Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers
A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.
B. Each subnet maps to a single Availability Zone.C. CIDR block mask of/25 is the smallest range supported.
D. By default, all subnets can route between each other, whether they are private or public.E. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP.
Why? This can be solved by using "ruling out" technique. A, C, E are wrong.
A. Subnet can only exist within 1 Availability Zones
C. CIDR blocks are from /28 to /16
E. Elastic IP doesn't play anyrole in this. You can connect to internet without it.
Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured ELB to perform health checks on these EC2 instances, if an instance fails to pass health checks, which statement will be true?
A. The instance gets terminated automatically by the ELB.
B. The instance gets quarantined by the ELB for root cause analysis.
C. The instance is replaced automatically by the ELB.
D. The ELB stops sending traffic to the instance that failed its health check.Why? http://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html "The load balancer sends a health check request to each registered target every HealthCheckIntervalSeconds seconds, using the specified port, protocol, and ping path. It waits for the target to respond within the response timeout period. If the health checks exceed the threshold for consecutive failed responses, the load balancer takes the target out of service. When the health checks exceed the threshold for consecutive successful responses, the load balancer puts the target back in service."
In AWS, which security aspects are the customer’s responsibility? Choose 4 answers
A. Security Group and ACL (Access Control List) settingsB. Decommissioning storage devices
C. Patch management on the EC2 instance’s operating systemD. Life-cycle management of IAM credentialsE. Controlling physical access to compute resources
F. Encryption of EBS (Elastic Block Storage) volumesWhy? By ruling out the impossible answer of B and E, you got the correct answer right away.
For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers
A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors
B. Managing a multi-step and multi-decision checkout process of an e-commerce websiteC. Orchestrating the execution of distributed and auditable business processesD. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs
E. Using as a distributed session store for your web application
Why? Although SNS seems possible option, you should be triggered of SNS. Original example of video transcoding was with SWF and S3, not SNS.
A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?
A. Enable AWS CloudTrail for the load balancer.
B. Enable access logs on the load balancer.C. Install the Amazon CloudWatch Logs agent on the load balancer.
D. Enable Amazon CloudWatch metrics on the load balancer.
Why? http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-monitor-logs.html "The access logs for Elastic Load Balancing capture detailed information for requests made to your load balancer and stores them as log files in the Amazon S3 bucket that you specify."
A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company’s requirements?
A. Virtual Private Network connection. AWS Directory Services, and ClassicLink
B. Virtual Private Network connection. AWS Directory Services, and Amazon Workspaces
C. AWS Directory Service, Amazon Workspaces, and AWS Identity and Access ManagementD. Amazon Elastic Compute Cloud, and AWS Identity and Access Management
Why? VPN is not AWS Service, hence ruling out answer B.
You are working with a customer who is using Chef configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS?
A. Amazon Simple Workflow Service
B. AWS Elastic Beanstalk
C. AWS CloudFormation
D. AWS OpsWorksWhich of the following are true regarding AWS CloudTrail? Choose 3 answers
A. CloudTrail is enabled globallyB. CloudTrail is enabled by default
C. CloudTrail is enabled on a per-region basisD. CloudTrail is enabled on a per-service basis.
E. Logs can be delivered to a single Amazon S3 bucket for aggregation.F. CloudTrail is enabled for all available services within a region.
G. Logs can only be processed and delivered to the region in which they are generated.
Why? https://aws.amazon.com/cloudtrail/faqs/
A - Correct "API calls for global AWS services such as AWS IAM and AWS STS are recorded and delivered by CloudTrail along with regional events. By default, CloudTrail delivers API calls for global services in every region."
B - It's not enabled by default "The quickest way to get started with CloudTrail is to use the AWS Management Console. You can turn on CloudTrail in few clicks."
C - Correct -"Please refer to Regional Products and Services for details of CloudTrail availability by region."
D - It's available per region
E - Correct
F - It's enabled only for services that support CloudTrail "For a list of services supported by CloudTrail, refer to the CloudTrail documentation."
G - Logs can be delivered to any regions S3 "Once you apply a trail in all regions, CloudTrail will create a new trail in all regions by replicating the trail configuration.".
You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?
A. Create a load balancer, and register the Amazon EC2 instance with it
B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the originC. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
D. Create a launch configuration from the instance using the CreateLaunchConfiguration action
Why? I'll go with B as just creating Auto Scaling group will not handle the issue of missing ELB for it and CloudFront is built to ease pain on load on static content (used in CMS systems).
You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer’s DNS name. Which options are probable causes of this behavior? Choose 2 answers
A. The load balancer was not configured to use a public subnet with an Internet gateway configuredB. The Amazon EC2 instances do not have a dynamically allocated private IP address
C. The security groups or network ACLs are not property configured for web traffic.D. The load balancer is not configured in a private subnet with a NAT instance.
E. The VPC does not have a VGW configured.
Why? AC
Which of the following notification endpoints or clients are supported by Amazon Simple Notification Service? Choose 2 answers
A. EmailB. CloudFront distribution
C. File Transfer Protocol
D. Short Message ServiceE. Simple Network Management Protocol
Why? Ruling out the wrong -- CloudFront, FTP and SNMP you'll have the correct ones
A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 answers
A. Amazon Simple Email Service
B. Amazon CloudWatchC. Amazon Simple Queue Service
D. Amazon Route 53
E. Amazon Simple Notification ServiceWhy? Route 53 is DNS service, SES is email service and SQS is messaging system.
The Trusted Advisor service provides insight regarding which four categories of an AWS account?
A. Security, fault tolerance, high availability, and connectivity
B. Security, access control, high availability, and performance
C. Performance, cost optimization, security, and fault toleranceD. Performance, cost optimization, access control, and connectivity
Why? https://aws.amazon.com/blogs/aws/trusted-advisor-console-basic/ Ruling out the wrong. High availability neither connectivity are features which Trusted Advisor checks. This removes A and B.
You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?
A. Amazon KinesisB. AWS Data Pipeline
C. Amazon AppStream
D. Amazon Simple Queue Service
Why? Ruling out the wrong. SQS is messaging system, AppStream is basically Citrix and AWS Data Pipeline is a cloud-based data workflow service that helps you process and move data between different AWS services and on-premise data sources.
A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?
A. Create a new peering connection Between Prod and Dev along with appropriate routes.B. Create a new entry to Prod in the Dev route table using the peering connection as the target.
C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.
D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.
Why? http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-pg.pdf#create-vpc-peering-connection As transitive peering is not supported, you're left with creating new peering connection
You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?
A. User data
B. EC2Config service
C. IAM roles
D. AWS ConfigWhy? https://aws.amazon.com/config/
Which of the following services natively encrypts data at rest within an AWS region? Choose 2 answers
A. Amazon Storage GatewayB. Amazon DynamoDB
C. Amazon CloudFront
D. Amazon GlacierE. Amazon Simple Queue Service
Why? DynamoDB doesn't offer encryption at rest and SQS/CloudFront are not storage services.
What is the minimum time Interval for the data that Amazon CloudWatch receives and aggregates?
A. One second
B. Five seconds
C. One minuteD. Three minutes
E. Five minutes
Why? https://aws.amazon.com/cloudwatch/faqs/ "Amazon CloudWatch metrics provide statistical results at a frequency up to one minute."
You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are property configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?
A. Enable Source/Destination Check on the private Instances.
B. Enable Source/Destination Check on the NAT instance.
C. Disable Source/Destination Check on the private instances.
D. Disable Source/Destination Check on the NAT instance.Why? NAT requires disabling the SRC/DEST on NAT instance
You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers)
A. Route 53 Record Sets
B. IAM Roles
C. Elastic IP Addresses (EIP)
D. EC2 Key Pairs
E. Launch configurations
F. Security Groups
Why? A, B as they are only global resources
Does AWS Direct Connect allow you access to all Availabilities Zones within a Region?
A. Depends on the type of connection
B. No
C. Yes
D. Only when there’s just one availability zone in a region. If there are more than one, only one availability zone can be accessed directly.
Why? https://aws.amazon.com/directconnect/faqs/ "How can I get started with AWS Direct Connect: Use the AWS Direct Connect tab on the AWS Management Console to create a new connection. Then you will change the region to the region you wish to use. "
You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
A. Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
B. Use dedicated instances to ensure that each instance has the maximum performance possible.
C. Use an Amazon CloudFront distribution for both static and dynamic content.D. Use an Elastic Load Balancer with auto scaling groups at the web, app and Amazon Relational Database Service (RDS) tiersE. Add alert Amazon CloudWatch to look for high Network in and CPU utilization.F. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
Why? A and B are not elastic, they are adding power to existing servers but to limitlessly. F will not help on when the DDoS is on. CloudFront will though take some of the hit, helping you on withstanding the DDoS. ELB and Auto Scaling Groups will also help when DDoS is on, as you can add more instances to serve your content. E will provide the same, but you need to provision the resources manually, but you will be notified about DDoS.
Are you able to integrate a multi-factor token service with the AWS Platform?
A. Yes, you can integrate private multi-factor token devices to authenticate users to the AWS platform.
B. No, you cannot integrate multi-factor token devices with the AWS platform.
C. Yes, using the AWS multi-factor token devices to authenticate users on the AWS platform.Why? https://aws.amazon.com/iam/details/mfa/ "AWS Multi-Factor Authentication (MFA) is a simple best practice that adds an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor—what they know), as well as for an authentication code from their AWS MFA device (the second factor—what they have)."
HTTP Query-based requests are HTTP requests that use the HTTP verb GET or POST and a Query parameter named "____"
A. ActionB. Value
C. Reset
D. Retrieve
Why? http://docs.aws.amazon.com/AWSEC2/latest/APIReference/Query-Requests.html "Query requests are HTTP or HTTPS requests that use the HTTP verb GET or POST and a Query parameter named Action."
Your customer is willing to consolidate their log streams (access logs, application logs, security logs etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours? What is the best approach to meet your customer’s requirements?
A. Send all the log events to Amazon SQS. Setup an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics.
B. Send all the log events to Amazon Kinesis. Develop a client process to apply heuristics on the logs. C. Configure Amazon CloudTrail to receive custom logs, use EMR to apply heuristics the logs
D. Setup an Auto Scaling group of EC2 syslogd servers, store the logs on S3 use EMR to apply heuristics on the logs
Why? Kinesis is the only service, which provides possibility for realtime analysis.
A web company is looking to implement an intrusion detection and prevention system into their deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC. How should they architect their solution to achieve these goals?
A. Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see an traffic across the VPC.
B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.
C. Configure servers running in the VPC using the host-based ‘route’ commands to send all traffic through the platform to a scalable virtualized IDS/IPS.
D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.Why? Ruling out the impossible. A, promiscuous mode is not allowed. C, 'route' command does not exist. B, is also impossible, leaving D as the only option.
Fill in the blanks: Resources that are created in AWS are identified by a unique identifier called an __________
A. Amazon Resource Number
B. Amazon Resource Nametag
C. Amazon Resource NameD. Amazon Reesource Namespace
Why? http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
What does the AWS Storage Gateway provide?
A. It allows to integrate on-premises IT environments with Cloud Storage.B. A direct encrypted connection to Amazon S3.
C. It’s a backup solution that provides an on-premises Cloud storage.
D. It provides an encrypted SSL endpoint for backups in the Cloud.
Why? http://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html "AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure. You can use the service to store data in the AWS cloud for scalable and cost-effective storage that helps maintain data security."
What are the two permission types used by AWS?
A. Resource-based and Product-based
B. Product-based and Service-based
C. Service-based
D. User-based and Resource-basedWhy? http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html "Permissions can be assigned in two ways: as identity-based or as resource-based."
What is the maximum key length of a tag?
A. 512 Unicode characters
B. 64 Unicode characters
C. 256 Unicode characters
D. 128 Unicode charactershttp://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html "Maximum key length: 128 Unicode characters"
Using Amazon CloudWatch’s Free Tier, what is the frequency of metric updates which you receive?
A. 5 minutesB. 500 milliseconds.
C. 30 seconds
D. 1 minute
Why? https://aws.amazon.com/cloudwatch/pricing/ "Basic Monitoring metrics (at five-minute frequency) for Amazon EC2 instances are free of charge, as are all metrics for Amazon EBS volumes, Elastic Load Balancers, and Amazon RDS DB instances."
Which is the default region in AWS?
A. eu-west-1
B. us-east-1C. us-east-2
D. ap-southeast-1
Why? Default region is us-east-1, but "All the main AWS services (except Route 53 & CloudFront) allow you to select which region you would like to use. The US East (N. Virginia) is the default region. You can change the region by using the dropdown menu in the top right of the management console."
What does a “Domain” refer to in Amazon SWF?
A. A security group in which only tasks inside can communicate with each other
B. A special type of worker
C. A collection of related WorkflowsD. The DNS record for the Amazon SWF service
Why? http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dev-domain.html "Domains provide a way of scoping Amazon SWF resources within your AWS account. All the components of a workflow, such as the workflow type and activity types, must be specified to be in a domain. It is possible to have more than one workflow in a domain; however, workflows in different domains cannot interact with each other."
How can I change the security group membership for interfaces owned by other AWS, such as Elastic Load Balancing?
A. By using the service specific console or API\CLI commandsB. None of these
C. Using Amazon EC2 API/CLI
D. using all these methods
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html "To change security group membership for interfaces owned by other services, such as Elastic Load Balancing, use the console or command line interface for that service"
While signing in REST/ Query requests, for additional security, you should transmit your requests using Secure Sockets Layer (SSL) by using _________
A. HTTP
B. Internet Protocol Security(IPsec)
C. TLS (Transport Layer Security)
D. HTTPSWhy? https://support.google.com/webmasters/answer/6073543?hl=en "HTTPS protects that user's personal information between the user and the site. Users expect a secure online experience when providing data via a website. We encourage you to adopt HTTPS in order to protect your users' connection to your website."
What are the four levels of AWS Premium Support?
A. Basic, Developer, Business, EnterpriseB. Basic, Startup, Business, Enterprise
C. Free, Bronze, Silver, Gold
D. All support is free
Why? https://aws.amazon.com/premiumsupport/faqs/ "Q: How are the enhanced AWS Support tiers different from Basic Support?: AWS Basic Support offers all AWS customers access to our Resource Center, Service Health Dashboard, Product FAQs, Discussion Forums, and Support for Health Checks – at no additional charge. Customers who desire a deeper level of support can subscribe to AWS Support at the Developer, Business, or Enterprise level."
Can the string value of ‘Key’ be prefixed with aws:”?
A. Only in GovCloud
B. Only for S3 not EC2
C. Yes
D. NoWhy? http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html "The tag key is the required name of the tag. The string value can be from 1 to 128 Unicode characters in length and cannot be prefixed with "aws:" or "rds:"."
What is the maximum response time for a Business level Premium Support case?
A. 120 seconds
B. 1 hourC. 10 minutes
D. 12 hours
Why? https://aws.amazon.com/premiumsupport/business-support/
Case Severity and Response Times*
Urgent: < 1 hour
High: < 4 hours
Normal: < 12 hours
Low: < 24 hours
When using consolidated billing there are two account types. What are they?
A. Paying account and Linked accountB. Parent account and Child account
C. Main account and Sub account.
D. Main account and Secondary account.
Why? http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html "You sign up for Consolidated Billing in the AWS Billing and Cost Management console, and designate your account as a payer account. Now your account can pay the charges of the other accounts, which are called linked accounts. The payer account and the accounts linked to it are called a Consolidated Billing account family."
You are building a solution for a customer to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement?
A. Amazon VPC peering
B. Elastic IP Addresses
C. AWS Direct ConnectD. Amazon VPC virtual private gateway
Why? https://aws.amazon.com/directconnect/faqs/ "Q. What connection speeds are supported by AWS Direct Connect?: 1Gbps and 10Gbps ports are available.Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect. Read more about APN Partners supporting AWS Direct Connect."
When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions? Choose 2 answers
A. Amazon DynamoDB
B. Amazon Elastic Compute Cloud (EC2)C. Amazon Elastic Load BalancingD. Amazon Simple Notification Service (SNS)
E. Amazon Simple Storage Service (S3)
Why? Ruling out DynamoDB, SNS and S3 as services, leaving B and C as correct answers.
