©2019 by Raghavendra Kambhampati

AWS SA Associate Practice Questions-7

101. A user has attached 1 EBS volume to a VPC instance. The user wants to achieve the best fault tolerance of data possible. Which of the below mentioned options can help achieve fault tolerance?

A. Attach one more volume with RAID 1 configuration.

B. Attach one more volume with RAID 0 configuration.

C. Connect multiple volumes and stripe them with RAID 6 configuration.

D. Use the EBS volume as a root device.

Answer: A

Explanation:

The user can join multiple provisioned IOPS volumes together in a RAID 1 configuration to achieve better fault tolerance. RAID 1 does not provide a write performance improvement; it requires more bandwidth than non-RAID configurations since the data is written simultaneously to multiple volumes.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html

102. A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. The user has 3 elastic IPs and is trying to assign one of the Elastic IPs to the VPC instance from the console. The console does not show any instance in the IP assignment screen. What is a possible reason that the instance is unavailable in the

assigned IP console?

A. The IP address may be attached to one of the instances

B. The IP address belongs to a different zone than the subnet zone

C. The user has not created an internet gateway

D. The IP addresses belong to EC2 Classic; so they cannot be assigned to VPC

Answer: D

Explanation:

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. When the user is launching an instance he needs to select an option which attaches a public IP to the instance. If the user has not selected the option to attach the public IP then it will only have a private IP when launched. If the user wants to connect to

an instance from the internet he should create an elastic IP with VPC. If the elastic IP is a part of EC2 Classic it cannot be assigned to a VPC instance.

Reference: http://docs.aws.amazon.com/AmazonVPC/Iatest/GettingStartedGuide/LaunchInstance.htmI

103. A user is aware that a huge download is occurring on his instance. He has already set the Auto Scaling policy to increase the instance count when the network I/O increases beyond a certain limit. How can the user ensure that this temporary event does not result in scaling?

A. The network I/O are not affected during data download

B. The policy cannot be set on the network I/O

C. There is no way the user can stop scaling as it is already configured

D. Suspend scaling

Answer: D

Explanation:

The user may want to stop the automated scaling processes on the Auto Scaling groups either to perform manual operations or during emergency situations. To perform this, the user can suspend one or more scaling processes at any time. Once it is completed, the user can resume all the suspended processes.

Reference:http://docs.aws.amazon.com/AutoScaIing/latest/Deve|operGuide/AS_Concepts.html

104. Select a true statement about Amazon EC2 Security Groups (EC2-Classic).

A. After you launch an instance in EC2-Classic, you can’t change its security groups.

B. After you launch an instance in EC2-Classic, you can change its security groups only once.

C. After you launch an instance in EC2-Classic, you can only add rules to a security group.

D. After you launch an instance in EC2-Classic, you cannot add or remove rules from a security group.

Answer: A

Explanation:

After you launch an instance in EC2-Classic, you can’t change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html

105. A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?

A. AWS Simple Notification Service

B. AWS Simple Queue Service

C. AWS Elastic Transcoder

D. AWS Glacier

Answer: B

Explanation:

Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, and fully managed message queuing service. SQS provides a simple and cost-effective way to decouple the components of an application. The user can configure SQS, which will decouple the call between the EC2 application and S3. Thus, the application does not keep waiting for S3 to provide the data.

Reference: http://aws.amazon.com/sqs/faqs/

106. Which one of the following answers is not a possible state of Amazon CIoudWatch Alarm?

A. INSUFFICIENT_DATA

B. ALARM

C. OK

D. STATUS_CHECK_FAILED

Answer: D

Explanation:

Amazon CIoudWatch Alarms have three possible states: OK: The metric is within the defined threshold ALARM: The metric is outside of the defined threshold

INSUFFICIENT_DATA: The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state

Reference:

http://docs.aws.amazon.com/AmazonCIoudWatch/latest/DeveloperGuide/AlarmThatSendsEmaiI.html

107. An accountant asks you to design a small VPC network for him and, due to the nature of his business,just needs something where the workload on the network will be low, and dynamic data will be accessed infrequently. Being an accountant, low cost is also a major factor. Which EBS volume type would best suit his requirements?

A. Magnetic

B. Any, as they all perform the same and cost the same.

C. General Purpose (SSD)

D. Magnetic or Provisioned IOPS (SSD)

Answer: A

Explanation:

You can choose between three EBS volume types to best meet the needs of their workloads: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. General Purpose (SSD) is the new, SSD-backed,general purpose EBS volume type that we recommend as the default choice for customers. General Purpose (SSD) volumes are suitable for a broad range of workloads, including small to medium sized

databases, development and test environments, and boot volumes. Provisioned IOPS (SSD) volumes offer storage with consistent and low-latency performance, and are designed for I/O intensive applications such as large relational or NoSQL databases. Magnetic volumes provide the lowest cost per gigabyte of all EBS volume types. Magnetic volumes are ideal for workloads where data is accessed infrequently, and

applications where the lowest storage cost is important.

Reference: https://aws.amazon.com/ec2/faqs/

108. A user is planning to launch a scalable web application. Which of the below mentioned options will not affect the latency of the application?

A. Region.

B. Provisioned IOPS.

C. Availability Zone.

D. Instance size.

Answer: C

Explanation:

In AWS, the instance size decides the I/O characteristics. The provisioned IOPS ensures higher throughput,and lower latency. The region does affect the latency; latency will always be less when the instance is near to the end user. Within a region the user uses any AZ and this does not affect the latency. The AZ is mainly

for fault toleration or HA.

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

109. Which of the following strategies can be used to control access to your Amazon EC2 instances?

A. DB security groups

B. IAM policies

C. None of these

D. EC2 security groups

Answer: D

Explanation:

IAM policies allow you to specify what actions your IAM users are allowed to perform against your EC2 Instances. However, when it comes to access control, security groups are what you need in order to define and control the way you want your instances to be accessed, and whether or not certain kind of communications are allowed or not.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html

110. A user has launched one EC2 instance in the US East region and one in the US West region. The user has launched an RDS instance in the US East region. How can the user configure access from both the EC2 instances to RDS?

A. It is not possible to access RDS of the US East region from the US West region

B. Configure the US West region’s security group to allow a request from the US East region’s instance and configure the RDS security group ingress rule for the US East EC2 group

C. Configure the security group of the US East region to allow traffic from the US West region’s instance and configure the RDS security group’s ingress rule for the US East EC2 group

D. Configure the security group of both instances in the ingress rule of the RDS security group

Answer: C

Explanation:

The user cannot authorize an Amazon EC2 security group if it is in a different AWS Region than the RDS DB instance. The user can authorize an IP range or specify an Amazon EC2 security group in the same region that refers to an IP address in another region. In this case allow IP of US West inside US East’s security group and open the RDS security group for US East region.

Reference:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html

111. In Amazon EC2, if your EBS volume stays in the detaching state, you can force the detachment by clicking .

A. Force Detach

B. Detach Instance

C. AttachVoIume

D. Attachlnstance

Answer: A

Explanation:

If your volume stays in the detaching state, you can force the detachment by clicking Force Detach.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html

112. Do you need to shutdown your EC2 instance when you create a snapshot of EBS volumes that serve as root devices?

A. No, you only need to shutdown an instance before deleting it.

B. Yes

C. No, the snapshot would turn off your instance automatically.

D. No

Answer: B

Explanation:

Yes, to create a snapshot for Amazon EBS volumes that serve as root devices, you should stop the instance before taking the snapshot.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

113. An organization has a statutory requirement to protect the data at rest for data stored in EBS volumes.Which of the below mentioned options can the organization use to achieve data protection?

A. Data replication.

B. Data encryption.

C. Data snapshot.

D. All the options listed here.

Answer: D

Explanation:

For protecting the Amazon EBS data at REST, the user can use options, such as Data Encryption (Windows / Linux / third party based), Data Replication (AWS internally replicates data for redundancy),and Data Snapshot (for point in time backup).

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

114. A client of yours has a huge amount of data stored on Amazon S3, but is concerned about someone stealing it while it is in transit. You know that all data is encrypted in transit on AWS, but which of the following is wrong when describing server-side encryption on AWS?

A. Amazon S3 server-side encryption employs strong multi-factor encryption.

B. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

C. In server-side encryption, you manage encryption/decryption of your data, the encryption keys, and related tools.

D. Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data as it writes it to disks.

Answer: C

Explanation:

Amazon S3 encrypts your object before saving it on disks in its data centers and decrypts it when you download the objects. You have two options depending on how you choose to manage the encryption keys:Server-side encryption and client-side encryption.Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. Amazon S3 manages encryption and decryption for you. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.In client-side encryption, you manage encryption/decryption of your data, the encryption keys, and related

tools. Server-side encryption is an alternative to client-side encryption in which Amazon S3 manages the encryption of your data, freeing you from the tasks of managing encryption and encryption keys.Amazon S3 server-side encryption employs strong multi-factor encryption. Amazon S3 encrypts each object with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available,256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Reference: http://docs.aws.amazon.com/AmazonS3/Iatest/dev/UsingServerSideEncryption.html

115. A user is running a batch process which runs for 1 hour every day. Which of the below mentioned options is the right instance type and costing model in this case if the user performs the same task for the whole year?

A. EBS backed instance with on-demand instance pricing.

B. EBS backed instance with heavy utilized reserved instance pricing.

C. EBS backed instance with low utilized reserved instance pricing.

D. Instance store backed instance with spot instance pricing.

Answer: A

Explanation:

For Amazon Web Services, the reserved instance helps the user save money if the user is going to run the same instance for a longer period. Generally if the user uses the instances around 30-40% annually it is recommended to use RI. Here as the instance runs only for 1 hour daily it is not recommended to have RI as it will be costlier. The user should use on-demand with EBS in this case.

Reference: http://aws.amazon.com/ec2/purchasing-options/reserved-instances/

116. You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure?

A. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

B. Your database will not resume operation without manual administrative intervention.

C. Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

D. Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

Answer: A

Explanation:

Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up,operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.

When you create or modify your DB Instance to run as a MuIti-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous “standby” replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in

sync and protect your latest database updates against DB Instance failure.

During certain types of planned maintenance, or in the unlikely event of DB Instance failure or Availability Zone failure, Amazon RDS will automatically failover to the standby so that you can resume database writes and reads as soon as the standby is promoted. Since the name record for your DB Instance remains the same, you application can resume database operation without the need for manual administrative intervention. With Mu|ti-AZ deployments, replication is transparent: you do not interact directly with the standby, and it cannot be used to serve read traffic. If you are using Amazon RDS for MySQL and are looking to scale read traffic beyond the capacity constraints of a single DB Instance, you can deploy one or more Read Replicas.

Reference: http://aws.amazon.com/rds/faqs/

117. Which IAM role do you use to grant AWS Lambda permission to access a DynamoDB Stream?

A. Dynamic role

B. Invocation role

C. Execution role

D. Event Source role

Answer: C

Explanation:

You grant AWS Lambda permission to access a DynamoDB Stream using an IAM role known as the “execution role”.

Reference: http://docs.aws.amazon.com/|ambda/latest/dg/intro-permission-model.html

118. Name the disk storage supported by Amazon Elastic Compute Cloud (EC2).

A. None of these

B. Amazon AppStream store

C. Amazon SNS store

D. Amazon Instance Store

Answer: D

Explanation:

Amazon EC2 supports the following storage options: Amazon Elastic Block Store (Amazon EBS) Amazon EC2 Instance Store Amazon Simple Storage Service (Amazon S3)

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Storage.html

119. You are signed in as root user on your account but there is an Amazon S3 bucket under your account that you cannot access. What is a possible reason for this?

A. An IAM user assigned a bucket policy to an Amazon S3 bucket and didn’t specify the root user as a principal

B. The S3 bucket is full.

C. The S3 bucket has reached the maximum number of objects allowed.

D. You are in the wrong availability zone

Answer: A

Explanation:

With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.In some cases, you might have an IAM user with full access to IAM and Amazon S3. If the IAM user assigns a bucket policy to an Amazon S3 bucket and doesn’t specify the root user as a principal, the root user is denied access to that bucket. However, as the root user, you can still access the bucket by modifying the bucket policy to allow root user access.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/iam-troubleshooting.htmI#testing2

120. You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

A. Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.

B. Amazon SQS is for single-threaded sending or receiving speeds.

C. Amazon SQS is a non-distributed queuing system.

D. Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds.

Answer: A

Explanation:

Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been

to a queue is available to be received.

Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf

121. A user is observing the EC2 CPU utilization metric on CIoudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CIoudWatch?

A. The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse

B. The user can zoom a particular period by specifying the aggregation data for that period

C. The user can zoom a particular period by double clicking on that period with the mouse

D. The user can zoom a particular period by specifying the period in the Time Range

Answer: A

Explanation:

Amazon CIoudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. The AWS CIoudWatch console provides the option to change the granularity of a graph and zoom in to see data over a shorter time period.To zoom, the user has to click in the graph details pane, drag on the graph area for selection, and then

release the mouse button.

Reference:

http://docs.aws.amazon.com/AmazonCloudWatch/Iatest/Deve|operGuide/zoom_in_on_graph.htmI

122. A scope has been handed to you to set up a super fast gaming server and you decide that you will use Amazon DynamoDB as your database. For efficient access to data in a table, Amazon DynamoDB creates and maintains indexes for the primary key attributes. A secondary index is a data structure that contains a subset of attributes from a table, along with an alternate key to support Query operations. How many types of secondary indexes does DynamoDB support?

A. 2

B. 16

C. 4

D. As many as you need.

Answer: A

Explanation:

DynamoDB supports two types of secondary indexes:Local secondary index — an index that has the same hash key as the table, but a different range key. A

local secondary index is “IocaI” in the sense that every partition of a local secondary index is scoped to a table partition that has the same hash key.

Global secondary index — an index with a hash and range key that can be different from those on the table.A global secondary index is considered “gIobaI” because queries on the index can span all of the data in a table, across all partitions.

Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Secondarylndexes.html

123. Select the correct statement: Within Amazon EC2, when using Linux instances, the device name /dev/sda1 is .

A. reserved for EBS volumes

B. recommended for EBS volumes

C. recommended for instance store volumes

D. reserved for the root device

Answer: D

Explanation:

Within Amazon EC2, when using a Linux instance, the device name /dev/sda1 is reserved for the root device.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.htmI

124. The common use cases for DynamoDB Fine-Grained Access Control (FGAC) are cases in which the end user wants .

A. to change the hash keys of the table directly

B. to check if an IAM policy requires the hash keys of the tables directly

C. to read or modify any codecommit key of the table directly, without a middle-tier service

D. to read or modify the table directly, without a middle-tier service

Answer: D

Explanation:FGAC can benefit any application that tracks information in a DynamoDB table, where the end user (or application client acting on behalf of an end user) wants to read or modify the table directly, without a middle-tier service. For instance, a developer of a mobile app named Acme can use FGAC to track the

top score of every Acme user in a DynamoDB table. FGAC allows the application client to modify only the top score for the user that is currently running the application.

Reference: http://aws.amazon.com/dynamodb/faqs/#security_anchor

125. A user has set up the CIoudWatch alarm on the CPU utilization metric at 50%, with a time interval of 5 minutes and 10 periods to monitor. What will be the state of the alarm at the end of 90 minutes, if the CPU utilization is constant at 80%?

A. ALERT

B. ALARM

C. OK

D. INSUFFICIENT_DATA

Answer: B

Explanation:

In this case the alarm watches a metric every 5 minutes for 10 intervals. Thus, it needs at least 50 minutes to come to the “OK” state.Till then it will be in the |NSUFFUCIENT_DATA state.Since 90 minutes have passed and CPU utilization is at 80% constant, the state of alarm will be “ALARM”.

Reference:

http://docs.aws.amazon.com/AmazonCIoudWatch/latest/DeveloperGuide/AlarmThatSendsEmaiI.html

126. You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: security groups and network access control lists (ACLs).You have already looked into security groups and you are now trying to understand ACLs. Which statement

below is incorrect in relation to ACLs?

A. Supports allow rules and deny rules.

B. Is stateful: Return traffic is automatically allowed, regardless of any rules.

C. Processes rules in number order when deciding whether to allow traffic.

D. Operates at the subnet level (second layer of defense).

Answer: B

Explanation:

Amazon VPC provides two features that you can use to increase security for your VPC:Security groups—Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level Network access control lists (ACLs)—Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level Security groups are stateful: (Return traffic is automatically allowed, regardless of any rules) Network ACLs

are stateless: (Return traffic must be explicitly allowed by rules)

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

127. A user comes to you and wants access to Amazon CIoudWatch but only wants to monitor a specific LoadBaIancer. Is it possible to give him access to a specific set of instances or a specific LoadBaIancer?

A. No because you can’t use IAM to control access to CIoudWatch data for specific resources.

B. Yes. You can use IAM to control access to CIoudWatch data for specific resources.

C. No because you need to be Sysadmin to access CIoudWatch data.

D. Yes. Any user can see all CIoudWatch data and needs no access rights.

Answer: A

Explanation:

Amazon CIoudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CIoudWatch actions a user in your AWS Account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources. You can’t use IAM to control access to CIoudWatch data for specific resources. For example, you can’t give a user access to CIoudWatch data for only a specific set of instances or a specific LoadBaIancer.

Permissions granted using IAM cover all the cloud resources you use with CIoudWatch. In addition, you can’t use IAM roles with the Amazon CIoudWatch command line tools.Using Amazon CIoudWatch with IAM doesn’t change how you use CIoudWatch. There are no changes to CIoudWatch actions, and no new CIoudWatch actions related to users and access control.

Reference: http://docs.aws.amazon.com/AmazonC|oudWatch/latest/DeveloperGuide/UsingIAM.htmI

128. A user is planning to make a mobile game which can be played online or offline and will be hosted on EC2.The user wants to ensure that if someone breaks the highest score or they achieve some milestone they can inform all their colleagues through email. Which of the below mentioned AWS services helps achieve

this goal?

A. AWS Simple Workflow Service.

B. AWS Simple Email Service.

C. Amazon Cognito

D. AWS Simple Queue Service.

Answer: B

Explanation:

Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. It integrates with other AWS services, making it easy to send emails from applications that are hosted on AWS.

Reference: http://aws.amazon.com/ses/faqs/

129. You have multiple VPN connections and want to provide secure communication between sites using the AWS VPN CIoudHub. Which statement is the most accurate in describing what you must do to set this up correctly?

A. Create a virtual private gateway with multiple customer gateways, each with unique Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs)

B. Create a virtual private gateway with multiple customer gateways, each with a unique set of keys

C. Create a virtual public gateway with multiple customer gateways, each with a unique Private subnet

D. Create a virtual private gateway with multiple customer gateways, each with unique subnet id

Answer: A

Explanation:

If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CIoudHub. The VPN CIoudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing Internet connections who’d like to implement a convenient, potentially low-cost hub-and-spoke model for

primary or backup connectMty between these remote offices. To use the AWS VPN CIoudHub, you must create a virtual private gateway with multiple customer

gateways, each with unique Border Gateway Protocol (BGP) Autonomous System Numbers (ASNs).Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections. These routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites. The routes for each spoke must have unique ASNs and the sites

must not have overlapping IP ranges. Each site can also send and receive data from the VPC as if they were using a standard VPN connection.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPN_CIoudHub.htmI

130. You need to create an Amazon Machine Image (AM) for a customer for an application which does not appear to be part of the standard AWS AM template that you can see in the AWS console. What are the alternative possibilities for creating an AM on AWS?

A. You can purchase an AMs from a third party but cannot create your own AM.

B. You can purchase an AMIs from a third party or can create your own AMI.

C. Only AWS can create AMIs and you need to wait till it becomes available.

D. Only AWS can create AMIs and you need to request them to create one for you.

Answer: B

Explanation:

You can purchase an AMIs from a third party, including AMIs that come with service contracts from organizations such as Red Hat. You can also create an AMI and sell it to other Amazon EC2 users. After you create an AMI, you can keep it private so that only you can use it, or you can share it with a specified list of AWS accounts. You can also make your custom AMI public so that the community can use it. Building a safe, secure, usable AMI for public consumption is a fairly straightforward process, if you

follow a few simple guidelines.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.htm|

131. While creating an Amazon RDS DB, your first task is to set up a DB that controls which IP address or EC2 instance can access your DB Instance.

A. security token pool

B. security token

C. security pool

D. security group

Answer: D

Explanation:

While creating an Amazon RDS DB, your first task is to set up a DB Security Group that controls what IP addresses or EC2 instances have access to your DB Instance.

Reference:

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithSecurityGroups.html

132. Which one of the below is not an AWS Storage Service?

A. Amazon S3

B. Amazon Glacier

C. Amazon CIoudFront

D. Amazon EBS

Answer: C

Explanation: AWS Storage Services are: Amazon S3,Amazon Glacier Amazon EBS

AWS Storage Gateway

Reference: https://consoIe.aws.amazon.com/console

133. You are very concerned about security on your network because you have multiple programmers testing APIs and SDKs and you have no idea what is happening. You think C|oudTrai| may help but are not sure what it does. Which of the following statements best describes the AWS service CIoudTraiI?

A. With AWS CIoudTraiI you can get a history of AWS API calls and related events for your account.

B. With AWS CIoudTraiI you can get a history of IAM users for your account.

C. With AWS CIoudTraiI you can get a history of S3 Iogfiles for your account.

D. With AWS CIoudTraiI you can get a history of CIoudFormation JSON scripts used for your account.

Answer: A

Explanation:

With AWS CIoudTraiI, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, the AWS SDKs, the command line tools, and higher-level AWS services.You can also identify which users and accounts called AWS APIs for services that support CIoudTraiI, the source IP address the calls were made from, and when the calls occurred. You can identify which users and accounts called AWS for services that support CIoudTraiI, the source IP

address the calls were made from, and when the calls occurred. You can integrate CIoudTraiI into applications using the API, automate trail creation for your organization, check the status of your trails, and control how administrators turn CIoudTraiI logging on and off.

Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cIoud_traiI_top_IeveI.html

134. A user has deployed an application on his private cloud. The user is using his own monitoring tool. He wants to configure it so that whenever there is an error, the monitoring tool will notify him via SMS. Which of the below mentioned AWS services will help in this scenario?

A. AWS SES

B. AWS SNS

C. None because the user infrastructure is in the private cloud.

D. AWS SMS

Answer: B

Explanation:

Amazon Simple Notification Service (Amazon SNS) is a fast, filexible, and fully managed push messaging service. Amazon SNS can be used to make push notifications to mobile devices. Amazon SNS can deliver notifications by SMS text message or email to the Amazon Simple Queue Service (SQS) queues or to any HTTP endpoint. In this case user can use the SNS apis to send SMS.

Reference: http://aws.amazon.com/sns/

135. After setting up an EC2 security group with a cluster of 20 EC2 instances, you find an error in the security group settings. You quickly make changes to the security group settings. When will the changes to the settings be effective?

A. The settings will be effective immediately for all the instances in the security group.

B. The settings will be effective only when all the instances are restarted.

C. The settings will be effective for all the instances only after 30 minutes.

D. The settings will be effective only for the new instances added to the security group.

Answer: A

Explanation:

Amazon Redshift applies changes to a cluster security group immediately. So if you have associated the cluster security group with a cluster, inbound cluster access rules in the updated cluster security group apply immediately.

Reference: http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.htm|

136. Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions and if you have more than one Amazon EC2 instance in one or more regions, you can use to route traffic to the correct region and then use to route traffic to instances within the region, based on probabilities that you specify.

A. weighted-based routing; alias resource record sets

B. latency-based routing; weighted resource record sets

C. weighted-based routing; weighted resource record sets

D. latency-based routing; alias resource record sets

Answer: B

Explanation:

Regarding Amazon Route 53, if your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify.

Reference: http://docs.aws.amazon.com/Route53/Iatest/DeveIoperGuide/Tutorials.html

137. You have a lot of data stored in the AWS Storage Gateway and your manager has come to you asking about how the billing is calculated, specifically the Virtual Tape Shelf usage. What would be a correct response to this?

A. You are billed for the virtual tape data you store in Amazon Glacier and are billed for the size of the virtual tape.

B. You are billed for the virtual tape data you store in Amazon Glacier and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

C. You are billed for the virtual tape data you store in Amazon S3 and billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

D. You are billed for the virtual tape data you store in Amazon S3 and are billed for the size of the virtual tape.

Answer: B

Explanation:

The AWS Storage Gateway is a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure.

AWS Storage Gateway billing is as follows. Volume storage usage (per GB per month):

You are billed for the Cached volume data you store in Amazon S3. You are only billed for volume capacity you use, not for the size of the volume you create.Snapshot Storage usage (per GB per month): You are billed for the snapshots your gateway stores in Amazon S3. These snapshots are stored and billed as Amazon EBS snapshots. Snapshots are incremental backups, reducing your storage charges. When taking a new snapshot, only the data that has changed since your last snapshot is stored.

Virtual Tape Library usage (per GB per month):You are billed for the virtual tape data you store in Amazon S3. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape. Virtual Tape Shelf usage (per GB per month): You are billed for the virtual tape data you store in Amazon Glacier. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

Reference: https://aws.amazon.com/storagegateway/faqs/

138. You are configuring a new VPC for one of your clients for a cloud migration project, and only a public VPN will be in place. After you created your VPC, you created a new subnet, a new internet gateway, and attached your internet gateway to your VPC. When you launched your first instance into your VPC, you realized that you aren’t able to connect to the instance, even if it is configured with an elastic IP. What should be done to access the instance?

A. A route should be created as 0.0.0.0/0 and your internet gateway as target.

B. Attach another ENI to the instance and connect via new ENI.

C. A NAT instance should be created and all traffic should be forwarded to NAT instance.

D. A NACL should be created that allows all outbound traffic.

Answer: A

Explanation:

All traffic should be routed via Internet Gateway. So, a route should be created with 0.0.0.0/0 as a source,and your Internet Gateway as your target.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.htmI

139. A user is currently building a website which will require a large number of instances in six months,when a demonstration of the new site will be given upon launch.Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the demonstration?

A. Procure all the instances as reserved instances beforehand.

B. Launch all the instances as part of the cluster group to ensure resource availability.

C. Pre-warm all the instances one month prior to ensure resource availability.

D. Ask AWS now to procure the dedicated instances in 6 months.

Answer: A

Explanation:

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Reference: http://media.amazonwebservices.com/AWS_Building_FauIt_To|erant_AppIications.pdf

140. You receive a bill from AWS but are confused because you see you are incurring different costs for the exact same storage size in different regions on Amazon S3. You ask AWS why this is so. What response would you expect to receive from AWS?

A. We charge less in different time zones.

B. We charge less where our costs are less.

C. This will balance out next bill.

D. It must be a mistake.

Answer: B

Explanation:

Amazon S3 is storage for the internet. |t’s a simple storage service that offers software developers a highly-scalable, reliable, and low-latency data storage infrastructure at very low costs.AWS charges less where their costs are less.

For example, their costs are lower in the US Standard Region than in the US West (Northern California) Region.

Reference: https://aws.amazon.com/s3/faqs/

141. You are setting up some EBS volumes for a customer who has requested a setup which includes a RAID (redundant array of inexpensive disks). AWS has some recommendations for RAID setups. Which RAID setup is not recommended for Amazon EBS?

A. RAID 5 only

B. RAID 5 and RAID 6

C. RAID 1 only

D. RAID 1 and RAID 6

Answer: B

Explanation:

With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that particular RAID configuration is supported by the operating system for your instance. This is because all RAID is accomplished at the software level. For greater I/O performance than you can achieve with a single volume, RAID 0 can stripe multiple volumes together; for on-instance

redundancy, RAID 1 can mirror two volumes together.RAID 5 and RAID 6 are not recommended for Amazon EBS because the parity write operations of these

RAID modes consume some of the IOPS available to your volumes.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/raid-config.html

142. You receive the following request from a client to quickly deploy a static website for them, specifically on AWS. The requirements are low-cost, reliable, online storage, and a reliable and cost-effective way to route customers to the website, as well as a way to deliver content with low latency and high data transfer speeds so that visitors to his website don’t experience unnecessary delays. What do you think would be

the minimum AWS services that could fulfill the cIient’s request?

A. Amazon Route 53, Amazon CIoudFront and Amazon VPC.

B. Amazon S3, Amazon Route 53 and Amazon RDS

C. Amazon S3, Amazon Route 53 and Amazon CIoudFront

D. Amazon S3 and Amazon Route 53.

Answer: C

Explanation:

You can easily and inexpensively use AWS to host a website that uses client-side technologies (such as HTML, CSS, and JavaScript) and does not require server-side technologies (such as PHP and ASP.NET).

This type of site is called a static website, and is used to display content that does not change frequently.Before you create and deploy a static website, you must plan your architecture to ensure that it meets your requirements. Amazon S3, Amazon Route 53, and Amazon CIoudFront would be required in this instance.

Reference: http://docs.aws.amazon.com/gettingstarted/latest/swh/website-hosting-intro.html

143. What is the default maximum number of Access Keys per user?

A. 10

B. 15

C. 2

D. 20

Answer: C

Explanation:

The default maximum number of Access Keys per user is 2.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.htmI

144. What is the network performance offered by the c4.8xIarge instance in Amazon EC2?

A. 20 Gigabit

B. 10 Gigabit

C. Very High but variable

D. 5 Gigabit

Answer: B

Explanation:

Networking performance offered by the c4.8xIarge instance is 10 Gigabit. Reference:

http://aws.amazon.com/ec2/instance-types/

145. Doug has created a VPC with CIDR 10.201.0.0/16 in his AWS account. In this VPC he has created a public subnet with CIDR block 10.201.31.0/24. While launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance. Which is the most likely reason for this issue?

A. Private IP address 10.201.31.6 is blocked via ACLs in Amazon infrastructure as a part of platform security.

B. Private address IP 10.201.31.6 is currently assigned to another interface.

C. Private IP address 10.201.31.6 is not part of the associated subnet’s IP address range.

D. Private IP address 10.201.31.6 is reserved by Amazon for IP networking purposes.

Answer: B

Explanation:

In Amazon VPC, you can assign any Private IP address to your instance as long as it is: Part of the associated subnet’s IP address range Not reserved by Amazon for IP networking purposes Not currently assigned to another interface

Reference:http://aws.amazon.com/vpc/faqs/

146. You need to create a JSON-formatted text file for AWS CIoudFormation. This is your first template and the only thing you know is that the templates include several major sections but there is only one that is required for it to work. What is the only section required?

A. Mappings

B. Outputs

C. Resources

D. Conditions

Answer: C

Explanation:

AWS CIoudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CIoudFormation takes care of provisioning and

configuring those resources for you.A template is a JSON-formatted text file that describes your AWS infrastructure. Templates include several major sections.

The Resources section is the only section that is required.

The first character in the template must be an open brace ({), and the last character must be a closed brace(}). The following template fragment shows the template structure and sections.

Reference: http://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/template-anatomy.html

147. You are planning and configuring some EBS volumes for an application. In order to get the most performance out of your EBS volumes, you should attach them to an instance with enough to support your volumes.

A. Redundancy

B. Storage

C. Bandwidth

D. Memory

Answer: C

Explanation:

When you plan and configure EBS volumes for your application, it is important to consider the configuration of the instances that you will attach the volumes to. In order to get the most performance out of your EBS volumes, you should attach them to an instance with enough bandwidth to support your volumes, such as an EBS-optimized instance or an instance with 10 Gigabit network connectivity. This is especially important when you use General Purpose (SSD) or Provisioned IOPS (SSD) volumes, or when you stripe multiple volumes together in a RAID configuration.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-ec2-config.htmI

148. Can a single EBS volume be attached to multiple EC2 instances at the same time?

A. Yes

B. No

C. Only for high-performance EBS volumes.

D. Only when the instances are located in the US regions.

Answer: B

Explanation:

You can’t attach an EBS volume to multiple EC2 instances. This is because it is equivalent to using a single hard drive with many computers at the same time.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.htmI

149. How long does an AWS free usage tier EC2 last for?

A. Forever

B. 12 Months upon signup

C. 1 Month upon signup

D. 6 Months upon signup

Answer: B

Explanation:The AWS free usage tier will expire 12 months from the date you sign up. When your free usage expires or if your application use exceeds the free usage tiers, you simply pay the standard, pay-as-you-go service rates.

Reference: http://aws.amazon.com/free/faqs/

150. A user is hosting a website in the US West-1 region. The website has the highest client base from the Asia-Pacific (Singapore / Japan) region. The application is accessing data from S3 before serving it to client. Which of the below mentioned regions gives a better performance for S3 objects?

A. Japan

B. Singapore

C. US East

D. US West-1

Answer: D

Explanation:

Access to Amazon S3 from within Amazon EC2 in the same region is fast. In this aspect, though the client base is Singapore, the application is being hosted in the US West-1 region. Thus, it is recommended that S3 objects be stored in the US-West-1 region.

Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf

Share this: