AWS SA Associate Practice Questions-13

Updated: Jul 17, 2020

601. An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

A. The outbound security group needs to be modified to allow outbound traffic.

B. The outbound network ACL needs to be modified to allow outbound traffic.

C. Nothing, it can be accessed from any IP address using SSH.

D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

Answer: B


602. For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an appropriate solution? Choose 2 answers

A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of sensors

B. Managing a multi-step and multi-decision checkout process of an e-commerce website

C. Orchestrating the execution of distributed and auditable business processes

D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding jobs

E. Using as a distributed session store for your web application

Answer: A, B

603. A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their backup and archive infrastructure. The customer plans to use third-party software to support this integration. Which approach will limit the access of the third-party software to only the Amazon S3 bucket named “company-backup”?

A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “company backup”

B. A custom bucket policy limited to the Amazon S3 API in “company-backup”

C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “company

D. A custom IAM user policy limited to the Amazon S3 API in “company-backup”.

Answer: D

604. A client application requires operating system privileges on a relational database server. What is an appropriate configuration for a highly available database architecture?

A. A standalone Amazon EC2 instance

B. Amazon RDS in a Multi-AZ configuration

C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone

D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones

Answer: D


605. What is a placement group?

A. A collection of Auto Scaling groups in the same region

B. A feature that enables EC2 instances to interact with each other via high bandwidth, low latency


C. A collection of authorized CloudFront edge locations for a distribution

D. A collection of Elastic Load Balancers in the same Region or Availability Zone

Answer: B



606. A company has a workflow that sends video files from their on-premises system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario?

A. SQS guarantees the order of the messages.

B. SQS synchronously provides transcoding output.

C. SQS checks the health of the worker instances.

D. SQS helps to facilitate horizontal scaling of encoding tasks.

Answer: D

607. When creation of an EBS snapshot is initiated, but not completed, the EBS volume:

A. Can be used while the snapshot is in progress.

B. Cannot be detached or attached to an EC2 instance until the snapshot completes

C. Can be used in read-only mode while the snapshot is in progress.

D. Cannot be used until the snapshot completes.

Answer: D

608. What are characteristics of Amazon S3? Choose 2 answers

A. S3 allows you to store objects of virtually unlimited size.

B. S3 offers Provisioned IOPS.

C. S3 allows you to store unlimited amounts of data.

D. S3 should be used to host a relational database.

E. Objects are directly accessible via a URL.

Answer: C, E




609. Per the AWS Acceptable Use Policy, penetration testing of EC2 instances:

A. May be performed by AWS, and will be performed by AWS upon customer request.

B. May be performed by AWS, and is periodically performed by AWS.

C. Are expressly prohibited under all circumstances.

D. May be performed by the customer on their own instances with prior authorization from AWS.

E. May be performed by the customer on their own instances, only if performed from EC2 instances

Answer: B



610. You are working with a customer who has 10 TB of archival data that they want to migrate to Amazon Glacier. The customer has a 1-Mbps connection to the Internet. Which service or feature provides the fastest method of getting the data into Amazon Glacier?

A. Amazon Glacier multipart upload

B. AWS Storage Gateway

C. VM Import/Export

D. AWS Import/Export

Answer: A


611. How can you secure data at rest on an EBS volume?

A. Attach the volume to an instance using EC2’s SSL interface.

B. Write the data randomly instead of sequentially.

C. Encrypt the volume using the S3 server-side encryption service.

D. Create an IAM policy that restricts read and write access to the volume.

E. Use an encrypted file system on top of the EBS volume.

Answer: E



612. A customer needs to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements?

A. Enable AWS CloudTrail for the load balancer.

B. Enable access logs on the load balancer.

C. Install the Amazon CloudWatch Logs agent on the load balancer.

D. Enable Amazon CloudWatch metrics on the load balancer.

Answer: A

613. If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should:

A. Launch the instance from a private Amazon Machine Image (AMI).

B. Assign a group of sequential Elastic IP addresses to the instances.

C. Launch the instances in the Amazon Virtual Private Cloud (VPC).

D. Launch the instances in a Placement Group.

E. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.

Answer: B


614. You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2


A. Set permissions on the object to public read during upload.

B. Configure the bucket ACL to set all objects to public read.

C. Configure the bucket policy to set all objects to public read.

D. Use AWS Identity and Access Management roles to set the bucket to public read.

E. Amazon S3 objects default to public read, so no action is needed.

Answer: A, C

615. A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest. Which of the following methods can achieve this? Choose 3

A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.

B. Use Amazon S3 server-side encryption with customer-provided keys.

C. Use Amazon S3 server-side encryption with EC2 key pair.

D. Use Amazon S3 bucket policies to restrict access to the data at rest.

E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.

F. Use SSL to encrypt the data while in transit to Amazon S3.

Answer: A, B, E



616. Which procedure for backing up a relational database on EC2 that is using a set of RAIDed EBS volumes for storage minimizes the time during which the database cannot be written to and results in a consistent backup?

A. 1. Detach EBS volumes, 2. Start EBS snapshot of volumes, 3. Re-attach EBS volumes

B. 1. Stop the EC2 Instance. 2. Snapshot the EBS volumes

C. 1. Suspend disk I/O, 2. Create an image of the EC2 Instance, 3. Resume disk I/O

D. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Resume disk I/O

E. 1. Suspend disk I/O, 2. Start EBS snapshot of volumes, 3. Wait for snapshots to complete, 4. Resume disk I/O

Answer: A


Reference: (page 11)

617. A company needs to deploy virtual desktops to its customers in a virtual private cloud, leveraging existing security controls. Which set of AWS services and features will meet the company’s requirements?

A. Virtual Private Network connection, AWS Directory Services, and ClassicLink

B. Virtual Private Network connection, AWS Directory Services, and Amazon Workspaces

C. AWS Directory Service, Amazon Workspaces, and AWS Identity and Access Management

D. Amazon Elastic Compute Cloud, and AWS Identity and Access Management

Answer: C

618. After creating a new IAM user which of the following must be done before they can successfully make API calls?

A. Add a password to the user.

B. Enable Multi-Factor Authentication for the user.

C. Assign a Password Policy to the user.

D. Create a set of Access Keys for the user.

Answer: D



619. Which of the following are valid statements about Amazon S3? Choose 2 answers

A. S3 provides read-after-write consistency for any type of PUT or DELETE

B. Consistency is not guaranteed for any type of PUT or DELETE

C. A successful response to a PUT request only occurs when a complete object is saved.

D. Partially saved objects are immediately readable with a GET after an overwrite PUT.

E. S3 provides eventual consistency for overwrite PUTs and DELETEs.

Answer: C, E




620. You are configuring your company’s application to use Auto Scaling and need to move user state information. Which of the following AWS services provides a shared data store with durability and low

A. AWS ElastiCache Memcached

B. Amazon Simple Storage Service

C. Amazon EC2 instance storage

D. Amazon DynamoDB

Answer: B


Reference: (page 13, aws storage gateway)

621. Which features can be used to restrict access to data in S3? Choose 2 answers

A. Set an S3 ACL on the bucket or the object.

B. Create a CloudFront distribution for the bucket.

C. Set an S3 bucket policy.

D. Enable IAM Identity Federation

E. Use S3 Virtual Hosting

Answer: C, D




622. Which of the following are characteristics of a reserved instance? Choose 3 answers

A. It can be migrated across Availability Zones

B. It is specific to an Amazon Machine Image (AMI)

C. It can be applied to instances launched by Auto Scaling

D. It is specific to an instance Type

E. It can be used to lower Total Cost of Ownership (TCO) of a system

Answer: C, D, E

623. Which Amazon Elastic Compute Cloud feature can you query from within the instance to access instance properties?

A. Instance user data

B. Resource tags

C. Instance metadata

D. Amazon Machine Image

Answer: C

624. Which of the following requires a custom CloudWatch metric to monitor?

A. Memory Utilization of an EC2 instance

B. CPU Utilization of an EC2 instance

C. Disk usage activity of an EC2 instance

D. Data transfer of an EC2 instance

Answer: C



625. You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address should have SSH access to the host. Which option will meet the customer requirement?

A. Security Group Inbound Rule: Protocol – TCP, Port Range- 22, Source 72.34.51.100/32

B. Security Group Inbound Rule: Protocol – UDP, Port Range- 22, Source

C. Network ACL Inbound Rule: Protocol – UDP, Port Range- 22, Source

D. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source

Answer: A

626. A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions. The divisions want to maintain administrative control of the discrete AWS resources they consume and keep those resources separate from the resources of other divisions. Which of the following options, when used together, will support the autonomy/control of divisions while enabling corporate IT to maintain governance and cost oversight? Choose 2 answers

A. Use AWS Consolidated Billing and disable AWS root account access for the child accounts.

B. Enable IAM cross-account access for all corporate IT administrators in each child account.

C. Create separate VPCs for each division within the corporate IT AWS account.

D. Use AWS Consolidated Billing to link the divisions’ accounts to a parent corporate account.

E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account’s Amazon S3 ‘Log’


Answer: D, E

627. You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

A. Remove public read access and use signed URLs with expiry dates.

B. Use CloudFront distributions for static content.

C. Block the IPs of the offending websites in Security Groups.

D. Store photos on an EBS volume of the web server.

Answer: A

628. You are working with a customer who is using Chef configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS?

A. Amazon Simple Workflow Service

B. AWS Elastic Beanstalk

C. AWS CloudFormation

D. AWS OpsWorks

Answer: D



629. An Auto-Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto Scaling needs to terminate an EC2 instance by default, Auto Scaling will: Choose 2 answers

A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating the

B. Terminate the instance with the least active network connections. If multiple instances meet this criterion, one will be randomly selected.

C. Send an SNS notification, if configured to do so.

D. Terminate an instance in the AZ which currently has 2 running EC2 instances.

E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.

Answer: C, E

630. When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?

A. Data is automatically saved as an EBS snapshot.

B. Data is automatically saved as an EBS volume.

C. Data is unavailable until the instance is restarted.

D. Data is automatically deleted.

Answer: D

631. In order to optimize performance for a compute cluster that requires low inter-node latency, which of the following features should you use?

A. Multiple Availability Zones

B. AWS Direct Connect

C. EC2 Dedicated Instances

D. Placement Groups

E. VPC private subnets

Answer: D


Reference: (enhanced networking)

632. You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the Internet. What should you do to enable Internet access?

A. Deploy a NAT instance into the public subnet.

B. Assign an Elastic IP address to the fourth instance.

C. Configure a publicly routable IP address in the host OS of the fourth instance.

D. Modify the routing table for the public subnet.

Answer: B

633. You have a distributed application that periodically processes large volumes of data across multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2 instance failures. You are required to accomplish this task in the most cost-effective way. Which of the following will meet your requirements?

A. Spot Instances

B. Reserved instances

C. Dedicated instances

D. On-Demand instances

Answer: A

634. Which of the following are true regarding AWS CloudTrail? Choose 3 answers

A. CloudTrail is enabled globally

B. CloudTrail is enabled by default

C. CloudTrail is enabled on a per-region basis

D. CloudTrail is enabled on a per-service basis.

E. Logs can be delivered to a single Amazon S3 bucket for aggregation.

F. CloudTrail is enabled for all available services within a region.

G. Logs can only be processed and delivered to the region in which they are generated.

Answer: C, D, E



635. You have a content management system running on an Amazon EC2 instance that is approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?

A. Create a load balancer, and register the Amazon EC2 instance with it

B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin

C. Create an Auto Scaling group from the instance using the Create Auto Scaling Group action

D. Create a launch configuration from the instance using the Create Launch Configuration action

Answer: B



636. You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer’s DNS name. Which options are probable causes of this behavior? Choose 2 answers

A. The load balancer was not configured to use a public subnet with an Internet gateway configured

B. The Amazon EC2 instances do not have a dynamically allocated private IP address

C. The security groups or network ACLs are not properly configured for web traffic.

D. The load balancer is not configured in a private subnet with a NAT instance.

E. The VPC does not have a VGW configured.

Answer: A, C

637. A company needs to deploy services to an AWS region which they have not previously used. The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2 instances, which permits the instance to have access to Amazon DynamoDB. The company wants their EC2 instances in the new region to have the same privileges. How should the company achieve this?

A. Create a new IAM role and associated policies within the new region

B. Assign the existing IAM role to the Amazon EC2 instances in the new region

C. Copy the IAM role and associated policies to the new region and attach it to the instances

D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using the AMI Copy feature

Answer: B

638. Which of the following notification endpoints or clients are supported by Amazon Simple Notification Service? Choose 2 answers

A. Email

B. CloudFront distribution

C. File Transfer Protocol

D. Short Message Service

E. Simple Network Management Protocol

Answer: A, D



639. Which set of Amazon S3 features helps to prevent and recover from accidental data loss?

A. Object lifecycle and service access logging

B. Object versioning and Multi-factor authentication

C. Access controls and server-side encryption

D. Website hosting and Amazon S3 policies

Answer: B


Reference: Security_Best_Practices.pdf

640. A company needs to monitor the read and write IOPS metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2

A. Amazon Simple Email Service

B. Amazon CloudWatch

C. Amazon Simple Queue Service

D. Amazon Route 53

E. Amazon Simple Notification Service

Answer: B, E

641. A company is preparing to give AWS Management Console access to developers. Company policy mandates identity federation and role-based access control. Roles are currently assigned using groups in the corporate Active Directory. What combination of the following will give developers access to the AWS console? Choose 2 answers

A. AWS Directory Service AD Connector

B. AWS Directory Service Simple AD

C. AWS Identity and Access Management groups

D. AWS Identity and Access Management roles

E. AWS Identity and Access Management users

Answer: A, D

642. You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use?

A. Amazon DynamoDB

B. Amazon Redshift

C. Amazon Kinesis

D. Amazon Simple Queue Service

Answer: C

643. The Trusted Advisor service provides insight regarding which four categories of an AWS account?

A. Security, fault tolerance, high availability, and connectivity

B. Security, access control, high availability, and performance

C. Performance, cost optimization, security, and fault tolerance

D. Performance, cost optimization, access control, and connectivity

Answer: C

644. You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?

A. Amazon Kinesis

B. AWS Data Pipeline

C. Amazon AppStream

D. Amazon Simple Queue Service

Answer: A

645. A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

A. SAML-based Identity Federation

B. Cross-Account Access

C. AWS Identity and Access Management roles

D. Web Identity Federation

Answer: D

646. You have an application running on an Amazon Elastic Compute Cloud instance that uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer than expected, resulting in poor application performance. Which method will help improve performance of your application?

A. Enable enhanced networking

B. Use Amazon S3 multipart upload

C. Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency.

D. Use Amazon Elastic Block Store Provisioned IOPS and use an Amazon EBS-optimized instance

Answer: B

647. A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and also use this information for their internal security and access audits. Which of the following will meet the Customer

A. Enable AWS CloudTrail to audit all Amazon S3 bucket access.

B. Enable server access logging for all required Amazon S3 buckets.

C. Enable the Requester Pays option to track access via AWS Billing

D. Enable Amazon S3 event notifications for Put and Post.

Answer: A

648. A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier?

A. Amazon EBS volume

B. Amazon S3

C. Amazon EC2 instance store

D. Amazon RDS instance

Answer: B

649. You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

A. Use multi-part upload.

B. Add a random prefix to the key names.

C. Amazon S3 will automatically manage performance at this scale.

D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key


Answer: A

650. When will you incur costs with an Elastic IP address (EIP)?

A. When an EIP is allocated.

B. When it is allocated and associated with a running instance.

C. When it is allocated and associated with a stopped instance.

D. Costs are incurred regardless of whether the EIP is associated with a running instance.

Answer: D

651. A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

A. Create a new peering connection between Prod and Dev along with appropriate routes.

B. Create a new entry to Prod in the Dev route table using the peering connection as the target.

C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the

D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

Answer: D



652. Which of the following instance types are available as Amazon EBS-backed only? Choose 2 answers

A. General purpose T2

B. General purpose M3

C. Compute-optimized C4

D. Compute-optimized C3

E. Storage-optimized I2

Answer: D, E

653. A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?

A. Create an A record pointing to the IP address of the load balancer

B. Create a CNAME record pointing to the load balancer DNS name.

C. Create a CNAME record aliased to the load balancer DNS name.

D. Create an A record aliased to the load balancer DNS name

Answer: C




654. You try to connect via SSH to a newly created Amazon EC2 instance and get one of the following error


“Network error: Connection timed out” or “Error connecting to [instance], reason: -> Connection timed out:


You have confirmed that the network and security group rules are configured correctly and the instance is passing status checks. What steps should you take to identify the source of the behavior? Choose 2


A. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch.

B. Verify that your IAM user policy has permission to launch Amazon EC2 instances.

C. Verify that you are connecting with the appropriate user name for your AMI.

D. Verify that the Amazon EC2 Instance was launched with the proper IAM role.

E. Verify that your federation trust to AWS has been established.

Answer: A, C



655. A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?

A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the

B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.

C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.

D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

Answer: D

656. A customer has a single 3-TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements?

A. Gateway-Cached volumes with snapshots scheduled to Amazon S3

B. Gateway-Stored volumes with snapshots scheduled to Amazon S3

C. Gateway-Virtual Tape Library with snapshots to Amazon S3

D. Gateway-Virtual Tape Library with snapshots to Amazon Glacier

Answer: D

657. You are building an automated transcription service in which Amazon EC2 worker instances process an uploaded audio file and generate a text file. You must store both of these files in the same durable storage until the text file is retrieved. You do not know what the storage capacity requirements are. Which storage option is both cost-efficient and scalable?

A. Multiple Amazon EBS volume with snapshots

B. A single Amazon Glacier vault

C. A single Amazon S3 bucket

D. Multiple instance stores

Answer: C

658. You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?

A. User data

B. EC2Config service

C. IAM roles