Raghavendra KambhampatiAWS SA Associate Practice Questions-10
Updated: Jul 17, 2020
301. Your department creates regular analytics reports from your company’s log files All log data is collected in Amazon 53 and processed by daily Amazon Elastic MapReduce (EMR) jobs that generate daily PDF reports and aggregated tables in CSV format for an Amazon Redshift data warehouse.Your CFO requests that you optimize the cost structure for this system.Which of the following alternatives will lower costs without compromising average performance of the system or data integrity for the raw data?
A. Use reduced redundancy storage (RRS) for all data In 53. Use a combination of Spot Instances and Reserved Instances for Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
B. Use reduced redundancy storage (RRS) for PDF and .csv data in 53. Add Spot Instances to EMR jobs.Use Spot Instances for Amazon Redshift.
C. Use reduced redundancy storage (RRS) for PDF and .csv data In Amazon 53. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
D. Use reduced redundancy storage (RRS) for all data in Amazon 53. Add Spot Instances to Amazon EMR jobs. Use Reserved Instances for Amazon Redshift.
Answer: C
Explanation:
Using Reduced Redundancy Storage Amazon 53 stores objects according to their storage class. It assigns the storage class to an object when
it is written to Amazon 53. You can assign objects a specific sto rage class (standard or reduced
redundancy) only when you write the objects to an Amazon 53 bucket or when you copy objects that are
already stored in Amazon 53. Standard is the default storage class. For information about storage classes,
see Object Key and Metadata.
In order to reduce storage costs, you can use reduced redundancy storage for noncritical, reproducible data
at lower levels of redundancy than Amazon 53 provides with standard storage. The lower level of
redundancy results in less durability and availability, but in many cases, the lower costs can make
reduced redundancy storage an acceptable storage solution. For example, it can be a cost effective
solution for sharing media content that is durably stored elsewhere. It can also make sense if you are
storing thumbnails and other resized images that can be easily reproduced from an original image.
Reduced redundancy storage is designed to provide 99.99% durability of objects over a given year.
This durability level corresponds to an average annual expected loss of 0.01% of objects. For example, if
you store 10,000 objects using the RRS option, you can, on average, expect to incur an annual loss of a
single object per year (0.01% of 10,000 objects).
Note
This annual loss represents an expected average and does not guarantee the loss of less than 0.01% of
objects in a given year.
Reduced redundancy storage stores objects on multiple devices across multiple facilities, providing 400
times the durability of a typical disk drive, but it does not replicate objects as many times as Amazon 53
standard storage. In addition, reduced redundancy storage is designed to sustain the loss of data in a
single facility.
If an object in reduced redundancy storage has been lost, Amazon 53 will return a 405 error on requests
made to that object. Amazon 53 also offers notifications for reduced redundancy storage object loss: you
can configure your bucket so that when Amazon 53 detects the loss of an RRS object, a notification will
be sent through Amazon Simple Notification Service (Amazon SNS). You can then replace the lost object.
To enable notifications, you can use the Amazon 53 console to set the Notifications property of your bucket.
302. You are the new IT architect in a company that operates a mobile sleep tracking application
When activated at night, the mobile app is sending collected data points of 1 kilobyte every 5 minutes to
your backend
The backend takes care of authenticating the user and writing the data points into an Amazon DynamoDB
table.
Every morning, you scan the table to extract and aggregate last night’s data on a per user basis, and store
the results in Amazon 53.
Users are notified via Amazon 5NI5 mobile push notifications that new data is available, which is parsed
and visualized by (The mobile app Currently you have around IOOk users who are mostly based out of
North America.
You have been tasked to optimize the architecture of the backend system to lower cost what would you
recommend? (Choose 2 answers}
A. Create a new Amazon DynamoDB (able each day and drop the one for the previous day after its data is
on Amazon 53.
B. Have the mobile app access Amazon DynamoDB directly instead of J50N files stored on Amazon 53.
C. Introduce an Amazon SQS queue to buffer writes to the Amazon DynamoDB table and reduce
provisioned write throughput.
D. Introduce Amazon Elasticache Io cache reads from the Amazon DynamoDB table and reduce
provisioned read throughput.
E. Write data directly into an Amazon Redshift cluster replacing both Amazon DynamoDB and Amazon 53.
Answer: B, D
303. Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in
high resolution MP4 format. Your workforce is distributed globally often on the move and using
company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your
company has no video transcoding expertise and it required you may need to pay for a consultant.
How do you implement the most cost-efficient architecture without compromising high availability and
quality of video delivery’?
A. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the
number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to
incrementally backup original files after a few days. CIoudFront to serve HLS transcoded videos from EC2.
B. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. EBS volumes to host videos
and EBS snapshots to incrementally backup original files after a few days. CIoudFront to serve HLS
transcoded videos from EC2.
C. Elastic Transcoder to transcode original high-resolution NIP4 videos to HLS. 53 to host videos with
Lifecycle Management to archive original files to Glacier after a few days. C|oudFront to serve HLS
transcoded videos from 53.
D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust
the number of nodes depending on the length of the queue. 53 to host videos with Lifecycle Management to
archive all files to Glacier after a few days. CIoudFront to serve HLS transcoded videos from Glacier.
Answer: C
304. You’ve been hired to enhance the overall security posture for a very large e-commerce site They have
a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the
app
tier with static assets served directly from 53 They are using a combination of RDS and DynamoOB for their
dynamic data and then archMng nightly into 53 for further processing with EMR
They are concerned because they found QUESTION able log entries and suspect someone is attempting to
gain unauthorized access.
Which approach provides a cost effective scalable mitigation to this kind of attack?
A. Recommend that they lease space at a DirectConnect partner location and establish a IG DirectConnect
connection to their vPC they would then establish Internet connectMty into their space, filter the traffic in
hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection
into their application running in their VPC,
B. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier sub net.
C. Add a WAF tier by creating a new ELB and an AutoScaIing group of EC2 Instances running a host based
WAF They would redirect Route 53 to resolve to the new WAF tier ELB The WAF tier would thier pass the
traffic to the current web tier The web tier Security Groups would be updated to only allow traffic from the
WAF tier Security Group
D. Remove all but TLS 1 2 from the web tier ELB and enable Advanced Protocol Filtering This will enable
the ELB itself to perform WAF functionality.
Answer: C
305. You currently operate a web application In the AWS US-East region The application runs on an
autoscaled layer of EC2 instances and an RDS Multi-AZ database Your IT security compliance officer has
tasked you to develop a reliable and durable logging solution to track changes made to your EC2.1AM And
RDS resources. The solution must ensure the integrity and confidentiality of your log data. Which of these
solutions would you recommend?
A. Create a new C|oudTraiI trail with one new 53 bucket to store the logs and with the global services option
selected Use IAM roles 53 bucket policies and Multi Factor Authentication (MFA) Delete on the 53 bucket
that stores your logs.
B. Create a new CIoudTraiI with one new 53 bucket to store the logs Configure SNS to send log file delivery
notifications to your management system Use IAM roles and 53 bucket policies on the 53 bucket mat stores
your logs.
C. Create a new CIoudTraiI trail with an existing 53 bucket to store the logs and with the global services
option selected Use 53 ACLs and Multi Factor Authentication (MFA) Delete on the 53 bucket that stores
your logs.
D. Create three new C|oudTrai| trails with three new 53 buckets to store the logs one for the AWS
Management console, one for AWS 5DKs and one for command line tools Use IAM roles and 53 bucket
policies on the 53 buckets that store your logs.
Answer: A
306. An enterprise wants to use a third-party SaaS application. The SaaS application needs to have access
to issue several API commands to discover Amazon EC2 resources running within the enterprise’s account
The enterprise has internal security policies that require any outside access to their environment must
conform to the principles of least prMlege and there must be controls in place to ensure that the
credentials used by the 5aa5 vendor cannot be used by any other third party. Which of the following would
meet all of these conditions?
A. From the AW5 Management Console, navigate to the Security Credentials page and retrieve the access
and secret key for your account.
B. Create an IAM user within the enterprise account assign a user policy to the IAM user that allows only
the actions required by the SaaS application create a new access and secret key for the user and provide
these credentials to the 5aa5 provider.
C. Create an IAM role for cross-account access allows the SaaS provider’s account to assume the role and
assign it a policy that allows only the actions required by the SaaS application.
D. Create an IAM role for EC2 instances, assign it a policy that allows only the actions required tor the Saas
application to work, provide the role ARM to the SaaS provider to use when launching their application
instances.
Answer: C
Explanation:
Granting Cross-account Permission to objects It Does Not Own
In this example scenario, you own a bucket and you have enabled other AWS accounts to upload objects.
That is, your bucket can have objects that other AWS accounts own.
Now, suppose as a bucket owner, you need to grant cross-account permission on objects, regardless of
who the owner is, to a user in another account. For example, that user could be a billing application that
needs to access object metadata. There are two core issues:
The bucket owner has no permissions on those objects created by other AWS accounts. So for the bucket
owner to grant permissions on objects it does not own, the object owner, the AWS account that created the
objects, must first grant permission to the bucket owner. The bucket owner can then delegate those
permissions.
Bucket owner account can delegate permissions to users in its own account but it cannot delegate
permissions to other AWS accounts, because cross-account delegation is not supported.
In this scenario, the bucket owner can create an AWS Identity and Access Management (IAM) role with
permission to access objects, and grant another AWS account permission to assume the role temporarily
enabling it to access objects in the bucket.
Background: Cross-Account Permissions and Using IAM Roles
IAM roles enable several scenarios to delegate access to your resources, and cross-account access is
one of the key scenarios. In this example, the bucket owner, Account A, uses an IAM role to temporarily
delegate object access cross-account to users in another AWS account, Account C. Each IAM role you
create has two policies attached to it:
A trust policy identifying another AWS account that can assume the role.
An access policy defining what permissions-for example, s3:Get0bject-are allowed when someone
assumes the role. For a list of permissions you can specify in a policy, see Specifying Permissions in a
Policy.
The AWS account identified in the trust policy then grants its user permission to assume the role. The user
can then do the following to access objects:
Assume the role and, in response, get temporary security credentials. Using the temporary security
credentials, access the objects in the bucket.
For more information about IAM roles, go to Roles (Delegation and Federation) in IAM User Guide. The
following is a summary of the walkthrough steps:
Account A administrator user attaches a bucket policy granting Account B conditional permission to upload
objects.
Account A administrator creates an IAM role, establishing trust with Account C, so users in that account can
access Account A. The access policy attached to the ro Ie limits what user in Account C can do when the
user accesses Account A.
Account B administrator uploads an object to the bucket owned by Account A, granting full —controI
permission to the bucket owner.
Account C administrator creates a user and attaches a user policy that allows the user to assume the role.
User in Account C first assumes the role, which returns the user temporary security credentials.
Using those temporary credentials, the user then accesses objects in the bucket.
For this example, you need three accounts. The following table shows how we refer to these accounts and
the administrator users in these accounts. Per IAM guidelines (see About Using an Administrator User to
Create Resources and Grant Permissions) we do not use the account root
credentials in this walkthrough. Instead, you create an administrator user in each account and use those
credentials in creating resources and granting them permissions
307. You are designing a data leak prevention solution for your VPC environment. You want your VPC
Instances to be able to access software depots and distributions on the Internet for product updates. The
depots and distributions are accessible via third party CONs by their URLs. You want to explicitly deny any
other outbound connections from your VPC instances to hosts on the internet.
Which of the following options would you consider?
A. Configure a web proxy server in your VPC and enforce URL-based ru les for outbound access Remove
default routes.
B. Implement security groups and configure outbound rules to only permit traffic to software depots.
C. Move all your instances into private VPC subnets remove default routes from all routing tables and add
specific routes to the software depots and distributions only.
D. Implement network access control lists to all specific destinations, with an Implicit deny as a rule.
Answer: A
308. An administrator is using Amazon CIoudFormation to deploy a three tier web application that consists
of a web tier and application tier that will utilize Amazon DynamoDB for storage when creating the
CIoudFormation template which of the following would allow the application instance access to the
DynamoDB tables without exposing API credentials?
A. Create an Identity and Access Management Role that has the required permissions to read and write
from the required DynamoDB table and associate the Role to the application instances by referencing an
instance profile.
B. Use the Parameter section in the Cloud Formation template to nave the user input Access and Secret
Keys from an already created IAM user that has me permissions required to read and write from the
required DynamoDB table.
C. Create an Identity and Access Management Role that has the required permissions to read and write
from the required DynamoDB table and reference the Role in the instance profile property of the application
instance.
D. Create an identity and Access Management user in the CIoudFormation template that has permissions
to read and write from the required DynamoDB table, use the GetAtt function to retrieve the Access and
secret keys and pass them to the application instance through user-data.
Answer: C
309. An AWS customer is deploying an application mat is composed of an AutoScaIing group of EC2
Instances.
The customers security policy requires that every outbound connection from these instances to any other
service within the customers Virtual Private Cloud must be authenticated using a unique x 509 certificate
that contains the specific instance-id.
In addition an x 509 certificates must Designed by the customer’s Key management service in order to be
trusted for authentication.
Which of the following configurations will support these requirements?
A. Configure an IAM Role that grants access to an Amazon 53 object containing a signed certificate and
configure me Auto Scaling group to launch instances with this role Have the instances bootstrap get the
certificate from Amazon 53 upon first boot.
B. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group Have the
launched instances generate a certificate signature request with the instance’s assigned instance- id to
the Key management service for signature.
C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the
trusted key management service. Have the Key management service generate a signed certificate and
send it directly to the newly launched instance.
D. Configure the launched instances to generate a new certificate upon first boot Have the Key
management service poll the AutoScaIing group for associated instances and send new instances a
certificate signature (hat contains the specific instance-id.
Answer: A
310. Your company has recently extended its datacenter into a VPC on AVVS to add burst computing
capacity as needed Members of your Network Operations Center need to be able to go to the AWS
Management Console and administer Amazon EC2 instances as necessary You don’t want to create new
IAM users for each NOC member and make those users sign in again to the AWS Management Console
Which option below will meet the needs for your NOC members?
A. Use OAuth 2 0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to
the AVVS Management Console.
B. Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC
members to sign in to the AWS Management Console.
C. Use your on-premises SAML 2.0-compliant identity provider (IOP) to grant the NOC members federated
access to the AWS Management Console via the AWS sing Ie sign-on (550) endpoint.
D. Use your on-premises SAML2.0-comp|iam identity provider (IOP) to retrieve temporary security
credentials to enable NOC members to sign in to the AWS Management Console.
Answer: D
311. You are designing an SSUTLS solution that requires HTIPS clients to be authenticated by the Web
server using client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the web server infrastructure? (Choose 2
answers)
A. Configure ELB with TCP listeners on TCP/4d3. And place the Web servers behind it.
B. Configure your Web servers with EIPS Place the Web servers in a Route53 Record Set and configure
health checks against all Web servers.
C. Configure ELB with HTIPS listeners, and place the Web servers behind it.
D. Configure your web servers as the origins for a Cloud Front distribution. Use custom SSL certificates on
your Cloud Front distribution.
Answer: A, B
312. You are designing a connectMty solution between on-premises infrastructure and Amazon VPC. Your
server’s on-premises will De communicating with your VPC instances. You will De establishing IPSec
tunnels over the internet You will be using VPN gateways and terminating the IPsec tunnels on AWS
supported customer gateways.
Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above?
(Choose 4 answers)
A. End-to-end protection of data in transit
B. End-to-end Identity authentication
C. Data encryption across the Internet
D. Protection of data in transit over the Internet
E. Peer identity authentication between VPN gateway and customer gateway
F. Data integrity protection across the Internet
Answer: C, 0, E, F
313. You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application
in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from
the Internet.
Which of the following options would you consider? (Choose 2 answers)
A. Implement IDS/IPS agents on each Instance running In VPC
B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and
analyze network traffic.
C. Implement Elastic Load Balancing with SSL listeners In front of the web applications
D. Implement a reverse proxy layer in front of web servers and configure IDS/ IPS agents on each reverse
proxy server.
Answer: B, D
314. You are designing a photo sharing mobile app the application will store all pictures in a single Amazon
53 bucket.
Users will upload pictures from their mobile device directly to Amazon 53 and will be able to view and
download their own pictures directly from Amazon 53.
You want to configure security to handle potentially millions of users in the most secure manner possible.
What should your server-side application do when a new user registers on the photo sharing mobile
application?
A. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions
Store these credentials in the mobile app and use them to access Amazon 53.
B. Record the user’s Information in Amazon RDS and create a role in IAM with appropriate permissions.
When the user uses their mobile app create temporary credentials using the AWS Security Token Service
‘Assume Role’ function Store these credentials in the mobile app’s memory and use them to access
Amazon 53 Generate new credentials the next time the user runs the mobile app.
C. Record the user’s Information In Amazon DynamoDB. When the user uses their mobile app create
temporary credentials using AWS Security Token Service with appropriate permissions Store these
credentials in the mobile app’s memory and use them to access Amazon 53 Generate new credentials the
next time the user runs the mobile app.
D. Create IAM user. Assign appropriate permissions to the IAM user Generate an access key and secret
key for the IAM user, store them in the mobile app and use these credentials to access Amazon 53.
E. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user Generate an
access Key and secret Key for the IAM user, store them In the mobile app and use these credentials to
access Amazon 53.
Answer: B
315. You have an application running on an EC2 Instance which will allow users to download fl ies from a
private 53 bucket using a pre-assigned URL. Before generating the URL the application should verify the
existence of the fi Ie in 53.
How should the application use AWS credentials to access the 53 bucket securely?
A. Use the AWS account access Keys the application retrieves the credentials from the source code of the
application.
B. Create an IAM user for the application with permissions that allow list access to the 53 bucket launch the
instance as the IAM user and retrieve the IAM user’s credentials from the EC2 instance user data.
C. Create an IAM role for EC2 that allows list access to objects in the 53 bucket. Launch the instance with
the role, and retrieve the roIe’s credentials from the EC2 Instance metadata
D. Create an IAM user for the application with permissions that allow list access to the 53 bucket. The
application retrieves the IAM user credentials from a temporary directory with permissions that allow read
access only to the application user.
Answer: C
316. You are designing a social media site and are considering how to mitigate distributed denial-of service
(DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
A. Add multiple elastic network interfaces (ENis) to each EC2 instance to increase the network bandwidth.
B. Use dedicated instances to ensure that each instance has the maximum performance possible.
C. Use an Amazon C|oudFront distribution for both static and dynamic content.
D. Use an Elastic Load Balancer with auto scaling groups at the web. App and Amazon Relational
Database Service (RDS) tiers
E. Add alert Amazon CIoudWatch to look for high Network in and CPU utilization.
F. Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
Answer: C, E, F
317. A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which
includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned
capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra
overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon
investigation using CIoudWatch and other monitoring tools it is discovered that there is an extremely large
and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from
a country where the benefits company has no customers. The web tier instances are so overloaded that
benefit enrollment administrators cannot even SSH into them. Which actMty would be useful in defending
against this attack?
A. Create a custom route table associated with the web tier and block the attacking IP addresses from the
IGW (Internet Gateway)
B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main
Route Table with the new EIP
C. Create 15 Security Group rules to block the attacking IP addresses over port 80
D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny
rules to block the attacking IP addresses
Answer: D
Explanation:
Use AWS Identity and Access Management (IAM) to control who in your organization has permission to
create and manage security groups and network ACLs (NACL). Isolate the responsibilities and roles for
better defense. For example, you can give only your network administrators or security ad min the
permission to manage the security groups and restrict other roles.
318. Your fortune 500 company has under taken a TCO analysis evaluating the use of Amazon 53 versus
acquiring more hardware The outcome was that ail employees would be granted access to use Amazon 53
for storage of their personal documents.
Which of the following will you need to consider so you can set up a solution that incorporates single
sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user
folder in a bucket? (Choose 3 Answers)
A. Setting up a federation proxy or identity provider
B. Using AWS Security Token Service to generate temporary tokens
C. Tagging each folder in the bucket
D. Configuring IAM role
E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in
the bucket
Answer: A, B, D
319. Your company policies require encryption of sensitive data at rest. You are considering the possible
options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance.
Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
A. Implement third party volume encryption tools
B. Do nothing as EBS volumes are encrypted by default
C. Encrypt data inside your applications before storing it on EBS
D. Encrypt data using native data encryption drivers at the file system level
E. Implement SSL/TLS for all services running on the server
Answer: A, C, D
320. You have a periodic Image analysis application that gets some files In Input analyzes them and tor
each file writes some data in output to a ten file the number of files in input per day is high and concentrated
in a few hours of the day.
Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results it
takes almost 20 hours per day to complete the process
What services could be used to reduce the elaboration time and improve the availability of the solution?
A. 53 to store 1/0 files. SOS to distribute elaboration commands to a group of hosts working in parallel. Auto
scaling to dynamically size the group of hosts depending on the length of the SOS queue
B. EBS with Provisioned IOPS (PIOPS) to store 1/0 files. SNS to distribute elaboration commands to a
group of hosts working in parallel Auto Scaling to dynamically size the group of hosts depending on the
number of SNS notifications
C. 53 to store 1/0 files, SNS to distribute evaporation commands to a group of hosts working in parallel.
Auto scaling to dynamically size the group of hosts depending on the number of SNS notifications
D. EBS with Provisioned IOPS (PIOPS) to store 1/0 files SOS to distribute elaboration commands to a
group of hosts working in parallel Auto Scaling to dynamically size the group ot hosts depending on the
length of the SOS queue.
Answer: D
Explanation:
Amazon EBS allows you to create storage volumes and attach them to Amazon EC2 instances. Once
attached, you can create a file system on top of these volumes, run a database, or use them in any other
way you would use a block device. Amazon EBS volumes are placed in a specific Availability Zone, where
they are automatically replicated to protect you from the failure of a single component.
Amazon EBS provides three volume types: General Purpose (SSD), Provisioned IOPS (SSD), and
Magnetic. The three volume types differ in performance characteristics and cost, so you can choose the
right storage performance and price for the needs of your applications. All EBS volume types offer the same
durable snapshot capabilities and are designed for 99.999% availability.
321. You require the ability to analyze a customer’s clickstream data on a website so they can do
behavioral analysis. Your customer needs to know what sequence of pages and ads their customer clicked
on. This data will be used in real time to modify the page layouts as customers click through the site to
increase stickiness and advertising click-through. Which option meets the requirements for captioning and
analyzing this data?
A. Log clicks in weblogs by URL store to Amazon 53, and then analyze with Elastic MapReduce
B. Push web clicks by session to Amazon Kinesis and analyze behavior using Kinesis workers
C. Write click events directly to Amazon Redshift and then analyze with SQL
D. Publish web clicks by session to an Amazon SQS queue men periodically drain these events to Amazon
RDS and analyze with sol
Answer: B
Explanation:
Reference: http:/ /www.slideshare.net/AmazonWebServices/aws-webcast-introduction-to-amazon-kinesis
322. An AWS customer runs a public blogging website. The site users upload two million blog entries a
month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months
after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries
have a high update rate during the first 3 months following publication, this drops to no updates after 6
months. The customer wants to use CIoudFront to improve his user’s load times.
Which of the following recommendations would you make to the customer?
A. Duplicate entries into two different buckets and create two separate CIoudFront distributions where 53
access is restricted only to Cloud Front identity
B. Create a CIoudFront distribution with “US” Europe price class for US/ Europe users and a different
CIoudFront distribution with AI I Edge Locations’ for the remaining users.
C. Create a CIoudFront distribution with 53 access restricted only to the CIoudFront identity and partition
the blog entry’s location in 53 according to the month it was uploaded to be used with CIoudFront
behaviors.
D. Create a CIoudFronI distribution with Restrict Viewer Access Forward Query string set to true and
minimum TTL of 0.
Answer: C
323. Your company is getting ready to do a major public announcement of a social media site on AWS. The
website is running on EC2 instances deployed across multiple Availability Zones with a MuIti-AZ RDS
MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second
and relies on an eventual consistency model. After comprehensive tests you discover that there is read
contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2
answers)
A. Deploy EIasticCache in-memory cache running in each availability zone
B. Implement sharding to distribute load to multiple RDS MySQL instances
C. Increase the RDS MySQL Instance size and Implement provisioned IQPS
D. Add an RDS MySQL read replica in each availability zone
Answer: A, C
324. A company is running a batch analysis every hour on their main transactional DB. running on an RDS
MySQL instance to populate their central Data Warehouse running on Redshift During the execution of the
batch their transactional applications are very slow When the batch completes they need to update the top
management dashboard with the new data The dashboard is produced by another system running
on-premises that is currently started when a manually-sent email notifies that an update is required The
on-premises system cannot be modified because is managed by another team.
How would you optimize this scenario to solve performance issues and automate the process as much as
possible?
A. Replace RDS with Redshift for the batch analysis and SNS to notify the on-premises system to update
the dashboard
B. Replace ROS with Redshift for the oaten analysis and SQS to send a message to the on-premises
system to update the dashboard
C. Create an RDS Read Replica for the batch analysis and SNS to notify me on-premises system to update
the dashboard
D. Create an RDS Read Replica for the batch analysis and SQS to send a message to the on-premises
system to update the dashboard.
Answer: A
325. You are implementing a URL whitelisting system for a company that wants to restrict outbound
HTTP’S connections to specific domains from their EC2-hosted applications you deploy a single EC2
instance running proxy software and configure It to accept traffic from all subnets and EC2 instances in the
VPC. You configure the proxy to only pass through traffic to domains that you define in its whitelist
configuration You have a nightly maintenance window or 10 minutes where all instances fetch new software
updates. Each update Is about 200MB In size and there are 500 instances In the VPC that routinely fetch
updates After a few days you notice that some machines are failing to successfully download some, but not
all of their updates within the maintenance window. The download URLs used for these updates are
correctly listed in the proxy’s whitelist configuration and you are able to access them manually using a web
browser on the instances. What might be happening? {Choose 2 answers)
A. You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for
all instances to download their updates in time.
B. You are running the proxy on a sufficiently-sized EC2 instance in a private subnet and its network
throughput is being throttled by a NAT running on an undersized EC2 instance.
C. The route table for the subnets containing the affected EC2 instances is not configured to direct network
traffic for the software update locations to the proxy.
D. You have not allocated enough storage to t he EC2 instance running the proxy so the network buffer is
filling up, causing some requests to fail.
E. You are running the proxy in a public subnet but have not allocated enough EIPs to support the needed
network throughput through the Internet Gateway {IGW).
Answer: A, B
326. To serve Web traffic for a popular product your chief financial officer and IT director have purchased
10 ml large heavy utilization Reserved Instances (Rls) evenly spread across two availability zones:
Route 53 is used to deliver the traffic to an Elastic Load Balancer (ELB). After several months, the product
grows even more popular and you need additional capacity As a result, your company purchases two
C3.2x|arge medium utilization Rls You register the two c3 2xIarge instances with your ELB and quickly find
that the ml large instances are at 100% of capacity and the c3 2xIarge instances have significant capacity
that’s unused Which option is the most cost effective and uses EC2 capacity most effectively?
A. Use a separate ELB for each instance type and distribute load to ELBs with Route 53 weighted round
robin
B. Configure Autoscaning group and Launch Configuration with ELB to add up to 10 more on-demand ml
large instances when triggered by Cloudwatch shut off c3 2xIarge instances
C. Route traffic to EC2 ml large and c3 2xIarge instances directly using Route 53 latency based routing and
health checks shut off ELB
D. Configure ELB with two c3 2xiarge Instances and use on-demand Autoscaling group for up to two
additional c3.2x|arge instances Shut on mi .|arge instances.
Answer: D
327. A read only news reporting site with a combined web and application tier and a database tier that
receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations
automatically. What AWS services should be used meet these requirements?
A. Stateless instances for the web and application tier synchronized using Elasticache Memcached in an
autoscaimg group monitored with CIoudWatch. And RDSwith read replicas.
B. Stateful instances for the web and application tier in an autoscaling group monitored with CIoudWatch
and RDS with read replicas.
C. Stateful instances for the web and application tier in an autoscaling group monitored with CIoudWatch.
And multi-AZ RDS.
D. Stateless instances for the web and application tier synchronized using EIastiCache Memcached in an
autoscaling group monitored with CIoudWatch and multi-AZ RDS.
Answer: A
328. You are running a news website in the eu-west-1 region that updates every 15 minutes. The website
has a world-wide audience it uses an Auto Scaling group behind an Elastic Load Balancer and an
Amazon RDS database Static content resides on Amazon 53, and is distributed through Amazon