 instances?
Network Access Control List (NACL)
Amazon Security Group rules
Application Load Balancer (ALB)
AWS Web Application Firewall (WAF)
Application Load Balancer (ALB)
An application load balancer will block malformed requests that do not meet the HTTP specification with a HTTP 400: Bad request error. An ALB can be placed in front of the EC2 web applications and this will prevent the attack from reaching the instances.
The ALB attribute “Drop Invalid Header Fields” setting can be used to control if invalid header fields are removed by the load balancer.
148
A SysOps Administrator attempted to deploy an AWS CloudFormation StackSet across multiple AWS accounts. The stack operation failed, and the stack instance status is OUTDATED. What could be a possible cause of this error?
The deployment was run without specifying a CloudFormation template.
The deployment requires multi-factor authentication and a token was not provided.
The deployment is trying to create resources in other accounts in a different region.
The deployment was run with insufficient permissions in the target account.
The deployment was run with insufficient permissions in the target account.
149
A team of Analysts require a specialized Amazon EC2 configuration. The team need to able to launch and terminate instances across the company’s AWS accounts but do not wish to configure EC2 settings on their own. The specialized EC2 configuration contains licensed software and must be available for use only by the Analysts.
Which solution should a SysOps Administrator use to allow the Analysts to deploy their workloads with MINIMAL effort?
Create an Amazon Machine Image (AMI) encrypted with an AWS KMS key. Share the encrypted AMI with authorized accounts. Allow the Analysts access to use the KMS key.
Create an AWS Elastic Beanstalk environment. Share the environment across accounts and use IAM policies to enable access for the team of Analysts.
Create an AWS CloudFormation template and use it to create a portfolio in AWS Service Catalog. Grant the Analysts permissions to launch products from the portfolio.
Create an AWS CloudFormation template and configure launch permissions on the AMI used by the template to add the authorized accounts. Share the template in an Amazon S3 bucket.
Create an AWS CloudFormation template and use it to create a portfolio in AWS Service Catalog. Grant the Analysts permissions to launch products from the portfolio.
150
An application runs on Amazon EC2 instances in multiple Availability Zones (AZs) behind an internet-facing Application Load Balancer (ALB). A SysOps Administrator needs to track the originating IP address of each application request and the EC2 instance that processes it.
What should the Administrator use to access this information?
VPC Flow Logs
AWS CloudTrail
The ALB access logs
Amazon CloudWatch
The ALB access logs
Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. The entries include the client:port which shows the the IP address and port of the requesting client and the target:port which includes the IP address and port of the target that processed this request.
151
A company runs and Amazon Aurora database instance. According to the AWS Shared Responsibility Model, which of the following actions are the responsibility of the customer?
Managing network infrastructure for the database.
Provisioning the underlying server hardware.
Executing maintenance, patches, and other updates.
Scheduling maintenance, patches, and other updates.
Scheduling maintenance, patches, and other updates.
152
A company has several departments and needs to ensure that each department operates within their own isolated environment. They should also only be able to use AWS services that have been pre-approved.
How can these requirements be met?
Create IAM policies for each department that grant access to specific services and attach them to the user accounts.
Create a catalog of services that are approved for use by each department in AWS Service Catalog.
Use an AWS Organization to create accounts for each department and apply service control policies (SCPs) to control access to pre-approved services.
Create separate Amazon VPCs for each department and restrict access to approved services using IAM roles
Use an AWS Organization to create accounts for each department and apply service control policies (SCPs) to control access to pre-approved services.
AWS Organizations can be used to create new accounts programmatically using the Organizations API. This will create an isolated environment for each department. Service Control Policies (SCPs) can then be used to limit the AWS services that the users can use in that account. This enables a pre-approved set of services to be accessible whilst denying access to all others.
153
Each IT staff member in a company uses a unique IAM user account. Permissions are applied to users using IAM policies and IAM groups. The security team has requested that staff members should log in with their on-premises Active Directory user accounts instead of their IAM user accounts when accessing the AWS Management Console.
Which solution can a SysOps Administrator implement to the requirements of the security team?
Enable an Active Directory federation in an Amazon Route 53 private zone.
Use the IAM connector to synchronize the on-premises Active Directory.
Implement a two-way trust relationship between AWS IAM and Active Directory.
Implement a VPN tunnel and configure an Active Directory connector.
Implement a VPN tunnel and configure an Active Directory connector.
AD Connector is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS. When AD Connector is configured, the trust allows you to:
* Sign in to AWS applications such as Amazon WorkSpaces, Amazon WorkDocs, and Amazon WorkMail by using your Active Directory credentials.
* Seamlessly join Windows instances to your Active Directory domain either through the Amazon EC2 launch wizard or programmatically through the EC2 Simple System Manager (SSM) API.
* Provide federated sign-in to the AWS Management Console by mapping Active Directory identities to AWS Identity and Access Management (IAM) roles.
This solution will result in users’ using their on-premises Active Directory user accounts to login to AWS IAM. They would then be able to access the AWS Management Console.
154
An application uses an Amazon RDS Multi-AZ DB instance. Due to new security compliance requirements a SysOps Administrator needs to encrypt the database.
Which approach can the Administrator take to encrypt the database?
Encrypt the standby replica in the secondary Availability Zone and promote it to the primary instance.
Use the RDS management console to enable encryption for the database.
Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
Create an encrypted read replica and promote the replica to master.
Take a snapshot of the RDS instance, copy and encrypt the snapshot, and then restore to the new RDS instance.
You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance.
To do this you create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.
155
A company plans to use AWS CloudFormation to deploy their infrastructure using templates. The deployments will include several environments across multiple AWS Regions. A SysOps Administrator plans to write a single template that can be reused for each environment deployment.
What is the recommended way to use AWS CloudFormation to meet this requirement?
Use parameters to provision the resources.
Use cross-stack references to provision the resources.
Use change sets to provision additional environments
Use nested stacks to provision the resources.
Use parameters to provision the resources.
You can use the optional Parameters section to customize your templates. Parameters enable you to input custom values to your template each time you create or update a stack. You use the Ref intrinsic function to reference a parameter, and AWS CloudFormation uses the parameter's value to provision the stack. You can reference parameters from the Resources and Outputs sections of the same template.
To make templates reusable, parameters can be used with mappings, and conditions sections so that you can customize your stacks when you create them. For example, for your development environments, you can specify a lower-cost instance type compared to your production environment, but all other configurations and settings remain the same.
INCORRECT: "Use nested stacks to provision the resources" is incorrect. Nested stacks are good for defining common patterns for reuse in separate templates. However, to use a single template, use parameters, mappings, and conditions.
156
A company runs an Amazon RDS MySQL DB instance in a production account. Each week a backup of the database must be copied to a separate development account for testing.
What is the MOST cost-effective way to meet this requirement?
Copy an automated RDS snapshot to the development account using the copy-db-snapshot command with the AWS CLI.
Use the Amazon S3 cross-region replication (CRR) to copy the automated backup to the development account.
Create a manual RDS snapshot with the create-db-snapshot CLI command and share it with the development account, create a copy in the development account.
Create a multi-AZ standby of the RDS database in the development account and take a manual snapshot using the create-db-snapshot AWS CLI command.
Create a manual RDS snapshot with the create-db-snapshot CLI command and share it with the development account, create a copy in the development account.
Using Amazon RDS, you can share a manual DB snapshot in the following ways:
* Sharing a manual DB snapshot, whether encrypted or unencrypted, enables authorized AWS accounts to copy the snapshot.
* Sharing an unencrypted manual DB snapshot enables authorized AWS accounts to directly restore a DB instance from the snapshot instead of taking a copy of it and restoring from that.
You can share a manual snapshot with up to 20 other AWS accounts. You can also share an unencrypted manual snapshot as public, which makes the snapshot available to all AWS accounts.
INCORRECT: "Copy an automated RDS snapshot to the development account using the copy-db-snapshot command with the AWS CLI" is incorrect. You cannot copy an automated DB snapshot.
157
An Amazon EBS volume attached to an Amazon EC2 instance running a database and is encrypted using AWS KMS customer-managed customer master keys (CMKs). A SysOps Administrator wants to rotate the AWS KMS keys using automatic key rotation and needs to ensure that the EBS volume encrypted with the current key remains readable.
What should be done to accomplish this?
Back up the current KMS data key and enable automatic key rotation.
Create a new data key in KMS and assign the key to Amazon EBS.
Create a new customer master key in KMS and enable rotation.
Enable automatic key rotation of the customer master key in KMS.
Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.
158
A company uses AWS Service Catalog to manage approved services. A new AWS account has been created and a SysOps Administrator needs to create a replica of the company's existing AWS infrastructure in the new AWS account. Currently, an AWS Service Catalog portfolio is used to create and manage resources.
What is the MOST efficient way to accomplish this?
Create an AWS CloudFormation template to redeploy the AWS Service Catalog portfolio in the new AWS account
Manually create an AWS Service Catalog portfolio in the new AWS account and recreate the original portfolio.
Run an AWS Lambda function to create a new AWS Service Catalog portfolio based on the output of the DescribePortfolio API operation.
Share the AWS Service Catalog portfolio with the other AWS account and import the portfolio into the AWS account.
Share the AWS Service Catalog portfolio with the other AWS account and import the portfolio into the AWS account.
159
A website runs on Amazon EC2 instances and uses an Amazon RDS database with the MySQL engine. A caching layer based on Amazon ElastiCache for Redis (cluster mode enabled) is used to improve read performance.
A new product launch is expected to result in a significant traffic increase over the first few days, potentially doubling the load on the website.
What can a SysOps Administrator do to ensure improved read times for users during the event?
Add shards to the existing Redis cluster.
Use Amazon RDS Multi-AZ.
Offload static data to Amazon S3.
Use a message queue to cache data.
Horizontal scaling allows you to change the number of node groups (shards) in the replication group by adding or removing node groups (shards). The online resharding process allows scaling in/out while the cluster continues serving incoming requests.
160
A company runs an application on Amazon EC2 instances in a VPC private subnet. The instances must upload objects to an Amazon S3 bucket. The company requires access to the bucket to be restricted to the EC2 instances in the private network and data must not traverse the public network.
What actions should the SysOps Administrator take to meet these requirements?
Create a VPC endpoint for the S3 bucket and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
Create a VPC endpoint for the S3 bucket and create an IAM policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
Create a NAT gateway in the VPC and modify the private subnet route table to route all traffic destined for S3 through the NAT gateway.
Create an AWS VPN tunnel between the VPC private subnet and the Amazon S3 public endpoint.
Create a VPC endpoint for the S3 bucket and create a S3 bucket policy that conditionally limits all S3 actions on the bucket to the VPC endpoint as the source.
161
You are attempting to launch EC2 instances in an auto-scaling group, however every time you try, the launch operation fails. Which of the following could be a reason for the failure? [Select all that apply]
The Security Group specified in the launch configuration doesn't exist
The Key Pair you have specified doesn't exist
You have hit the default limit for the number of times you can use the Key Pair
The requested instance type is not supported in your Availability Zone
The Key Pair you have specified doesn't exist
The Security Group specified in the launch configuration doesn't exist
The requested instance type is not supported in your Availability Zone
162
STS (Security Token Service) grants temporary access to AWS resources to users authenticated using which methods?
```
AWS Rekognition
Cross-Origin Resource Sharing
Cross Account Access
Federation with Web Identity Providers
Active Directory Federation
```
```
Cross Account Access
Federation with Web Identity Providers
Active Directory Federation
```
163
A financial organization created a CMK with imported key material. The CMK is used to encrypt the data of a Java web application. To meet the strict security compliance requirements, you must rotate the CMK every 6 months.
Which of the following could help you achieve this requirement?
- Rotate the keys automatically by using AWS managed CMK.
- Enable automatic key rotation.
- In the current CMK, delete the existing key material and import the new key material.
- Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key.
- Set up a new customer master key with imported key material. Update the key alias or key ID to point to the new customer master key.
Remember that automatic key rotation is not supported for imported keys, asymmetric keys, or keys generated in an AWS CloudHSM cluster using the AWS KMS custom key store feature. To meet the strict security compliance requirements, you must rotate the keys manually.
Sysops
flashcards
Decks in class (14)
# Cards
