Monday, October 24, 2016

AWS SAA Study List - EC2

EC2

Basics

  • Virtual machine image (AMI), launched as an instance in the cloud
  • Variety of different OS versions
    • Amazon Linux
    • Red Hat Linux
    • Windows Server 2016
  • Different configurations of CPU and RAM
  • Cost models
    • Spot instances
    • Reserved instances
    • On-demand instances
  • Can be deployed in multiple regions and availability zones
  • Can be accessed securely by key pairs
  • Can be categorized by tags
  • Security Groups act as a firewall
  • Elastic IPs can be attached to them
  • Multiple ENIs can be attached to them
  • Instance information can be queried by using metadata

Limits

EC2 doesn't have many limits; most limits apply to EC2-Classic.


The following topics are exam questions collected from the Internet and should be evaluated as such. Answers are mine and have been checked against answers collected from the Internet, but might still be wrong.


You have a web application running on six Amazon EC2 instances, consuming about 45% of resources on each instance. You are using auto-scaling to make sure that six instances are running at all times. The number of requests this application processes is consistent and does not experience spikes. The application is critical to your business and you want high availability at all times. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all instances. Which of the following architectural choices should you make?

A. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer.
B. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load Balancer.
C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon Elastic Load Balancer.
D. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer.

Why? http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/how-elastic-load-balancing-works.html "A load balancer accepts incoming traffic from clients and routes requests to its registered EC2 instances in one or more Availability Zones." In answer C the remaining 3 EC2 instances can still service the load. An AMI is usually tied to a Region, which rules out B and D.


You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow all outbound traffic but cannot access the internet. Why is the Internet unreachable from this instance?

A. The instance does not have a public IP address.
B. The internet gateway security group must allow all outbound traffic.
C. The instance security group must allow all inbound traffic.
D. The instance “Source/Destination check” property must be enabled.

Why? https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html "Enabling Internet Access: Ensure that instances in your subnet have public IP addresses or Elastic IP addresses." C can be ruled out, as you are trying to reach out from the instance. B can be ruled out, as an IGW (Internet Gateway) does not have a security group. D relates to configuring a NAT instance.


You launch an Amazon EC2 instance without an assigned AWS Identity and Access Management (IAM) role. Later, you decide that the instance should be running with an IAM role. Which action must you take in order to have a running Amazon EC2 instance with an IAM role assigned to it?

A. Create an image of the instance, and register the image with an IAM role assigned and an Amazon EBS volume mapping.
B. Create a new IAM role with the same permissions as an existing IAM role, and assign it to the running instance.
C. Create an image of the instance, add a new IAM role with the same permissions as the desired IAM role, and deregister the image with the new role assigned.
D. Create an image of the instance, and use this image to launch a new instance with the desired IAM role assigned.

Why? A and C speak of registering an image, not launching it. B is not possible, because you can't assign an IAM role to a running instance.


A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture?

A. A standalone Amazon EC2 instance
B. Amazon RDS in a Multi-AZ configuration
C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

Why? RDS doesn't provide OS access; D is the only answer where you have OS rights and a Multi-AZ configuration.


What is a placement group?

A. A collection of Auto Scaling groups in the same region
B. A feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections
C. A collection of authorized CloudFront edge locations for a distribution
D. A collection of Elastic Load Balancers in the same Region or Availability Zone

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html "A placement group is a logical grouping of instances within a single Availability Zone. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both."


Which of the following are characteristics of a reserved instance? Choose 3 answers

A. It can be migrated across Availability Zones
B. It is specific to an Amazon Machine Image (AMI)
C. It can be applied to instances launched by Auto Scaling
D. It is specific to an instance Type
E. It can be used to lower Total Cost of Ownership (TCO) of a system

Why? Ruling out the wrong B and D leaves the correct answers.


Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?

A. Instance user data
B. Resource tags
C. Instance metadata
D. Amazon Machine Image

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-retrieval This can be done by querying http://169.254.169.254/latest/meta-data


Which of the following requires a custom CloudWatch metric to monitor?

A. Memory Utilization of an EC2 instance
B. CPU Utilization of an EC2 instance
C. Disk usage activity of an EC2 instance
D. Data transfer of an EC2 instance

Why? http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ecs-metricscollected.html where A is not among the metrics collected.


In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following features should you use?

A. Multiple Availability Zones
B. AWS Direct Connect
C. EC2 Dedicated Instances
D. Placement Groups
E. VPC private subnets


You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost-effective way. Which of the following will meet your requirements?

A. Spot Instances
B. Reserved instances
C. Dedicated instances
D. On-Demand instances

Why? A sounds right because the question mentions that the application can recover gracefully from instance failures.


A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instances to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

Why? IAM roles are global.


You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error messages: “Network error: Connection timed out” or “Error connecting to [instance], reason: -> Connection timed out: connect”. You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2 answers

A. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch.
B. Verify that your IAM user policy has permission to launch Amazon EC2 instances.
C. Verify that you are connecting with the appropriate user name for your AMI.
D. Verify that the Amazon EC2 Instance was launched with the proper IAM role.
E. Verify that your federation trust to AWS has been established.

Why? A and C, although each option is wrong in the following


You have an application running on an EC2 Instance which will allow users to download files from a private S3 bucket using a pre-assigned URL. Before generating the URL the application should verify the existence of the file in S3. How should the application use AWS credentials to access the S3 bucket securely?

A. Use the AWS account access keys. The application retrieves the credentials from the source code of the application.
B. Create an IAM user for the application with permissions that allow list access to the S3 bucket. Launch the instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
C. Create an IAM role for EC2 that allows list access to objects in the S3 bucket. Launch the instance with the role, and retrieve the role’s credentials from the EC2 Instance metadata
D. Create an IAM user for the application with permissions that allow list access to the S3 bucket. The application retrieves the IAM user credentials from a temporary directory with permissions that allow read access only to the application user.

Why? Rule out A, which is not secure, and D, which speaks of a temporary directory. B can be ruled out (without looking at the IAM user at all) because it uses the wrong term, "EC2 instance user data", instead of metadata.


"____" acts as a firewall that controls the traffic allowed to reach one or more instances.

A. security group
B. nACL
C. IAM
D. Private IP Addresses

Why? nACLs are used at the subnet level, whereas security groups act at the instance level.


Fill in the blanks: _________ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.

A. Tags
B. special filters
C. pointers
D. functions

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html "To help you manage your instances, images, and other Amazon EC2 resources, you can optionally assign your own metadata to each resource in the form of tags."


How many types of block devices does Amazon EC2 support?

A. 2
B. 4
C. 3
D. 1

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html "Amazon EC2 supports two types of block devices: Instance store volumes (virtual devices whose underlying hardware is physically attached to the host computer for the instance); EBS volumes (remote storage devices)"


You must assign each server to at least _____ security group

A. 3
B. 2
C. 4
D. 1

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html "A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance."


What are the initial settings of a user-created security group?

A. Allow all inbound traffic and Allow no outbound traffic
B. Allow no inbound traffic and Allow no outbound traffic
C. Allow no inbound traffic and Allow all outbound traffic
D. Allow all inbound traffic and Allow all outbound traffic

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#default-security-group "A default security group is named default, and it has an ID assigned by AWS. The following are the initial settings for each default security group: Allow inbound traffic only from other instances associated with the default security group; Allow all outbound traffic from the instance"



Fill in the blanks: The base URI for all requests for instance metadata is ___________

A. http://254.169.169.254/latest/
B. http://169.169.254.254/latest/
C. http://127.0.0.1/latest/
D. http://169.254.169.254/latest/

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html "To view all categories of instance metadata from within a running instance, use the following URI: http://169.254.169.254/latest/meta-data/"


While creating the snapshots using the command line tools, which command should I be using?

A. ec2-deploy-snapshot
B. ec2-fresh-snapshot
C. ec2-create-snapshot
D. ec2-new-snapshot

Why? http://docs.aws.amazon.com/cli/latest/reference/ec2/create-snapshot.html


What are the Amazon EC2 API tools?

A. They don’t exist. The Amazon EC2 AMI tools, instead, are used to manage permissions.
B. Command-line tools to the Amazon EC2 web service.
C. They are a set of graphical tools to manage EC2 instances.
D. They don’t exist. The Amazon API tools are a client interface to Amazon Web Services.

Why? https://aws.amazon.com/developertools/351 "The API tools serve as the client interface to the Amazon EC2 web service. Use these tools to register and launch instances, manipulate security groups, and more."


Fill in the blanks: _________ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.

A. wildcards
B. pointers
C. tags
D. special filters

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html


What does the following command do with respect to the Amazon EC2 security groups? ec2-revoke RevokeSecurityGroupIngress

A. Removes one or more security groups from a rule.
B. Removes one or more security groups from an Amazon EC2 instance.
C. Removes one or more rules from a security group.
D. Removes a security group from our account.

Why? http://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html "Removes one or more ingress rules from a security group."


Can I move a Reserved Instance from one Region to another?

A. No
B. Only if they are moving into GovCloud
C. Yes
D. Only if they are moving to US East from another region

Why? https://aws.amazon.com/ec2/faqs/ "Q: Can I transfer a Convertible or Standard Reserved Instance from one region to another? No, a Reserved Instance is associated with a specific region, which is fixed for the duration of the reservation's term." You can, though, move them within the Region between Availability Zones.


What does specifying the mapping /dev/sdc=none when launching an instance do?

A. Prevents /dev/sdc from creating the instance.
B. Prevents /dev/sdc from deleting the instance.
C. Set the value of /dev/sdc to ‘zero’.
D. Prevents /dev/sdc from attaching to the instance.

Why? http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/ec2-clt.pdf "Each entry is passed in the form <devicename>=<blockdevice>. The devicename is the device name of the physical device on the instance to map, and blockdevice can be one of the following values:
• none – Suppresses an existing mapping of the device from the AMI used to launch the instance. For example: "/dev/sdc=none"."


What does the following command do with respect to the Amazon EC2 security groups? ec2-create-group CreateSecurityGroup

A. Groups the user created security groups in to a new group for easy access.
B. Creates a new security group for use with your account.
C. Creates a new group inside the security group.
D. Creates a new rule inside the security group.

Why? http://docs.aws.amazon.com/cli/latest/reference/ec2/create-security-group.html "Creates a security group. A security group is for use with instances either in the EC2-Classic platform or in a specific VPC."


While performing the volume status checks, if the status is insufficient-data, what does it mean?

A. the checks may still be in progress on the volume
B. the check has passed
C. the check has failed

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html#monitoring-volume-checks "Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. If all checks pass, the status of the volume is ok. If a check fails, the status of the volume is impaired. If the status is insufficient-data, the checks may still be in progress on the volume. You can view the results of volume status checks to identify any impaired volumes and take any necessary actions."


While creating the snapshots using the API, which Action should I be using?

A. MakeSnapShot
B. FreshSnapshot
C. DeploySnapshot
D. CreateSnapshot

Why? http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateSnapshot.html


Please select the Amazon EC2 resource which cannot be tagged.

A. Images (AMIs, kernels, RAM disks)
B. Amazon EBS volumes
C. Elastic IP addresses
D. VPCs

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions "Elastic IP, Tagging Support: No"


The one-time payment for Reserved Instances is __________ refundable if the reservation is cancelled.

A. always
B. in some circumstances
C. never

Why? https://aws.amazon.com/ec2/pricing/reserved-instances/buyer/ "Purchases of Reserved Instances are non-refundable."


Amazon EC2 has no Amazon Resource Names (ARNs) because you can’t specify a particular Amazon EC2 resource in an IAM policy.

A. TRUE
B. FALSE

Why? http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-ec2


Can I detach the primary (eth0) network interface when the instance is running or stopped?

A. Yes, You can.
B. No. You cannot
C. Depends on the state of the interface at the time

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#detach_eni "You cannot detach a primary network interface from an instance"


What’s an ECU?

A. Extended Cluster User.
B. None of these.
C. Elastic Computer Usage.
D. Elastic Compute Unit.

Why? https://aws.amazon.com/ec2/faqs/ "The EC2 Compute Unit (ECU)"


Amazon EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. What is the monthly charge for using the public data sets?

A. A 1 time charge of 10$ for all the datasets.
B. 1$ per dataset per month
C. 10$ per month for all the datasets
D. There is no charge for using the public data sets

Why? https://aws.amazon.com/public-data-sets/ "AWS hosts a variety of public datasets that anyone can access for free."


The Amazon EC2 web service can be accessed using the _____ web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document.

A. SOAP
B. DCOM
C. CORBA
D. XML-RPC

Why? http://docs.aws.amazon.com/AWSECommerceService/latest/DG/WSDLLocation.html "The WSDL contains all the API endpoints. To select the required endpoint, see your SOAP framework."


You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers

A. Amazon EC2 placement groups
B. Enhanced networking
C. Amazon PV AMI
D. Amazon HVM AMI
E. Amazon Linux
F. Amazon VPC

Why? Rule out A, as a placement group cannot span multiple AZs. After this, you can check this: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/virtualization_types.html "HVM AMIs are required to take advantage of enhanced networking and GPU processing. In order to pass through instructions to specialized network and GPU devices, the OS needs to be able to have access to the native hardware platform; HVM virtualization provides this access. For more information, see Enhanced Networking and Linux Accelerated Computing Instances." This rules out PV AMI and VPC.


By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates?

A. Remain as is
B. Terminate
C. Hibernate
D. Pause

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#change_term_behavior "By default, elastic network interfaces that are automatically created and attached to instances using the console are set to terminate when the instance terminates. However, network interfaces created using the command line interface aren't set to terminate when the instance terminates."


Select the correct set of steps for exposing the snapshot only to specific AWS accounts

A. Select Public for all the accounts and check mark those accounts with whom you want to expose the snapshots and click Save.
B. Select Private, enter the IDs of those AWS accounts, and click Save.
C. Select Public, enter the IDs of those AWS accounts, and click Save.
D. Select Public, mark the IDs of those AWS accounts as private, and click Save.

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html "To expose the snapshot to only specific AWS accounts, choose Private, enter the ID of the AWS account (without hyphens) in the AWS Account Number field, and choose Add Permission. Repeat until you've added all the required AWS accounts."


Which DNS name can only be resolved within Amazon EC2?

A. Internal DNS name
B. External DNS name
C. Global DNS name
D. Private DNS name

Why? https://aws.amazon.com/about-aws/whats-new/2014/11/05/amazon-route-53-now-supports-private-dns-with-amazon-vpc/ "You can use the Route 53 Private DNS feature to manage authoritative DNS within your Virtual Private Clouds (VPCs), so you can use custom domain names for your internal AWS resources without exposing DNS data to the public Internet."


Select the correct statement:

A. You don’t need to specify the resource identifier while stopping a resource
B. You can terminate, stop, or delete a resource based solely on its tags
C. You can’t terminate, stop, or delete a resource based solely on its tags
D. You don’t need to specify the resource identifier while terminating a resource

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions "You can't terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier."


Select the incorrect statement

A. In Amazon EC2, the private IP address is only returned to Amazon EC2 when the instance is stopped or terminated
B. In Amazon VPC, an instance retains its private IP addresses when the instance is stopped.
C. In Amazon VPC, an instance does NOT retain its private IP addresses when the instance is stopped.
D. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime

Why? C is false; an instance does retain its private IP when stopped.


Making your snapshot public shares all snapshot data with everyone. Can the snapshots with AWS Marketplace product codes be made public?

A. No
B. Yes

Why? http://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifyImageAttribute.html "AWS Marketplace product codes cannot be modified. Images with an AWS Marketplace product code cannot be made public."


If I write the below command, what does it do?
ec2-run ami-e3a5408a -n 20 -g appserver

A. Start twenty instances as members of appserver group.
B. Creates 20 rules in the security group named appserver
C. Terminate twenty instances as members of appserver group.
D. Start 20 security groups

Why? http://docs.aws.amazon.com/cli/latest/reference/ec2/run-instances.html


All Amazon EC2 instances are assigned two IP addresses at launch, out of which one can only be reached from within the Amazon EC2 network?

A. Multiple IP address
B. Public IP address
C. Private IP address
D. Elastic IP Address

Why? Private addresses can only be reached inside the VPC.


If I want an instance to have a public IP address, which IP address should I use?

A. Elastic IP Address
B. Class B IP Address
C. Class A IP Address
D. Dynamic IP Address

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html


When will you incur costs with an Elastic IP address (EIP)?

A. When an EIP is allocated.
B. When it is allocated and associated with a running instance.
C. When it is allocated and associated with a stopped instance.
D. Costs are incurred regardless of whether the EIP is associated with a running instance.

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Stop_Start.html "EC2-VPC: The instance retains its associated Elastic IP addresses. You're charged for any Elastic IP addresses associated with a stopped instance."


You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?

A. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32
B. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
C. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32
D. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source 72.34.51.100/0

Why? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html "For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to list this single IP address in CIDR notation." You can also rule out the UDP protocol right away, and /0 is a bad IP mask.


If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should:

A. Launch the instance from a private Amazon Machine Image (AMI).
B. Assign a group of sequential Elastic IP address to the instances.
C. Launch the instances in the Amazon Virtual Private Cloud (VPC).
D. Launch the instances in a Placement Group.
E. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.

Why? http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html "When you launch an instance into a VPC, a primary private IP address from the address range of the subnet is assigned to the default network interface (eth0) of the instance. Each instance is also given an internal DNS hostname that resolves to the private IP address of the instance."


An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

A. The outbound security group needs to be modified to allow outbound traffic.
B. The outbound network ACL needs to be modified to allow outbound traffic.
C. Nothing, it can be accessed from any IP address using SSH.
D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

Why? Security Groups are stateful and nACLs are stateless, meaning that you need to allow both incoming and outgoing SSH traffic in the stateless nACL, whereas a Security Group only requires the rule to be found in either the incoming or the outgoing rules.
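The two reasoning points above (the /32 versus /0 source mask and TCP versus UDP for the bastion rule, and stateful security groups versus stateless nACLs) as an added Python model; this is my own illustration, not code from the post or from AWS. It assumes a simplified filter (first-match rules, no rule numbers on the security group) and uses the question's 72.34.51.100 plus a constructed client address from the documentation range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A packet as seen from the instance: inbound packets arrive at
    local_port, outbound packets leave local_port towards remote_port."""
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str
    port_range: tuple       # inclusive (low, high), the console's "Port Range"
    cidr: str               # source (inbound) or destination (outbound) CIDR
    action: str = "allow"   # nACLs also have "deny"; security groups only allow

    def matches(self, pkt):
        # Inbound rules govern the port on the instance; outbound rules govern
        # the destination port on the remote side, as in the AWS console.
        port = pkt.local_port if pkt.direction == "inbound" else pkt.remote_port
        remote = ipaddress.ip_address(pkt.remote_ip)
        return (self.direction == pkt.direction
                and self.protocol == pkt.protocol
                and self.port_range[0] <= port <= self.port_range[1]
                and remote in ipaddress.ip_network(self.cidr, strict=False))


class SecurityGroup:
    """Stateful: once a flow is allowed in one direction, its return traffic
    is allowed automatically, whatever the rules for that direction say."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()      # connection-tracking table

    def allows(self, pkt):
        flow = (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.flows:
            return True
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is judged on its own against the numbered
    rules, lowest number first; the implicit final rule denies everything."""
    def __init__(self, numbered_rules):
        self.rules = [r for _, r in sorted(numbered_rules, key=lambda nr: nr[0])]

    def allows(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


def ssh_session(filt, client_ip="72.34.51.100", client_port=51515):
    """True only if the client's SYN to port 22 and the instance's reply pass."""
    syn = Packet("inbound", "tcp", client_ip, client_port, 22)
    reply = Packet("outbound", "tcp", client_ip, client_port, 22)
    return filt.allows(syn) and filt.allows(reply)


ANY = "0.0.0.0/0"


def sg_allows_ssh_despite_no_outbound_rule():
    # The question's security group: SSH from anywhere, no outbound rule at all.
    sg = SecurityGroup([Rule("inbound", "tcp", (22, 22), ANY)])
    return ssh_session(sg)          # True: the reply rides on the tracked flow


def nacl_blocks_ssh_without_outbound_rule():
    # Same intent on a stateless nACL: the reply packet has no matching rule.
    nacl = NetworkAcl([(100, Rule("inbound", "tcp", (22, 22), ANY))])
    return ssh_session(nacl)        # False


def nacl_allows_ssh_with_ephemeral_outbound_rule():
    # The fix: an outbound allow covering the client's ephemeral port range.
    nacl = NetworkAcl([(100, Rule("inbound", "tcp", (22, 22), ANY)),
                       (100, Rule("outbound", "tcp", (1024, 65535), ANY))])
    return ssh_session(nacl)        # True


def bastion_accepts(source_cidr, client_ip, protocol="tcp"):
    """Does a bastion security group with one inbound port-22 rule admit client_ip?"""
    sg = SecurityGroup([Rule("inbound", protocol, (22, 22), source_cidr)])
    return ssh_session(sg, client_ip=client_ip)


def bastion_rule_scope(cidr):
    """Number of source addresses the rule admits: /32 is one host, /0 is all."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses
```

Running `bastion_accepts("72.34.51.100/0", "198.51.100.7")` (198.51.100.7 being a constructed, non-corporate address) returns True, which is why option D's /0 mask fails the requirement even though it names the corporate IP.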


A company is building a two-tier web application to serve dynamic transaction-based content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What services should you leverage to enable an elastic and scalable web tier?

A. Elastic Load Balancing, Amazon EC2, and Auto Scaling
B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3
C. Amazon RDS with Multi-AZ and Auto Scaling
D. Amazon EC2, Amazon DynamoDB, and Amazon S3

Why? The DB tier is already provided, hence you should focus on the web tier in the answer.


Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:

A. May be performed by AWS, and will be performed by AWS upon customer request.
B. May be performed by AWS, and is periodically performed by AWS.
C. Are expressly prohibited under all circumstances.
D. May be performed by the customer on their own instances with prior authorization from AWS.
E. May be performed by the customer on their own instances, only if performed from EC2 instances

Why? https://aws.amazon.com/security/penetration-testing/ "To request permission, you must be logged into the AWS portal using the root credentials associated with the instances you wish to test, otherwise the form will not pre-populate correctly. If you have hired a third party to conduct your testing, we suggest that you complete the form and then notify your third party when we grant approval."


You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the internet. What should you do to enable Internet access?

A. Deploy a NAT instance into the public subnet.
B. Assign an Elastic IP address to the fourth instance.
C. Configure a publicly routable IP Address in the host OS of the fourth instance.
D. Modify the routing table for the public subnet.


A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?

A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.
D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

Why? You can rule out B, as it speaks of SSH. C speaks of placing the Bastion in a private subnet (which would prevent access from the Internet). The same logic applies to A.

